Exchange 2010: Cannot get to OWA on some computers, sometimes.

    Question

  • Hi all.  This is for Exchange 2010, but when browsing to create a post via the TechNet forums there is no 2010 option, so I'm posting here instead. 

    We have a problem that seems to be very intermittent.  First I'll write the issue, then the little notes & tidbits that hopefully will help in figuring this out.  Basically I'm looking for any troubleshooting advice you can offer. 

    Issue:

    Certain users, at random times, cannot get to the OWA web page at all.  There is no apparent pattern to this.  User A might have problems on a Monday for only an hour, then it's fine later, while User B is ok all along.  User B might have the same issue on another day, and so forth. 

    Notes:

    - At any given time, if User A can't get on, I know the site and services are up because I can get to the OWA web page from other locations or from other systems at the same location.

    - The issue appears to be the computer and not the user, since if I log out of User A and log in with User B on that computer, the problem remains.  And yet that same user may not be able to get to OWA from any computer, so it almost seems user-specific as well; on this subject I'm not 100% determined yet. 

    - Does not appear to be DNS, since while it is happening I can do nslookup and get the right location.  Also, inputting the direct IP address of the internal server, while on the same subnet, also does not work.

    - I'm not an expert on IIS and Exchange logs, but I opened the daily logs for IIS and can't see any failures or errors (doesn't mean they aren't happening, but I see nothing on or around the timestamp of when I try).

    - Windows event logs on the client system being tested with (usually the most recent system a user is at when unable to connect) and the event logs on the Exchange server have nothing at all carrying the timestamp.

    - Problem has been happening for roughly 4 weeks. This only began after we did an exercise where I manually disabled a batch of users in AD one at a time, then re-enabled them 12 hours later.  This issue only affects those users, it seems.

    - Today while testing, I tried opening Outlook from an affected workstation to see what happens.  It tries to connect to Exchange but then prompts for a username/password.  I'm not sure if typos are the issue, but I put in the username/pw about 4 times, when it finally worked and Outlook loaded the mailbox.  At that moment, I tried OWA, no change. 

    So I'm certainly lost on this one, and not sure where to look or what to try next.  Can anybody help? 

    Thank you. 

    Tuesday, November 19, 2013 8:22 PM

Answers

All replies

  • If they don't show in the IIS logs then I suspect it's not even getting to the Exchange server. Check each Exchange server in the site, as it could be hitting any one of those; it depends on your deployment, NLB, whether you have only one server, etc.

    Sounds like it could be a proxy issue.  I'd take a Fiddler trace, repro the issue and analyse that.


    Sukh

    Tuesday, November 19, 2013 8:34 PM
  • Only one server.  No network security in between systems either, just a switch from the affected computers directly to the server.  Each endpoint has a firewall on the computer itself. 

    Not sure what a Fiddler trace is, but is it something I'd get involved with if only using one server, with the issue being internal on the subnet? 

    Thanks Sukh. 

    Wednesday, November 20, 2013 3:48 AM
  • Google Fiddler, download it, reproduce the issue.

    Sukh

    Wednesday, November 20, 2013 7:22 AM
  • Hi,

    To narrow down the causes, I suggest doing the following test:

    When the issue occurs again, log on another user on the problematic client and see whether he can access successfully.

    Thanks,

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnsfl@microsoft.com


    Simon Wu
    TechNet Community Support

    Wednesday, November 20, 2013 11:41 AM
    Moderator
  • Ok Fiddler downloaded, just waiting for the next time this happens. 

    Simon: tried all that stuff already.  The issue is not account-specific, yet also is not computer-specific.  Or so it seems, but I will continue verifying this each time it happens. 

    Thursday, November 21, 2013 3:05 PM
  • Hi,

    When the issue occurs, please also try logging the problematic user on the OWA on the CAS server and see whether he/she can login successfully.

    Thanks,

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnsfl@microsoft.com


    Simon Wu
    TechNet Community Support

    Wednesday, November 27, 2013 7:22 AM
    Moderator
  • That's a good point Simon, I'll do that thanks.  Still waiting for the next report of the problem. 
    Thursday, November 28, 2013 2:34 PM
  • OK, I put Fiddler (.NET 4.5.1 version) on a client machine.  I think I understand the issue and am quite excited about that, but this brings me back to where I'm not sure what to do next. 

    Here's a breakdown of things:

    On my Exchange 2010 server I have a URL for OWA configured in IIS as follows:

    http://mail.company.com which when somebody visits it redirects to https://mail.company.com/owa

    Fiddler is showing an HTTP 502, and if I click the RAW button to view the output it says:

    [Fiddler] The socket connection to mail.company.com failed.
    ErrorCode: 10061.
    No connection could be made because the target machine actively refused it 8.8.8.8:443

    (I substituted the real external IP of this site with 8.8.8.8)

    So since IIS is redirecting HTTP to HTTPS, and the URL configured in IIS for this HTTPS website is https://mail.company.com/owa, it is trying to go outbound, outside of the network, and then back in again, in terms of the firewall, and that out-and-back behavior is usually prevented by firewalls. 

    To further prove this, from the internal client PC that is currently failing to connect, if I type the internal IP of the server without any subdirectories, so either http://10.10.10.10 or https://10.10.10.10, these both fail with the 502 in Fiddler, but if I type https://10.10.10.10/owa, this works and OWA displays. 

    So the redirection configuration is the issue, it appears: any form of redirect to OWA done from a computer inside the network ends up being sent to the https://mail.company.com URL, which translates to the external IP, thus the firewall prevents the "out and back in" thing (whatever the technical term is, I don't know). 

    All of this might explain why periodically systems internal to the network can't get to OWA, but when I access it from any system outside the network, it always works. 

    So at this point, what do I do?  Should I reconfigure IIS in some way so that the redirect from http: (and https: without a subdirectory specified) goes to https://internal_IP/owa, or would that cause security issues or certificate issues? 

    Monday, December 16, 2013 8:21 PM
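The diagnosis in the post above rests on three separate observations: what the client's resolver returns for mail.company.com, whether TCP 443 at that address is reachable or refused (a refusal is the WSAECONNREFUSED 10061 that Fiddler surfaces as a 502), and what Location header the IIS root redirect hands back. Traffic that leaves through the firewall's outside address only to come back in is usually called hairpin or NAT-loopback traffic, and many firewalls drop or refuse it. The script below is an added example, not code from the thread or from Fiddler; it runs each of those three checks from an affected client with plain .NET calls, so it works on any PowerShell 2.0+ client without extra modules. The host name and the internal address are the placeholders the post uses and are assumptions to replace.

```powershell
# Added diagnostic for the symptom described in the thread; not code from the thread.
# Run it on an affected client while OWA is failing. The host name and the
# internal address are the placeholders the post uses (assumptions): change them.
$HostName   = 'mail.company.com'
$InternalIp = '10.10.10.10'

function Get-ResolvedAddresses {
    param([string]$Name)
    # Same resolver and cache the browser uses, so this shows what the client
    # actually got, not what the DNS server's zone file says.
    [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }
}

function Test-TcpPort {
    param([string]$Target, [int]$Port = 443, [int]$TimeoutMs = 3000)
    # 'refused' is the same WSAECONNREFUSED (10061) Fiddler reported as a 502;
    # 'timeout' means the packets are being dropped silently instead.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return 'timeout' }
        $client.EndConnect($async)
        return 'open'
    } catch {
        $base = $_.Exception.GetBaseException()
        if ($base -is [System.Net.Sockets.SocketException]) { return "refused/error $($base.ErrorCode)" }
        return "error: $($base.Message)"
    } finally {
        $client.Close()
    }
}

function Get-RedirectTarget {
    param([string]$Url)
    # Fetch the URL without following redirects, so the Location header IIS
    # sends back is visible before anything tries to reach that address.
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    $req.Timeout = 5000
    $resp = $null
    try {
        $resp = $req.GetResponse()      # 3xx is returned, not thrown, with AllowAutoRedirect off
    } catch {
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
        if ($ex -and $ex.Response) { $resp = $ex.Response } else { return "error: $($_.Exception.GetBaseException().Message)" }
    }
    try {
        return ('{0} {1}' -f [int]$resp.StatusCode, $resp.Headers['Location'])
    } finally {
        $resp.Close()
    }
}

$resolved = @(Get-ResolvedAddresses $HostName)
"$HostName resolves to: $($resolved -join ', ')   (split DNS should give $InternalIp)"
foreach ($ip in ($resolved + $InternalIp | Select-Object -Unique)) {
    '  {0}:443 -> {1}' -f $ip, (Test-TcpPort -Target $ip -Port 443)
}
"http://$HostName/  -> " + (Get-RedirectTarget "http://$HostName/")
"https://$HostName/ -> " + (Get-RedirectTarget "https://$HostName/")
```

If the first line shows the external address, the client's resolver (or its cache; `ipconfig /displaydns` shows what it holds) is the thing to chase, not IIS. If it shows the internal address but the port test to the external address is what says `refused`, the redirect target is the only path that crosses the firewall, and the Location header in the last two lines is where that target comes from. Testing `https://` by raw IP is deliberately left out: the certificate will not match the IP, so that request fails for an unrelated reason.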
  • Consider using split DNS, which resolves mail.xxxx.com to the internal IP of Exchange.

    Sukh

    Monday, December 16, 2013 10:20 PM
  • I actually have on my AD server (DNS server) a setting that points mail.company.com to the internal IP of the mail server.  But maybe the IIS server ignores this?  Maybe during DNS refresh cycles some systems are being fed by IIS the wrong pointer to the website, that being the external address, whereas other computers that haven't updated their DNS cache, and had previously resolved mail.company.com to the internal IP, still work. 

    The behavior on the internal network is that any given computer, apparently at any given time, might stop being able to get to OWA, and then an hour or a day later it suddenly starts working. 

    Is that what you meant by split DNS, though? 

    Tuesday, December 17, 2013 3:39 PM
  • So you have a zone for the external namespace? And you created an A record for this mail.xxxx.com?

    Sukh

    Tuesday, December 17, 2013 9:48 PM
  • It seems I may have something needing your advice. 

    So on the DNS server, under Forward Lookup Zones I have three entries

    1. _msdcs.internalname.local

    2. internalname.local

    3. company.com

    I looked through #1 and ignored it; it seems to be just AD-related stuff.  I looked at #2, and "mail" is an A record pointing to the internal IP of the mail server. But when I go to #3, "mail" is set up as a CNAME alias pointing to the internal server name of the mail server, so let's say mailserver.internalname.local. This is a static entry. So in other words nothing inside the DNS server points mail.company.com to an external IP address, but either way, should I change this CNAME to an A record, and also point it just to the IP address of the mail server?  Is there any reason to think this would affect my problem, or is it just a good idea to make the change anyway? 

    • Edited by viProCon Wednesday, December 18, 2013 3:49 PM Accidentally hit Submit before editing
    Wednesday, December 18, 2013 3:45 PM
  • You should have it set like this: http://support.microsoft.com/kb/940726

    Sukh

    Thursday, December 19, 2013 12:59 AM
  • I don't understand.  Are you saying I should set the InternalUrl properties for the services mentioned in that KB article to the external namespace, mail.company.com, instead of servername.domain.local?

    I have a SAN certificate that has both FQDNs for autodiscover (internal and external) in it, as well as the internal FQDN of the mail server and the external FQDN of mail.company.com (and then just company.com as the 5th "parent" name, but it's not a wildcard so...).

    My questions come from a lack of understanding on my part.  I'm very reluctant to change anything without knowing what will happen as a result, as I probably would not know what to do to fix things if another problem resulted from doing this. 

    If I do Get-ClientAccessServer | FL and review the properties, the AutoDiscoverServiceInternalUri is servername.domain.local.  Should I run any other Get commands to find out more? 

    Friday, December 20, 2013 3:44 PM
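The thread ends on two open questions: which Get commands show the rest of the picture, and what the KB article's change actually does to the server. The block below is an added example for the Exchange Management Shell on the CAS, not code from the thread or from the KB article. It inventories every Internal/External URL and the AutoDiscover URI, checks that the chosen namespace is on the IIS certificate and resolves to the internal address from the server itself (so a CNAME such as the one described in the company.com zone is fine as long as the chain ends at the internal IP), shows what the site's root redirect points at, and then stages the KB's change with `-WhatIf`. The KB itself covers AutoDiscover, EWS, OAB and UM; OWA, ECP and ActiveSync are included here because they take the same InternalUrl setting. `mail.company.com`, `10.10.10.10` and the local computer name as the CAS are assumptions taken from the thread's placeholders.

```powershell
# Added example, not from the thread or from KB 940726. Run in the Exchange
# Management Shell on the Client Access Server. The namespace, internal IP and
# "local computer is the CAS" are assumptions from the thread's placeholders.
$Namespace  = 'mail.company.com'
$InternalIp = '10.10.10.10'
$Server     = $env:COMPUTERNAME

# 0. What the root of the site redirects to: the 302 the client sees comes from
#    IIS's httpRedirect setting, which is separate from the Exchange URLs below.
& "$env:windir\system32\inetsrv\appcmd.exe" list config 'Default Web Site' '/section:system.webServer/httpRedirect'

# 1. Inventory: which host name is inside every Internal/External URL?
$vdirs = @(
    Get-OwaVirtualDirectory         -Server $Server
    Get-EcpVirtualDirectory         -Server $Server
    Get-WebServicesVirtualDirectory -Server $Server
    Get-OabVirtualDirectory         -Server $Server
    Get-ActiveSyncVirtualDirectory  -Server $Server
)
$vdirs | Format-Table Identity, InternalUrl, ExternalUrl -AutoSize
Get-ClientAccessServer -Identity $Server | Format-List Name, AutoDiscoverServiceInternalUri

# 2. Sanity checks before changing anything:
#    - the name the URLs will carry must be on the certificate bound to IIS
Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } |
    Format-List Thumbprint, CertificateDomains, NotAfter
#    - and it must resolve to the internal address from the server itself
$resolved = [System.Net.Dns]::GetHostAddresses($Namespace) | ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $InternalIp) {
    Write-Warning "$Namespace resolves to $($resolved -join ', ') here, not $InternalIp; fix DNS first."
}

# 3. The KB 940726 approach: one name, on the certificate and in split DNS, on
#    every internal URL, so clients are never sent to a name they cannot reach
#    or validate. Remove -WhatIf once steps 0-2 look right, then run iisreset.
Set-OwaVirtualDirectory         -Identity "$Server\owa (Default Web Site)" -InternalUrl "https://$Namespace/owa" -WhatIf
Set-EcpVirtualDirectory         -Identity "$Server\ecp (Default Web Site)" -InternalUrl "https://$Namespace/ecp" -WhatIf
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" -InternalUrl "https://$Namespace/EWS/Exchange.asmx" -WhatIf
Set-OabVirtualDirectory         -Identity "$Server\OAB (Default Web Site)" -InternalUrl "https://$Namespace/OAB" -WhatIf
Set-ActiveSyncVirtualDirectory  -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "https://$Namespace/Microsoft-Server-ActiveSync" -WhatIf
Set-ClientAccessServer          -Identity $Server -AutoDiscoverServiceInternalUri "https://$Namespace/Autodiscover/Autodiscover.xml" -WhatIf
```

Two caveats a practitioner would check before dropping `-WhatIf`: the InternalUrl values only affect what Exchange tells clients (Autodiscover, OWA/ECP links), not the IIS root redirect printed in step 0, which has to be pointed at the same namespace separately; and pointing the URLs at a name that the certificate does not cover trades the connection failure for a certificate warning on every client, which is why step 2 runs first.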