Citrix Cloud Portal and Exchange server 2013 CU8 OWA

Hi All.

We have a hosted Exchange 2010 solution and we are in the process of upgrading to 2013. We have cloned and created a live LAB environment to test the deployment and this is where we are now...

We have the following:
2 x AD controllers. 1x 2008 and 1x 2012
1x exch2010 server with Citrix provisioning installed (MBX & CAS roles)
1x exch2010 mailbox server
2x Exch2013 CAS servers
2x Exch2013 MBX server
1x SQL
1x Web
1x Provisioning (Citrix Server)

We made sure that everything works before installing 2013 into the environment, so I can confirm that the 2010 provisioning worked perfectly before installing Exchange 2013 into the environment.

I then started with preparing the domain, schema and domain controllers and then continued to install the first Exchange 2013 server.
After going through some errors, and working through some documented KB articles, the Exchange servers are all successfully installed.

I then created a new user called hexadmin. I can log in to OWA and ECP on 2013 successfully and I can log into administrator on 2010 successfully using the OWA redirect from 2013>2010.

Mail flow also works between two accounts.

We then introduced exchange 2013 to our Citrix panel by updating the panel to the latest version, added the servers to the panel, added the services to the servers and also installed the Citrix software needed on one of the CAS servers.

The Panel is happy with everything and we are able to successfully provision a new Customer, new Exchange service and also new user mailboxes.

I checked for the following:
- the new client is listed under AD
- the new user is listed under the correct OU and the structure is the same as a working user
- the Exchange 2013 ECP panel detects the users and confirms that the user has a mailbox.
- the mailbox is located on one of the Exchange 2013 Mailbox servers.

So, everything looks good so far... but when I try to log into OWA on EXCH2013 I get the following message:

"The user name or password you entered isn't correct. Try entering it again."

I can confirm that I have double checked and triple checked the username and password. I have done multiple resets on the account using the Citrix Panel, which provisions successfully.

I have tried with multiple customers and multiple users within these customers.

When I look in Event viewer I can see the attempted login with error:
Audit Failure:

An account failed to log on.

      Security ID:            SYSTEM
      Account Name:            HEX2013-EXCAS09$
      Account Domain:            Domain
      Logon ID:            0x3E7

Logon Type:                  8

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            peter@Domain.local
      Account Domain:            HEX2013-EXCAS09

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xC000006D
      Sub Status:            0xC0000064

Process Information:
      Caller Process ID:      0xb58
      Caller Process Name:      C:\Windows\System32\inetsrv\w3wp.exe

Network Information:
      Workstation Name:      HEX2013-EXCAS09
      Source Network Address:
      Source Port:            20765

Detailed Authentication Information:
      Logon Process:            Advapi  
      Authentication Package:      Negotiate
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
      - Transited services indicate which intermediate services have participated in this logon request.
      - Package name indicates which sub-protocol was used among the NTLM protocols.
      - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

If I give the mailbox Full permissions to the HEXADMIN, then I am able to open the mailbox, but no matter what I try, I can't log onto any mailbox when provisioned with Citrix.

I am hoping that someone who has gone through this already can maybe assist with this?

I have scoured the Citrix forum with nothing coming back with any decent info.

Please let me know if you want to know anything else.
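
Added example, not part of the original post: a small Python triage of the 4625 event quoted above, decoding Logon Type, Status and Sub Status to separate "unknown account" from "wrong password". The sample text is constructed from fields in the post; `parse_4625` and `triage` are hypothetical helper names.

```python
import re

# Constructed sample: selected fields from the 4625 event quoted in the post.
SAMPLE_EVENT = r"""
Logon Type:                  8
Account For Which Logon Failed:
      Account Name:            peter@Domain.local
      Account Domain:            HEX2013-EXCAS09
Failure Information:
      Status:                  0xC000006D
      Sub Status:            0xC0000064
Process Information:
      Caller Process Name:      C:\Windows\System32\inetsrv\w3wp.exe
Network Information:
      Workstation Name:      HEX2013-EXCAS09
"""

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 10: "RemoteInteractive"}
NTSTATUS = {0xC000006D: "STATUS_LOGON_FAILURE", 0xC0000064: "STATUS_NO_SUCH_USER",
            0xC000006A: "STATUS_WRONG_PASSWORD", 0xC0000072: "STATUS_ACCOUNT_DISABLED",
            0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT", 0xC0000071: "STATUS_PASSWORD_EXPIRED"}

def parse_4625(text):
    """Map 'Field: value' lines to a dict. Repeated names (Account Name appears
    under Subject and under the failed account) keep the last, i.e. the target."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ()]+?):\s+(\S.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def triage(fields):
    sub = int(fields["Sub Status"], 16)
    ltype = int(fields["Logon Type"])
    findings = []
    if sub == 0xC0000064:
        findings.append("name did not resolve to an account (not a wrong password)")
    elif sub == 0xC000006A:
        findings.append("account exists but the password is wrong")
    if ltype == 8:
        findings.append("plaintext password handed to the server by the caller "
                        "(typical of IIS basic/forms auth); require TLS")
    if fields.get("Account Domain", "").lower() == fields.get("Workstation Name", "").lower():
        findings.append("target domain recorded as the server's own name; "
                        "verify the account's UPN and domain in AD")
    return {"status": NTSTATUS.get(int(fields["Status"], 16), "unknown"),
            "sub_status": NTSTATUS.get(sub, "unknown"),
            "logon_type": LOGON_TYPES.get(ltype, "unknown"),
            "findings": findings}

if __name__ == "__main__":
    print(triage(parse_4625(SAMPLE_EVENT)))
```
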

Radhakrishnan R (Senior Technical Lead) commented:

Nice to see such detailed questions!

While looking at the log you posted, it looks like an IIS issue, maybe authentication. Actually, w3wp.exe belongs to an IIS worker process, which needs proper authentication.

I would suggest checking the Citrix website in IIS and making sure the authentication is set properly.

technolutions (Author) commented:
Thanks Radhakrishnan

I will go through the IIS config and double check, but with the Citrix config working on ex2010, what would be different for 2013 and what should I look out for?

Radhakrishnan R (Senior Technical Lead) commented:

Did you use any Package Migration Wizard after moving the mailbox to the new Exchange? This is found under Configuration \ Provisioning & Debug Tools \ Package Migration Wizard.

During this wizard there will be an option in the portal: click on Services, expand Hosted Exchange and select the new Exchange version from the radio button options.

technolutions (Author) commented:
No, we are currently testing with a newly provisioned customer so no upgrade package used at all.

That is why it is so weird. I have replicated the OWA and ECP virtual directory authentication settings but still no luck.

technolutions (Author) commented:
Hi All.

I managed to find the problem. It was the Citrix Panel that did not want to authenticate against our AD.
We rebuilt the Lab environment and managed to fix the problem.

On to the next step :-)

Thanks so much for all the help.
