Exchange 2016 Admin Center - cannot login

  • Question

  • I have installed Exchange 2016 in my hybrid organization to replace/upgrade my on premise Exchange 2010 service.

    I built a new server (server 2012 R2), applied all of the patches, applied all of  the prerequisites, and then installed Exchange 2016 (Mailbox + Admin tools)

    The Exchange Management Shell works as expected.

    For some reason I cannot log in to the Exchange Admin Center.  The URL is https://localhost/ecp/?ExchClientVer=15

    When I provide my credentials (domain\myadminaccount) and password the page blanks the password field and returns me back to the credentials page.  However, if I enter the wrong password or a user/password combination that is invalid the password field is blanked and I receive an error: "The user name or password you entered isn't correct.  Try entering it again"

    Valid username/password = password field blanked and I'm asked for password again.
    Invalid username/password gets the error message, the password is blanked, and I'm asked for password again.

    I can't find any authentication or IIS errors in the log files.

    My Account is a member of the Organization Management security group and is the same account I used to install Exchange 2016.

    We set up Federated services for the Office 365 portion of our hybrid environment, do I have to force the Exchange Admin Center to use ADFS for authentication?

    Any help getting me into the console would be appreciated.  I can manage the install from PowerShell if I have to but my junior team members are lost without a GUI......

    TIA

    Vince 

    Tuesday, October 20, 2015 12:03 AM

All replies

  • Hi,

    Can you confirm that there were no errors in the installation and that all automatic services are started? Try opening the URL https://localhost/ecp, and also try moving a test mailbox and opening ECP with that test mailbox.

    Thanks.


    Please mark as an answer if this answers your question

    Mark Gossa

    MCSE 2003, MCITP Enterprise Administrator 2008 R2, MCSA 2012 R2, MCTS Exchange 2010

    Blog: http://markgossa.blogspot.com

    Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

    Tuesday, October 20, 2015 12:09 AM
  • I have an email account associated with the account I use to perform the install so I migrated it to the Exchange 2016 server using the new-moverequest applet and waited until it showed as Completed in get-moverequest.

    There is no change in the logon process.

    I tried the url you suggested and after accepting the certificate warning it was changed to:
    https://localhost/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2flocalhost%2fecp%2f

    I tried using the email address myadmin@mydomain.com and the experience was the same.

    The install ran without error and all automatic services are running.

    <edit>OWA does the same thing</edit>

    I'm stumped....


    • Edited by BDS_Vince Tuesday, October 20, 2015 12:28 AM missed OWA reference
    Tuesday, October 20, 2015 12:23 AM
  • Hi,

    Has there been any change made to the virtual directories in IIS or any redirects put in place?

    Thanks.


    Mark Gossa

    Tuesday, October 20, 2015 12:57 AM
  • Hi,

    Also consider looking at the IIS logs. You can find the path to these log files by looking at the logging settings on the web sites configured in IIS.

    Thanks.


    Mark Gossa

    Tuesday, October 20, 2015 12:58 AM
  • Hi,

    I understand you cannot log in to the OWA and ECP pages smoothly.

    On Exchange 2016, I suggest you create a new mailbox and log in again.

    Please run the below command to check the OWA settings:

    Get-OwaVirtualDirectory | FL Identity,name,*URL*,*auth*

    Also check some related event logs in Event Viewer for further analysis.

    Regards,

    David 

    Tuesday, October 20, 2015 2:13 AM
  • This is a fresh install starting with the server OS.  If there are redirects they were installed by the Exchange 2016 installer.

    Tuesday, October 20, 2015 3:00 PM
  • Results from the powershell command:

    Identity                      : EX2010-01\owa (Default Web Site)
    Name                          : owa (Default Web Site)
    Url                           : {}
    InternalSPMySiteHostURL       :
    ExternalSPMySiteHostURL       :
    SetPhotoURL                   :
    Exchange2003Url               :
    FailbackUrl                   :
    InternalUrl                   : https://mail.mydomain.com/owa
    ExternalUrl                   : https://mail.mydomain.com/owa
    ClientAuthCleanupLevel        : High
    InternalAuthenticationMethods : {Basic, Fba, Ntlm, WindowsIntegrated}
    BasicAuthentication           : True
    WindowsAuthentication         : True
    DigestAuthentication          : False
    FormsAuthentication           : True
    LiveIdAuthentication          : False
    AdfsAuthentication            : False
    OAuthAuthentication           : False
    ExternalAuthenticationMethods : {Fba}

    Identity                      : EX2010-02\owa (Default Web Site)
    Name                          : owa (Default Web Site)
    Url                           : {}
    InternalSPMySiteHostURL       :
    ExternalSPMySiteHostURL       :
    SetPhotoURL                   :
    Exchange2003Url               :
    FailbackUrl                   :
    InternalUrl                   : https://mail.mydomain.com/owa
    ExternalUrl                   : https://mail.mydomain.com/owa
    ClientAuthCleanupLevel        : High
    InternalAuthenticationMethods : {Basic, Fba, Ntlm, WindowsIntegrated}
    BasicAuthentication           : True
    WindowsAuthentication         : True
    DigestAuthentication          : False
    FormsAuthentication           : True
    LiveIdAuthentication          : False
    AdfsAuthentication            : False
    OAuthAuthentication           : False
    ExternalAuthenticationMethods : {Fba}

    Identity                      : EX2K1601\owa (Default Web Site)
    Name                          : owa (Default Web Site)
    Url                           : {}
    InternalSPMySiteHostURL       :
    ExternalSPMySiteHostURL       :
    SetPhotoURL                   :
    Exchange2003Url               :
    FailbackUrl                   :
    InternalUrl                   : https://ex2k1601.mydomain.local/owa
    ExternalUrl                   :
    ClientAuthCleanupLevel        : High
    InternalAuthenticationMethods : {Basic, Fba}
    BasicAuthentication           : True
    WindowsAuthentication         : False
    DigestAuthentication          : False
    FormsAuthentication           : True
    LiveIdAuthentication          : False
    AdfsAuthentication            : False
    OAuthAuthentication           : False
    ExternalAuthenticationMethods : {Fba}

    These values look to be correct to me although the Ex2k1601 server internal auth appears to be missing 2 methods.

    I have moved a mailbox to the server and am unable to log in.

    Tuesday, October 20, 2015 3:14 PM
  • Try creating a mailbox for your admin user.  I saw a thread a while back where someone was having an issue with the EAC and he was able to access it after giving his admin account a mailbox.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread

    Tuesday, October 20, 2015 5:21 PM
  • My admin user had an account on the Exchange 2010 infrastructure.  I moved the account to the new Exchange 2016 server using new-moverequest and the logon still failed with the same results.

    Tuesday, October 20, 2015 6:09 PM
  • Hi,

    Have you tried creating a new account on Exchange 2016 and giving it the required permissions in Exchange?

    Thanks.


    Mark Gossa

    Wednesday, October 21, 2015 12:51 AM
  • I finally broke down and opened a ticket with Microsoft.  They started down the same road that all of you who responded had suggested.

    In the end, the issue was caused by the certificates created and assigned to the web applications during install. 

    We have a domain CA and the certs created did not work with our on-premise Exchange 2010 install.  To fix this we changed the site bindings in IIS to use the self-signed certificate also created during install.

    This fixed the sign-in issue but created another: every Outlook user received an invalid cert notice when they launched Outlook.  I requested a new domain certificate from our CA and used it in the IIS bindings.  This fixed the issue with Outlook and works well in IE.

    Thanks for everyone who offered help!  I hope this thread can help someone else!

    VV

     
    • Marked as answer by BDS_Vince Friday, October 30, 2015 10:55 PM
    • Edited by BDS_Vince Friday, October 30, 2015 10:55 PM
    Friday, October 30, 2015 10:54 PM
  • Thanks for this!

     Not sure if you are monitoring this thread anymore but it would be useful to know what properties of the certificates were needed in order to get them to work properly.  I'm in the same boat in my DEV environment.  Tried installing certificate generated from my Enterprise CA and can no longer log into the EAC.  Change the certificate on IIS back to the "Microsoft Exchange" certificate and magically I can log in again.

    JT

    Wednesday, February 3, 2016 3:46 PM
  • Actually solved this one myself...  I originally created and requested the certificate for Exchange using the certificates MMC with only the following SANs:

    mail.domain.com
    autodiscover.domain.com

    That cert didn't appear to allow EAC to work so I did the request using the EAC wizard and it created the certificate with the following SANs:

    mail.domain.com
    autodiscover.domain.com
    ex01
    domain.com

    Once I bound that to IIS things worked as expected.  No idea whether it was the extra SANs or the fact that I generated the request with Exchange itself that fixed the issue.

    JT

    Wednesday, February 3, 2016 7:20 PM
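
A read-only check of the things this thread keeps coming back to (which certificate each IIS HTTPS binding uses, its SANs, issuer and signature algorithm), added here as an example and not taken from any poster's reply. It assumes PowerShell 4.0 or later with the WebAdministration module, an elevated session on the Exchange server, and the sample host names from the post above in the hypothetical `$ExpectedNames` list.

```powershell
# Added example: report the certificate behind every IIS HTTPS binding. Changes nothing.
Import-Module WebAdministration

# Names clients use to reach this server (sample values from the thread; replace with your own).
$ExpectedNames = 'mail.domain.com', 'autodiscover.domain.com', 'ex01', 'domain.com'

function Test-NameCovered {
    param([string]$Name, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -ieq $Name) { return $true }
        # A wildcard entry covers exactly one left-most label.
        if ($n.StartsWith('*.') -and $Name.Contains('.') -and
            ($Name.Substring($Name.IndexOf('.')) -ieq $n.Substring(1))) { return $true }
    }
    return $false
}

$report = foreach ($site in Get-Website) {
    foreach ($b in Get-WebBinding -Name $site.Name -Protocol https) {
        $store = if ($b.certificateStoreName) { $b.certificateStoreName } else { 'My' }
        $cert  = $null
        if ($b.certificateHash) {
            $cert = Get-Item "Cert:\LocalMachine\$store\$($b.certificateHash)" -ErrorAction SilentlyContinue
        }
        # DnsNameList holds the subject CN plus the DNS SAN entries.
        $names = if ($cert) { @($cert.DnsNameList | ForEach-Object { $_.Unicode }) } else { @() }
        [pscustomobject]@{
            Site          = $site.Name
            Binding       = $b.bindingInformation
            CertFound     = [bool]$cert
            Thumbprint    = $b.certificateHash
            Subject       = if ($cert) { $cert.Subject }
            Issuer        = if ($cert) { $cert.Issuer }
            SelfSigned    = if ($cert) { $cert.Subject -eq $cert.Issuer }
            SignatureAlg  = if ($cert) { $cert.SignatureAlgorithm.FriendlyName }
            HasPrivateKey = if ($cert) { $cert.HasPrivateKey }
            Expired       = if ($cert) { $cert.NotAfter -lt (Get-Date) }
            Names         = $names -join ', '
            MissingNames  = @($ExpectedNames | Where-Object { -not (Test-NameCovered $_ $names) }) -join ', '
        }
    }
}
$report | Format-List
```

In the Exchange Management Shell, `Get-ExchangeCertificate | Format-List Thumbprint,Services,CertificateDomains` shows which Exchange services each of those thumbprints is assigned to.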
  • Can you elaborate as to steps to change certificate on IIS back to "Microsoft Exchange" certificate?

    Saturday, February 6, 2016 10:22 PM
  • The main reason is that Exchange 2013/2016 cannot use SHA-2 certificates issued by an enterprise CA.

    So, if you are using an internal Windows-based CA, then use SHA-1.

    If you must use a SHA-2 certificate, order it from an external CA.

    Sunday, April 10, 2016 1:44 PM
  • On the Ex2016 server that you recently added the new certificate to, or modified existing certificates on, open an elevated command prompt as administrator and run IISRESET.  Then you should be able to log in to EAC.

    After you've added/imported a new 3rd-party certificate for Ex2016 (i.e. a UC/SAN cert, Unified Communication/Subject Alternative Name), IIS services get bound to that new certificate, and you have to reset IIS.

    I experienced the same issue and was able to login to EAC after this.  No complicated certificate modifications required.  Hope this helps.

    Detrich

    Friday, September 23, 2016 4:58 PM
  • I had the same issue and ran the iisreset and it worked! Thank you so much
    • Proposed as answer by SJ1709 Friday, March 8, 2019 5:04 PM
    Friday, January 25, 2019 3:49 PM
  • IISreset did the trick. 

    My Setup:

    New Exchange 2016. I had already imported the Digicert SSL cert that we were using in another Exchange 2016 server. After importing and assigning services to the certificate, I was unable to log in to OWA. It says 'Invalid username or password'.

    Solution:

    Checked the IIS bindings and it looked good.

    Ran an IISreset command.

    Friday, March 8, 2019 5:07 PM