Orion-Group
asked on
Outlook 2010 OWA Proxying\Redirection issue for AD Sites
Hi,
We're experiencing a very frustrating issue with OWA access for users with mailboxes in Active Directory Sites that aren't in the CAS\Mailbox Exchange server (call it SiteA for convenience) that has the External URL parameter listed.
We are running Exchange 2010 SP1 at all sites and, after following the MS technet article - http://technet.microsoft.com/en-us/library/bb310763.aspx, set up our servers so that our Server at SiteA that faces externally has the internal and external OWA URL listed and all the others at remote sites only have the internal URL listed, with External URL being left as blank. What should happen is that any user in any site navigating to https://mail.example.com/owa should be proxied to their relevant mailbox server. However what happens is that users with mailboxes at SiteA work without an issue but users at any other site receive "Outlook Web App isn't available. If the problem continues, please contact your helpdesk".
Frustratingly, and quite bizarrely, Exchange Activesync works without any issues for users in all sites.
I get the feeling this is an issue related more towards IIS or Windows\Forms authentication on each of the target mailbox servers but I don't want to start guessing. Can anyone help shed any light on this issue?
Thanks
We're experiencing a very frustrating issue with OWA access for users with mailboxes in Active Directory Sites that aren't in the CAS\Mailbox Exchange server (call it SiteA for convenience) that has the External URL parameter listed.
We are running Exchange 2010 SP1 at all sites and, after following the MS technet article - http://technet.microsoft.com/en-us/library/bb310763.aspx, set up our servers so that our Server at SiteA that faces externally has the internal and external OWA URL listed and all the others at remote sites only have the internal URL listed, with External URL being left as blank. What should happen is that any user in any site navigating to https://mail.example.com/owa should be proxied to their relevant mailbox server. However what happens is that users with mailboxes at SiteA work without an issue but users at any other site receive "Outlook Web App isn't available. If the problem continues, please contact your helpdesk".
Frustratingly, and quite bizarrely, Exchange Activesync works without any issues for users in all sites.
I get the feeling this is an issue related more towards IIS or Windows\Forms authentication on each of the target mailbox servers but I don't want to start guessing. Can anyone help shed any light on this issue?
Thanks
Radweld
One quick question is can you open a mailbox on the CAS in the other sites by navigating directly to https://serverinsite2.com/owa? Do you have the same certificate loaded onto every CAS in the organisation? are the sites correctly defined in AD Sites and Services?
ASKER
Radweld - thanks for the reply.
Yes I can access the internal URL and log on with out issue. I've even taken it a step further by configuing authentication in one site (site1) to Forms Based and in another site (site2) to Intergrated Windows Authentication. I can successfully logon internally to both.
Sites are defined correctly and replication is working - confirmed with a DCDiag.
Aside from the external facing server that has the SSL for the external mail.example.com domain all the others server have the certificates automatically generated at time of install.
Yes I can access the internal URL and log on with out issue. I've even taken it a step further by configuing authentication in one site (site1) to Forms Based and in another site (site2) to Intergrated Windows Authentication. I can successfully logon internally to both.
Sites are defined correctly and replication is working - confirmed with a DCDiag.
Aside from the external facing server that has the SSL for the external mail.example.com domain all the others server have the certificates automatically generated at time of install.
If you run Get-OWAVirtualDirectory -Identity <NameofClientAccessServer>
ASKER
This is an output from site2:
RunspaceId : 7d665846-fa55-41fe-8a77-b9570d4292bf
DirectFileAccessOnPublicComputersEnabled : True
DirectFileAccessOnPrivateComputersEnabled : True
WebReadyDocumentViewingOnPublicComputersEnabled : True
WebReadyDocumentViewingOnPrivateComputersEnabled : True
ForceWebReadyDocumentViewingFirstOnPublicComputers : False
ForceWebReadyDocumentViewingFirstOnPrivateComputers : False
RemoteDocumentsActionForUnknownServers : Block
ActionForUnknownFileAndMIMETypes : ForceSave
WebReadyFileTypes : {.xlsx, .pptx, .docx, .xls, .rtf, .ppt, .pps, .pdf, .dot, .doc}
WebReadyMimeTypes : {application/vnd.openxmlformats-officedocument.presentationml.pre
sentation, application/vnd.openxmlformats-officedocument.wordproc
essingml.document, application/vnd.openxmlformats-officedocument.
