HTTP/1.1 500 Internal Server Error OWA Exchange 2003
Hello everyone, I've got myself quite the problem, I've been trying to figure this one out for weeks.
I am speaking, as the title implies, of OWA on Exchange 2003 running on Small Business Server 2003. What was happening when the problem first occurred is that certain users would get an HTTP/1.1 500 Internal Server error when trying to log in. When investigating things I noticed that this would only occur on user's whose mail box said that the user was the last one to log into the mailbox, and on the ones where it would actually work, such as the administrator account, it would say that it was last accessed by "NT AUTHORITY\SYSTEM". During my troubleshooting I tried the following methods in the links below to no avail.
http://support.microsoft.com/kb/894965
http://support.microsoft.com/default.aspx?scid=kb;EN-US;829167
Tried uninstalling Exchange Update 926666 as stated was the solution by a poster in this thread - http://forums.msexchange.org/m_1800431832/mpage_1/key_/tm.htm#1800488577 , the reference for the update is - http://support.microsoft.com/kb/926666/
At first this appeared to have worked, but it started messing up the following day, I discovered that restarting the HTTP SSL service would get it to work again, this lasted for 2 days, but that also stopped working and I'm back to square one, I checked to see if it had automatically reinstalled the update but its still gone
I've tried nearly every permutation of directory security on all 6 of the virtual directories.
I have also tried this as there were some active sync errors as well -
http://support.microsoft.com/default.aspx?scid=kb;EN-US;817379
That article left me with a virtual directory called exchange2. It solved my activesync problems (as far as I know) but OWA is still out of commission.
But despite all of this very limited results which reverted back or none at all were encountered with all of the solutions. This morning at around 10 CST though nothing could be accessed from OWA, you couldn't even authenticate any more, it would just simply give the internal server error 500 as soon as you browse to the site, so I tried what I classified as last resort and did what this article said and deleted the 6 virtual directories and metabase key -
http://www.petri.co.il/fixing_a_damaged_or_incorrectly_configured_owa_2003_installation.htm
It behaved exactly as the article said it would, after deletion the directories were recreated and everything appeared to be good. But when i tried to access OWA it was still the same 500 internal server error page before even asking to login. So I went back and retried all of the previously mentioned solutions to see if trying them on fresh virtual directories would make a difference. When I tried the one that had me add them all to the exchangeapplicationpool again this got the limited functionality that I had before back, where i could authenticate with users last logged onto by the "NT AUTHORITY\SYSTEM" but anyone who had their username or anyone else's username listed as the last logged on by is not able to access it. So basically I'm back at square one, and I'm not sure where to go from here. I thank everyone in advance for any help they can provide, and if I can provide any additional information please let me know.
I am speaking, as the title implies, of OWA on Exchange 2003 running on Small Business Server 2003. What was happening when the problem first occurred is that certain users would get an HTTP/1.1 500 Internal Server error when trying to log in. When investigating things I noticed that this would only occur on user's whose mail box said that the user was the last one to log into the mailbox, and on the ones where it would actually work, such as the administrator account, it would say that it was last accessed by "NT AUTHORITY\SYSTEM". During my troubleshooting I tried the following methods in the links below to no avail.
http://support.microsoft.com/kb/894965
http://support.microsoft.com/default.aspx?scid=kb;EN-US;829167
Tried uninstalling Exchange Update 926666 as stated was the solution by a poster in this thread - http://forums.msexchange.org/m_1800431832/mpage_1/key_/tm.htm#1800488577 , the reference for the update is - http://support.microsoft.com/kb/926666/
At first this appeared to have worked, but it started messing up the following day, I discovered that restarting the HTTP SSL service would get it to work again, this lasted for 2 days, but that also stopped working and I'm back to square one, I checked to see if it had automatically reinstalled the update but its still gone
I've tried nearly every permutation of directory security on all 6 of the virtual directories.
I have also tried this as there were some active sync errors as well -
http://support.microsoft.com/default.aspx?scid=kb;EN-US;817379
That article left me with a virtual directory called exchange2. It solved my activesync problems (as far as I know) but OWA is still out of commission.
