Outlook 2010 OWA Proxying\Redirection issue for AD Sites

Posted on 2011-10-04
Last Modified: 2012-10-15

We're experiencing a very frustrating issue with OWA access for users whose mailboxes are in Active Directory Sites other than the one containing the CAS\Mailbox Exchange server (call it SiteA for convenience) that has the External URL parameter listed.

We are running Exchange 2010 SP1 at all sites and, after following the MS technet article -, set up our servers so that our server at SiteA that faces externally has the internal and external OWA URL listed and all the others at remote sites only have the internal URL listed, with External URL being left blank.  What should happen is that any user in any site navigating to should be proxied to their relevant mailbox server.  However, what happens is that users with mailboxes at SiteA work without an issue but users at any other site receive "Outlook Web App isn't available.  If the problem continues, please contact your helpdesk".

Frustratingly, and quite bizarrely, Exchange Activesync works without any issues for users in all sites.

I get the feeling this is an issue related more to IIS or Windows\Forms authentication on each of the target mailbox servers, but I don't want to start guessing.  Can anyone help shed any light on this issue?

Question by:Orion-Group
    LVL 14

    Expert Comment

    One quick question: can you open a mailbox on the CAS in the other sites by navigating directly to the internal URL? Do you have the same certificate loaded onto every CAS in the organisation? Are the sites correctly defined in AD Sites and Services?

    Author Comment

    Radweld - thanks for the reply.

    Yes, I can access the internal URL and log on without issue.  I've even taken it a step further by configuring authentication in one site (site1) to Forms Based and in another site (site2) to Integrated Windows Authentication.  I can successfully log on internally to both.  

    Sites are defined correctly and replication is working - confirmed with DCDiag.

    Aside from the external facing server that has the SSL certificate for the external domain, all the other servers have the certificates automatically generated at time of install.
    LVL 14

    Expert Comment

    If you run Get-OWAVirtualDirectory -Identity <NameofClientAccessServer> | FL you will see all the settings for OWA, can you post up the results from either CAS server.

    Author Comment

    This is an output from site2:

    RunspaceId                                          : 7d665846-fa55-41fe-8a77-b9570d4292bf
    DirectFileAccessOnPublicComputersEnabled            : True
    DirectFileAccessOnPrivateComputersEnabled           : True
    WebReadyDocumentViewingOnPublicComputersEnabled     : True
    WebReadyDocumentViewingOnPrivateComputersEnabled    : True
    ForceWebReadyDocumentViewingFirstOnPublicComputers  : False
    ForceWebReadyDocumentViewingFirstOnPrivateComputers : False
    RemoteDocumentsActionForUnknownServers              : Block
    ActionForUnknownFileAndMIMETypes                    : ForceSave
    WebReadyFileTypes                                   : {.xlsx, .pptx, .docx, .xls, .rtf, .ppt, .pps, .pdf, .dot, .doc}
    WebReadyMimeTypes                                   : {application/vnd.openxmlformats-officedocument.presentationml.pre
                                                          sentation, application/vnd.openxmlformats-officedocument.wordproc
                                                          essingml.document, application/vnd.openxmlformats-officedocument.
                                                          spreadsheetml.sheet, application/, application/x
                                                          -mspowerpoint, application/, application/x-msexcel, a
                                                          pplication/msword, application/pdf}
    WebReadyDocumentViewingForAllSupportedTypes         : True
    WebReadyDocumentViewingSupportedMimeTypes           : {application/msword, application/, application/x-msex
                                                          cel, application/, application/x-mspowerpoint, a
                                                          pplication/pdf, application/vnd.openxmlformats-officedocument.wor
                                                          dprocessingml.document, application/vnd.openxmlformats-officedocu
                                                          ment.spreadsheetml.sheet, application/vnd.openxmlformats-officedo
    WebReadyDocumentViewingSupportedFileTypes           : {.doc, .dot, .rtf, .xls, .ppt, .pps, .pdf, .docx, .xlsx, .pptx}
    AllowedFileTypes                                    : {.rpmsg, .xlsx, .xlsm, .xlsb, .tiff, .pptx, .pptm, .ppsx, .ppsm, 
                                                          .docx, .docm, .zip, .xls, .wmv, .wma, .wav...}
    AllowedMimeTypes                                    : {image/jpeg, image/png, image/gif, image/bmp}
    ForceSaveFileTypes                                  : {.vsmacros, .ps2xml, .ps1xml, .mshxml, .gadget, .psc2, .psc1, .as
                                                          px, .wsh, .wsf, .wsc, .vsw, .vst, .vss, .vbs, .vbe...}
    ForceSaveMimeTypes                                  : {Application/x-shockwave-flash, Application/octet-stream, Applica
                                                          tion/futuresplash, Application/x-director}
    BlockedFileTypes                                    : {.vsmacros, .msh2xml, .msh1xml, .ps2xml, .ps1xml, .mshxml, .gadge
                                                          t, .mhtml, .psc2, .psc1, .msh2, .msh1, .aspx, .xml, .wsh, .wsf...
    BlockedMimeTypes                                    : {application/x-javascript, application/javascript, application/ms
                                                          access, x-internet-signup, text/javascript, application/xml, appl
                                                          ication/prg, application/hta, text/scriplet, text/xml}
    RemoteDocumentsAllowedServers                       : {}
    RemoteDocumentsBlockedServers                       : {}
    RemoteDocumentsInternalDomainSuffixList             : {}
    FolderPathname                                      : 
    Url                                                 : {}
    LogonFormat                                         : FullDomain
    ClientAuthCleanupLevel                              : High
    FilterWebBeaconsAndHtmlForms                        : UserFilterChoice
    NotificationInterval                                : 120
    DefaultTheme                                        : 
    UserContextTimeout                                  : 60
    ExchwebProxyDestination                             : 
    VirtualDirectoryType                                : 
    OwaVersion                                          : Exchange2010
    ServerName                                          : Site2-DC
    InstantMessagingCertificateThumbprint               : 
    InstantMessagingServerName                          : 
    RedirectToOptimalOWAServer                          : True
    DefaultClientLanguage                               : 0
    LogonAndErrorLanguage                               : 0
    UseGB18030                                          : False
    UseISO885915                                        : False
    OutboundCharset                                     : AutoDetect
    GlobalAddressListEnabled                            : True
    OrganizationEnabled                                 : True
    ExplicitLogonEnabled                                : True
    OWALightEnabled                                     : True
    DelegateAccessEnabled                               : True
    IRMEnabled                                          : True
    CalendarEnabled                                     : True
    ContactsEnabled                                     : True
    TasksEnabled                                        : True
    JournalEnabled                                      : True
    NotesEnabled                                        : True
    RemindersAndNotificationsEnabled                    : True
    PremiumClientEnabled                                : True
    SpellCheckerEnabled                                 : True
    SearchFoldersEnabled                                : True
    SignaturesEnabled                                   : True
    ThemeSelectionEnabled                               : True
    JunkEmailEnabled                                    : True
    UMIntegrationEnabled                                : True
    WSSAccessOnPublicComputersEnabled                   : True
    WSSAccessOnPrivateComputersEnabled                  : True
    ChangePasswordEnabled                               : True
    UNCAccessOnPublicComputersEnabled                   : True
    UNCAccessOnPrivateComputersEnabled                  : True
    ActiveSyncIntegrationEnabled                        : True
    AllAddressListsEnabled                              : True
    RulesEnabled                                        : True
    PublicFoldersEnabled                                : True
    SMimeEnabled                                        : True
    RecoverDeletedItemsEnabled                          : True
    InstantMessagingEnabled                             : True
    TextMessagingEnabled                                : True
    ForceSaveAttachmentFilteringEnabled                 : False
    SilverlightEnabled                                  : True
    CalendarPublishingEnabled                           : True
    InstantMessagingType                                : None
    Exchange2003Url                                     : 
    FailbackUrl                                         : 
    LegacyRedirectType                                  : Silent
    Name                                                : owa (Default Web Site)
    InternalAuthenticationMethods                       : {Ntlm, WindowsIntegrated}
    MetabasePath                                        : IIS://Site2-DC.xxxxxxxglobal.local/W3SVC/1/ROOT/owa
    BasicAuthentication                                 : False
    WindowsAuthentication                               : True
    DigestAuthentication                                : False
    FormsAuthentication                                 : False
    LiveIdAuthentication                                : False
    DefaultDomain                                       : 
    GzipLevel                                           : High
    WebSite                                             : Default Web Site
    DisplayName                                         : owa
    Path                                                : C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\owa
    ExtendedProtectionTokenChecking                     : None
    ExtendedProtectionFlags                             : {}
    ExtendedProtectionSPNList                           : {}
    Server                                              : Site2-DC
    InternalUrl                                         : https://Site2-dc.xxxxxxxglobal.local/owa
    ExternalUrl                                         : 
    ExternalAuthenticationMethods                       : {Fba}
    AdminDisplayName                                    : 
    ExchangeVersion                                     : 0.10 (
    DistinguishedName                                   : CN=owa (Default Web Site),CN=HTTP,CN=Protocols,CN=Site2-DC,C
                                                          N=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=A
                                                          dministrative Groups,CN=xxxxxxxglobal,CN=Microsoft Exchange,CN=Serv
    Identity                                            : Site2-DC\owa (Default Web Site)
    Guid                                                : 5d9bbddd-ec8e-4a56-8950-2d682c64212c
    ObjectCategory                                      : xxxxxxxglobal.local/Configuration/Schema/ms-Exch-OWA-Virtual-Direct
    ObjectClass                                         : {top, msExchVirtualDirectory, msExchOWAVirtualDirectory}
    WhenChanged                                         : 04/10/2011 13:47:20
    WhenCreated                                         : 27/09/2011 15:45:05
    WhenChangedUTC                                      : 04/10/2011 12:47:20
    WhenCreatedUTC                                      : 27/09/2011 14:45:05
    OrganizationId                                      : 
    OriginatingServer                                   : Site2-DC.xxxxxxxglobal.local
    IsValid                                             : True



    Author Comment

    Also this is an error logged in SiteA regarding proxy attempts from earlier today:

    Event ID 41 - MSExchange OWA
    The Client Access server "" attempted to proxy Outlook Web App traffic for mailbox "/o=xxxxxxxglobal/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Dxxxx Mxxxx". This failed because no Client Access server with an Outlook Web App virtual directory configured for Kerberos authentication could be found in the Active Directory site of the mailbox. The simplest way to configure an Outlook Web App virtual directory for Kerberos authentication is to set it to use Integrated Windows authentication by using the Set-OwaVirtualDirectory cmdlet in the Exchange Management Shell, or by using the Exchange Management Console. If you already have a Client Access server deployed in the target Active Directory site with an Outlook Web App virtual directory configured for Kerberos authentication, the proxying Client Access server may not be finding that target Client Access server because it does not have an internalUrl parameter configured. You can configure the internalUrl parameter for the Outlook Web App virtual directory on the Client Access server in the target Active Directory site by using the Set-OwaVirtualDirectory cmdlet.


    LVL 14

    Accepted Solution

    Ok I am pretty sure you need to set the External Authentication Method to Windows Integrated and not FBA when you don't have an external URL specified.

    LVL 1

    Expert Comment

    I have a similar issue here, whereby the CAS servers are not talking to each other.  

    I get:

    Log Name:      Application
    Source:        MSExchange OWA
    Date:          15/10/2012 16:12:27
    Event ID:      71
    Task Category: Proxy
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      server.domain.local
    Microsoft Exchange Client Access server https://server/owa tried to proxy Outlook traffic to Client Access server https://server2.domain.local/owa. This failed because the authentication for the connection between the two Client Access servers failed. This may be due to one of these configuration problems:
    1. The host name in https://server2.domain.local/owa may not be registered as a Service Principal Name (SPN) with Kerberos on the target Client Access server. This usually happens because you used the IP address, instead of the host name, of the target Client Access server in the "internalURL" configuration for the Outlook Web App virtual directory on the target Client Access server. You can change the "internalURL" configuration for the target Client Access server using the Set-OwaVirtualDirectory" task. If you don't want to change the "internalURL" configuration for the Outlook Web App virtual directory on the target Client Access server, you can also use the tool "setspn.exe" on the target Client Access server to register additional SPNs for which that Client Access server will accept Kerberos authentication.
    2.The server hosting https://server2.domain.local/owa may be configured not to allow Kerberos authentication. It might be set to use Integrated Windows authentication for the Outlook Web App virtual directory, but be configured to only use NTLM (not Kerberos) authentication for Integrated Windows authentication. If you suspect this may be the cause of the failure, see the IIS documentation for additional troubleshooting steps.
    Event Xml:
    <Event xmlns="">
        <Provider Name="MSExchange OWA" />
        <EventID Qualifiers="49152">71</EventID>
        <TimeCreated SystemTime="2012-10-15T15:12:27.000000000Z" />
        <Security />

    Both servers have been changed from FBA to Integrated and Basic....
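    The Event 41 text in the author's post and the Event 71 text just above name the three things a CAS-to-CAS OWA proxy needs on the target side: an InternalUrl so the proxying CAS can find the target, a host name (not an IP address) in that URL so Kerberos has an SPN to use, and Integrated Windows authentication rather than Forms-based authentication on the target OWA virtual directory, which is also what the accepted answer recommends for a vdir with no ExternalUrl. The script below audits every CAS in the org for those three conditions and optionally applies the authentication change. It is an added example, not code from the question or any of the answers; it assumes it is run in the Exchange 2010 Management Shell by an account that can read the OWA and ECP virtual directories, that Get-ExchangeServer exposes the Fqdn and Site properties as it does on 2010, and the -Fix switch and the report column names are my own choices.

```powershell
# Added example, not code from the original thread. Assumes it runs in the
# Exchange 2010 Management Shell (PowerShell 2.0 syntax is used on purpose).
# -Fix additionally needs rights to run Set-OwaVirtualDirectory and
# Set-EcpVirtualDirectory on each server it touches.
param([switch]$Fix)

# Every Client Access server in the org, with the AD site Exchange has it in.
$casServers = Get-ExchangeServer | Where-Object { $_.ServerRole -match 'ClientAccess' }

$findings = @()
foreach ($cas in $casServers) {
    # Only the OWA vdir itself, not the legacy Exchange/Exchweb/Public vdirs.
    $owaVdirs = Get-OwaVirtualDirectory -Server $cas.Name | Where-Object { $_.Name -like 'owa*' }
    foreach ($vdir in $owaVdirs) {
        $problems = @()

        # Event 41: the proxying CAS locates the target by its InternalUrl.
        if (-not $vdir.InternalUrl) {
            $problems += 'InternalUrl is empty'
        } else {
            $urlHost = ([System.Uri]$vdir.InternalUrl).Host
            if ($urlHost -as [System.Net.IPAddress]) {
                # Event 71 case 1: an IP address has no SPN, so Kerberos cannot be used.
                $problems += "InternalUrl uses IP address $urlHost; use the host name instead"
            } elseif ($urlHost -ne $cas.Fqdn) {
                # HOST/<fqdn> on the computer account already covers HTTP/<fqdn>;
                # any other name needs an explicit SPN (setspn -S HTTP/<name> <computer>).
                $problems += "InternalUrl host '$urlHost' is not $($cas.Fqdn); check 'setspn -L $($cas.Name)' for HTTP/$urlHost"
            }
        }

        # Event 41 / Event 71 case 2: a vdir with no ExternalUrl is only ever reached
        # by proxy, and the proxy connection authenticates with Kerberos, so it must
        # use Integrated Windows authentication and not Forms-based authentication.
        if (-not $vdir.ExternalUrl) {
            if ($vdir.FormsAuthentication)        { $problems += 'Forms-based auth enabled on a proxy-only vdir' }
            if (-not $vdir.WindowsAuthentication) { $problems += 'Integrated Windows auth disabled on a proxy-only vdir' }
        }

        $findings += New-Object PSObject -Property @{
            Site     = $cas.Site.Name
            Server   = $cas.Name
            Identity = $vdir.Identity
            Problems = ($problems -join '; ')
        }

        if ($Fix -and -not $vdir.ExternalUrl -and ($vdir.FormsAuthentication -or -not $vdir.WindowsAuthentication)) {
            # On 2010 the OWA and ECP vdirs must use the same authentication, and IIS
            # has to be restarted before the change takes effect.
            Set-OwaVirtualDirectory -Identity $vdir.Identity -WindowsAuthentication $true -FormsAuthentication $false -BasicAuthentication $false
            Set-EcpVirtualDirectory -Identity "$($cas.Name)\ecp (Default Web Site)" -WindowsAuthentication $true -FormsAuthentication $false
            Write-Warning "Authentication changed on $($cas.Name); run 'iisreset /noforce' on that server."
        }
    }
}

$findings | Sort-Object Site, Server | Format-Table Site, Server, Identity, Problems -AutoSize
```

    Run it without -Fix first and read the Problems column; the site2 output posted above would come back clean on every check (InternalUrl is the server FQDN, ExternalUrl is blank, WindowsAuthentication is True, FormsAuthentication is False), which is the state the proxy target needs to be in. The InternalUrl host check deliberately only compares against the server FQDN: a CAS array or alias name in InternalUrl is legitimate, but then the HTTP/<alias> SPN has to exist, and setspn is the place to confirm that rather than something this script can prove from the Exchange side.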
