OWA and EWS issue

    Question

  • Hi,

    I have Exchange 2010 SP1 with Lync integrated in it. If we enable Windows Authentication under EWS authentication in IIS settings, the Lync clients will lose the EWS connectivity, and Lync clients will ask for credentials (even though I enter the correct credentials, it will not accept them). If I disable Windows Authentication under EWS authentication settings in IIS, Lync can reach the EWS, but OWA users cannot delete or attach mails. They will get a message as follows:

    "The action you tried to perform could not be completed because there is a configuration problem on your server..."

    So, how can I solve this issue so that EWS works for both Lync and OWA clients?

    Thursday, May 10, 2012 9:06 AM


All replies

  • Hi,

    What happens if you have both WA and Basic enabled?

    Note: When configuring authentication methods for Exchange virtual directories it's best to do it in EMS and not in IIS
    Example: Set-WebServicesVirtualDirectory EWS* -BasicAuthentication $True -WindowsAuthentication $True


    Martina Miskovic

    Thursday, May 10, 2012 9:22 AM
  • Thanks for the input,

    Anonymous and basic authentication already enabled.

    The issue arises while Windows authentication is Enabled or Disabled. (When enabled OWA works fine, but Lync not. When Disabled Lync can reach EWS but OWA users cannot)

    Any advice on what to do?

    Thanks again

    Thursday, May 10, 2012 9:27 AM
  • Thanks for the input,

    Anonymous and basic authentication already enabled.

    The issue arises while Windows authentication is Enabled or Disabled. (When enabled OWA works fine, but Lync not. When Disabled Lync can reach EWS but OWA users cannot)

    Any advice on what to do?

    Thanks again


    Hmm, where did Anonymous come from?
    What happens if you have both "Windows Authentication" and "Basicauthentication" enabled?

    Can you run Get-WebServicesVirtualDirectory EWS* | ft identity,*auth* and post the result?


    Martina Miskovic


    Thursday, May 10, 2012 9:36 AM
  • Here is the result. Anonymous is enabled by default, should I disable it?

    CertificateAuthentication     :
    InternalAuthenticationMethods : {Basic, WSSecurity}
    ExternalAuthenticationMethods : {Basic, WSSecurity}
    LiveIdSpNegoAuthentication    : False
    WSSecurityAuthentication      : True
    LiveIdBasicAuthentication     : False
    BasicAuthentication           : True
    DigestAuthentication          : False
    WindowsAuthentication         : False

    Thursday, May 10, 2012 9:46 AM
  • Hi,
    NO, do not disable Anonymous Authentication.

    The above output really tells us that you have changed permissions using IIS (=not recommended)

    Sorry for repeating myself, but "What happens if you have both "Windows Authentication" and "Basicauthentication" enabled?"



    Martina Miskovic


    Thursday, May 10, 2012 9:58 AM
  • No problem.

    Whenever I change the IIS authentication, I did do 'iisreset'. Is that OK, or should I do it through PS itself?

    When I enable both, Lync clients cannot see EWS and pop up for credentials, but OWA users can delete or alter mails in their mailbox.

    Thursday, May 10, 2012 10:02 AM
  • No problem.

    Whenever I change the IIS authentication, I did do 'iisreset'. Is that OK, or should I do it through PS itself?

    When I enable both, Lync clients cannot see EWS and pop up for credentials, but OWA users can delete or alter mails in their mailbox.


    Always use EMS to set/change the authentication methods and not IIS.
    That way both Exchange and the metabase will have the correct information, which is not always the case when doing it in IIS. I have seen many problems being caused by doing it in IIS.
    Sure, iisreset must usually be run.

    Can you try and enable both Basic and Windows Authentication in EMS and check if you have the same problem?
    Set-WebServicesVirtualDirectory EWS* -BasicAuthentication $True -WindowsAuthentication $True

    Btw, what authentication methods do you have configured for OWA and ECP?

    Martina Miskovic

    • Marked as answer by Bashboosh Saturday, May 19, 2012 6:29 AM
    Thursday, May 10, 2012 10:09 AM
  • Thanks for the valuable information.

    For OWA, I need basic authentication and for Lync it's both Basic and Windows.

    >>Can you try and enable both Basic and Windows Authentication in EMS and check if you have the same problem?
    >>Set-WebServicesVirtualDirectory EWS* -BasicAuthentication $True -WindowsAuthentication $True

    Both have the same effect, right? Shall I run it in PS?

    Thursday, May 10, 2012 10:15 AM
  • Both have the same effect, right? Shall I run it in PS?


    Yes, the command must be run in Exchange Management Shell (EMS)

    Martina Miskovic

    Thursday, May 10, 2012 10:18 AM
  • Yes, I did that, now the output shows:

    CertificateAuthentication     :
    InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
    ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
    LiveIdSpNegoAuthentication    : False
    WSSecurityAuthentication      : True
    LiveIdBasicAuthentication     : False
    BasicAuthentication           : True
    DigestAuthentication          : False
    WindowsAuthentication         : True

    Waiting for your update. By the way, I will check the result now. Do I need to reset IIS?

    Thursday, May 10, 2012 10:27 AM
  • The result is same, Lync pop up for credentials (EWS not available) but OWA working fine.

    Thursday, May 10, 2012 10:34 AM
  • Any further thoughts? Could be any Lync issue, the way it contacts the EWS?

    Thanks

    Thursday, May 10, 2012 10:58 AM
  • Hi,
    I have only integrated OCS with Exchange 2010 and at that customer we have both "Windows Authentication" and "Basic" enabled and that works just fine, so I was kind of assuming that it would be the same with OWA2010 and Lync2010.

    Could be worth asking in the Lync Forum.
    http://social.technet.microsoft.com/Forums/en-US/category/ocs


    I actually saw the error "The action you tried to perform could not be completed because there is a configuration problem on your server..." yesterday and the issue there was that they had opened up OWA on port 80, but EWS still had requireSSL on EWS.

    How do you access OWA? Is there a HLB and/or ISA/TMG involved in the picture?



    Martina Miskovic

    Thursday, May 10, 2012 11:27 AM
  • Hi,

    We have the integration working fine with the following settings; Basic Auth might be your issue?

    CertificateAuthentication     :
    InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity}
    ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity}
    LiveIdSpNegoAuthentication    : False
    WSSecurityAuthentication      : True
    LiveIdBasicAuthentication     : False
    BasicAuthentication           : False
    DigestAuthentication          : False
    WindowsAuthentication         : True

    Thursday, May 10, 2012 3:33 PM
  • Hello,

    In my environment, I just enable the Anonymous and WindowsIntegrated authentication.

    You can try rebuilding the EWS virtual directory to troubleshoot this issue.

    http://technet.microsoft.com/en-us/library/ff629372.aspx

    Thanks,

    Simon

    Friday, May 11, 2012 2:30 AM
  • Hi Culmor,

    Thanks for your comment. I set the authentication as you suggested. Now, the OWA operations are OK (before, while Windows authentication was enabled, they could not delete mails). But even though Windows Authentication is enabled, Lync cannot reach EWS.

    The only change here is that Basic Authentication is disabled. While basic authentication is disabled, Lync could not reach EWS. Is there anything I can do to solve this behavior?

    Thanks again

    Saturday, May 12, 2012 5:56 AM
  • Hi Simon,

    What could be the working Authentication method for EWS to be reachable for both OWA and Lync after I rebuild the EWS? I would try this tonight as a last resort.

    Thanks for your time.

    Saturday, May 12, 2012 5:59 AM
  • What authentication methods do you have configured for OWA?
    Get-OwaVirtualDirectory | ft Name,*Auth*

    Martina Miskovic

    Saturday, May 12, 2012 6:09 AM
  • Here is the output:


    [PS] C:\Windows\system32>Get-OwaVirtualDirectory | ft Name,*Auth*

    Name          ClientAuthCle InternalAuthe BasicAuthent WindowsAuthe DigestAuthen FormsAuthent LiveIdAuthen ExternalAuth
                      anupLevel nticationMeth      ication    ntication     tication      ication     tication enticationMe
                                ods                                                                            thods
    ----          ------------- ------------- ------------ ------------ ------------ ------------ ------------ ------------
    owa (Defau...          High {Basic, Fba}          True        False        False         True        False {Fba}

    Saturday, May 12, 2012 6:16 AM
  • I had a similar issue but in my case it was a Hardware NLB was interacting with IIS redirect
    Saturday, May 12, 2012 6:22 AM
  • I don't have any LB in my environment for Exchange.
    Saturday, May 12, 2012 6:26 AM
  • Martina, does the OWA auth output give us some clues? Thanks for your time
    Saturday, May 12, 2012 10:17 AM
  • Hi,

    You have outlined that you have two issues that relate to Authentication?

    If you set BasicAuth to disabled as outlined before and set instantmessagingenabled to $false is your OWA working ok? 

    Have a look at this URL

    If your OWA is working fine then your issue must relate to the Lync integration?

    Have a look at this URL

    Can you run this command on your CAS server Get-OwaVirtualDirectory | fl *insta*

    Monday, May 14, 2012 8:30 AM
  • Basic authentication is disabled and OWA is working fine, but Lync asks for credentials to access the EWS. Here is the output you requested:

    [PS] C:\Windows\system32>Get-OwaVirtualDirectory | fl *insta*

    InstantMessagingCertificateThumbprint :
    InstantMessagingServerName            :
    InstantMessagingEnabled               : True
    InstantMessagingType                  : None

    Thanks and waiting for your update.

    Monday, May 14, 2012 12:11 PM
  • Hi,

    I think you need to look over your Lync install; the output above should look like..

    InstantMessagingCertificateThumbprint : 345345345DGDFGD123423423423DHDHDHDH
    InstantMessagingServerName            : your.lyncserver.pool.name
    InstantMessagingEnabled               : True
    InstantMessagingType                  : Ocs

    Have a look at this article and more specifically;

    Step 2. Configure your Exchange 2010 Sp1 Client Access server

    Using the Shell, you can configure your Client Access server OWA-virtual directory for InstantMessaging integration with OCS.

    Important here are the parameters:
    •InstantMessagingCertificateThumbprint = the thumbprint of the certificate which is enabled for the service IIS on your CAS!
    •InstantMessagingServerName = the Lync pool name
    •InstantMessagingType = OCS
    •InstantMessagingEnabled = $True :-)

    Monday, May 14, 2012 2:01 PM
  • Thanks for the reply,

    Can I get the commands to do that? (Sorry if it is found in the article, I have not yet read it, I will shortly.)

    I am not sure; my issue is produced while changing the authentication settings in the EWS. Is it really related to the OWA virtual directory?

    Monday, May 14, 2012 3:02 PM
  • Lync integration with OWA is working fine now. But still my original problem exists.

    Lync client still pops up with credentials. Here is again the authentication details of EWS:

    Identity                      : MailServer\EWS (Default Web Site)
    CertificateAuthentication     :
    InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity}
    ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity}
    LiveIdSpNegoAuthentication    : False
    WSSecurityAuthentication      : True
    LiveIdBasicAuthentication     : False
    BasicAuthentication           : False
    DigestAuthentication          : False
    WindowsAuthentication         : True

    Tuesday, May 15, 2012 2:29 PM
  • After the auth prompt into Lync do you get a red ! error saying Lync 2010 is experiencing connection issues?

    run the following command on your cas server;

    C:\Inetpub\AdminScripts>cscript adsutil.vbs get w3svc/1/root/NTAuthenticationProviders

    Tuesday, May 15, 2012 2:57 PM
  • Hi,

    Yes, the red mark with Exchange connection error on right bottom corner and on dialpad+activities icon.

    The command you specified brought me this result:

    The parameter NTAuthenticationProviders is not set at this node.

    Does it give any clue?

    Thanks a lot

    Wednesday, May 16, 2012 5:51 AM
  • To save time, I issued the command to change the authentication providers for w3svc\1\root and the result now shows:

    NTAuthenticationProviders       : (STRING) "Negotiate,Basic,NTLM"

    But still no change, Lync pops up asking for credentials, it cannot see EWS. Do the above sequence and path affect the configuration? (Negotiate,Basic,NTLM and path w3svc\1\root)

    Thanks

    Wednesday, May 16, 2012 6:55 AM
  • Hi,

    Have a look at this article

    Wednesday, May 16, 2012 8:27 AM
  • Hi,

    The Lync client does not pop up for credentials once I disable the 'Integrated windows authentication' under Internet Options>Advanced>Security section of Internet Explorer on the client computer. OWA users also can delete/modify their mails. This way I have to go to all the clients and change each, which is not practical.

    Is there a way to change the way the Lync client looks for authentication?

    Sorry for the long thread, but I hope I am near the result.

    Thanks for your support

    Wednesday, May 16, 2012 10:42 AM
  • try;

    C:\Inetpub\AdminScripts>cscript adsutil.vbs set w3svc/1/root/NTAuthenticationProviders "NTLM,Negotiate"

    Wednesday, May 16, 2012 10:44 AM
  • It is already NTLM, Negotiate.

    (C:\inetpub\AdminScripts>cscript adsutil.vbs get w3svc/1/root/NTAuthenticationProviders
    Microsoft (R) Windows Script Host Version 5.8
    Copyright (C) Microsoft Corporation. All rights reserved.

    NTAuthenticationProviders       : (STRING) "NTLM,Negotiate"

    C:\inetpub\AdminScripts>)

    Authentication providers for EWS are showing as follows. Is this as expected?

    C:\inetpub\AdminScripts>cscript adsutil.vbs get w3svc/1/root/ews/NTAuthenticationProviders
    Microsoft (R) Windows Script Host Version 5.8
    Copyright (C) Microsoft Corporation. All rights reserved.

    NTAuthenticationProviders       : (STRING) "Negotiate,Negotiate:Kerberos,NTLM"

    Wednesday, May 16, 2012 12:22 PM
  • you could try the following;

    Set your ews/NTAuthenticationProviders to

    C:\Inetpub\AdminScripts>cscript adsutil.vbs set w3svc/1/root/ews/NTAuthenticationProviders "NTLM,Negotiate"

    (Mine is sitting as "Negotiate,NTLM" - you did restart the IIS Admin Service?)

    also can you please try the following;

    Get-OutlookAnywhere | fl server*, *client*

    what is your Client Authentication Method (clientauthenticationmethod)?



    • Edited by culmor Wednesday, May 16, 2012 12:50 PM modified
    • Marked as answer by Bashboosh Saturday, May 19, 2012 6:29 AM
    Wednesday, May 16, 2012 12:43 PM
  • Culmor, you are the man! Thanks a lot.

    After changing the EWS authentication provider (changed to NTLM, Negotiate), Lync could reach EWS and OWA users can also reach EWS. No issues. For your question, the client authentication method for OWA is Basic.

    I will monitor this one more day for any responses from users and get back to you to mark as answer. By the way, is there any security risk in changing the authentication providers in this way? Is this the best practice?

    Thanks again and have a nice day!

    Wednesday, May 16, 2012 1:52 PM
  • Thanks culmor,

    So far no issues, you have pointed the right answer :) cheers.

    Saturday, May 19, 2012 6:30 AM
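
Added example, not part of the thread: a PowerShell helper that parses the `adsutil.vbs get .../NTAuthenticationProviders` output quoted in the posts above and reports whether NTLM is listed ahead of Negotiate (the provider through which Kerberos is offered), so the change made in the accepted answer shows up when a server is reviewed. The function name `Get-NtAuthProviderOrder` is hypothetical, and the sample lines are copied from the output posted in the thread.

```powershell
# Added example (not from the thread). Get-NtAuthProviderOrder is a hypothetical helper name.
# Written to run on PowerShell 2.0, which is what the Exchange 2010 shell uses.
function Get-NtAuthProviderOrder {
    param(
        [Parameter(Mandatory = $true)] [string] $Node,
        [Parameter(Mandatory = $true)] [AllowEmptyString()] [string[]] $AdsutilOutput
    )
    $text = $AdsutilOutput -join "`n"
    $result = @{ Node = $Node; IsSet = $false; Providers = @()
                 NegotiateOffered = $false; NtlmBeforeNegotiate = $false }

    # adsutil prints this sentence when the property is not set at the node.
    if ($text -match 'is not set at this node') {
        return New-Object PSObject -Property $result
    }

    # Value line: NTAuthenticationProviders : (STRING) "NTLM,Negotiate"
    $m = [regex]::Match($text, 'NTAuthenticationProviders\s*:\s*\(STRING\)\s*"([^"]*)"')
    if (-not $m.Success) { throw "No NTAuthenticationProviders value in output for $Node" }

    $providers = @($m.Groups[1].Value.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $ntlm = -1; $neg = -1
    for ($i = 0; $i -lt $providers.Count; $i++) {
        if ($ntlm -lt 0 -and $providers[$i] -eq 'NTLM') { $ntlm = $i }
        # 'Negotiate' and 'Negotiate:Kerberos' both count as Negotiate entries.
        if ($neg -lt 0 -and $providers[$i] -like 'Negotiate*') { $neg = $i }
    }
    $result.IsSet = $true
    $result.Providers = $providers
    $result.NegotiateOffered = ($neg -ge 0)
    $result.NtlmBeforeNegotiate = ($ntlm -ge 0 -and $neg -ge 0 -and $ntlm -lt $neg)
    New-Object PSObject -Property $result
}

# Sample input: output lines as posted in the thread (root unset, EWS before and after the change).
$samples = @(
    @{ Node = 'w3svc/1/root (initial)'
       Output = @('The parameter NTAuthenticationProviders is not set at this node.') },
    @{ Node = 'w3svc/1/root/ews (before)'
       Output = @('NTAuthenticationProviders       : (STRING) "Negotiate,Negotiate:Kerberos,NTLM"') },
    @{ Node = 'w3svc/1/root/ews (after)'
       Output = @('NTAuthenticationProviders       : (STRING) "NTLM,Negotiate"') }
)

$samples |
    ForEach-Object { Get-NtAuthProviderOrder -Node $_.Node -AdsutilOutput $_.Output } |
    Format-Table Node, IsSet, Providers, NegotiateOffered, NtlmBeforeNegotiate -AutoSize

# Live use, run from C:\Inetpub\AdminScripts on the CAS server:
#   Get-NtAuthProviderOrder -Node 'w3svc/1/root/ews' `
#       -AdsutilOutput (cscript //nologo adsutil.vbs get w3svc/1/root/ews/NTAuthenticationProviders)
```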