But despite all of this very limited results which reverted back or none at all were encountered with all of the solutions. This morning at around 10 CST though nothing could be accessed from OWA, you couldn't even authenticate any more, it would just simply give the internal server error 500 as soon as you browse to the site, so I tried what I classified as last resort and did what this article said and deleted the 6 virtual directories and metabase key -
http://www.petri.co.il/fixing_a_damaged_or_incorrectly_configured_owa_2003_installation.htm
It behaved exactly as the article said it would, after deletion the directories were recreated and everything appeared to be good. But when i tried to access OWA it was still the same 500 internal server error page before even asking to login. So I went back and retried all of the previously mentioned solutions to see if trying them on fresh virtual directories would make a difference. When I tried the one that had me add them all to the exchangeapplicationpool again this got the limited functionality that I had before back, where i could authenticate with users last logged onto by the "NT AUTHORITY\SYSTEM" but anyone who had their username or anyone else's username listed as the last logged on by is not able to access it. So basically I'm back at square one, and I'm not sure where to go from here. I thank everyone in advance for any help they can provide, and if I can provide any additional information please let me know.
Do you have all the correct Applications from the Application Pool associated with the Virtual Directory.
Is there a reason that you change the Exchange Virtual Directory?
Is there a reason that you change the Exchange Virtual Directory?
Do you have debug level logging set?
ASKER
Indeed it is
Exchange Active Sync was working, now I'm getting reports that its down again.....But I tried that when ActiveSync was working and I still got the same 500 error.
I believe so, I essentially mirrored the settings from another working SBS 2003 server, at least on the application pools for the virtual directories, assuming I'm understanding what your talking about.
I didn't actually touch the Exchange virtual directory. All I did was export the Exchange VDir configuration to a file, created a virtual directory from a file using said exported configuration, and pointed the appropriate registry key for active sync to the new virtual directory. It actually didn't change the behavior of the OWA side at all, it just (at the time) got the active sync working.
As an update I've been working on it this morning and have been testing it with the Exchange Connectivity Analyzer since active sync is once again down and I'm getting this sometimes when it attempts to establish and Active Sync session with the server:
Attempting the FolderSync command on the Exchange ActiveSync session.
The test of the FolderSync command failed.
Additional Details
Exception details:
Message: The operation has timed out
Type: System.Net.WebException
Stack trace:
at System.Net.HttpWebRequest.
at Microsoft.Exchange.Tools.E
And other times I'm getting my old friend:
Attempting the FolderSync command on the Exchange ActiveSync session.
The test of the FolderSync command failed.
Tell me more about this issue and how to resolve it
Additional Details
Exchange ActiveSync returned an HTTP 500 response (Internal Server Error).
There was another error to but I didn't copy and paste it when it came up.
Exchange Active Sync was working, now I'm getting reports that its down again.....But I tried that when ActiveSync was working and I still got the same 500 error.
I believe so, I essentially mirrored the settings from another working SBS 2003 server, at least on the application pools for the virtual directories, assuming I'm understanding what your talking about.
I didn't actually touch the Exchange virtual directory. All I did was export the Exchange VDir configuration to a file, created a virtual directory from a file using said exported configuration, and pointed the appropriate registry key for active sync to the new virtual directory. It actually didn't change the behavior of the OWA side at all, it just (at the time) got the active sync working.
As an update I've been working on it this morning and have been testing it with the Exchange Connectivity Analyzer since active sync is once again down and I'm getting this sometimes when it attempts to establish and Active Sync session with the server:
Attempting the FolderSync command on the Exchange ActiveSync session.
The test of the FolderSync command failed.
Additional Details
Exception details:
Message: The operation has timed out
Type: System.Net.WebException
Stack trace:
at System.Net.HttpWebRequest.
at Microsoft.Exchange.Tools.E
And other times I'm getting my old friend:
Attempting the FolderSync command on the Exchange ActiveSync session.
The test of the FolderSync command failed.
