Can not access OWA RRS feed

Question

  • Working in an empty forest root with two child domains.  All domains are using the same AD site.

    I have a CAS server in ChildDomain1 which is trying to access a Mailbox Server in ChildDomain2.

    When trying to access OWA it shows that the connection to the Exchange Server can not be established.

    When running Test-OwaConnectivity I'm getting the message "The test encountered an error while logging on to Outlook Web Access.  Outlook Web Access Error Page:  Error Message:  Outlook Web Access could not connect to Microsoft Exchange.  If the problem continues, contact technical support for your organization.  Request URL: https://localhost/owa/forms/premium/startpage.aspx.  Exception Type: Microsoft.Exchange.data.storage.connectionfailedtransientexception  Exception message: Event manager was not created"

    When running Test-WebServicesConnectivity I get "SyncFolderItems Failure.  Access is denied.  Check credentials and try again."

    I am testing with a mailbox in the ChildDomain2, I can access the mailbox if using Outlook in that domain with that user logged in.

    I did build a lab around this and was able to successfully access OWA using the same setup as above.

    I'm guessing there is something in AD preventing authentication from passing from one child to the next, BUT I checked the trusts and they are all transitive.

    I'm curious if anyone else has seen this or has any input on this, because it is driving me crazy!  I did just learn that the OU where the Exchange Servers are deployed is blocked from inheriting the domain policy; it is set to loop back to whatever policy the logon user has.

    Thoughts?

    BP
    Monday, March 9, 2009 8:53 PM

Answers

  • So after about four days I finally got this one resolved.

    As it would turn out it was an issue with the Domain and the SPN.

    What had occurred is that when the server was created and configured it was deployed in ChildDomain1.  Once the configuration was complete it was then moved to ChildDomain2.

    Active Directory in CD1 continued to hold a computer object for the Mailbox server, so when the DC in the CD1 domain did a lookup it would find that server object and try to authenticate the SPNs for that server back to the CAS, which failed because that wasn't the server.

    Long story short, by removing the Computer Object (for the old mailbox server which was moved to CD2) in the CD1 domain, the Domain Controller in CD1 was able to look outside the domain and get the correct SPNs and Computer Object in CD2.

    Enjoy


    BP
    Tuesday, March 17, 2009 4:03 PM
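A forest-wide check for the condition BP describes (one host represented by computer objects or SPNs in more than one domain), added here as an example and not part of the thread. It assumes a domain-joined machine with read access to the Global Catalog; the host name is a constructed placeholder.

```powershell
# Added diagnostic (not from the thread): find every computer object in the forest
# that carries a given host name or an SPN for it, so a stale object left behind
# in one child domain shows up next to the real one in the other.
# Assumes a domain-joined machine with read access to the Global Catalog.
# $HostName is a constructed placeholder; replace it with the mailbox server name.
param([string]$HostName = 'MBX01')

Add-Type -AssemblyName System.DirectoryServices
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$gc     = New-Object System.DirectoryServices.DirectoryEntry("GC://$($forest.Name)")

$searcher = New-Object System.DirectoryServices.DirectorySearcher($gc)
$searcher.PageSize = 1000
# Match the account name (NAME$) or any SPN whose host part is NAME or NAME.<fqdn>
$searcher.Filter = "(&(objectCategory=computer)(|(sAMAccountName=$HostName`$)" +
                   "(servicePrincipalName=*/$HostName)(servicePrincipalName=*/$HostName.*)))"
foreach ($attr in 'distinguishedName','dNSHostName','servicePrincipalName','whenChanged') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$hits = foreach ($r in $searcher.FindAll()) {
    $dn = [string]$r.Properties['distinguishedname'][0]
    # Derive the owning domain from the DC= components of the DN
    $domain = (($dn -split ',' | Where-Object { $_ -like 'DC=*' }) -replace '^DC=') -join '.'
    [pscustomobject]@{
        Domain      = $domain
        DN          = $dn
        DnsHostName = [string]$r.Properties['dnshostname'][0]
        Changed     = $r.Properties['whenchanged'][0]
        SPNs        = @($r.Properties['serviceprincipalname'])
    }
}

$hits | Format-List Domain, DN, DnsHostName, Changed, SPNs

$domains = @($hits | Select-Object -ExpandProperty Domain -Unique)
if ($domains.Count -gt 1) {
    Write-Warning "$HostName is represented in more than one domain: $($domains -join ', ')"
    Write-Warning 'A DC that finds its local copy first will use that object''s SPNs; the entry with the older whenChanged is the likely leftover.'
} elseif (-not $hits) {
    Write-Warning "No computer object for $HostName was found in the forest"
}
```

The built-in `setspn -X -F` gives a related forest-wide report of duplicate SPNs, but it does not show which domain each owning object lives in, which is the detail that mattered here.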

All replies

  • Update: I have noticed that when a user tries to log in from the CAS in CD1 to the Mailbox Server in CD2, the user is trying to authenticate as anonymous. Not sure why, but it would appear the domain credentials are not being passed over.

    I am using FBA on the CAS server.

    I have found others having a similar problem but no solutions to those problems!

    I have also noticed that when trying to authenticate to the backend mail server in the other domain there is an NTLM authentication response rather than a Kerberos auth.

    Anyone?  Thoughts?

    BTW, I haven't had a chance to deploy the MB server in the same domain as the CAS server.  Still waiting for storage.

    BP
    Tuesday, March 10, 2009 4:24 PM
  • Hi,

    Did any error message come up in the event log? And please send me the IIS log at allensyr2003@hotmail.com

    Thanks

    Allen
    Wednesday, March 11, 2009 9:38 AM
  • Sent!  Thanks for your time.

    BP
    Wednesday, March 11, 2009 5:04 PM