No authority could be contacted for authentication

Posted on 2011-10-14
Last Modified: 2012-08-14
Hello, since we migrated our Domain the OWA has not been working. The following message is displayed when going to our OWA URL: No authority could be contacted for authentication. Outlook is still working correctly without any issues.

The following changes were made on our network.

We are running Exchange 2003 on Server 2003 Std SP2, this server was virtualized and is running as a VDI VM.

Our previous PDC was a Server 2003 Std SP2; this was demoted then decommissioned. A new Server 2008 R2 Enterprise (also a VDI VM) is the new PDC (holds all the FSMO roles). Also, the Domain Function Level was raised to Windows Server 2003.

These servers were converted P2V with MS's Virtual Server Migration Toolkit, without any errors.

The DNS looks good, but I did notice some latency between the Exchange VM and PDC VM (about an avg of 35ms).  I did have to update the Recipient Update Services to the new Domain Controller.  I ran the MS Exchange Best Practice Analyzer, but there was nothing I could pinpoint as the cause.

I referenced the following post:

I rebuilt the Virtual Server in IIS on Exchange, but this did not correct the issue.  Any advice or ideas on how to troubleshoot this issue would be greatly appreciated.
Question by:ItSecurePro

Expert Comment

ID: 36974979
get-owavirtualdirectory | fl
get-clientaccessserver | fl
get-webservicesvirtualdirectory | fl

Please post back.

Expert Comment

ID: 36974981
Did you check the time sync between the host and the VM ?
Also DC and Exchange.
Any event viewer entries ?

Author Comment

ID: 36979576
Hello, I checked the time sync and it was off. I corrected the issue. I ran these powershell cmdlets:

PS C:\> Get-WmiObject ExchangeQueue -Namespace "root\cimv2\applications\exchange" -ComputerName ExServer | Format
-Table VirtualMachine, LinkName, QueueName, NumberofMessages

VirtualMachine                LinkName                      QueueName                                  NumberofMessages
--------------                --------                      ---------                                  ----------------
ExServer                           PendingRerouteQ               PendingRerouteQ                                           0
ExServer                      SMTP (ExServer-{5EC... SMTP (ExServer  -{5EC...                                         0
ExServer                      LocalLink                     LocalAsyncQueue                                           0
ExServer                      PreSubmissionQueue            PreSubmissionQueue                                        0
ExServer                      PreCatQueue                   PreCatQueue                                               0
ExServer                      PreRoutingQueue               PreRoutingQueue                                           0
ExServer                      PostDSNGenerationQueue        PostDSNGenerationQueue                                    0
ExServer                      DeferredDeliveryQueue         DeferredDeliveryQueue                                     0
ExServer                      FailedMessageQueue            FailedMessageQueue                                        0
ExServer                      onlinewall.com                onlinewall.com                                            2

When I run any of the 3 cmdlets you posted I receive the following message:

PS C:\> get-owavirtualdirectory | fl
The term 'get-owavirtualdirectory' is not recognized as the name of a cmdlet, f
unction, script file, or operable program. Check the spelling of the name, or i
f a path was included, verify that the path is correct and try again.
At line:1 char:24
+ get-owavirtualdirectory <<<<  | fl
    + CategoryInfo          : ObjectNotFound: (get-owavirtualdirectory:String)
    [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

I am not too familiar with using PowerShell, but I assume this means the OWA Virtual Directory is not set up correctly.


Expert Comment

ID: 36979600
You have to run get-owavirtualdirectory | fl
from the Exchange shell.
Don't run it from PowerShell.

please post back results.

Author Comment

ID: 36980241
We are running Exchange 2003. It seems that there is no native Exchange Shell for 2003.
I am downloading Exchange Server 2007 Management Tools. There are posts that state that this can be used with some Exchange 2003 objects. The link gives instructions on how to setup EMS 2007 on an XP Machine.


This is a bit cumbersome. Any other ideas to troubleshoot the OWA, or should I just continue on with setting up the 2007 EMS and hope that I can run those cmdlets?

Expert Comment

ID: 36980456
My bad.
Those cmdlets are for Exchange 2007/2010.

Let's try a different approach.
Let me know if you see anything in event logs from MsExchange or IIS sources:
start > run > eventvwr
Check under application.

Author Comment

ID: 36980685
There are several entries with Event ID 7010

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7010
Date:            10/17/2011
Time:            11:31:12 AM
User:            N/A
Computer:      ExServer
This is an SMTP protocol log for virtual server ID 1, connection #192. The client at "" sent a "xexch50" command, and the SMTP server responded with "504 Need to authenticate first  ". The full command sent was "xexch50 2516 2".  This will probably cause the connection to fail.

There are a few 3018 Events:

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      NDR
Event ID:      3018
Date:            10/17/2011
Time:            10:48:12 AM
User:            N/A
Computer:      ExServer
A non-delivery report with a status code of 5.4.0 was generated for recipient rfc822;perry@satx.IT.com (Message-ID <FB6C754090D94D45B5300A86FF692462024E7CC2@ExServer.mydomain.org>).  
Causes: This message indicates a DNS problem or an IP address configuration problem  
Solution: Check the DNS using nslookup or dnsq. Verify the IP address is in IPv4 literal format.

Just to be clear, Outlook and ActiveSync are working correctly, but not the OWA or IMAP/POP.

I did notice this error in the System log:

Event Type:      Error
Event Source:      NETLOGON
Event Category:      None
Event ID:      5721
Date:            10/17/2011
Time:            11:31:12 AM
User:            N/A
Computer:      ExServer
The session setup to the Windows NT or Windows 2000 Domain Controller \\DC3Server.mydomain.org for the domain MYDOMAIN.ORG failed because the Domain Controller did not have an account ExServer$ needed to set up the session by this computer ExServer.  

If this computer is a member of or a Domain Controller in the specified domain, the aforementioned account is a computer account for this computer in the specified domain. Otherwise, the account is an interdomain trust account with the specified domain.

Our Exchange server "ExServer" is listed as a Domain Controller in AD. A Writable Domain Controller. Our PDC with all the FSMO roles is "DC1Server". I'm not sure why there is an entry for the DC3Server in the event log.

Author Comment

ID: 37021012
This issue has not been resolved.

I noticed a few different things.

First, on the PDC, when I run an nslookup I receive the following results:

Default Server:  UnKnown
Address:  ::1

When I run nslookup mydomain.org on the PDC I receive the following results:

Server:  UnKnown
Address:  ::1

Name:    MyDomain.org

When I run an nslookup for our Domain on other servers and clients it returns the correct info. Just not of the DCs themselves.

The PDC is assigned IP address

The Exchange Server is a writable Domain Controller
The PDC System Log has the following error:

Log Name:      System
Source:        NETLOGON
Date:          10/24/2011 3:32:42 PM
Event ID:      5723
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DC1.MyDomain.org
The session setup from computer 'ExServer' failed because the security database does not contain a trust account 'ExServer$' referenced by the specified computer.  

If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time.  If this is a Read-Only Domain Controller and 'ExServer$' is a legitimate machine account for the computer 'ExServer' then 'ExServer' should be marked cacheable for this location if appropriate or otherwise ensure connectivity to a domain controller  capable of servicing the request (for example a writable domain controller).  Otherwise, the following steps may be taken to resolve this problem:  

If 'ExServer$' is a legitimate machine account for the computer 'ExServer', then 'ExServer' should be rejoined to the domain.  

If 'ExServer$' is a legitimate interdomain trust account, then the trust should be recreated.  

Otherwise, assuming that 'ExServer$' is not a legitimate account, the following action should be taken on 'ExServer':  

If 'ExServer' is a Domain Controller, then the trust associated with 'ExServer$' should be deleted.  

If 'ExServer1' is not a Domain Controller, it should be disjoined from the domain.

Author Comment

ID: 37021071
I tried to run a DCDiag on the Exchange Server (which show as a writable DC in AD), I received the following error:

ExServer is not a DC

Accepted Solution

ItSecurePro earned 0 total points
ID: 37059867
I resolved the issue. Removed Exchange Server VM from Domain. Computer Account was listed as Domain Controller in AD, and with UserAccountControl flag set to "8192". Used ADSI Edit to Change UserAccountControl flag to "4096" and then reset computer account. Rejoined Exchange Server VM to domain. This corrected the issue. OWA and POP/IMAP are working correctly now.

Author Closing Comment

ID: 37087336
I would like to be awarded 50 points for this solution.

Expert Comment

ID: 37086925
You should be awarded 500 points for this. This is amazing.
How did you go about narrowing it down to UAC?

I have been out of EE for the past 2 weeks. I am sorry I couldn't reply earlier.

Author Comment

ID: 37087004
No problem. Although I waited for a response I had to continue troubleshooting this issue. Users were getting really impatient having OWA, and IMAP/POP down.

From the Event ID: 5723 in the System Log on our Domain Controller I knew the problem was with the computer account for the Exchange Server, because it showed as a writable Domain Controller in AD and this server was never set up this way. The account must have been changed during the P2V process. I remembered a post on EE about a DC showing as a workstation or server:


I knew that I had to reset the computer account for the Exchange Server to correct the trust issue as stated on the DC system log. In AD Users&Computers I couldn't right-click and select reset; the message displayed said this computer is a Domain Controller and cannot be reset. So now I had to remove the Exchange Server from the Domain and then re-join it, but without deleting the original computer account. Creating a new account would also create a new SID, in which there was a risk of breaking Exchange. Up to this point Exchange was still working, as were the Outlook clients.

So back to the UserAccountControl flag. I checked the value for all our other member servers and the value was the same, 4096, except for the Exchange Server.

So I removed the Exchange Server VM from the Domain, made the edit to the UAC, then from ADUC I right-clicked on the account and selected reset. Then I was able to rejoin the Exchange Server VM. This immediately corrected the issue. So to really answer your question, it was previous use of EE that helped solve this issue.
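
A read-only audit for the condition the accepted solution describes, added here as an example and not part of the original thread: it lists computer accounts whose userAccountControl carries the 8192 (SERVER_TRUST_ACCOUNT) bit but that have no NTDS Settings object in the configuration partition, i.e. accounts flagged as a domain controller that are not one. The helper name Find-Entries is hypothetical, and the script assumes a domain-joined machine with read access to the directory.

```powershell
# Added example (not from the thread). Read-only: it changes nothing in AD.
$SERVER_TRUST_ACCOUNT = 0x2000   # 8192: account type "domain controller"

# Hypothetical helper: paged LDAP search returning SearchResult objects.
function Find-Entries([string]$BaseDn, [string]$Filter, [string[]]$Attrs) {
    $s = New-Object System.DirectoryServices.DirectorySearcher(
        [adsi]"LDAP://$BaseDn", $Filter, $Attrs)
    $s.PageSize = 500            # page through large result sets
    $s.FindAll()
}

$rootDse  = [adsi]'LDAP://RootDSE'
$domainNC = [string]$rootDse.defaultNamingContext
$sitesDn  = 'CN=Sites,' + [string]$rootDse.configurationNamingContext

# 1. Server objects that own an NTDS Settings (nTDSDSA) child really host a directory.
$dsaParents = @{}
foreach ($r in Find-Entries $sitesDn '(objectClass=nTDSDSA)' 'distinguishedName') {
    $dn = [string]$r.Properties['distinguishedname'][0]
    $dsaParents[$dn.Substring($dn.IndexOf(',') + 1).ToLower()] = $true
}

# 2. Map those server objects to their computer accounts via serverReference.
$realDcs = @{}
foreach ($r in Find-Entries $sitesDn '(&(objectClass=server)(serverReference=*))' `
                            'distinguishedName','serverReference') {
    $serverDn = ([string]$r.Properties['distinguishedname'][0]).ToLower()
    if ($dsaParents.ContainsKey($serverDn)) {
        $realDcs[([string]$r.Properties['serverreference'][0]).ToLower()] = $true
    }
}

# 3. Computer accounts whose userAccountControl has the 8192 bit set
#    (1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule).
$filter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=$SERVER_TRUST_ACCOUNT))"
foreach ($r in Find-Entries $domainNC $filter 'distinguishedName','userAccountControl') {
    $dn  = [string]$r.Properties['distinguishedname'][0]
    $uac = [int]$r.Properties['useraccountcontrol'][0]
    if (-not $realDcs.ContainsKey($dn.ToLower())) {
        # Flag says DC, but no NTDS Settings object backs it: the thread's symptom.
        New-Object PSObject -Property @{ Computer = $dn; UAC = $uac }
    }
}
```

An empty result means every account flagged as a domain controller is backed by a real one.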