Tell me more about this issue and how to resolve it
Additional Details
Exchange ActiveSync returned an HTTP 500 response (Internal Server Error).
There was another error to but I didn't copy and paste it when it came up.
You say they get the 500 error wehen trying to log in. It's possible that the FBA mechanism is failing, since it just adds another layer of complication to the whole thing. See if turning off FBA, and just using Basic and/or Integrated works any better, It'll also give you the chance to try it without SSL required (temporarily, of course), since that can cause problems of its own.
ASKER
Here is the other error I spoke of in my last post:
Testing HTTP Authentication Methods for URL https://mail.domain.org/Microsoft-Server-ActiveSync/.
The HTTP authentication test failed.
Additional Details
Exception details:
Message: The underlying connection was closed: An unexpected error occurred on a receive.
Type: System.Net.WebException
Stack trace:
at System.Net.HttpWebRequest.
at Microsoft.Exchange.Tools.E
Exception details:
Message: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
Type: System.IO.IOException
Stack trace:
at System.Net.Sockets.Network
at System.Net.FixedSizeReader
at System.Net.Security._SslSt
at System.Net.Security._SslSt
at System.Net.Security._SslSt
at System.Net.TlsStream.Read(
at System.Net.PooledStream.Re
at System.Net.Connection.Sync
Exception details:
Message: An existing connection was forcibly closed by the remote host
Type: System.Net.Sockets.SocketE
Stack trace:
at System.Net.Sockets.Network
Testing HTTP Authentication Methods for URL https://mail.domain.org/Microsoft-Server-ActiveSync/.
The HTTP authentication test failed.
Additional Details
Exception details:
Message: The underlying connection was closed: An unexpected error occurred on a receive.
Type: System.Net.WebException
Stack trace:
at System.Net.HttpWebRequest.
at Microsoft.Exchange.Tools.E
Exception details:
Message: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
Type: System.IO.IOException
Stack trace:
at System.Net.Sockets.Network
at System.Net.FixedSizeReader
at System.Net.Security._SslSt
at System.Net.Security._SslSt
at System.Net.Security._SslSt
at System.Net.TlsStream.Read(
at System.Net.PooledStream.Re
at System.Net.Connection.Sync
Exception details:
Message: An existing connection was forcibly closed by the remote host
Type: System.Net.Sockets.SocketE
Stack trace:
at System.Net.Sockets.Network
ASKER
Disabling forms based authentication and SSL was one of the first things that I tried but unfortunately it didn't help. Interesting side note: I went back in and tried re-enabling FBA just for S&G and i get the following error message.
Access Denied.
Facility: Win32
ID no: 80070005
Exchange System Manager
Access Denied.
Facility: Win32
ID no: 80070005
Exchange System Manager
It's just getting stranger. Is there anything written to the event logs (the application one) when you see the 500 error? Sometimes, it's due to something outside IIS.
Did you try just using DefaultAppPool in the Exchange VDir?
Did you try just using DefaultAppPool in the Exchange VDir?
ASKER
Attached are three screenshots of the errors we receive. What's odd is that it's been working fine till about 2 days ago.
Error-OMA.jpg
Error-exchange.jpg
Exchange-VirtualError.jpg
Error-OMA.jpg
Error-exchange.jpg
Exchange-VirtualError.jpg
This all seems to be pointing to the App Pool as I stated in my first reply.
What if you moved everything back into the Default Web Site?
Have you tried that?
What if you moved everything back into the Default Web Site?
Have you tried that?
ASKER
I set everything back to default and I still get the same error when trying to enable forms based authentication.
Does it allow you to create another virtual server? ISTR this will end up creating another site in IIS, dedicated to OWA. If you give it a host header name in IIS Manager, you'll be able to see if a newly-created virtual server (with all default settings automatically configured for you) works any better.
ASKER
Ok we've managed to get it working with OWA, kind of....
