Solved

Exchange 2013 - Double password and bad request

Posted on 2013-05-20
Last Modified: 2013-06-03
Hi all,

A few issues with our Exchange 2013 server: when we load https://mail/ecp we get the login form, after which we also get a dialog box to log in; eventually we are met with bad request.

There's nothing useful in the event viewer either.

Can anyone help us out?

Thanks
Question by:awilderbeast
12 Comments
 
LVL 15

Expert Comment

by:GreatVargas
ID: 39183742
On that first login form you should put in (by default) domain\user.
What type of second dialog box do you get prompted with afterwards? Does the user that you are using have a mailbox in that Exchange organization? Is it on Exchange 2013 (the mailbox)?
0
 
LVL 1

Author Comment

by:awilderbeast
ID: 39183885
Well, I've since recreated both Exchange front end and back end directories and we've just opened a call with Microsoft, but if we can get it sorted before they call me, we can cancel it.

At the moment we do not get the second prompt anymore.

Using the login form, I get username or password incorrect for both the administrator account and my mailbox account (both user and pass are correct with the domain\user format).

Thanks
0
 
LVL 15

Expert Comment

by:GreatVargas
ID: 39183919
And do they have a mailbox? Can you open the Exchange Management Shell? If so, do a get-mailbox and see the mailbox-enabled users. Not really sure if you have many, just trying to make sure that the ones you're trying with have a mailbox.
If this is a new clean Exchange installation, the user that installed Exchange will for sure have a mailbox.
Also, can you get into https://mail/owa with the same credentials you try to get into ECP?
0
 
LVL 1

Author Comment

by:awilderbeast
ID: 39183936
Yes, they both have mailboxes there. It was working before but now it does not.

I can't log in to OWA either.
0
 
LVL 15

Expert Comment

by:GreatVargas
ID: 39183975
Well, I know this is a basic check, but can you see if the account is locked and also change the password just to make sure? Also, can you log in with any account? Can you use Outlook? Just trying to understand if this is an issue only with the OWA and ECP virtual directories. Outlook will use Outlook Anywhere.
You can also test EWS by typing your EWS internal URL in a browser:
get-webservicesvirtualdirectory |ft internalurl
will give you the exact URL that you need to type (Exchange Management Shell cmdlet).
Finally, let's check the authentication methods on OWA:
Get-OwaVirtualDirectory |ft *auth*
Check out the InternalAuthenticationMethods, and whether you have at least basic and forms auth as true.
0
 
LVL 1

Author Comment

by:awilderbeast
ID: 39184050
Yup, all checked.

Here's the output of said commands.

mail is our 2007 server
mailfront is our 2007 webmail server
email is our 2013 server
emailfront is our 2013 webmail server

email is the one I recently recreated; odd that it doesn't have an asmx like the others
[PS] C:\Windows\system32>get-webservicesvirtualdirectory |ft internalurl
Creating a new session for implicit remoting of "Get-WebServicesVirtualDirectory" command...

InternalUrl
-----------
https://mail.domain.co.uk/EWS/Exchange.asmx
https://mailfront.domain.co.uk/EWS/Exchange.asmx
https://emailfront.domain.co.uk/EWS/Exchange.asmx
https://email/ews


and the other returns this

ClientAuthCle InternalAuthe BasicAuthenti WindowsAuthe DigestAuthen FormsAuthent LiveIdAuthen AdfsAuthenti ExternalAuth
    anupLevel nticationMeth        cation    ntication     tication      ication     tication       cation enticationMe
              ods                                                                                          thods       
------------- ------------- ------------- ------------ ------------ ------------ ------------ ------------ ------------
         High {Basic, Nt...          True         True        False        False        False        False {Fba}       
         High {Basic, Nt...          True         True        False        False        False        False {Fba}       
         High {Basic, Nt...          True         True        False        False        False        False {Fba}       
         High {Basic, Nt...          True         True        False        False        False        False {Fba}       
         High {Basic}                True        False        False        False        False        False {Fba}       
         High {Basic}                True         True        False        False        False        False {Fba}       
         High {Basic}                True         True        False        False        False        False {Fba}       
         High {Basic}                True         True        False        False        False        False {Fba}       
         High {Basic}                True        False        False        False        False        False {Fba}       
         High {Basic}                True        False        False        False        False        False {Fba}       
         High {Basic, Fba}           True        False        False         True        False        False {Fba}       


Thanks
0
 
LVL 15

Expert Comment

by:GreatVargas
ID: 39184065
OK, I think I got the issue.
You have only one server with forms-based authentication.
To find out which one, run:
Get-OwaVirtualDirectory |ft server,internalauth*, formsauth*
It will probably be your emailfront, which is your CAS.
So please confirm the below:
https://emailfront.domain.co.uk/EWS/Exchange.asmx - HAS ONLY THE CAS ROLE 2013
https://email/ews - HAS ONLY THE MAILBOX ROLE 2013
Now do the following in order:
1- https://emailfront.domain.co.uk/owa and use a 2013 user to try and get in
2- https://emailfront.domain.co.uk/owa and use a 2007 user to try and get in

If you don't have a 2013 user, please use the shell to create one.
You said at the beginning of the post that you're trying to access https://mail/ecp
If mail is the 2007, you should use emailfront. Always use the 2013 CAS to try and get in.
With the proper configuration the request will be processed on 2013 or proxied to 2007.
0
 
LVL 15

Expert Comment

by:GreatVargas
ID: 39184066
Of course, if it's a 2007 user you can use the old address, but not the old address for a 2013 user. Always use the CAS 2013 address.
0
 
LVL 1

Author Comment

by:awilderbeast
ID: 39184386
https://emailfront.domain.co.uk/ has only the CAS Role
https://email/ews has the CAS and MAILBOX role
emailfront is for webmail for external access, email is for internal access and mailbox

Email has forms authentication set to true

I am trying to access https://email which is Ex2013, where my mailbox lives.

Thanks
0
 
LVL 15

Expert Comment

by:GreatVargas
ID: 39187019
Do a get-owavirtualdirectory |ft server, internalurl, externalurl and see what URLs you have configured.

Also, you should have similar auth methods on emailfront and email CAS roles.
0
 
LVL 1

Accepted Solution

by:
awilderbeast earned 0 total points
ID: 39204162
Fixed by Microsoft; needed to run the following:

Add-PSSnapin *exchange*
Set-EcpVirtualDirectory -Identity "E15MBX\ecp (Exchange Back End)" -WindowsAuthentication $true -FormsAuthentication $false

0
 
LVL 1

Author Closing Comment

by:awilderbeast
ID: 39215601
As above.
0