spreadsheetml.sheet, application/vnd.ms-powerpoint, application/x
-mspowerpoint, application/vnd.ms-excel, application/x-msexcel, a
pplication/msword, application/pdf}
WebReadyDocumentViewingForAllSupportedTypes : True
WebReadyDocumentViewingSupportedMimeTypes : {application/msword, application/vnd.ms-excel, application/x-msex
cel, application/vnd.ms-powerpoint, application/x-mspowerpoint, a
pplication/pdf, application/vnd.openxmlformats-officedocument.wor
dprocessingml.document, application/vnd.openxmlformats-officedocu
ment.spreadsheetml.sheet, application/vnd.openxmlformats-officedo
cument.presentationml.presentation}
WebReadyDocumentViewingSupportedFileTypes : {.doc, .dot, .rtf, .xls, .ppt, .pps, .pdf, .docx, .xlsx, .pptx}
AllowedFileTypes : {.rpmsg, .xlsx, .xlsm, .xlsb, .tiff, .pptx, .pptm, .ppsx, .ppsm,
.docx, .docm, .zip, .xls, .wmv, .wma, .wav...}
AllowedMimeTypes : {image/jpeg, image/png, image/gif, image/bmp}
ForceSaveFileTypes : {.vsmacros, .ps2xml, .ps1xml, .mshxml, .gadget, .psc2, .psc1, .as
px, .wsh, .wsf, .wsc, .vsw, .vst, .vss, .vbs, .vbe...}
ForceSaveMimeTypes : {Application/x-shockwave-flash, Application/octet-stream, Applica
tion/futuresplash, Application/x-director}
BlockedFileTypes : {.vsmacros, .msh2xml, .msh1xml, .ps2xml, .ps1xml, .mshxml, .gadge
t, .mhtml, .psc2, .psc1, .msh2, .msh1, .aspx, .xml, .wsh, .wsf...
}
BlockedMimeTypes : {application/x-javascript, application/javascript, application/ms
access, x-internet-signup, text/javascript, application/xml, appl
ication/prg, application/hta, text/scriplet, text/xml}
RemoteDocumentsAllowedServers : {}
RemoteDocumentsBlockedServers : {}
RemoteDocumentsInternalDomainSuffixList : {}
FolderPathname :
Url : {}
LogonFormat : FullDomain
ClientAuthCleanupLevel : High
FilterWebBeaconsAndHtmlForms : UserFilterChoice
NotificationInterval : 120
DefaultTheme :
UserContextTimeout : 60
ExchwebProxyDestination :
VirtualDirectoryType :
OwaVersion : Exchange2010
ServerName : Site2-DC
InstantMessagingCertificateThumbprint :
InstantMessagingServerName :
RedirectToOptimalOWAServer : True
DefaultClientLanguage : 0
LogonAndErrorLanguage : 0
UseGB18030 : False
UseISO885915 : False
OutboundCharset : AutoDetect
GlobalAddressListEnabled : True
OrganizationEnabled : True
ExplicitLogonEnabled : True
OWALightEnabled : True
DelegateAccessEnabled : True
IRMEnabled : True
CalendarEnabled : True
ContactsEnabled : True
TasksEnabled : True
JournalEnabled : True
NotesEnabled : True
RemindersAndNotificationsEnabled : True
PremiumClientEnabled : True
SpellCheckerEnabled : True
SearchFoldersEnabled : True
SignaturesEnabled : True
ThemeSelectionEnabled : True
JunkEmailEnabled : True
UMIntegrationEnabled : True
WSSAccessOnPublicComputersEnabled : True
WSSAccessOnPrivateComputersEnabled : True
ChangePasswordEnabled : True
UNCAccessOnPublicComputersEnabled : True
UNCAccessOnPrivateComputersEnabled : True
ActiveSyncIntegrationEnabled : True
AllAddressListsEnabled : True
RulesEnabled : True
PublicFoldersEnabled : True
SMimeEnabled : True
RecoverDeletedItemsEnabled : True
InstantMessagingEnabled : True
TextMessagingEnabled : True
ForceSaveAttachmentFilteringEnabled : False
SilverlightEnabled : True
CalendarPublishingEnabled : True
InstantMessagingType : None
Exchange2003Url :
FailbackUrl :
LegacyRedirectType : Silent
Name : owa (Default Web Site)
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated}
MetabasePath : IIS://Site2-DC.xxxxxxxglobal.local/W3SVC/1/ROOT/owa
BasicAuthentication : False
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : False
LiveIdAuthentication : False
DefaultDomain :
GzipLevel : High
WebSite : Default Web Site
DisplayName : owa
Path : C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\owa
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags : {}
ExtendedProtectionSPNList : {}
Server : Site2-DC
InternalUrl : https://Site2-dc.xxxxxxxglobal.local/owa
ExternalUrl :
ExternalAuthenticationMethods : {Fba}
AdminDisplayName :
ExchangeVersion : 0.10 (14.0.100.0)
DistinguishedName : CN=owa (Default Web Site),CN=HTTP,CN=Protocols,CN=Site2-DC,C
N=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=A
dministrative Groups,CN=xxxxxxxglobal,CN=Microsoft Exchange,CN=Serv
ices,CN=Configuration,DC=xxxxxxxglobal,DC=local
Identity : Site2-DC\owa (Default Web Site)
Guid : 5d9bbddd-ec8e-4a56-8950-2d682c64212c
ObjectCategory : xxxxxxxglobal.local/Configuration/Schema/ms-Exch-OWA-Virtual-Direct
ory
ObjectClass : {top, msExchVirtualDirectory, msExchOWAVirtualDirectory}
WhenChanged : 04/10/2011 13:47:20
WhenCreated : 27/09/2011 15:45:05
WhenChangedUTC : 04/10/2011 12:47:20
WhenCreatedUTC : 27/09/2011 14:45:05
OrganizationId :
OriginatingServer : Site2-DC.xxxxxxxglobal.local
IsValid : TrueASKER
Also this is an error logged in SiteA regarding proxy attempts from earlier today:
Event ID 41 - MSExchange OWA
The Client Access server "https://mail.xxxxxxx.com/owa" attempted to proxy Outlook Web App traffic for mailbox "/o=xxxxxxxglobal/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Dxxxx Mxxxx". This failed because no Client Access server with an Outlook Web App virtual directory configured for Kerberos authentication could be found in the Active Directory site of the mailbox. The simplest way to configure an Outlook Web App virtual directory for Kerberos authentication is to set it to use Integrated Windows authentication by using the Set-OwaVirtualDirectory cmdlet in the Exchange Management Shell, or by using the Exchange Management Console. If you already have a Client Access server deployed in the target Active Directory site with an Outlook Web App virtual directory configured for Kerberos authentication, the proxying Client Access server may not be finding that target Client Access server because it does not have an internalUrl parameter configured. You can configure the internalUrl parameter for the Outlook Web App virtual directory on the Client Access server in the target Active Directory site by using the Set-OwaVirtualDirectory cmdlet.ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I have a similar issue here, whereby the CAS servers are not talking to each other.
