FIM Warning - Cannot Access Exchange Web Service

  • Question

  • Hi,

     I'm using FIM to create AD users and mailboxes. Exchange email notifications and distribution group management are not being used.

    I'm running Exchange 2010 SP 2 (ht, cas and mbx on a single server) with FIM 2010 R2 (both Exchange and FIM are running on Windows 2008 R2).

    The problem I have is that FIM is logging warnings in the event log (Cannot connect to Exchange web service).

    On Exchange I've configured integrated windows and forms based authentication with SSL (these settings are required to publish OWA via TMG and allow users to change their password).

    The FIM service account has a mailbox, which it can logon to. 

    In Microsoft.ResourceManagement.Service.config.exe I have the mailserver key configured as:

    <add key="mailServer" value="" />
    <add key="isExchange" value="1" />
    <add key="SendAsAddress" value="" />
    <add key="synchronizationServerName" value="SvrFIM01" />

    On the FIM server, if I open IE by performing a runas using the FIM service account and browse to I'm prompted for logon credentials - once I've entered I and accepted the IE warning to "show all content" I'm presented with the Exchange XML information.

    1. Is there a way to stop this warning from being logged? Presumably I would need to re-configure the OWA authentication settings (something I'm not keen to do).
    2. If I'm not using email notifications, what impact does a failure to contact Exchange web services have?


    • Edited by Aetius2012 Monday, January 26, 2015 11:50 AM
    Monday, January 26, 2015 11:46 AM

All replies

  • Are you able to provision mailboxes successfully?

    Is anything failing, besides the log noise?

    Nosh Mernacaj, Identity Management Specialist

    Monday, January 26, 2015 3:15 PM
  • Mailboxes are successfully created and nothing is failing, so yes, it just seems to be log noise.

    I'm wondering how many people have similar issues when publishing OWA.

    IT Support/Everything

    Monday, January 26, 2015 4:20 PM
  • These errors are, indeed, very common.  So here is what I suggest you do.

    1. Check if the Exchange certificate has been installed; try the link while logged in as the FIM Service account.

    If you get a certificate error, install it in the Trusted People store of this service account.

    2. Make sure the name of the CAS server or alias matches the one given in the cert.

    Nosh Mernacaj, Identity Management Specialist

    Monday, January 26, 2015 4:28 PM
  • The Exchange cert has been installed and is trusted. The issue I'm getting when I try to browse using IE is that IE prompts for a login (even if iexplore.exe is running as the FIM service account). The certificate SAN matches.

    The only IE-related warning I'm receiving isn't certificate related (see below).

    • Edited by Aetius2012 Monday, January 26, 2015 5:05 PM
    Monday, January 26, 2015 5:04 PM
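
The certificate checks and the logon-prompt test from the replies above can be scripted instead of clicked through in IE. This is an added example, not part of the thread: run it in a PowerShell session started as the FIM service account. The URL is a placeholder (the thread's own URL is not shown) and the output property names are made up for this example.

```powershell
# Added example, not from the thread. $EwsUrl defaults to a placeholder.
param([string]$EwsUrl = 'https://cas.example.test/EWS/Exchange.asmx')
$uri = [Uri]$EwsUrl

# Step 1: TLS handshake. The callback records how this account's trust stores
# judge the certificate (chain errors, name mismatch) but lets the handshake finish.
$script:sslErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($s, $c, $chain, $errors)
    $script:sslErrors = $errors; $true
}
$tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
try {
    $ssl  = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($uri.Host)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
} finally { $tcp.Close() }
$sanText = ''
if ($san) { $sanText = $san.Format($false) }

# Step 2: request the page with the current account's Windows credentials only.
# Default credentials work for Negotiate/NTLM/Kerberos, never for Basic or forms logon.
$status = $null; $offered = $null; $location = $null
if ("$script:sslErrors" -eq 'None') {
    $req = [System.Net.WebRequest]::Create($uri)
    $req.UseDefaultCredentials = $true
    $req.AllowAutoRedirect = $false        # surface a redirect instead of following it
    try { $resp = $req.GetResponse() }
    catch {
        $ex = $_.Exception                 # unwrap PowerShell's wrapper exception
        while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
        if (-not $ex -or -not $ex.Response) { throw }
        $resp = $ex.Response               # 401/403 responses arrive as exceptions
    }
    $status   = [int]$resp.StatusCode
    $offered  = $resp.Headers.GetValues('WWW-Authenticate')
    $location = $resp.Headers['Location']
    $resp.Close()
}

New-Object PSObject -Property @{
    RunningAs          = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    CertSubject        = $cert.Subject
    CertSAN            = $sanText
    TrustAndNameCheck  = "$script:sslErrors"   # 'None' means trusted and name matches
    HttpStatus         = $status
    AuthSchemesOffered = $offered -join ', '
    RedirectTo         = $location
}
```

A `TrustAndNameCheck` other than `None` points at the certificate checks; a final `HttpStatus` of 401 with `None` means the account's integrated credentials were not accepted, which is the non-interactive equivalent of the IE logon prompt.
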
  • There is no SSO and you have to provide creds always.

    Nosh Mernacaj, Identity Management Specialist

    Monday, January 26, 2015 5:13 PM
  • That's just not true, you should be able to browse to and be presented with the relevant XML by Exchange without requiring a logon (I've tested in a second FIM environment and it works)

    IT Support/Everything

    Tuesday, January 27, 2015 9:05 AM
  • I was referring to OWA, not the asmx page.

    Nosh Mernacaj, Identity Management Specialist

    Tuesday, January 27, 2015 4:45 PM
  • What if the URL presents a logon prompt? I am getting the prompt when accessing the URL and can see the same error in the event logs.

    Regards, Jim MSCS - MCP Disclaimer: This posting is provided AS IS with no warranties or guarantees , and confers no rights. When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer

    • Proposed as answer by Nosh Mernacaj Wednesday, August 1, 2018 1:25 PM
    • Unproposed as answer by Nosh Mernacaj Wednesday, August 1, 2018 1:25 PM
    Friday, July 20, 2018 3:30 PM
  • Log in with the creds of the service account.

    Nosh Mernacaj, Identity Management Specialist

    Wednesday, August 1, 2018 1:26 PM