Exchange 2010 provisioning via FIM fails with a HTTP 403 error using WinRM

  • Question

  • Hello,

    I am attempting to provision a mail enabled contact on Exchange 2010 using FIM 2010. FIM silently fails but I get an error in the Application log:

    Message: Connecting to remote server {cas array uri} failed with the following error message : The WinRM client received an HTTP status code of 403 from the remote WS-Management service. For more information, see the about_Remote_Troubleshooting Help topic.

    This is actually an improvement as it was failing with a Kerberos error previously until I set up an Alternate Service Account for my CAS Array. I can connect with Outlook via Kerberos so I know Kerberos is working. Also, since the error changed to a HTTP 403 it seems I am at least getting my credentials through but there is now a permission problem.

    The account that FIM is running under has AD permissions to create the object in the OU specified. I have also temporarily made it an Exchange Admin but I still get the error. I have not been able to find any info on permissions to grant or what else I might be doing wrong in this instance.

    I am using code provisioning: ExchangeUtils.CreateMailEnabledContact

    I can reproduce the error trying to manually establish a PSSession:

    $Ex2010Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://{cas-array-uri}/powershell/ -Authentication Kerberos -Credential (Get-Credential)

    This generates the same error as above (HTTP 403).

    Any hints?

    Thank you!

    • Edited by karlmanlab Wednesday, March 12, 2014 8:42 PM
    Wednesday, March 12, 2014 3:59 PM

All replies

  • So, I have solved this but it brings up another question.

    I guess my issue the whole time was the Exchange 2010 RPS Uri setup in the AD Management Agent. I had set it to https://{cas-array-uri}/powershell

    This led me down a long road of getting Kerberos set up for the array. After noticing it in a post, I am not supposed to be using SSL. Simply changing it to http:// didn't help initially because our load balancing is auto redirecting to https. However, going straight to a CAS server using http:// works great!

    I guess I need to figure out why WinRM doesn't use SSL?


    Wednesday, March 12, 2014 9:19 PM