LS Storage Service 32053 and Autodiscover EWS errors

  • Question

  • Hi, I have Skype for Business in an Exchange 2016/2010 coexistence environment.

    The S4B Standard server is throwing the following "LS Storage Service" 32054 events and the S4B client is prompting for Exchange credentials:

    Storage Service had an EWS Autodiscovery failure.
    
    StoreWebException: code=ErrorEwsAutodiscover, reason=GetUserSettings failed,  smtpAddress=user@domain.com, Autodiscover 
    Uri=https://autodiscover.domain.com/autodiscover/autodiscover.svc, Autodiscover WebProxy=<NULL>, WebExceptionStatus=ProtocolError ---> System.Net.WebException: The remote server returned an error: (403) Forbidden.

    This is for a mailbox that has been migrated to Exchange 2016.

    403 forbidden is indicating some kind of permissions problem but there aren't any other issues with Autodiscover or EWS.

    Authentication settings on the Exchange 2016 server:

    RunspaceId                      : 98fad0e0-c3cd-492e-9f06-a63be1465672
    Name                            : Autodiscover (Default Web Site)
    InternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
    ExternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}

    test-csExStorageConnectivity -Sipuri user@domain.com succeeds.

    Autodiscover is pointing to an Exchange 2016 server.

    I'm wondering if it's something related to the coexistence which will go away once we've decommissioned the Exchange 2010 servers.

    But the prompt for credentials is definitely new since we pointed all Autodiscover and client access to Exchange 2016.

    I'm not sure if the errors logged and the prompt for credentials are even related. But if I look at the Connection Information for the S4B client under the EWS Information field it says "EWS not fully initialized." and the EWS Internal and External URL fields are blank.

    So I'm making the connection between the two based on that.

    Anyone run into this particular error? Lots of info with regards to OAuth but not this one.




    Monday, November 13, 2017 4:23 PM

All replies

  • Hello Jay,

    If Autodiscover is set for your environment, the client should show EWS deployed after 5 minutes.

    The first error is normal if a mobile client connects; this error will always happen if the Unified Contact Store is not deployed (supported for Exch 2013/2016).


    regards Holger Technical Specialist UC


    Monday, November 13, 2017 8:03 PM
  • I definitely have Autodiscover deployed and configured in S4B.  But the client never detects the EWS settings.

    By "the first error" do you mean the 503 error in the Autodiscover events?  Or the Exchange credentials?

    The Exchange Credentials prompt occurs in the desktop client.

    I haven't deployed the Unified Contact Store.


    Monday, November 13, 2017 8:18 PM
  • I mean the first error, this is a default behavior and can be ignored.

    regards Holger Technical Specialist UC

    Monday, November 13, 2017 8:20 PM
  • Hi Jay,

    This behavior occurs because the OAuth method is not supported by Exchange Server 2010.

    To fix this issue, install the cumulative update for Skype for Business Server 2015.

    https://support.microsoft.com/en-us/help/3061064/updates-for-skype-for-business-server-2015

    Please check the steps for configuring partner applications in Skype for Business Server 2015 and Microsoft Exchange Server:

    https://technet.microsoft.com/en-us/library/jj688151(v=ocs.16).aspx


    Regards,

    Leon Lu


    Please remember to mark the replies as answers if they helped.
    If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Tuesday, November 14, 2017 8:27 AM
  • Is there a specific fix in the May 2017 CU that addresses this? I don't see one mentioned in the release.

    I have the February 2017 CU installed.

    Tuesday, November 14, 2017 1:54 PM
  • Hi Jay,

     

    If you installed the February 2017 CU, you need not install the May 2017 CU to fix the problem.

    First, please check the following steps.

    1. Use the NSlookup command to test whether the computer is able to resolve the Exchange Autodiscover address.

    2. Go to Credential Manager to check whether any stale credential exists.

    If you have checked the above steps, you could try the following:

    Please exit the Skype for Business client, open the following registry entry, and define your EWS Internal and External URLs:

    [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Lync\<sip address>\Autodiscovery]

    Inside are a bunch of values, two of which are InternalEwsUrl and ExternalEwsUrl.  You could try to change these URLs on your test machine. (If you do not have the Autodiscovery key, please create one.)


    Regards,

    Leon Lu




    Tuesday, November 21, 2017 8:40 AM
  • I am only at the Feb 2017 update so I definitely could use some updating but...

    It appears that the two problems aren't necessarily related.

    The real problem is that my clients are getting the "Exchange needs your credentials" prompt. 

    If I look in the IIS logs of the Exchange 2016 Client Access Service server that Autodiscover is pointing to I see:

    2017-11-27 14:06:21 192.168.x.x POST /EWS/Exchange.asmx &CorrelationID=<empty>;&cafeReqId=666110d6-0f59-49c7-8382-5c4e561f0490; 443 SANDVINE\jscovill 192.168.x.x OC/16.0.4615.1000+(Skype+for+Business) - 403 0 0 31

    A Fiddler trace also confirms this:

    POST https://ews.domain.com/EWS/Exchange.asmx HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: text/xml; charset=utf-8
    User-Agent: OC/16.0.4615.1000 (Skype for Business)
    SOAPAction: "http://schemas.microsoft.com/exchange/services/2006/messages/ConvertId"
    X-AnchorMailbox: jscovill@domain.com
    Content-Length: 514
    Host: ews.domain.com
    Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAJAAAAAYABgAqAAAABAAEABYAAAAEAAQAGgAAAAYABgAeAAAABAAEADAAAAAFYKI4goA1zoAAAAP/LTL0gkRlHGg3KxE2Wf8uVMAQQBOAEQAVgBJAE4ARQBqAHMAYwBvAHYAaQBsAGwASgBTAEMATwBWAEkATABMAC0AUABDADIAixRsN+8s1gcAAAAAAAAAAAAAAAAAAAAANgpzAyB85lqnnvu++SQSV6+gGZ9MvKKJ85y3Zb9uN/lHz66SIUWoHA==
    
    <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Header><RequestServerVersion Version="Exchange2007_SP1" xmlns="http://schemas.microsoft.com/exchange/services/2006/types"/></s:Header><s:Body><ConvertId DestinationFormat="OwaId" xmlns="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">  <SourceIds>    <t:AlternateId Format="EwsId" Id="0" Mailbox="dummy@example.com"/>  </SourceIds></ConvertId></s:Body></s:Envelope>
    HTTP/1.1 403 Forbidden
    Cache-Control: private
    Server: Microsoft-IIS/8.5
    request-id: 29fed5d7-853b-4f7f-8cd9-8d6771b5dd85
    X-CalculatedBETarget: excas.domain.com
    X-DiagInfo: excas1
    X-BEServer: excas1
    X-AspNet-Version: 4.0.30319
    Set-Cookie: exchangecookie=f7bf16c32fe84714acf15a8e1be738b8; expires=Tue, 27-Nov-2018 14:10:22 GMT; path=/; HttpOnly
    Set-Cookie: X-BackEndCookie=jscovill@domain.com=u56Lnp2ejJqBycvGyp3GnJ7SnszLxtLLmsnM0p2anJ3SzsaansmcypnKms+agYHNz87I0s7N0s3Iq87Lxc7Pxc3NgYyekZuJlpGa0ZyQkoHP; expires=Wed, 27-Dec-2017 14:10:22 GMT; path=/EWS; secure; HttpOnly
    Persistent-Auth: true
    X-Powered-By: ASP.NET
    X-FEServer: excas
    Date: Mon, 27 Nov 2017 14:10:22 GMT
    Content-Length: 0
    
    

    So there appears to be an issue with the client accessing the Exchange Web Services URL.  But I can't find a reason.


    Monday, November 27, 2017 2:15 PM
  • Hi Jay,

     

    When you open Outlook, does the SfB client still prompt "Exchange needs your credentials"?

     

    Make sure these URLs are correct and you are able to browse internal EWS on intranet and external EWS URL from internet. You should see the EWS XML document displayed in the web browser. See below Image.

     

    If you are prompted for credentials multiple times, check whether a firewall or a proxy is blocking Lync from connecting to EWS; you may experience symptoms such as repeated credential requests, stale Address Book Service (ABS), and intermittent Free/Busy presence issues.

    To resolve this problem, verify that the user has the correct proxy configured in Internet Explorer.

    a.     Start Internet Explorer.

    b.    On the Tools menu, click Internet Options, click Connections, and then click LAN Settings.

    c.     Make sure that the automatically detect settings option is selected. If your organization requires you to enter specific information for the proxy server or an automatic configuration script, contact your network administrator.

    d.    Restart both Internet Explorer and Lync to check whether the problem is resolved. If the problem persists, go on to the next section.

    5.    Make sure you correctly configured Outlook profile and selected the default profile to work correctly.


    Regards,

    Leon Lu



    Wednesday, November 29, 2017 11:24 AM
  • Yes, I can browse the EWS URL in IE from the same client that is getting the 403 in the S4B client.

    That is the strange part.  There are definitely no firewalls blocking the access between the client and EWS.

    Wednesday, November 29, 2017 2:40 PM
  • Hi Jay,

    If you set up another account on your computer, does the issue persist?

    Do other users in your organization have the same problem?

    Have you checked the “automatically detect settings” option in the IE settings?

    If other account in your computer, the problem relates to your account; please re-enable your account in the Skype for Business control panel.

    Please check the Office credential configuration (user name and password) in Credential Manager.

    Check that “Windows integrated authentication” is selected in the Skype for Business control panel, table “Security”.

     

    You could try to clean the skype for business client cache and make a test.


    Regards,

    Leon Lu



    Friday, December 1, 2017 9:25 AM
  • Persists across multiple accounts and multiple computers or same account on multiple computers.

    Removing/re-enabling the account for Skype doesn't change anything.

    Credential Manager is cleared.

    Have completely removed the SIP profile for the user on the client.

    There is nothing related to Windows Integrated Authentication in the S4B CP -> Security section.

    Friday, December 1, 2017 5:23 PM
  • Hi Jay,

     

    You could run Get-OrganizationConfig and check the attribute called EwsApplicationAccessPolicy. Is it like the following screenshot?

    Disabling all authentications except "Anonymous and Windows Authentication" for EWS in IIS.

     

    Based on your reply “browse the EWS URL in IE from the same client that is getting the 403”, please check the IIS log for the detailed error code. Error code 403 might be caused by various factors (see http://support.microsoft.com/kb/943891).


    Regards,

    Leon Lu



    Tuesday, December 5, 2017 9:43 AM
  • My EWSApplicationAccessPolicy matches.

    I can browse the EWS directory with IE.  It is just the Skype for Business client that is getting the 403.  And it isn't all users.

    This is the IIS log entry:

    2017-12-05 21:16:02 192.168.x.x POST /EWS/Exchange.asmx &CorrelationID=<empty>;&cafeReqId=1d873a9b-fed0-4041-b05d-020c6ae64902; 443 domain\jscovill 192.168.x.x OC/16.0.4615.1000+(Skype+for+Business) - 403 0 0 15
    Tuesday, December 5, 2017 9:18 PM
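
Added example (not part of any reply in this thread): one way to act on the advice to check the IIS log for the detailed error code, by parsing W3C log lines and listing, per user, which user agents were denied on /EWS/Exchange.asmx and which succeeded. The sample log, user names and addresses are constructed, and the field order is an assumption taken from the `#Fields` line inside the sample.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format; not taken from the thread's servers.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2017-12-05 21:16:02 192.0.2.10 POST /EWS/Exchange.asmx - 443 EXAMPLE\alice 192.0.2.50 OC/16.0.4615.1000+(Skype+for+Business) - 403 0 0 15
2017-12-05 21:16:05 192.0.2.10 GET /EWS/Exchange.asmx - 443 EXAMPLE\alice 192.0.2.50 Mozilla/5.0+(Windows+NT+6.1;+Trident/7.0) - 200 0 0 31
2017-12-05 21:17:40 192.0.2.10 POST /EWS/Exchange.asmx - 443 EXAMPLE\bob 192.0.2.51 OC/16.0.4615.1000+(Skype+for+Business) - 200 0 0 46
2017-12-05 21:18:11 192.0.2.10 POST /autodiscover/autodiscover.svc - 443 - 192.0.2.50 OC/16.0.4615.1000+(Skype+for+Business) - 401 1 2148074254 0
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))


def ews_403_report(text, stem="/ews/exchange.asmx"):
    """Per user denied on EWS: denied agents with status.substatus, and agents that got 200."""
    seen = defaultdict(lambda: defaultdict(set))
    for rec in parse_w3c(text):
        if rec["cs-uri-stem"].lower() == stem:
            code = rec["sc-status"] + "." + rec["sc-substatus"]
            seen[rec["cs-username"]][rec["cs(User-Agent)"]].add(code)
    report = {}
    for user, agents in seen.items():
        # Agents that received any 403.x for this user on the EWS endpoint.
        denied = {a: sorted(c) for a, c in agents.items()
                  if any(x.startswith("403.") for x in c)}
        if denied:
            allowed = sorted(a for a, c in agents.items() if "200.0" in c)
            report[user] = {"denied": denied, "allowed_agents": allowed}
    return report


if __name__ == "__main__":
    for user, info in ews_403_report(SAMPLE_LOG).items():
        print(user, info)
```

A user listed with a denied Skype for Business agent and an allowed browser agent matches the symptom described in this thread; a `403.0` entry means the log line carries no more specific sub-status.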
  • Hi Jay,

     

    Is your SIP domain different from your SMTP domain (mail)?

     

    If you are running Skype for Business Server internally, then you might try turning off certificate authentication. That should prevent it from saving the cert credentials in the first place.

    You could log out of SfB, delete the saved credentials (using the button on the sign in page), and enter the password again.


    Regards,

    Leon Lu



    Friday, December 8, 2017 8:10 AM