  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 963
  • Last Modified:

Clients prompted for authentication for one of the two CAS servers

Clients are being prompted for credentials on one of the two CAS servers in the array.

Exchange 2010

Outlook 2007 clients are only prompting for credentials, 2010 clients are fine.

WNLB - Outlook.company.edu 172.16.0.61

CAS1 - CAS1.company.edu 172.16.0.103 (WNLB nic)  172.16.0.88 (physical nic)

CAS2 CAS2.company.edu 172.16.0.104 (WNLB) and 172.16.0.89 (Physical nic)

Clients that are trying to connect to CAS2 are being prompted, clients for CAS1 are not.


Previously, DNS had been pointed at 103, the CAS1 WNLB nic and I had changed outlook.company.edu back to 0.61 (vs 103) and started to notice issues connecting. I have since changed it back to 103 and still see prompts for credentials, regardless of an existing profile or a brand new profile.
0
Asked by: AllIntUni2000
1 Solution
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
Check the IIS setting on both the CAS servers ... also ensure on Events in APP logs and Test-OutlookConnectivity runs fine.
Is there some Teaming of Nics on both CAS servers?
If multiple NIC ensure the binding order is correct.

- Rancy
0
 
AllIntUni2000 (Author) Commented:
Applogs are clean.

Single NIC is in use.. this server is running as a VM.

We have had NO issues whatsoever until this morning.. besides as I described, nothing has changed.




typing in Test-Outlookconnectivity -protocol http -identity user and getting



[PS] C:\Windows\system32>Test-OutlookConnectivity -Identity dstutes -Protocol http
The parameter 'MailboxCredential' is required.
    + CategoryInfo          : OperationStopped: (Microsoft.Excha...onnectivityTask:TestOutlookConnectivityTask) [Test-
   OutlookConnectivity], MissingParameterException
    + FullyQualifiedErrorId : 549707E0,Microsoft.Exchange.Monitoring.TestOutlookConnectivityTask


Do I need to add a password?
0
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
What if you run for the other server?
Hope all Exchange services are started on the server?
Test-ServiceHealth

No, the above command you ran does not require Password.

- Rancy
0
 
AllIntUni2000 (Author) Commented:
Other server gives me the same error (CAS1)
[PS] C:\Windows\system32>Test-OutlookConnectivity -protocol:HTTP -GetDefaultsFromAutodiscover$true
The parameter 'MailboxCredential' is required.
    + CategoryInfo          : OperationStopped: (Microsoft.Excha...onnectivityTask:TestOutlookConnectivityTask) [Test-
   OutlookConnectivity], MissingParameterException
    + FullyQualifiedErrorId : 578A4A2C,Microsoft.Exchange.Monitoring.TestOutlookConnectivityTask

BAD CAS Server (CAS2)
[PS] C:\Windows\system32>Test-OutlookConnectivity -Protocol:http -GetDefaultsFromAutodiscover$true
The parameter 'MailboxCredential' is required.
    + CategoryInfo          : OperationStopped: (Microsoft.Excha...onnectivityTask:TestOutlookConnectivityTask) [Test-
   OutlookConnectivity], MissingParameterException
    + FullyQualifiedErrorId : 549707E0,Microsoft.Exchange.Monitoring.TestOutlookConnectivityTask


Good CAS server
[PS] C:\Windows\system32>Test-ServiceHealth


Role                    : Client Access Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeAB, MSExchangeADTopology, MSExchangeFBA, MSExchangeFDS, MSExchangeMailbo
                          xReplication, MSExchangeProtectedServiceHost, MSExchangeRPC, MSExchangeServiceHost, W3Svc, Wi
                          nRM}
ServicesNotRunning      : {}


BAD CAS server (CAS2)


[PS] C:\Windows\system32>Test-ServiceHealth


Role                    : Client Access Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeAB, MSExchangeADTopology, MSExchangeFBA, MSExchangeFDS, MSExchangeMailbo
                          xReplication, MSExchangeProtectedServiceHost, MSExchangeRPC, MSExchangeServiceHost, W3Svc, Wi
                          nRM}
ServicesNotRunning      : {}
0
 
AllIntUni2000 (Author) Commented:
did notice some DCOM errors in eventlog as well.. Event ID 10009

DCOM was unable to communicate with the computer MAIL.alliant.edu using any of the configured protocols.
0
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
Did you try to restart the affected CAS and what is the time on both the servers ??

- Rancy
0
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
Please try to change some sensitive information :)
0
 
AllIntUni2000 (Author) Commented:
Time on both are correct.... I am planning on restarting both of the servers this evening in a few...
0
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
Are both VMs?
Do try to Restart the Good one first and then the affected one and check for time and alerts.
Hope the NIC Binding order is the same on both servers ?

- Rancy

Event ID 10016 — COM Security Policy Configuration
http://technet.microsoft.com/en-us/library/dd337789(v=WS.10).aspx
http://social.technet.microsoft.com/wiki/contents/articles/1333.windows-server-2008-event-id-10016-com-security-policy-configuration.aspx

http://support.microsoft.com/kb/957713
0
 
AllIntUni2000 (Author) Commented:
Also,

both CAS servers live on the same virtual host.. Hyper-V environment.

We had similar issues about a month ago and you helped.. thank you. Turned out we needed a static ARP entry on our router for the vip for the WNLB.
0
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
I almost do so much everyday that I forgot what all I did 2 days ago and have to recollect so a continuous comments and quick stuff helps me concentrate :)

- Rancy
0
 
AllIntUni2000 (Author) Commented:
how do I check that the binding order is correct?
0
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
Start - Run - Type in 'ncpa.cpl' without the Quotes and hit ok.

Go to Advanced and Advanced settings and check the Binding Order.

- Rancy
0
 
AllIntUni2000 (Author) Commented:
on the virtual host correct?
0
 
AllIntUni2000 (Author) Commented:
Production LAN team is at the top

Management NIC is below that
0
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
That's fine :)
0
 
AllIntUni2000 (Author) Commented:
Well, rebooted last night about 6.. we'll see how today goes. I did repoint DNS for our virtual IP and name back to the WNLB vs CAS1.. so I am hoping that connection issues will go away. I will report back later today and let you know.
0
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
Sure ... :)
0
 
AllIntUni2000 (Author) Commented:
Well, getting into the morning, just a few people where it asks for their password but lets them right in. I am thinking they had Outlook open after we did the reboot.

Made http://www.expta.com/2011/07/fix-for-dcom-10009-errors-in-exchange.html this Change on both of my cas servers.. seems to have fixed it? I hope...
0
 
AllIntUni2000 (Author) Commented:
So, now multiple clients both 2007 and 2010 are being prompted for credentials...

Thoughts?
0
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
Can you try to stop services on the CAS2 just to ensure all queries go to CAS1 and then we can check on it?

Hope no errors on the VM box or the host itself.
We can hardcode clients for CAS1 ... but it's a large number of clients I guess you have.

- Rancy
0
 
AllIntUni2000 (Author) Commented:
6 sites across California, roughly 1000 users and students per
0
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
Outlook prompt for username and password on MS Exchange 2010 DAG & CAS Servers
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26430756.html

I would say check IIS once and make sure that the settings on both the CAS is the same and the what all services in Automatic aren't running (Remote registry, IIS, etc)?

- Rancy
0
 
AllIntUni2000 (Author) Commented:
I have noticed that several clients that are connected to CAS instead of outlook..

see attached.

Could this be an issue with auto discover?
2012-09-05-1133.png
2012-09-05-1142.png
0
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
What is Outlook ... yes surely that's an issue? Hope no server was installed and removed because you couldn't get that up or some stale object?

Check for any host entries? Do you have Single domain environment?

- Rancy
0
 
AllIntUni2000 (Author) Commented:
single forest two domains.. although the sub domain does not seem to be affected.

No Host entries are present on either CAS server.

Outlook is the vip of our WNLB.. previously, I had noticed that it was outlookl.company.edu which I changed back to outlook about a week ago. Have not seen any issues since moving DNS back to the WNLB outlook.company.edu address.

I'm about 30 seconds from calling Microsoft.

So, should I stop all of the services on one of the cas servers and see if issues go away?
0
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
No Host entries - On the client machine :)

Hope you corrected all DNS entries? If you have multiple DNS servers make sure that it's replicated.

Yes you can try and best to Get MS to see as the issue is getting bigger!

- Rancy
0
 
AllIntUni2000 (Author) Commented:
Checking DNS, and it looks good at a few other DCs across the sites I have checked. We have a static entry for outlook resolving to 0.61

I think at this point, I'm going to call MS.. Thank you for your help. I will check back if I find anything else.
0
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
Let me know about MS findings as well ... so I can upgrade my Mind Database and see what I missed.

- Rancy
0
 
AllIntUni2000 (Author) Commented:
Still waiting at this point.. I think it's within two hours they will have to call back.  I have about another hour to go.

I did find this article..

http://social.technet.microsoft.com/Forums/en-US/exchangesvrgeneral/thread/b18d0624-51da-4045-9302-fc0832ccf3ae/

and am going to suggest it to MS
0
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
Why not check this as if it resolves you can get the ticket refunded as no troubleshooting was done.

- Rancy
0
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
Get-MailboxDatabase | FL RPC*

- Rancy
0
 
AllIntUni2000 (Author) Commented:
Only one is listed under VMAIL.company.edu the rest of the Databases are listed as outlook.company.edu


Is there a way to tell what is pointed to vmail? This may have resolved it.

VMAIL is another CAS server, but not included in the CAS array.
0
 
AllIntUni2000 (Author) Commented:
I found the remaining one.. was a db I created recently.

I will verify and test and let you know.. good find.
0
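
Added example (not part of the original thread): one way to audit the RpcClientAccessServer values discussed above from the Exchange Management Shell, assuming the CAS array FQDN is outlook.company.edu as in the thread. The variable names are illustrative, and the final step only previews the change with -WhatIf.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2010).
# Assumption: the CAS array FQDN is the one named in the thread.
$expected = 'outlook.company.edu'

# 1. Show the CAS array object, its AD site and its member servers.
Get-ClientAccessArray | Format-List Name, Fqdn, Site, Members

# 2. Find mailbox databases whose RPC endpoint is NOT the array name.
#    A database created before the array existed, or created recently
#    from a different CAS, keeps the FQDN of that individual server.
$stray = @(Get-MailboxDatabase |
    Where-Object { $_.RpcClientAccessServer -ne $expected } |
    Select-Object Name, Server, RpcClientAccessServer)

if ($stray.Count -eq 0) {
    "All databases point at $expected"
} else {
    $stray | Format-Table -AutoSize
}

# 3. Check what the array name resolves to from this machine, to compare
#    with the WNLB virtual IP rather than a single node's address.
$addresses = [System.Net.Dns]::GetHostAddresses($expected) |
    ForEach-Object { $_.IPAddressToString }
"{0} resolves to: {1}" -f $expected, ($addresses -join ', ')

# 4. Preview the correction for each stray database. Remove -WhatIf to apply.
foreach ($db in $stray) {
    Set-MailboxDatabase -Identity $db.Name -RpcClientAccessServer $expected -WhatIf
}
```

Running step 3 from a client in each AD site as well as from the CAS servers shows whether every site gets the same answer for the array name.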
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
If this fixes ... wallah ask MS to Please refund :)
0
 
AllIntUni2000 (Author) Commented:
We luckily have 1 free call left from our technet... so that would be great if we don't have to burn it.

I am going to do some testing
0
 
AllIntUni2000 (Author) Commented:
Checked with a few users just now, and that did not seem to resolve the issue.. so, still waiting on Microsoft.
0
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
Hope the RPC service is running on all CAS servers .... also what change was made before the issue started ?

- Rancy
0
 
AllIntUni2000 (Author) Commented:
repointed DNS for outlook.company.edu from CAS1 back to the WNLB ip

then rebooted both CAS servers

static DNS entry

nslookup comes back correct.

RPC server service is running
0
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
So the only change made was DNS and CAS Array Name change ?

Hope the DNS is resolving fine on both CAS servers.

- Rancy
0
 
AllIntUni2000 (Author) Commented:
when I do nslookup CAS1 it comes back to 172.16.0.103 and 0.88 (LAN nic) which is the IP assigned to the Load Balancer for CAS1

When I do nslookup CAS2 it comes back to 172.16.0.104 and 0.89 (LAN Nic)  which is the IP for CAS2 Load Balancer

When I do nslookup on outlook it comes back as 172.16.0.61 which is the load balancer itself.
0
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
So users should see "outlook" as Mailbox Database RPClient info and not CAS1\2 or VMAIL ?

- Rancy
0
 
AllIntUni2000 (Author) Commented:
Just got off call 1 with Microsoft (3 hours later)

The CAS array is running fine.. It is a problem with DNS and the WNLB.

I have been escalated up to the networking team and WNLB team... and since this is the same issue as we had last month, they re-opened our original case
0
 
AllIntUni2000 (Author) Commented:
per your previous comment, YES.. should see Outlook and not CAS1/Vmail
0
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
I have been escalated up to the networking team and WNLB team... and since this is the same issue as we had last month, they re-opened our original case - Perfect so no additional cost I guess?

You tried your best and very hard I know ..... humm DNS :) .... as I had said earlier could be DNS replication issues :(

- Rancy
0
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
One more thing .... was there some DC\DNS or some Server that had some roles died or was removed ungracefully? If Yes .... was metadata done to clean its remains?

- Rancy
0
 
AllIntUni2000 (Author) Commented:
Only DCs that were removed recently were RODCs... one for site A, and one for Site B.

And a DC that was removed ungracefully but we have not had issues as far as I know.. it was a TestDC that would not demote. My Network Engineer removed it, and I see no trace of that server since... it does not resolve or anything
0
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
And a DC that was removed ungracefully but we have not had issues as far as I know.. it was a TestDC that would not demote - Was this in production??

Was this happened last time when MS was on? Did they not check this?

Ideally you don't see such references as if I don't have a DNS entry how can you resolve anything in the environment? - Does it Makes sense :)

I would say check that as well :) - by the way when was this removal done and what roles did it have ?

I guess we checked the FSMO role holder if not please check.

- Rancy
0
 
AllIntUni2000 (Author) Commented:
I believe it was just a GC/DNS but not a primary DC.. my FSMO role holders are locally here and at one of the affected sites.

MS agrees that it is a DNS / WNLB issue. I am trying to get them to tell me that the WNLB is not a very good product to justify getting one of the Kemp NLBs...
0
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
MS agrees that it is a DNS / WNLB issue. I am trying to get them to tell me that the WNLB is not a very good product to justify getting one of the Kemp NLBs -- Smart :)

Ask them to check with metadata .... if there is any info of those server it can anytime haunt you as Exchange badly depends on DNS and AD.

- Rancy
0
 
AllIntUni2000 (Author) Commented:
Understood... I will have them check that as well.
0
 
AllIntUni2000 (Author) Commented:
Well, after an initial 3 hours on the phone with the CAS guys, they moved me up to the networking team.. The Networking team and I isolated the issue to the WNLB / DNS. 100%

We placed a hosts file on an affected client and tested to both of the CAS servers 103 and 104, and it connects no problem whatsoever. Once we remove the hosts file and it goes back to outlook, 0.61 it is no dice.

Microsoft had me run Network Monitor on both CAS servers, vmail which is another CAS server but not in the array, and the affected client. Had me run it with the hosts file in, and out and upload them the results.. they will "Analyze" the netmon and let us know.

Upon further troubleshooting, it appears that I can only reproduce the problem at one of our 7 AD sites we have.
0
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
As we spoke Host file will specifically point to the CAS we want .... so lets see what they find from Netmon ..... :)

- Rancy
0
 
AllIntUni2000 (Author) Commented:
Latest update, per Microsoft, it's an issue with our Cisco router.. we have to contact Cisco (With M$) on the line and have them duke it out.

My CCNP Network Engineer says otherwise. Kinda a blame game now
0
 
AllIntUni2000 (Author) Commented:
MS had us put a static ARP entry in our Routers at each of our 7 campus locations

Did not resolve the issue. Their gripe is that you cannot ping outlook.company.edu from other subnets.. I disagree but hey.. what do I know.
0
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
So you're saying the best Cisco and MS unable to find a way??

- Rancy
0
 
AllIntUni2000 (Author) Commented:
Well,

We are on day two of running on the NLB. Microsoft and Cisco determined we had placed our static ARP entries on the wrong router.. they had to be in our MPLS routers and not the campus routers.. after adding those, all is working well. *knock on wood*
0
 
AllIntUni2000 (Author) Commented:
DNS issue that Rancy identified
0