When I go into the exchange virtual directory and tell to allow anonymous access, basic authentication, and integrated windows authentication, OWA works completely in google chrome, in IE though it sort of works, at the top it generates the error message i pasted below. But its acting really weird on the server side. Active sync still fails with a 500 error message, and whenever you try to use active sync, it resets the permissions on the exchange virtual directory, causing an "error: access is denied" error message to be generated whenever you try to access OWA. It will also reset the permissions after a certain period of time, the duration of which I haven't been able to determine yet. If I go back in reset the permissions, OWA works again, but the permissions will get reset in the same manner i said before.
Error message when using OWA in IE (OWA works but this shows up at the top of the window)
/exchweb/img/table-layout:
When I go into the exchange virtual directory and tell to allow anonymous access, basic authentication, and integrated windows authentication, OWA works completely in google chrome, in IE though it sort of works, at the top it generates the error message i pasted below. But its acting really weird on the server side. Active sync still fails with a 500 error message, and whenever you try to use active sync, it resets the permissions on the exchange virtual directory, causing an "error: access is denied" error message to be generated whenever you try to access OWA. It will also reset the permissions after a certain period of time, the duration of which I haven't been able to determine yet. If I go back in reset the permissions, OWA works again, but the permissions will get reset in the same manner i said before.
Error message when using OWA in IE (OWA works but this shows up at the top of the window)
/exchweb/img/table-layout:
ASKER
ok i got it to retain the settings by going into system manager and setting the authentication settings on the virtual directory from there, but i still get the same long text in IE. Active sync still doesn't work but after changing that setting in system manager the error message i'm getting in the remote connectivity analyzer has change from 500 to the one i'll paste below
An ActiveSync session is being attempted with the server.
Errors were encountered while testing the Exchange ActiveSync session.
Test Steps
Attempting to send the OPTIONS command to the server.
The OPTIONS response was successfully received and is valid.
Additional Details
Attempting the FolderSync command on the Exchange ActiveSync session.
The test of the FolderSync command failed.
Additional Details
An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body of the response: <body><h2>HTTP/1.1 403 Forbidden</h2></body>
An ActiveSync session is being attempted with the server.
Errors were encountered while testing the Exchange ActiveSync session.
Test Steps
Attempting to send the OPTIONS command to the server.
The OPTIONS response was successfully received and is valid.
Additional Details
Attempting the FolderSync command on the Exchange ActiveSync session.
The test of the FolderSync command failed.
Additional Details
An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body of the response: <body><h2>HTTP/1.1 403 Forbidden</h2></body>
For the long text you are seeing in the previous post, you seem to be seeing some of the page source, which should really be executed on the server, not just sent to you as text. Maybe some of the executable handler mappings (.asp or .aspx) have been removed.
This 403 (resulting in the ActiveSync failure) sounds like it is trying to communicate with the Exchange vdir instead of whichever vdir you created from doing KB817379 (Exchange2). 403 usually means ssl required, and ActiveSync can only make its internal requests on port 80 (i.e. plain http). Or maybe you now have SSL required on your Exchange2? If so, you'll need to uncheck it
This 403 (resulting in the ActiveSync failure) sounds like it is trying to communicate with the Exchange vdir instead of whichever vdir you created from doing KB817379 (Exchange2). 403 usually means ssl required, and ActiveSync can only make its internal requests on port 80 (i.e. plain http). Or maybe you now have SSL required on your Exchange2? If so, you'll need to uncheck it
ASKER
Ok long text is gone, but the error message is back, 500 internal server error. For a while through all of this I though it was a permissions issue, referring back to the access denied message I posted. I managed to fix that problem by changing some stuff around on the server object in adsiedit......for about an hour, then it gave out again, its pretty much back to doing the same thing, except now the common denominator of having the last logged onto field as NT AUTHORITY\SYSTEM allowing it to work is no longer the case. The only account that can log into OWA is administrator at this point, even another account thats been copied directly from the administrator account can't login to OWA. At this point I'm at a complete and total loss, every permutation of a google search on my computer generates two pages of purple already clicked on links, and I find myself beginning to repeat steps without even thinking, the amount of things I've tried are to numerous to list at this point. Any ideas as to what it could be at this point? Thanks once again in advance for any help
EDIT: I don't think i was clear in my last paragraph, the permissions issues are gone now, at least on enabling FBA and there is no longer an access denied message in place of the log file path on the server object properties, nor am i getting an access denied message when i try to click on the directory access tab. after i resolved the error causing that message it started working for about an hour, but then it gave out again.
