Cannot log on to OWA 2010 from 2003

I am working on a 2003 to 2010 exchange migration. The site has a netscaler that handles the ssl offloading so I turned off ssl encryption on the internal urls for owa, ecp, oab, and exchange. I created a legacy url as such: set-owavirtualdirectory -exchange2003url "http:\\ -identity "cassserver\owa*" I can get to the owa logon screen fine, but when I enter the username and password of a user that still has a 2003 mailbox, I get the following error: Your request couldn’t be completed because no server with the correct security settings was found to handle the request. If the problem continues, contact your helpdesk. Sometimes I get to the screen and regardless of what credentials I put in, it is not accepted. I created a wildcard cert on the cas server, then imported it into the 2003 server. The error still happensl.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Is your exchange 2003 server setup for secure https on owa? I think this happens whenyou redirect from secure to non secure or vise versa.
xzay1967Author Commented:
No it is not, the netscaler is doing SSL offloading. That means that the encryption is stripped before it hits the mail server. Because of the netscaler handling the ssl, i also turned off ssl on the 2010 servers, and also the virtual directory. The only thing not enabled on the 2003 server, is form based authentication.
Remember it's a redirect, fba is needed for it to work. Does the certificate on yout firewall contain the URL your using for legacy redirect? If not the client will be attempting to make a connection to your legacy exchange 2003 front end server over https when the virtual directories are not configured to do so hence the error.
xzay1967Author Commented:
The company does not use fba. Is there a way around that, or would they HAVE to use fba until the complete switch over to 2010? As for the  redirect, I am only testing internal right now, so not going thru Netscaler.
FBA is needed if you want single sign on but this shouldnt prevent it from working. Please make sure the security configuration matches between Exchange 2003 and Exchange 2010 virtual directories. Make sure the legacy entry is correct i.e. points to a valid Exchange 2003 or front end server or uses an alias that utimately resolves to Exchange 2003. Also your certificate that your using on Exchange 2010 must contain the legacy redirected URL or DNS alias.

Also read this blog documenting the entire process.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
xzay1967Author Commented:
Thanks Radweld. I am using a wildcard cert, and it is on 2010 and 2003 servers. However, I will double check the dns entry for the legacy url.
Ahh, Wildcards definately have limitations with Autodiscover, you can't use a wildcard without reconfiguring Outlook. I suspect the wildcard here might also be a problem. If you go through the CSR generatation process, it will reccomend a SAN Certificate and state a wildcard is unsuitable. Also remember the 2010 CAS redirects the client to the  FE 2003, the client then makes a direct connection to the FE 2003 server using the redirect URL. Because of this the legacy URL needs to be published externally and present in a SAN certificate. Communications to your CAS servers go via the Netscaler and are secure upto that point.

Your clients need to be able to use the external Legacy URL to make a direct connection to the FE 2003 server, is the netscaler publishing your Exchange 2003 FE server as well? if the same appliance is publishing both, then it should work, if it's not then I think you might have to disable SSL offloading and allow the CAS to decrypt the data. You can then configure FE 2003 the same.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.