Solved

Exchange 2013 - Double password and bad request

Posted on 2013-05-20
Last Modified: 2013-06-03
Hi all,

A few issues with our Exchange 2013 server: when we load https://mail/ecp we get the login form, after which we also get a dialog box to log in, and eventually we are met with Bad Request.

There's nothing useful in the event viewer either.

Can anyone help us out?

Thanks
0
Question by:awilderbeast
 
LVL 15

Expert Comment

by:GreatVargas
ID: 39183742
On that first login form you should put in (by default) domain\user.
What type of second dialog box do you get prompted with afterwards? Does the user that you are using have a mailbox in that Exchange organization? Is it on Exchange 2013 (the mailbox)?
0
 
LVL 1

Author Comment

by:awilderbeast
ID: 39183885
Well, I've since recreated both the Exchange front end and back end directories and we've just opened a call with Microsoft, but if we can get it sorted before they call me, we can cancel it.

At the moment we do not get the second prompt anymore.

Using the login form, I get "username or password incorrect" for both the administrator account and my mailbox account (both user and pass are correct with the domain\user format).

Thanks
0
 
LVL 15

Expert Comment

by:GreatVargas
ID: 39183919
And do they have a mailbox? Can you open the Exchange Management Shell? If so, do a get-mailbox and see the mailbox-enabled users. Not really sure if you have many, just trying to make sure that the ones you're trying with have a mailbox.
If this is a new clean Exchange installation, the user that installed Exchange will for sure have a mailbox.
Also, can you get into https://mail/owa with the same credentials you use to try to get into ECP?
0
 
LVL 1

Author Comment

by:awilderbeast
ID: 39183936
Yes, they both have mailboxes there. It was working before but now it does not.

I can't log in to OWA either.
0
 
LVL 15

Expert Comment

by:GreatVargas
ID: 39183975
Well, I know this is a basic check, but can you see if the account is locked and also change the password just to make sure? Also, can you log in with any account? Can you use Outlook? Just trying to understand if this is an issue only with the OWA and ECP virtual directories. Outlook will use Outlook Anywhere.
You can also test EWS by typing your EWS internal URL into a browser.
get-webservicesvirtualdirectory |ft internalurl
will give you the exact URL that you need to type (Exchange Management Shell cmdlet).
Finally, let's check the authentication methods on OWA:
Get-OwaVirtualDirectory |ft *auth*
Check out the internalauthenticationmethods, and whether you have at least basic and forms auth as true.
0
 
LVL 1

Author Comment

by:awilderbeast
ID: 39184050
Yup, all checked.

Here's the output of said commands.

mail is our 2007 server
mailfront is our 2007 webmail server
email is our 2013 server
emailfront is our 2013 webmail server

email is the one I recently recreated; odd that it doesn't have an asmx like the others.
[PS] C:\Windows\system32>get-webservicesvirtualdirectory |ft internalurl
Creating a new session for implicit remoting of "Get-WebServicesVirtualDirectory" command...

InternalUrl
-----------
https://mail.domain.co.uk/EWS/Exchange.asmx
https://mailfront.domain.co.uk/EWS/Exchange.asmx
https://emailfront.domain.co.uk/EWS/Exchange.asmx
https://email/ews



And the other returns this:

ClientAuthCle InternalAuthe BasicAuthenti WindowsAuthe DigestAuthen FormsAuthent LiveIdAuthen AdfsAuthenti ExternalAuth
    anupLevel nticationMeth        cation    ntication     tication      ication     tication       cation enticationMe
              ods                                                                                          thods       
------------- ------------- ------------- ------------ ------------ ------------ ------------ ------------ ------------
         High {Basic, Nt...          True         True        False        False        False        False {Fba}       
         High {Basic, Nt...          True         True        False        False        False        False {Fba}       
         High {Basic, Nt...          True         True        False        False        False        False {Fba}       
         High {Basic, Nt...          True         True        False        False        False        False {Fba}       
         High {Basic}                True        False        False        False        False        False {Fba}       
         High {Basic}                True         True        False        False        False        False {Fba}       
         High {Basic}                True         True        False        False        False        False {Fba}       
         High {Basic}                True         True        False        False        False        False {Fba}       
         High {Basic}                True        False        False        False        False        False {Fba}       
         High {Basic}                True        False        False        False        False        False {Fba}       
         High {Basic, Fba}           True        False        False         True        False        False {Fba}       



Thanks
0
 
LVL 15

Expert Comment

by:GreatVargas
ID: 39184065
OK, I think I got the issue.
You have only one server with forms-based authentication.
To find out which one, run:
Get-OwaVirtualDirectory |ft server,internalauth*, formsauth*
It will probably be your emailfront, which is your CAS.
So please confirm the below:
https://emailfront.domain.co.uk/EWS/Exchange.asmx - HAS ONLY THE CAS ROLE 2013
https://email/ews - HAS ONLY THE MAILBOX ROLE 2013
Now do the following in order:
1- https://emailfront.domain.co.uk/owa and use a 2013 user to try and get in
2- https://emailfront.domain.co.uk/owa and use a 2007 user to try and get in

If you don't have a 2013 user, please use the shell to create one.
You said at the beginning of the post that you're trying to access https://mail/ecp.
If mail is the 2007 server you should use emailfront. Always use the 2013 CAS to try and get in.
With the proper configuration the request will be processed on 2013 or proxied to 2007.
0
 
LVL 15

Expert Comment

by:GreatVargas
ID: 39184066
Of course, if it's a 2007 user you can use the old address, but not the old address for a 2013 user. Always use the CAS 2013 address.
0
 
LVL 1

Author Comment

by:awilderbeast
ID: 39184386
https://emailfront.domain.co.uk/ has only the CAS role
https://email/ews has the CAS and MAILBOX roles
emailfront is for webmail for external access; email is for internal access and mailbox

email has forms authentication set to true.

I am trying to access https://email, which is Ex2013, where my mailbox lives.

Thanks
0
 
LVL 15

Expert Comment

by:GreatVargas
ID: 39187019
Do a get-owavirtualdirectory |ft server, internalurl, externalurl and see what URLs you have configured.

Also, you should have similar auth methods on the emailfront and email CAS roles.
0
 
LVL 1

Accepted Solution

by:
awilderbeast earned 0 total points
ID: 39204162
Fixed by Microsoft; needed to run the following:

Add-PSSnapin *exchange*
Set-EcpVirtualDirectory -Identity "E15MBX\ecp (Exchange Back End)" -WindowsAuthentication $true -FormsAuthentication $false


0
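An added example, not part of the original thread or Microsoft's fix: a check that flags back-end ECP virtual directories whose settings differ from the state the accepted solution sets (WindowsAuthentication true, FormsAuthentication false). The function name Test-BackEndEcpAuth, the server name E15CAS and the sample rows are constructed for illustration; E15MBX is taken from the command above.

```powershell
function Test-BackEndEcpAuth {
    [CmdletBinding()]
    param(
        # One virtual directory object (or a sample row with the same properties).
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$VirtualDirectory
    )
    process {
        # Only back-end directories are evaluated; the fix in this thread
        # changes nothing on the front-end (Default Web Site) directories.
        if ($VirtualDirectory.Name -notlike '*(Exchange Back End)*') { return }

        $problems = @()
        if ($VirtualDirectory.FormsAuthentication) {
            $problems += 'FormsAuthentication is enabled'
        }
        if (-not $VirtualDirectory.WindowsAuthentication) {
            $problems += 'WindowsAuthentication is disabled'
        }

        [pscustomobject]@{
            Server   = $VirtualDirectory.Server
            Name     = $VirtualDirectory.Name
            Matches  = ($problems.Count -eq 0)   # $true when it matches the fixed state
            Problems = ($problems -join '; ')
        }
    }
}

# Constructed sample rows, shaped like Get-EcpVirtualDirectory output.
$sample = @(
    [pscustomobject]@{ Server = 'E15CAS'; Name = 'ecp (Default Web Site)'
                       FormsAuthentication = $true;  WindowsAuthentication = $false }
    [pscustomobject]@{ Server = 'E15MBX'; Name = 'ecp (Exchange Back End)'
                       FormsAuthentication = $true;  WindowsAuthentication = $false }  # broken state
    [pscustomobject]@{ Server = 'E15MBX'; Name = 'ecp (Exchange Back End)'
                       FormsAuthentication = $false; WindowsAuthentication = $true }   # after the fix
)

$sample | Test-BackEndEcpAuth | Format-Table -AutoSize

# On a live server, from the Exchange Management Shell, the same check is:
#   Get-EcpVirtualDirectory -ShowMailboxVirtualDirectories | Test-BackEndEcpAuth
```

Running the check before and after an authentication change gives a record of which back-end directory was altered, which is useful when virtual directories have been recreated as they were earlier in this thread.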
 
LVL 1

Author Closing Comment

by:awilderbeast
ID: 39215601
as above
0