EDIT: I don't think i was clear in my last paragraph, the permissions issues are gone now, at least on enabling FBA and there is no longer an access denied message in place of the log file path on the server object properties, nor am i getting an access denied message when i try to click on the directory access tab. after i resolved the error causing that message it started working for about an hour, but then it gave out again.
Okay, well you have some progress, at least. For now, I would make sure that FBA is turned off and SSL is not required, to keep things as simple as possible. Also, if you have any kind of redirection in place (i.e. default web site root to /Exchange), don't use it - go directly to the /Exchange URL.
Also, is OMA working for any user besides Admin?
Also, is OMA working for any user besides Admin?
Just curious, What browser are you using?
ASKER
FBA is turned off, SSL is also not required, and there isn't any kind of redirection enabled, users have to manually add the /exchange to the URL. No it isn't, at first there were certain users it would work for, on those users I couldn't find any commonality, other than the fact that if I went into system manager and looked at the mailboxes the ones that would actually login were the ones that had "NT AUTHORITY/SYSTEM" in the "Lasted logged on by" column. But now that isn't the case, the only account that can access OWA is administrator. And its the same thing with active sync, it works with administrator, but when I try it with a regular user it gives the 500 internal server error when it tries to do the folder sync command. Having said that it almost makes me wonder if there is still a lingering permissions issue, but if that was the case I would think the other domain admin user I have setup would be able to login but it can't, so if it is a permissions issue, that would mean that somewhere something has it set to where only the administrator has access to it, but thats all just speculation.
I'm using Firefox and IE 8 (My workstation is running XP) for testing, anytime that I go to test OWA after troubleshooting or trying a solution I test it with both browsers.
I'm using Firefox and IE 8 (My workstation is running XP) for testing, anytime that I go to test OWA after troubleshooting or trying a solution I test it with both browsers.
ASKER
Ok I'm wrong, the commonality I spoke of still exists. Any user that has "NT AUTHORITY/SYSTEM" in the "Last Logged on By" column is able to logon, if it says that it was last accessed by the user, then it doesn't work. What I haven't been able to figure out is what causes the change to "NT AUTHORITY/SYSTEM"
What I said about active sync is true though, it only works with administrator.
EDIT: grrrr.....ok the commonality is now gone again after running the email and internet wizard to see if that would help, its now back to where only the administrator account will work.
What I said about active sync is true though, it only works with administrator.
EDIT: grrrr.....ok the commonality is now gone again after running the email and internet wizard to see if that would help, its now back to where only the administrator account will work.
ASKER
Ok I'm noticing some event log entries that are showing up that may be relevant, there is this one:
Type: Warning
Event ID: 1040
Metabase Update failed replication 5 times with error 80070003 (The system cannot find the path specified.). Please change the diagnostic logging level of MSExchangeMU to 'minimum' or greater to find the source of the problem.
And then there is this one, which seems like it might be more relevant because for some reason this error shows up every time i try to hit OWA with a regular user.
Type: Error
Event ID: 201
No license was available for user DOMAIN\user using product FilePrint . Use Licensing from the Administrative Tools folder to ensure that you have sufficient licenses.
If it is a licensing issue then I guess it would make sense that its not working with any other user than the administrator (I think). But what I find odd is that its referring to "FilePrint" I'm not even sure what that is and why it would be affecting OWA, unless, if it is a licensing issue, its affecting the entire server by design.
I'm also seeing active sync errors now showing up in the event log as one of the user's phones keeps trying to communicate with the server. I found it to be woefully unhelpful but perhaps one of ya'll will find it more useful:
Type: Error
Event ID: 3005
Unexpected Exchange mailbox Server error: Server: [servername.domain.domain.
