Exchange 2013 - Double password and bad request

Hi all,

A few issues with our Exchange 2013 server: when we load https://mail/ecp we get the login form, after which we also get a dialog box to log in, and eventually we are met with a bad request.

There's nothing useful in the event viewer either.

Can anyone help us out?

Thanks
awilderbeast Asked:
 
awilderbeast (Author) Commented:
Fixed by Microsoft; we needed to run the following:

Add-PSSnapin *exchange*
Set-EcpVirtualDirectory -Identity "E15MBX\ecp (Exchange Back End)" -WindowsAuthentication $true -FormsAuthentication $false

0
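The fix above sets the back end ECP directory to Windows authentication with forms authentication off. The following is an added example, not part of the original thread or Microsoft's instructions: a check that flags back end virtual directories that differ from that state. The function name Test-BackEndVdirAuth is hypothetical, the sample objects are constructed, and applying the same expectation to other back end directories is an assumption.

```powershell
# Added example, not from the thread. Flags back end virtual directories whose
# authentication differs from the state the posted fix sets
# (WindowsAuthentication $true, FormsAuthentication $false).
function Test-BackEndVdirAuth {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$VirtualDirectory
    )
    process {
        # Back end directories carry the IIS site name in their Name,
        # e.g. "ecp (Exchange Back End)" as in the identity used in the fix.
        # Front end directories are skipped: forms auth is normal there.
        if ($VirtualDirectory.Name -notlike '*(Exchange Back End)') { return }

        $problems = @()
        if (-not $VirtualDirectory.WindowsAuthentication) {
            $problems += 'WindowsAuthentication is off'
        }
        if ($VirtualDirectory.FormsAuthentication) {
            $problems += 'FormsAuthentication is on'
        }

        [pscustomobject]@{
            Identity  = '{0}\{1}' -f $VirtualDirectory.Server, $VirtualDirectory.Name
            Compliant = ($problems.Count -eq 0)
            Problems  = $problems -join '; '
        }
    }
}

# Constructed sample objects standing in for Get-EcpVirtualDirectory /
# Get-OwaVirtualDirectory output that includes the back end directories.
$sample = @(
    [pscustomobject]@{ Server = 'E15MBX'; Name = 'ecp (Default Web Site)'
                       WindowsAuthentication = $false; FormsAuthentication = $true }
    [pscustomobject]@{ Server = 'E15MBX'; Name = 'ecp (Exchange Back End)'
                       WindowsAuthentication = $false; FormsAuthentication = $true }
    [pscustomobject]@{ Server = 'E15MBX'; Name = 'owa (Exchange Back End)'
                       WindowsAuthentication = $true;  FormsAuthentication = $false }
)

# Only the two back end entries are reported; the ecp one is non-compliant.
$sample | Test-BackEndVdirAuth | Format-Table -AutoSize
```

On a live server, pipe the real virtual directory objects into the function in place of `$sample`.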
 
Antonio Vargas (Microsoft Senior Cloud Consultant) Commented:
On that first login form you should put in (by default) domain\user.
What type of second dialog box do you get prompted with afterwards? Does the user that you are using have a mailbox on that Exchange organization? Is it on Exchange 2013 (the mailbox)?
0
 
awilderbeast (Author) Commented:
Well, I've since recreated both Exchange front end and back end directories and we've just opened a call with Microsoft, but if we can get it sorted before they call me, we can cancel it.

At the moment we do not get the second prompt anymore.

Using the login form, I get username or password incorrect for both the administrator account and my mailbox account (both user and pass are correct with the domain\user format).

Thanks
0
 
Antonio Vargas (Microsoft Senior Cloud Consultant) Commented:
And do they have a mailbox? Can you open the Exchange Management Shell? If so, do a get-mailbox and see the mailbox-enabled users. Not really sure if you have many, just trying to make sure that the ones you're trying with have a mailbox.
If this is a new clean Exchange installation, the user that installed Exchange will for sure have a mailbox.
Also, can you get into https://mail/owa with the same credentials you try to get into ecp?
0
 
awilderbeast (Author) Commented:
Yes, they both have mailboxes there. It was working before but now it does not.

I can't log in to OWA either.
0
 
Antonio Vargas (Microsoft Senior Cloud Consultant) Commented:
Well, I know this is a basic check, but can you see if the account is locked and also change the password just to make sure? Also, can you log in with any account? Can you use Outlook? Just trying to understand if this is an issue only with the OWA and ECP virtual directories. Outlook will use Outlook Anywhere.
You can also test EWS by typing your EWS internal URL into a browser.
get-webservicesvirtualdirectory |ft internalurl
will give you the exact URL that you need to type (Exchange Management Shell cmdlet).
Finally, let's check the authentication methods on OWA:
Get-OwaVirtualDirectory |ft *auth*
Check out the internalauthenticationmethods, and if you have at least basic and forms auth as true.
0
 
awilderbeast (Author) Commented:
Yup, all checked.

Here's the output of said commands.

mail is our 2007 server
mailfront is our 2007 webmail server
email is our 2013 server
emailfront is our 2013 webmail server

email is the one I recently recreated; odd that it doesn't have an asmx like the others
[PS] C:\Windows\system32>get-webservicesvirtualdirectory |ft internalurl
Creating a new session for implicit remoting of "Get-WebServicesVirtualDirectory" command...

InternalUrl
-----------
https://mail.domain.co.uk/EWS/Exchange.asmx
https://mailfront.domain.co.uk/EWS/Exchange.asmx
https://emailfront.domain.co.uk/EWS/Exchange.asmx
https://email/ews


and the other returns this

ClientAuthCle InternalAuthe BasicAuthenti WindowsAuthe DigestAuthen FormsAuthent LiveIdAuthen AdfsAuthenti ExternalAuth
    anupLevel nticationMeth        cation    ntication     tication      ication     tication       cation enticationMe
              ods                                                                                          thods       
------------- ------------- ------------- ------------ ------------ ------------ ------------ ------------ ------------
         High {Basic, Nt...          True         True        False        False        False        False {Fba}       
         High {Basic, Nt...          True         True        False        False        False        False {Fba}       
         High {Basic, Nt...          True         True        False        False        False        False {Fba}       
         High {Basic, Nt...          True         True        False        False        False        False {Fba}       
         High {Basic}                True        False        False        False        False        False {Fba}       
         High {Basic}                True         True        False        False        False        False {Fba}       
         High {Basic}                True         True        False        False        False        False {Fba}       
         High {Basic}                True         True        False        False        False        False {Fba}       
         High {Basic}                True        False        False        False        False        False {Fba}       
         High {Basic}                True        False        False        False        False        False {Fba}       
         High {Basic, Fba}           True        False        False         True        False        False {Fba}       


Thanks
0
 
Antonio Vargas (Microsoft Senior Cloud Consultant) Commented:
OK, I think I got the issue.
You have only one server with forms-based authentication.
To find out which one, run:
Get-OwaVirtualDirectory |ft server,internalauth*, formsauth*
It will probably be your emailfront, which is your CAS.
So please confirm the below:
https://emailfront.domain.co.uk/EWS/Exchange.asmx - HAS ONLY THE CAS ROLE 2013
https://email/ews - HAS ONLY THE MAILBOX ROLE 2013
Now do the following in order:
1- https://emailfront.domain.co.uk/owa and use a 2013 user to try and get in
2- https://emailfront.domain.co.uk/owa and use a 2007 user to try and get in

If you don't have a 2013 user, please use the shell to create one.
You said at the beginning of the post that you're trying to access https://mail/ecp
If mail is the 2007 you should use emailfront. Always use the 2013 CAS to try and get in.
With the proper configuration the request will be processed on 2013 or proxied to 2007.
0
 
Antonio Vargas (Microsoft Senior Cloud Consultant) Commented:
Of course, if it's a 2007 user you can use the old address, but not the old address for a 2013 user. Always use the CAS 2013 address.
0
 
awilderbeast (Author) Commented:
https://emailfront.domain.co.uk/ has only the CAS role
https://email/ews has the CAS and MAILBOX role
emailfront is for webmail for external access, email is for internal access and mailbox

email has forms authentication set to true

I am trying to access https://email which is Ex2013, where my mailbox lives

Thanks
0
 
Antonio Vargas (Microsoft Senior Cloud Consultant) Commented:
Do a get-owavirtualdirectory |ft server, internalurl, externalurl and see what URLs you have configured.

Also, you should have similar auth methods on the emailfront and email CAS roles.
0
 
awilderbeast (Author) Commented:
As above.
0
Question has a verified solution.
