ItSecurePro asked:
No authority could be contacted for authentication

Hello, since we migrated our Domain the OWA has not been working. The following message is displayed when going to our OWA URL: No authority could be contacted for authentication. Outlook is still working correctly without any issues.

The following changes were made on our network.

We are running Exchange 2003 on Server 2003 Std SP2, this server was virtualized and is running as a VDI VM.

Our previous PDC was a Server 2003 Std SP2; this was demoted, then decommissioned. A new Server 2008 R2 Enterprise (also a VDI VM) is the new PDC (holds all the FSMO roles). Also, the Domain Functional Level was raised to Windows Server 2003.

These servers were converted P2V with MS's Virtual Server Migration Toolkit, without any errors.

The DNS looks good, but I did notice some latency between the Exchange VM and PDC VM (about an avg of 35ms). I did have to update the Recipient Update Service to the new Domain Controller. I ran the MS Exchange Best Practices Analyzer, but there was nothing I could pinpoint as the cause.

I referenced the following post:
https://www.experts-exchange.com/questions/23846972/Outlook-Web-Access-displaying-the-error-No-authority-could-be-contacted-for-authentication-when-trying-to-login.html?sfQueryTermInfo=1+10+30+authent+author+contact+could

I rebuilt the Virtual Server in IIS on Exchange, but this did not correct the issue. Any advice or ideas on how to troubleshoot this issue would be greatly appreciated.
sunnyc7 replied:

get-owavirtualdirectory | fl
get-clientaccessserver | fl
get-webservicesvirtualdirectory | fl

Please post back.
Did you check the time sync between the host and the VM?
Also DC and Exchange.
Any event viewer entries ?
ItSecurePro (asker) replied:
Hello, I checked the time sync and it was off. I corrected the issue. I ran these PowerShell cmdlets:

PS C:\> Get-WmiObject ExchangeQueue -Namespace "root\cimv2\applications\exchange" -ComputerName ExServer | Format-Table VirtualMachine, LinkName, QueueName, NumberofMessages

VirtualMachine                LinkName                      QueueName                                  NumberofMessages
--------------                --------                      ---------                                  ----------------
ExServer                           PendingRerouteQ               PendingRerouteQ                                           0
ExServer                      SMTP (ExServer-{5EC... SMTP (ExServer  -{5EC...                                         0
ExServer                      LocalLink                     LocalAsyncQueue                                           0
ExServer                      PreSubmissionQueue            PreSubmissionQueue                                        0
ExServer                      PreCatQueue                   PreCatQueue                                               0
ExServer                      PreRoutingQueue               PreRoutingQueue                                           0
ExServer                      PostDSNGenerationQueue        PostDSNGenerationQueue                                    0
ExServer                      DeferredDeliveryQueue         DeferredDeliveryQueue                                     0
ExServer                      FailedMessageQueue            FailedMessageQueue                                        0
ExServer                      onlinewall.com                onlinewall.com                                            2

When I run any of the 3 cmdlets you posted I receive the following message:

PS C:\> get-owavirtualdirectory | fl
The term 'get-owavirtualdirectory' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:24
+ get-owavirtualdirectory <<<<  | fl
    + CategoryInfo          : ObjectNotFound: (get-owavirtualdirectory:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

I am not too familiar with using PowerShell, but I assume this means the OWA Virtual Directory is not set up correctly.
sunnyc7 replied:

You have to run get-owavirtualdirectory | fl
from the Exchange shell;
don't run it from PowerShell.

please post back results.
ItSecurePro (asker) replied:

We are running Exchange 2003. It seems there is no native Exchange Shell for 2003.
I am downloading the Exchange Server 2007 Management Tools. There are posts that state that this can be used with some Exchange 2003 objects. The link gives instructions on how to set up EMS 2007 on an XP machine.

http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/managing-exchange-server-2007-using-windows-xp-workstation.html

This is a bit cumbersome. Any other ideas to troubleshoot the OWA, or should I just continue on with setting up the 2007 EMS and hope that I can run those cmdlets?
sunnyc7 replied:

My bad.
Those cmdlets are for Exchange 2007/2010.

Let's try a different approach.
Let me know if you see anything in the event logs from MSExchange or IIS sources:
start > run > eventvwr
Check under Application.
ItSecurePro (asker) replied:

There are several entries with Event ID 7010:

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7010
Date:            10/17/2011
Time:            11:31:12 AM
User:            N/A
Computer:      ExServer
Description:
This is an SMTP protocol log for virtual server ID 1, connection #192. The client at "69.94.235.148" sent a "xexch50" command, and the SMTP server responded with "504 Need to authenticate first  ". The full command sent was "xexch50 2516 2".  This will probably cause the connection to fail.

There are a few 3018 Events:

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      NDR
Event ID:      3018
Date:            10/17/2011
Time:            10:48:12 AM
User:            N/A
Computer:      ExServer
Description:
A non-delivery report with a status code of 5.4.0 was generated for recipient rfc822;perry@satx.IT.com (Message-ID <FB6C754090D94D45B5300A86FF692462024E7CC2@ExServer.mydomain.org>).  
Causes: This message indicates a DNS problem or an IP address configuration problem  
Solution: Check the DNS using nslookup or dnsq. Verify the IP address is in IPv4 literal format.

Just to be clear, Outlook and ActiveSync are working correctly, but not the OWA or IMAP/POP.

I did notice this error in the System log:

Event Type:      Error
Event Source:      NETLOGON
Event Category:      None
Event ID:      5721
Date:            10/17/2011
Time:            11:31:12 AM
User:            N/A
Computer:      ExServer
Description:
The session setup to the Windows NT or Windows 2000 Domain Controller \\DC3Server.mydomain.org for the domain MYDOMAIN.ORG failed because the Domain Controller did not have an account ExServer$ needed to set up the session by this computer ExServer.  

ADDITIONAL DATA
If this computer is a member of or a Domain Controller in the specified domain, the aforementioned account is a computer account for this computer in the specified domain. Otherwise, the account is an interdomain trust account with the specified domain.

Our Exchange server "ExServer" is listed as a Domain Controller in AD, a writable Domain Controller. Our PDC with all the FSMO roles is "DC1Server". I'm not sure why there is an entry for DC3Server in the event log.

ItSecurePro (asker) replied:

This issue has not been resolved.

I noticed a few different things.

First, on the PDC, when I run an nslookup I receive the following results:

Default Server:  UnKnown
Address:  ::1

When I run nslookup mydomain.org on the PDC I receive the following results:

Server:  UnKnown
Address:  ::1

Name:    MyDomain.org
Addresses:  10.32.46.227
          10.32.45.226
          10.32.0.241
          10.32.16.0
          10.32.46.228


When I run an nslookup for our Domain on other servers and clients it returns the correct info, just not on the DCs themselves.


The PDC is assigned the 10.32.46.227 IP address.

The Exchange Server is a writable Domain Controller.
The PDC (10.32.46.227) System Log has the following error:

Log Name:      System
Source:        NETLOGON
Date:          10/24/2011 3:32:42 PM
Event ID:      5723
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DC1.MyDomain.org
Description:
The session setup from computer 'ExServer' failed because the security database does not contain a trust account 'ExServer$' referenced by the specified computer.  

USER ACTION  
If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time.  If this is a Read-Only Domain Controller and 'ExServer$' is a legitimate machine account for the computer 'ExServer' then 'ExServer' should be marked cacheable for this location if appropriate or otherwise ensure connectivity to a domain controller  capable of servicing the request (for example a writable domain controller).  Otherwise, the following steps may be taken to resolve this problem:  

If 'ExServer$' is a legitimate machine account for the computer 'ExServer', then 'ExServer' should be rejoined to the domain.  

If 'ExServer$' is a legitimate interdomain trust account, then the trust should be recreated.  

Otherwise, assuming that 'ExServer$' is not a legitimate account, the following action should be taken on 'ExServer':  

If 'ExServer' is a Domain Controller, then the trust associated with 'ExServer$' should be deleted.  

If 'ExServer1' is not a Domain Controller, it should be disjoined from the domain.
I tried to run DCDiag on the Exchange Server (which shows as a writable DC in AD); I received the following error:

ExServer is not a DC
ASKER CERTIFIED SOLUTION
I would like to be awarded 50 points for this solution.
sunnyc7 replied:

You should be awarded 500 points for this. This is amazing.
How did you go about narrowing it down to UAC?

I have been out of EE for the past 2 weeks. I am sorry I couldn't reply earlier.
ItSecurePro (asker) replied:

No problem. Although I waited for a response, I had to continue troubleshooting this issue. Users were getting really impatient with OWA and IMAP/POP down.

From the Event ID 5723 in the System Log on our Domain Controller I knew the problem was with the computer account for the Exchange Server, because it showed as a writable Domain Controller in AD and this server was never set up this way. The account must have been changed during the P2V process. I remembered a post on EE about a DC showing as a workstation or server:

https://www.experts-exchange.com/questions/21851539/Domain-Controller-show-as-workstation-and-server-in-role.html?sfQueryTermInfo=1+10+30+control+domain+show+workstat

I knew that I had to reset the computer account for the Exchange Server to correct the trust issue as stated in the DC system log. In AD Users & Computers I couldn't right-click and select Reset; the message displayed said this computer is a Domain Controller and cannot be reset. So now I had to remove the Exchange Server from the Domain and then re-join it, but without deleting the original computer account. Creating a new account would also create a new SID, with the risk of breaking Exchange. Up to this point Exchange was still working, and so were the Outlook clients.

So back to the UserAccountControl flag. I checked the value for all our other member servers and the value was the same, 4096, except for the Exchange Server.

So I removed the Exchange Server VM from the Domain, made the edit to the UAC, then from ADUC I right-clicked on the account and selected Reset. Then I was able to rejoin the Exchange Server VM. This immediately corrected the issue. So to really answer your question, it was previous use of EE that helped solve this issue.
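As an added example (not code from this thread or from either participant), the comparison the asker did by hand can be scripted: decode the userAccountControl attribute of every computer object and flag accounts whose SERVER_TRUST_ACCOUNT bit disagrees with whether the host is actually a domain controller. The bit values are the documented ones for userAccountControl (WORKSTATION_TRUST_ACCOUNT = 4096, the value the asker saw on healthy member servers; SERVER_TRUST_ACCOUNT = 8192; TRUSTED_FOR_DELEGATION = 524288). The script assumes the ActiveDirectory PowerShell module, which exists on a Server 2008 R2 DC such as the new PDC here; the function name and variable names are my own.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory
# module (Server 2008 R2 DC or RSAT) and read access to computer objects.
Import-Module ActiveDirectory

# Documented bit values of the userAccountControl attribute
$WORKSTATION_TRUST_ACCOUNT = 0x1000    # 4096   : member server or workstation
$SERVER_TRUST_ACCOUNT      = 0x2000    # 8192   : domain controller
$TRUSTED_FOR_DELEGATION    = 0x80000   # 524288 : normally set on DCs

function Get-ComputerTrustReport {
    # Hosts that really are DCs, taken from the directory itself
    $dcNames = @(Get-ADDomainController -Filter * | ForEach-Object { $_.Name })

    Get-ADComputer -Filter * -Properties userAccountControl | ForEach-Object {
        $uac      = [int]$_.userAccountControl
        $flagsDc  = ($uac -band $SERVER_TRUST_ACCOUNT) -ne 0
        $isRealDc = $dcNames -contains $_.Name

        # New-Object -Property keeps this PowerShell 2.0 compatible
        New-Object PSObject -Property @{
            Name                 = $_.Name
            UserAccountControl   = $uac
            WorkstationTrust     = ($uac -band $WORKSTATION_TRUST_ACCOUNT) -ne 0
            ServerTrust          = $flagsDc
            TrustedForDelegation = ($uac -band $TRUSTED_FOR_DELEGATION) -ne 0
            # True when the flags say "DC" but the host is not one, or vice versa
            Mismatch             = ($flagsDc -ne $isRealDc)
        }
    }
}

# Mismatches first: a member server carrying SERVER_TRUST_ACCOUNT is the
# condition described in the thread and is why ADUC refuses "Reset Account".
Get-ComputerTrustReport |
    Sort-Object Mismatch -Descending |
    Format-Table Name, UserAccountControl, WorkstationTrust, ServerTrust, TrustedForDelegation, Mismatch -AutoSize
```

Run it on the 2008 R2 DC after a migration or P2V conversion, or keep it as a periodic check: a computer account whose Mismatch column is True is one where the NETLOGON 5721/5723 "trust account" errors in the thread should be expected, and the report shows the raw value so it can be compared with the 4096 seen on the other member servers before anything is edited.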