awilderbeast

asked on

Exchange 2013 - Double password and bad request

Hi all,

A few issues with our Exchange 2013 server: when we load https://mail/ecp we get the login form, after which we also get a dialog box to log in, and eventually we are met with "Bad Request".

There's nothing useful in the Event Viewer either.

Can anyone help us out?

Antonio Vargas

On that first login form you should put in (by default) domain\user.
What type of second dialog box do you get prompted with afterwards? Does the user that you are using have a mailbox in that Exchange organization? Is it on Exchange 2013 (the mailbox)?

awilderbeast

Well, I've since recreated both Exchange front end and back end directories and we've just opened a call with Microsoft, but if we can get it sorted before they call me, we can cancel it.

At the moment we do not get the second prompt anymore.

Using the login form, I get "username or password incorrect" for both the administrator account and my mailbox account (both user and pass are correct with the domain\user format).

And do they have a mailbox? Can you open the Exchange Management Shell? If so, do a get-mailbox and see the mailbox-enabled users. Not really sure if you have many, just trying to make sure that the ones you're trying with have a mailbox.
If this is a new clean Exchange installation, the user that installed Exchange will for sure have a mailbox.
Also, can you get into https://mail/owa with the same credentials you try to get into ECP with?

Yes, they both have mailboxes there. It was working before but now it does not.

I can't log in to OWA either.

Well, I know this is a basic check, but can you see if the account is locked and also change the password just to make sure? Also, can you log in with any account? Can you use Outlook? Just trying to understand if this is an issue only with the OWA and ECP virtual directories. Outlook will use Outlook Anywhere.
You can also test EWS by typing your EWS internal URL into a browser.
get-webservicesvirtualdirectory |ft internalurl
will give you the exact URL that you need to type (Exchange Management Shell cmdlet).
Finally, let's check the authentication methods on OWA:
Get-OwaVirtualDirectory |ft *auth*
Check the InternalAuthenticationMethods, and whether you have at least basic and forms auth as true.

Yup, all checked.

Here's the output of said commands.

mail is our 2007 server
mailfront is our 2007 webmail server
email is our 2013 server
emailfront is our 2013 webmail server

email is the one I recently recreated; odd that it doesn't have an asmx like the others.
[PS] C:\Windows\system32>get-webservicesvirtualdirectory |ft internalurl
Creating a new session for implicit remoting of "Get-WebServicesVirtualDirectory" command...


and the other returns this

ClientAuthCle InternalAuthe BasicAuthenti WindowsAuthe DigestAuthen FormsAuthent LiveIdAuthen AdfsAuthenti ExternalAuth
    anupLevel nticationMeth        cation    ntication     tication      ication     tication       cation enticationMe
              ods                                                                                          thods       
------------- ------------- ------------- ------------ ------------ ------------ ------------ ------------ ------------
         High {Basic, Nt...          True         True        False        False        False        False {Fba}       
         High {Basic, Nt...          True         True        False        False        False        False {Fba}       
         High {Basic, Nt...          True         True        False        False        False        False {Fba}       
         High {Basic, Nt...          True         True        False        False        False        False {Fba}       
         High {Basic}                True        False        False        False        False        False {Fba}       
         High {Basic}                True         True        False        False        False        False {Fba}       
         High {Basic}                True         True        False        False        False        False {Fba}       
         High {Basic}                True         True        False        False        False        False {Fba}       
         High {Basic}                True        False        False        False        False        False {Fba}       
         High {Basic}                True        False        False        False        False        False {Fba}       
         High {Basic, Fba}           True        False        False         True        False        False {Fba}       

OK, I think I got the issue.
You have only one server with forms-based authentication.
To find out which one, run:
Get-OwaVirtualDirectory |ft server,internalauth*, formsauth*
It will probably be your e-mailfront, which is your CAS.
so please confirm the below: - HAS ONLY THE CAS ROLE 2013
https://email/ews - HAS ONLY THE MAILBOX ROLE 2013
now do the following in order:
1- and use a 2013 user to try and get in
2- and use a 2007 user to try and get in

If you don't have a 2013 user, please use the shell to create one.
You said at the beginning of the post that you're trying to access https://mail/ecp.
If mail is the 2007, you should use emailfront. Always use the 2013 CAS to try and get in.
With the proper configuration, the request will be processed on 2013 or proxied to 2007.
Of course, if it's a 2007 user you can use the old address, but not the old address for a 2013. Always use the CAS 2013 address.

has only the CAS Role
https://email/ews has the CAS and MAILBOX role
emailfront is for webmail for external access; email is for internal access and mailbox.

email has forms authentication set to true.

I am trying to access https://email, which is ex2013 where my mailbox lives.

Do a get-owavirtualdirectory |ft server, internalurl, externalurl and see what URLs you have configured.

Also, you should have similar auth methods on the emailfront and email CAS roles.
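
The comparison suggested in the replies above (which servers have forms authentication, and whether the auth methods are similar across them) can be done in one pass. This is an added example, not code posted by anyone in the thread; `Get-VdirAuthSummary` and `New-SampleVdir` are hypothetical helper names, and the sample rows are constructed (only the server names `email` and `emailfront` come from the thread).

```powershell
# Added example (not from the thread): summarise OWA/ECP authentication per server.
function Get-VdirAuthSummary {
    param([Parameter(Mandatory)][object[]]$VirtualDirectory)

    $flags = 'BasicAuthentication', 'WindowsAuthentication', 'FormsAuthentication'
    foreach ($group in ($VirtualDirectory | Group-Object { [string]$_.Server })) {
        # One settings string per virtual directory, e.g. "Basic=True Windows=False Forms=True"
        $settings = @($group.Group | ForEach-Object {
            $vdir = $_
            ($flags | ForEach-Object { "$($_ -replace 'Authentication')=$($vdir.$_)" }) -join ' '
        } | Select-Object -Unique)

        [pscustomobject]@{
            Server       = $group.Name
            # False when the directories on this server do not share the same settings
            Consistent   = ($settings.Count -eq 1)
            # Names of the directories on this server with forms authentication disabled
            FormsAuthOff = @($group.Group | Where-Object { -not $_.FormsAuthentication } |
                             ForEach-Object { $_.Name }) -join ', '
            Settings     = $settings -join ' | '
        }
    }
}

# Constructed sample rows; server names are from the thread, the values are invented.
function New-SampleVdir($Server, $Name, $Basic, $Windows, $Forms) {
    [pscustomobject]@{ Server = $Server; Name = $Name; BasicAuthentication = $Basic
                       WindowsAuthentication = $Windows; FormsAuthentication = $Forms }
}
$sample = @(
    New-SampleVdir 'emailfront' 'owa (Default Web Site)' $true $false $true
    New-SampleVdir 'emailfront' 'ecp (Default Web Site)' $true $false $true
    New-SampleVdir 'email'      'owa (Default Web Site)' $true $true  $false
    New-SampleVdir 'email'      'ecp (Default Web Site)' $true $false $true
)
Get-VdirAuthSummary -VirtualDirectory $sample | Format-Table -AutoSize -Wrap

# In the Exchange Management Shell, feed it the live objects instead:
#   Get-VdirAuthSummary -VirtualDirectory (@(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory))
```

Comparing the `Settings` column between rows shows whether the servers use similar authentication methods, and a non-empty `FormsAuthOff` column names the directories where the login form is not the configured method.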

awilderbeast

as above