Type: Warning
Event ID: 1040
Metabase Update failed replication 5 times with error 80070003 (The system cannot find the path specified.). Please change the diagnostic logging level of MSExchangeMU to 'minimum' or greater to find the source of the problem.
And then there is this one, which seems like it might be more relevant because for some reason this error shows up every time i try to hit OWA with a regular user.
Type: Error
Event ID: 201
No license was available for user DOMAIN\user using product FilePrint . Use Licensing from the Administrative Tools folder to ensure that you have sufficient licenses.
If it is a licensing issue then I guess it would make sense that its not working with any other user than the administrator (I think). But what I find odd is that its referring to "FilePrint" I'm not even sure what that is and why it would be affecting OWA, unless, if it is a licensing issue, its affecting the entire server by design.
I'm also seeing active sync errors now showing up in the event log as one of the user's phones keeps trying to communicate with the server. I found it to be woefully unhelpful but perhaps one of ya'll will find it more useful:
Type: Error
Event ID: 3005
Unexpected Exchange mailbox Server error: Server: [servername.domain.domain.
ASKER
Good grief I'm spamming my own question -.-
I managed to get OWA working (cautious optimism enabled). It seems that there wasn't enough licenses as indicated by that error that i posted above, so I installed some more and its working, now to just cross my fingers that it stays that way.
But unfortunately Active Sync is still misbehaving, its giving a 500 internal server error at the same point.
I managed to get OWA working (cautious optimism enabled). It seems that there wasn't enough licenses as indicated by that error that i posted above, so I installed some more and its working, now to just cross my fingers that it stays that way.
But unfortunately Active Sync is still misbehaving, its giving a 500 internal server error at the same point.
I'd be surprised if a lack of licences would make it fail in such a confusing manner, but you never know.
Is A/S producing a 500 error or a 501 (that's what is pasted in your previous message)? There's a description here
http://support.microsoft.com/kb/318380
but I've never seen a 501 in lreal life.
Is A/S producing a 500 error or a 501 (that's what is pasted in your previous message)? There's a description here
http://support.microsoft.com/kb/318380
but I've never seen a 501 in lreal life.
Tapped out here, you've tried all the techniques I could come up with.
- gurutc
- gurutc
ASKER
Yea it wasn't one of things I would have thought of, but the errors would be generated each time a user would try to logon, and according to the licensing on the server, 5 were installed and 14 were in use. In any case as soon as I installed the new licenses OWA started working, very strange.
And the active sync issue now appears to be solved, it started working after I implemented this solution: http://support.microsoft.com/default.aspx?scid=kb;EN-US;817379
Which is strange cause I've tried that like 3 or 4 times but maybe it had something to do with the licensing or the myriad of things i've tried doing to troubleshoot stuff on this server. I'll go ahead and leave this open for a day, just in case the server decides to make a liar out of me, but for now, its working.......woot! lol
And the active sync issue now appears to be solved, it started working after I implemented this solution: http://support.microsoft.com/default.aspx?scid=kb;EN-US;817379
Which is strange cause I've tried that like 3 or 4 times but maybe it had something to do with the licensing or the myriad of things i've tried doing to troubleshoot stuff on this server. I'll go ahead and leave this open for a day, just in case the server decides to make a liar out of me, but for now, its working.......woot! lol
hooray, woot you and others.
- gurutc
- gurutc
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Yes, I have found turning off License Logging helps also.
- gurutc
- gurutc
ASKER
There is a license logging service, I never thought of turning that off, if we start to experience problems again in the future I'll give that a try. That server will only be in operation for the next two or three months before its decommissioned and replaced though so hopefully it will behave until then. Thank you all once again for your help.
ASKER
Seeing as how it doesn't make sense to select multiple posts from one poster as a solution I'll just pick the last one you posted Lee. You stuck with it through the entire process and were helpful and informative with each prompt reply. Thanks alot.
If you are sure that exchange2 is working correctly for your activesync users, then it may be a working copy of your OWA installation. See what happens if you go to https://servername/exchange2 in your desktop browser.