I get:
Log Name: Application
Source: MSExchange OWA
Date: 15/10/2012 16:12:27
Event ID: 71
Task Category: Proxy
Level: Error
Keywords: Classic
User: N/A
Computer: server.domain.local
Description:
Microsoft Exchange Client Access server https://server/owa tried to proxy Outlook traffic to Client Access server https://server2.domain.local/owa. This failed because the authentication for the connection between the two Client Access servers failed. This may be due to one of these configuration problems:
1. The host name in https://server2.domain.local/owa may not be registered as a Service Principal Name (SPN) with Kerberos on the target Client Access server. This usually happens because you used the IP address, instead of the host name, of the target Client Access server in the "internalURL" configuration for the Outlook Web App virtual directory on the target Client Access server. You can change the "internalURL" configuration for the target Client Access server using the Set-OwaVirtualDirectory" task. If you don't want to change the "internalURL" configuration for the Outlook Web App virtual directory on the target Client Access server, you can also use the tool "setspn.exe" on the target Client Access server to register additional SPNs for which that Client Access server will accept Kerberos authentication.
2.The server hosting https://server2.domain.local/owa may be configured not to allow Kerberos authentication. It might be set to use Integrated Windows authentication for the Outlook Web App virtual directory, but be configured to only use NTLM (not Kerberos) authentication for Integrated Windows authentication. If you suspect this may be the cause of the failure, see the IIS documentation for additional troubleshooting steps.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSExchange OWA" />
<EventID Qualifiers="49152">71</Eve
<Level>2</Level>
<Task>6</Task>
<Keywords>0x80000000000000
<TimeCreated SystemTime="2012-10-15T15:
<EventRecordID>27739</Even
<Channel>Application</Chan
<Computer>server.domain.lo
<Security />
</System>
<EventData>
<Data>https://server/owa</Data>
<Data>https://server2.domain.local/owa</Data>
</EventData>
</Event>
Both server have been changed from FBA to Integrated and Basic....
I get:
Log Name: Application
Source: MSExchange OWA
Date: 15/10/2012 16:12:27
Event ID: 71
Task Category: Proxy
Level: Error
Keywords: Classic
User: N/A
Computer: server.domain.local
Description:
Microsoft Exchange Client Access server https://server/owa tried to proxy Outlook traffic to Client Access server https://server2.domain.local/owa. This failed because the authentication for the connection between the two Client Access servers failed. This may be due to one of these configuration problems:
1. The host name in https://server2.domain.local/owa may not be registered as a Service Principal Name (SPN) with Kerberos on the target Client Access server. This usually happens because you used the IP address, instead of the host name, of the target Client Access server in the "internalURL" configuration for the Outlook Web App virtual directory on the target Client Access server. You can change the "internalURL" configuration for the target Client Access server using the Set-OwaVirtualDirectory" task. If you don't want to change the "internalURL" configuration for the Outlook Web App virtual directory on the target Client Access server, you can also use the tool "setspn.exe" on the target Client Access server to register additional SPNs for which that Client Access server will accept Kerberos authentication.
2.The server hosting https://server2.domain.local/owa may be configured not to allow Kerberos authentication. It might be set to use Integrated Windows authentication for the Outlook Web App virtual directory, but be configured to only use NTLM (not Kerberos) authentication for Integrated Windows authentication. If you suspect this may be the cause of the failure, see the IIS documentation for additional troubleshooting steps.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSExchange OWA" />
<EventID Qualifiers="49152">71</Eve
<Level>2</Level>
<Task>6</Task>
<Keywords>0x80000000000000
<TimeCreated SystemTime="2012-10-15T15:
<EventRecordID>27739</Even
<Channel>Application</Chan
<Computer>server.domain.lo
<Security />
</System>
<EventData>
<Data>https://server/owa</Data>
<Data>https://server2.domain.local/owa</Data>
</EventData>
</Event>
Both server have been changed from FBA to Integrated and Basic....