Question: RBAC Authentication error - Remote EMC not able to access Exchange Organization

  • Wednesday, November 18, 2009 10:53 PM ip-rob
     

    Running Exchange 2010 on Server 2008 R2.  I've set up a user account within a group.  That group has the "Recipient Management" and "Discovery Management" roles in Exchange. 

    From another server running Server 2008 R2 I can run the Exchange Management Console without issue using the account under which Exchange was installed.

    When I attempt to use the EMC under the account with the "Recipient Management" and "Discovery Management" roles the EMC connection fails.  The text in the EMC is:

    Connecting to remote server failed with the following error message: The WinRM client received an HTTP server error status (500), but the remote service did not include any other information...

    On the Exchange server the following event is logged:

    (Process w3wp.exe, PID 5788) "RBAC authorization is unavailable due to application exception System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.
       at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess)
       at System.Security.Principal.SecurityIdentifier.Translate(Type targetType)
       at System.Security.Principal.WindowsIdentity.GetName()
       at System.Security.Principal.WindowsIdentity.get_Name()
       at Microsoft.Exchange.Configuration.Authorization.ExchangeAuthorizationPlugin.TryFindUserByWsManSenderDetails(WsManSenderDetails wsManSenderDetails, ADRawEntry& userEntry)
       at Microsoft.Exchange.Configuration.Authorization.ExchangeAuthorizationPlugin.AuthorizeUser(IntPtr senderDetails, String& redirectURL)."

    I've also attempted to manually establish an Exchange remote session in PowerShell with similar results (same event logged on Exchange server).

    Everything appears to be working fine except for this issue.  Any suggestions?

    Rob

All Replies

  • Tuesday, December 01, 2009 4:19 PM Nathan Lockwood

    I appear to be having the same issue, and am running Exchange 2010 on a Windows 2008 R2 machine with a Windows 2003 domain controller.


    Nathan
  • Thursday, December 03, 2009 3:29 AM Danofre

    I am having the same issue.
    Exchange 2010 on Windows 2008 SP2 with a Windows 2008 SP2 DC.
    I will post an answer when I find one.
  • Monday, December 21, 2009 7:36 PM Danofre

    PowerShell V2 (CTP3) is required.

    You need to uninstall v1 and make some registry hacks to get it to see v1 is removed.

    Install v2

    Install WinRM CTP3

    Do some signing configurations to unrestricted

    Then access it with Administrator

  • Saturday, January 30, 2010 6:35 PM ip-rob

    I don't think it is a version issue.  The applications work fine as Administrator but not with this security group.  I'm sure it is some type of permissions issue but I can't seem to find what it is.  I shouldn't have to allow a group to be a domain admin to give them remote Exchange management shell permissions.  I've followed the TechNet guide on the permissions that should be required.

    Rob
  • Saturday, January 30, 2010 7:01 PM ip-rob

    http://support.microsoft.com/default.aspx/kb/977962

    This is the exact error but .NET Extensibility is enabled under the web server role.  So it isn't clear at all what the real issue may be.

    Rob
  • Saturday, February 20, 2010 3:41 PM ip-rob

    Are there any Microsoft folks that have any comment about this broken functionality in Exchange 2010?  There is clearly an issue related to KB977962 even if .NET Extensibility is enabled under the server role.


    Rob
  • Monday, March 08, 2010 12:53 PM ip-rob

    Still no comments or workarounds?  The problem has not gone away.
    Rob
  • Monday, March 08, 2010 5:04 PM Vladimir Grebenik - MSFT

    Rob, I've got a few questions to narrow down the problem.
    - Can you describe how you created the security group and what other groups the user is a member of? The issue appears to be that one of the SIDs in the user's token cannot be resolved (not necessarily the SID of the group you granted permissions to).
    - Do you have a single domain/forest or more?
    - To make the cleanest reproduction of the problem, can you use Exchange tools (new-mailbox, new-rolegroup, add-rolegroupmember) to create a user and a group with the permissions you expect, and check if EMC works?

    Thanks!
      Vladimir
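
Added example (not part of the original thread and not Microsoft's code): a PowerShell check for the condition raised in the last reply, a SID in the user's token that cannot be resolved to an account name. The function name `Test-TokenSidTranslation` is hypothetical; the script assumes PowerShell v2 and that it is run while logged on as the affected account.

```powershell
# Added example: enumerate every SID in the current logon token and try to
# translate it to an account name, using the same SecurityIdentifier.Translate
# call that appears in the stack trace of the logged event.
function Test-TokenSidTranslation {
    param(
        [System.Security.Principal.WindowsIdentity]$Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    )

    # The user's own SID first (WindowsIdentity.get_Name translates this one),
    # then every group SID exposed by the token.
    $sids = @($Identity.User) + @($Identity.Groups)

    foreach ($sid in $sids) {
        $result = New-Object PSObject -Property @{
            Sid      = $sid.Value
            Account  = $null
            Resolved = $false
            Error    = $null
        }
        try {
            $result.Account  = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $result.Resolved = $true
        }
        catch {
            # PowerShell wraps .NET method exceptions; unwrap to the root cause.
            $root = $_.Exception.GetBaseException()
            if ($root -is [System.Security.Principal.IdentityNotMappedException]) {
                $result.Error = 'IdentityNotMappedException'
            }
            else {
                $result.Error = $root.GetType().Name
            }
        }
        $result
    }
}

# List only the SIDs that fail to resolve; no output means every SID translated.
Test-TokenSidTranslation |
    Where-Object { -not $_.Resolved } |
    Select-Object Sid, Error
```

Any SID listed with `IdentityNotMappedException` is a candidate for the unresolved identity reference; comparing the output for the working Administrator account and the failing account narrows it further.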