EWS Failing with 'The request failed. The remote server returned an error: (403) Forbidden.'

  • Question

  • I have a single Exchange 2010 server that was migrated from 2003. Everything works fine .. except testing on remote analyzer. I can connect remotely from Outlook 2007/2010; OWA works .. etc. EWS tests are failing. The Lync 2010 clients get a 2nd dialog box prompting, and the configuration shows no EWS available. I am also not able to connect via Apple Mail or test successfully via testexchangeconnectivity.com. I have rebuilt all VDs in IIS, removed & readded the CAS role .. nothing seems to rid this error. The mailbox used for testing is new and has never been logged into, so therefore contains nothing. I have verified the IIS permissions against 3 other working Exchange 2010 servers. (not in this domain)

    EXCH01 - Original Exchange 2010 server .. errors on here
    EXCH02 - Recently added to test for any corruption. At first I did not get the error when testing, after migrating the users from EXCH01 to EXCH02 (new CAS) .. I get the error again.

    I am wondering if it is something in AD that is causing the 403. I'm not sure where to look from here.

    Ensuring that the test mailbox folder is empty and accessible.
      ExRCA couldn't confirm that the folder is accessible and empty.
     
    Additional Details
      Exception details:
    Message: The request failed. The remote server returned an error: (403) Forbidden.
    Type: Microsoft.Exchange.WebServices.Data.ServiceRequestException
    Stack trace:
    at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.GetEwsHttpWebResponse(IEwsHttpWebRequest request)
    at Microsoft.Exchange.WebServices.Data.MultiResponseServiceRequest`1.Execute()
    at Microsoft.Exchange.WebServices.Data.ExchangeService.BindToFolder[TFolder](FolderId folderId, PropertySet propertySet)
    at Microsoft.Exchange.Tools.ExRca.Tests.EnsureEmptyFolderTest.PerformTestReally()
    Exception details:
    Message: The remote server returned an error: (403) Forbidden.
    Type: System.Net.WebException
    Stack trace:
    at System.Net.HttpWebRequest.GetResponse()
    at Microsoft.Exchange.WebServices.Data.EwsHttpWebRequest.Microsoft.Exchange.WebServices.Data.IEwsHttpWebRequest.GetResponse()
    at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.GetEwsHttpWebResponse(IEwsHttpWebRequest request)

     


     

    [PS] C:\Windows\system32>Test-OutlookWebServices |fl


    RunspaceId : c07a4fb9-8a44-4c78-9909-ca610646ab9f
    Id         : 1013
    Type       : Error
    Message    : When contacting https://exch01.elcofnwflorida.org/EWS/Exchange.asmx received the error The request failed
                 with HTTP status 403: Forbidden.

    RunspaceId : c07a4fb9-8a44-4c78-9909-ca610646ab9f
    Id         : 1025
    Type       : Error
    Message    : [EXCH] Error contacting the AS service at https://exch01.elcofnwflorida.org/EWS/Exchange.asmx. Elapsed tim
                 e was 724 milliseconds.

    RunspaceId : c07a4fb9-8a44-4c78-9909-ca610646ab9f
    Id         : 1026
    Type       : Success
    Message    : [EXCH] Successfully contacted the UM service at https://exch01.elcofnwflorida.org/EWS/Exchange.asmx. The e
                 lapsed time was 15 milliseconds.

    RunspaceId : c07a4fb9-8a44-4c78-9909-ca610646ab9f
    Id         : 1013
    Type       : Error
    Message    : When contacting https://mail.elcnwf.org/ews/exchange.asmx received the error The request failed with HTTP
                 status 403: Forbidden.

    RunspaceId : c07a4fb9-8a44-4c78-9909-ca610646ab9f
    Id         : 1025
    Type       : Error
    Message    : [EXPR] Error contacting the AS service at https://mail.elcnwf.org/ews/exchange.asmx. Elapsed time was 31 m
                 illiseconds.

    RunspaceId : c07a4fb9-8a44-4c78-9909-ca610646ab9f
    Id         : 1026
    Type       : Success
    Message    : [EXPR] Successfully contacted the UM service at https://mail.elcnwf.org/ews/exchange.asmx. The elapsed tim
                 e was 0 milliseconds.

    RunspaceId : c07a4fb9-8a44-4c78-9909-ca610646ab9f
    Id         : 1113
    Type       : Error
    Message    : When contacting https://exch01.elcofnwflorida.org/ews/exchange.asmx received the error The request failed
                 with HTTP status 403: Forbidden.

    RunspaceId : c07a4fb9-8a44-4c78-9909-ca610646ab9f
    Id         : 1125
    Type       : Error
    Message    : [Server] Error contacting the AS service at https://exch01.elcofnwflorida.org/ews/exchange.asmx. Elapsed t
                 ime was 15 milliseconds.

    RunspaceId : c07a4fb9-8a44-4c78-9909-ca610646ab9f
    Id         : 1126
    Type       : Success
    Message    : [Server] Successfully contacted the UM service at https://exch01.elcofnwflorida.org/ews/exchange.asmx. The
                  elapsed time was 0 milliseconds.

     

    I've gone through and verified all SSL certificates and they test correctly.

     

    -- Jeremy McSpadden Flux Labs





    Thursday, December 22, 2011 2:09 AM

Answers

  • Set-OrganizationConfig -EwsApplicationAccessPolicy:$null

    Finally fixed it. This should have been set by default. In my opinion

    EwsApplicationAccessPolicy :

    As shown above, should mean $null.


    -- Jeremy McSpadden Flux Labs
    Monday, January 9, 2012 4:10 PM

All replies

  • Check for Firewall Rules - Exceptions Set

    Thursday, December 22, 2011 11:42 PM
  • Windows Firewall is disabled.
    -- Jeremy McSpadden Flux Labs
    Friday, December 23, 2011 12:13 AM
  • Hi Jeremy,

    From the test outcome, the internal URL of Availability service is not available. Error code 403 might be caused by various factors (See http://support.microsoft.com/kb/943891). I would suggest you test the URL in internal client via IE and then check the IIS log for the detailed error code.

    Besides, verify the permission and the certificate should be helpful. Refer to: http://blogs.technet.com/b/exchange/archive/2010/09/23/3411146.aspx.

     

     

     


    Fiona Liao

    TechNet Community Support

    Friday, December 23, 2011 7:09 AM
    Moderator
  • Thanks for the reply .. I have looked at these, and everything matches up. The only 403 errors I am seeing in IIS are:

    2011-12-23 19:12:29 10.0.0.231 POST /ews/exchange.asmx ;RC:34ac99aa-dd97-4659-a00e-fcb60bfad427;Init>>Conn:0,HangingConn:0,AD:30000/30000/0%,CAS:54000/54000/0%,AB:30000/30000/0%,RPC:36000/36000/0%,FC:1000/0,Policy:DefaultThrottlingPolicy_b69f82d3-7945-4e12-ba00-a6354ac7c108,Norm,Sub:5000/0;NoAccess.SoapAction=m:GetFolder;Version=1;RpcC=0;RpcL=0;LdapC=0;LdapL=0;End(0ms)>>Conn:1,HangingConn:0,AD:30000/30000/0%,CAS:54000/54000/0%,AB:30000/30000/0%,RPC:36000/36000/0%,FC:1000/0,Policy:DefaultThrottlingPolicy_b69f82d3-7945-4e12-ba00-a6354ac7c108,Norm,Sub:5000/0; 443 ELC\blank 207.46.14.52 ExchangeServicesClient/15.00.0224.000 403 0 0 148

     

    POST /ews/exchange.asmx ;RC:31533194-a7e1-4475-9c2b-a3e6a9b2918a;Init>>Conn:0,HangingConn:0,AD:30000/30000/0%,CAS:54000/54000/0%,AB:30000/30000/0%,RPC:36000/36000/0%,FC:1000/0,Policy:[Fallback],Norm,Sub:5000/0;NoAccess.End(0ms)>>Conn:1,HangingConn:0,AD:30000/30000/0%,CAS:54000/54000/0%,AB:30000/30000/0%,RPC:36000/36000/0%,FC:1000/0,Policy:[Fallback],Norm,Sub:5000/0; 443 ELC\EXCH01$ ::1 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.5448) 403 0 0 0

    The line that worries me is : ELC\EXCH01$ ::1 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.5448) 403 0 0 0

    Not sure why the computer account is getting a 403. I have reset the computer account and cannot see any errors in system logs regarding authentication to the domain.


    -- Jeremy McSpadden Flux Labs
    Friday, December 23, 2011 8:08 PM
  • Hi,
    What authentication methods do you have configured for EWS?
    Check with Get-WebServicesVirtualDirectory | fl Identity,*auth*
    Martina Miskovic - http://www.nic2012.com/
    Saturday, December 24, 2011 5:38 AM
  • [PS] C:\Windows\system32>Get-WebServicesVirtualDirectory | fl Identity,*auth*


    Identity                      : EXCH02\EWS (Default Web Site)
    CertificateAuthentication     :
    InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity}
    ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity}
    LiveIdSpNegoAuthentication    : False
    WSSecurityAuthentication      : True
    LiveIdBasicAuthentication     : False
    BasicAuthentication           : False
    DigestAuthentication          : False
    WindowsAuthentication         : True

    Identity                      : EXCH01\EWS (Default Web Site)
    CertificateAuthentication     :
    InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity}
    ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity}
    LiveIdSpNegoAuthentication    : False
    WSSecurityAuthentication      : True
    LiveIdBasicAuthentication     : False
    BasicAuthentication           : False
    DigestAuthentication          : False
    WindowsAuthentication         : True



    -- Jeremy McSpadden Flux Labs
    Monday, December 26, 2011 12:43 AM
  • 2011-12-29T16:30:59.533Z,Negotiate,True,ELC\extest_b6ae39ab94a54,,Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.5448),fe80::d532:c87f:9a7b:20ef%11,EXCH02,,403,,,a6292a0005ca42328f31743fab2def0f,0,1,0,0,30000/30000/0%,30000/30000/0%,54000/54000/0%,54000/54000/0%,36000/36000/0%,36000/36000/0%,1000/0,1000/0,5000/0,5000/0,,,,,,,DefaultThrottlingPolicy_b69f82d3-7945-4e12-ba00-a6354ac7c108,,,0,0,0,0,15,,AuthError=User not allowed to access EWS;,ReportException_Message=Access is denied. Check credentials and try again.;ReportException_StackTrace=   at Microsoft.Exchange.Services.Wcf.MessageInspectorManager.AfterReceiveRequest(Message& request; IClientChannel channel; InstanceContext instanceContext)    at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.AfterReceiveRequestCore(MessageRpc& rpc)    at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage2(MessageRpc& rpc)    at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet);
    2011-12-29T16:30:59.549Z,Negotiate,True,ELC\extest_b6ae39ab94a54,,,fe80::d532:c87f:9a7b:20ef%11,EXCH02,,302,,,ea976f3f45e14a3a993e0320960f50bb,,,,,,,,,,,,,,,,,,,,,,,,,,,,15,,,
    2011-12-29T16:30:59.549Z,Negotiate,True,ELC\extest_b6ae39ab94a54,,Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.5448),10.0.0.232,EXCH02,,403,,,f2cc2d4f4f2649d2b1c334b4ed0d282b,0,1,0,0,30000/30000/0%,30000/30000/0%,54000/54000/0%,54000/54000/0%,36000/36000/0%,36000/36000/0%,1000/0,1000/0,5000/0,5000/0,,,,,,,DefaultThrottlingPolicy_b69f82d3-7945-4e12-ba00-a6354ac7c108,,,0,0,0,0,0,,AuthError=User not allowed to access EWS;,ReportException_Message=Access is denied. Check credentials and try again.;ReportException_StackTrace=   at Microsoft.Exchange.Services.Wcf.MessageInspectorManager.AfterReceiveRequest(Message& request; IClientChannel channel; InstanceContext instanceContext)    at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.AfterReceiveRequestCore(MessageRpc& rpc)    at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage2(MessageRpc& rpc)    at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet);
    2011-12-29T16:30:59.564Z,Negotiate,True,ELC\extest_b6ae39ab94a54,,,10.0.0.232,EXCH02,,302,,,6aedd686db7948dabd0d9a828677e0a8,,,,,,,,,,,,,,,,,,,,,,,,,,,,15,,,

     

     

    AuthError=User not allowed to access EWS;,ReportException_Message=Access is denied. Check credentials and try again


    -- Jeremy McSpadden Flux Labs
    Thursday, December 29, 2011 4:36 PM
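
The EWS log lines quoted in the post above show a caller that authenticated (`Negotiate,True`) and was still refused with `AuthError=User not allowed to access EWS`. The following is an added example, not part of the original thread: it triages such lines so that EWS-level access denials are separated from other 403s. The column positions are an assumption inferred from the quoted lines, and the sample rows are constructed.

```python
import csv
import re
from collections import Counter

# Constructed sample, modelled on the EWS log lines quoted in this thread.
# Throttling counters and stack traces are trimmed; the last two rows are
# invented to show a healthy request and a 403 that carries no AuthError.
SAMPLE_LOG = r"""
2011-12-29T16:30:59.533Z,Negotiate,True,ELC\extest_b6ae39ab94a54,,Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.5448),10.0.0.232,EXCH02,,403,,,AuthError=User not allowed to access EWS;,ReportException_Message=Access is denied. Check credentials and try again.;
2011-12-29T16:30:59.549Z,Negotiate,True,ELC\extest_b6ae39ab94a54,,,10.0.0.232,EXCH02,,302,,,
2012-01-04T20:10:53.100Z,Negotiate,True,ELC\test,,WebServicesConnectivityTest/2010 (MSEXCHMON 14.0),10.0.0.231,EXCHA,,403,,,AuthError=User not allowed to access EWS;,
2012-01-04T20:11:02.000Z,Negotiate,True,ELC\test,,WebServicesConnectivityTest/2010 (MSEXCHMON 14.0),10.0.0.232,EXCHB,,200,,,
2012-01-04T20:12:10.000Z,Negotiate,False,,,ExchangeServicesClient/15.00.0224.000,10.0.0.231,EXCHA,,403,,,
"""

# Assumed column positions, read off the lines quoted in the thread
# (not taken from any log schema documentation).
FIELDS = {
    "timestamp": 0,
    "auth_type": 1,
    "authenticated": 2,
    "user": 3,
    "user_agent": 5,
    "client_ip": 6,
    "server": 7,
    "status": 9,
}

AUTH_ERROR_RE = re.compile(r"AuthError=([^;]*);")


def parse_line(line):
    """Return a dict for one log row, or None if the row is not parseable."""
    row = next(csv.reader([line]), [])
    status_idx = FIELDS["status"]
    if len(row) <= status_idx or not row[status_idx].isdigit():
        return None
    rec = {name: row[idx] for name, idx in FIELDS.items()}
    rec["status"] = int(rec["status"])
    match = AUTH_ERROR_RE.search(line)
    rec["auth_error"] = match.group(1).strip() if match else None
    return rec


def classify(rec):
    """Separate EWS-level refusals from 403s raised without an AuthError."""
    if rec["status"] != 403:
        return "other"
    if rec["auth_error"]:
        # The EWS application refused the caller and logged why: look at the
        # Ews* access settings discussed in this thread, not at IIS auth.
        return "ews-access-denied"
    return "403-no-autherror"


def triage(text):
    """Count EWS access denials per (server, user, reason); list other 403s."""
    denied = Counter()
    unexplained = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind == "ews-access-denied":
            denied[(rec["server"], rec["user"], rec["auth_error"])] += 1
        elif kind == "403-no-autherror":
            unexplained.append(rec)
    return denied, unexplained


if __name__ == "__main__":
    denied, unexplained = triage(SAMPLE_LOG)
    for (server, user, reason), count in sorted(denied.items()):
        print(f"{server}  {user}  x{count}  {reason}")
    for rec in unexplained:
        print(f"{rec['server']}  403 without AuthError from {rec['client_ip']} "
              f"({rec['user_agent']})")
```

Rows in the first bucket point at the EWS access settings shown later in the thread (EwsEnabled, EwsApplicationAccessPolicy, EwsAllowList, EwsBlockList) rather than at the virtual directory's authentication methods.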
  • I cannot seem to get a -verbose output when running Test-OutlookWebServices cmdlet. Is there a way to debug this process? I cannot find anything wrong with this configuration. I have spent days trying to track back what is going on, no luck. Anyone have any direction to go?

    The certificate contains both internal and external fqdn. They are both routable from external DNS as well. (point to same IP)

    exch01.domain.com, autodiscover.domain.com, mail.domain.com .. all route to same IP from external DNS. This shouldn't cause an issue .. would it?



    -- Jeremy McSpadden Flux Labs

    Thursday, December 29, 2011 4:46 PM
  • BUMP .. I really need to get this resolved. Does anyone have a direction to go? I have since removed EXCH01 and migrated all users to EXCH02. I still get the same errors. I am thinking it has something to do with AD now. I have stripped the domain down to 1 DC/GC and 1 Exchange server, still get this error.
    -- Jeremy McSpadden Flux Labs
    Sunday, January 1, 2012 4:04 PM
  • [PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>Test-WebServicesConnectivity -UseAutodiscoverForClientAccessServer -MailboxCredential (Get
    -Credential ELC\blank.user) | FL


    RunspaceId                  : 08d25a6a-4b05-4ae7-9295-81fd324bd076
    Scenario                    : GetFolder
    ScenarioDescription         : Issue an Exchange Web Services GetFolder call to retrieve a folder.
    PerformanceCounterName      : CreateItem Latency
    Result                      : Failure
    Error                       : [System.Net.WebException]: The request failed with HTTP status 403: Forbidden.
    UserName                    : blank.user
    StartTime                   : 1/2/2012 11:35:06 PM
    Latency                     : -00:00:01
    EventType                   : Error
    LatencyInMillisecondsString :
    Identity                    :
    IsValid                     : True

     


    -- Jeremy McSpadden Flux Labs
    Tuesday, January 3, 2012 5:35 AM
  • Hi Jeremy,

    Does this issue only occur in one or some special migrated user mailboxes, or are all migrated mailboxes affected?

    Please run "Get-CASmailbox" for the problematic user account to see if OWAEnabled is set to true.

    Besides, check the application log when the issue occurs, and run Get-Mailbox for the problematic user and the non-affected user to see if there are any differences.

    Thanks.


    Fiona Liao

    TechNet Community Support

    Tuesday, January 3, 2012 8:23 AM
    Moderator
  • By the way, verify your DefaultThrottlingPolicy settings and make sure users are allowed to access EWS. Hope it is helpful.

    Fiona Liao

    TechNet Community Support

    Tuesday, January 3, 2012 8:25 AM
    Moderator
  • All mailboxes. OWA is enabled on all users.

    EWSMaxConcurrency                         : 10
    EWSPercentTimeInAD                        : 50
    EWSPercentTimeInCAS                       : 90
    EWSPercentTimeInMailboxRPC                : 60
    EWSMaxSubscriptions                       : 5000
    EWSFastSearchTimeoutInSeconds             : 60
    EWSFindCountLimit                         : 1000


    -- Jeremy McSpadden Flux Labs
    Tuesday, January 3, 2012 1:49 PM
  • Update:

    I have since setup a new 02, migrated all accounts from broken (seemingly) 01. The new 02 had the same issues. I removed 01 and setup a new 01, migrated all of 02 back to 01. Still same issues. A clean install (out of the box) and it works just fine, If I apply the updates, it breaks.

    It is KB2407113 Update Rollup 5 for Exchange 2010 and Standard Anti-Spam filter Updates v3.3.10826.460 that get installed after a clean install.

    Is anyone else having this issue? SP2 does not fix it.

     

    [PS] C:\Windows\system32>Test-WebServicesConnectivity -ClientAccessServer EXCHA -MailboxCredential (Get-Credential ELC\test) |fl


    RunspaceId                  : 95e4230c-ab5f-4684-ad51-dbe84258dd52
    LocalSite                   : PanamaCity
    SecureAccess                : True
    VirtualDirectoryName        :
    Url                         :
    UrlType                     : Unknown
    Port                        : 0
    ConnectionType              : Plaintext
    ClientAccessServerShortName : excha
    LocalSiteShortName          : PanamaCity
    ClientAccessServer          : excha.elcofnwflorida.org
    Scenario                    : GetFolder
    ScenarioDescription         : Issue an Exchange Web Services GetFolder call to retrieve a folder.
    PerformanceCounterName      : CreateItem Latency
    Result                      : Failure
    Error                       : [System.Net.WebException]: The request failed with HTTP status 403: Forbidden.
    UserName                    : test
    StartTime                   : 1/4/2012 12:13:38 PM
    Latency                     : -00:00:01
    EventType                   : Error
    LatencyInMillisecondsString :
    Identity                    :
    IsValid                     : True

     

    [PS] C:\Windows\system32>Test-WebServicesConnectivity -ClientAccessServer EXCHB -MailboxCredential (Get-Credential ELC\test)

    CasServer  LocalSite     Scenario        Result  Latency(MS) Error
    ---------  ---------     --------        ------  ----------- -----
    exchb      PanamaCity    GetFolder       Success       31.28
    exchb      PanamaCity    SyncFolderItems Success      218.97
    exchb      PanamaCity    CreateItem      Success       46.92
    exchb      PanamaCity    SyncFolderItems Success       15.64
    exchb      PanamaCity    DeleteItem      Success       78.20
    exchb      PanamaCity    SyncFolderItems Success       46.92

    EXCHA is new 01, running version 14.2 (Build 247.5) - SP2 (broken)
    EXCHB is new 02, running version 14.0 (Build 639.21) - RU5 (working)

     

     


    -- Jeremy McSpadden Flux Labs
    Wednesday, January 4, 2012 6:21 PM
  • Hi,
    Do you also have problems using ECP, and is any redirection configured in IIS?
    Martina Miskovic - http://www.nic2012.com/
    Wednesday, January 4, 2012 6:26 PM
  • No, ECP works fine. No redirects either. I've literally replaced both servers in this environment. OOF, busy free .. etc all work without a problem.
    -- Jeremy McSpadden Flux Labs
    Wednesday, January 4, 2012 6:29 PM
  • Can you run this again: Get-WebServicesVirtualDirectory | fl Identity,*auth*

    If BasicAuthentication is still set to False, please enable it.


    Martina Miskovic - http://www.nic2012.com/
    Wednesday, January 4, 2012 6:37 PM
  • [PS] C:\Windows\system32>Get-WebServicesVirtualDirectory |fl Identity,*auth*


    Identity                      : EXCHA\EWS (Default Web Site)
    CertificateAuthentication     :
    InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
    ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
    LiveIdSpNegoAuthentication    : False
    WSSecurityAuthentication      : False
    LiveIdBasicAuthentication     : False
    BasicAuthentication           : True
    DigestAuthentication          : False
    WindowsAuthentication         : True

    Identity                      : EXCHB\EWS (Default Web Site)
    CertificateAuthentication     :
    InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity}
    ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity}
    LiveIdSpNegoAuthentication    : False
    WSSecurityAuthentication      : True
    LiveIdBasicAuthentication     : False
    BasicAuthentication           : False
    DigestAuthentication          : False
    WindowsAuthentication         : True

     

    [PS] C:\Windows\system32>Test-WebServicesConnectivity -ClientAccessServer EXCHA -MailboxCredential (Get-Credential ELC\test) |fl


    RunspaceId                  : 95e4230c-ab5f-4684-ad51-dbe84258dd52
    LocalSite                   : PanamaCity
    SecureAccess                : True
    VirtualDirectoryName        :
    Url                         :
    UrlType                     : Unknown
    Port                        : 0
    ConnectionType              : Plaintext
    ClientAccessServerShortName : excha
    LocalSiteShortName          : PanamaCity
    ClientAccessServer          : excha.elcofnwflorida.org
    Scenario                    : GetFolder
    ScenarioDescription         : Issue an Exchange Web Services GetFolder call to retrieve a folder.
    PerformanceCounterName      : CreateItem Latency
    Result                      : Failure
    Error                       : [System.Net.WebException]: The request failed with HTTP status 403: Forbidden.
    UserName                    : test
    StartTime                   : 1/4/2012 1:15:20 PM
    Latency                     : -00:00:01
    EventType                   : Error
    LatencyInMillisecondsString :
    Identity                    :
    IsValid                     : True

     

    It works on B and Basic is disabled. How do I enable WSSecurity ?


    -- Jeremy McSpadden Flux Labs
    Wednesday, January 4, 2012 7:16 PM
  • Hi,
    It looks like you have configured authentication in IIS and not in EMS.

    Run this:
    Set-WebServicesVirtualDirectory -id "EXCHA\EWS (Default Web Site)" -WSSecurityAuthentication $True

    ...and when done, recycle the application pool MSExchangeSyncAppPool in IIS and run an IISReset
    Martina Miskovic - http://www.nic2012.com/
    Wednesday, January 4, 2012 7:22 PM
  • [PS] C:\Windows\system32>Get-WebServicesVirtualDirectory |fl Identity,*auth*


    Identity                      : EXCHA\EWS (Default Web Site)
    CertificateAuthentication     :
    InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
    ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
    LiveIdSpNegoAuthentication    : False
    WSSecurityAuthentication      : True
    LiveIdBasicAuthentication     : False
    BasicAuthentication           : True
    DigestAuthentication          : False
    WindowsAuthentication         : True

    Identity                      : EXCHB\EWS (Default Web Site)
    CertificateAuthentication     :
    InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
    ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
    LiveIdSpNegoAuthentication    : False
    WSSecurityAuthentication      : True
    LiveIdBasicAuthentication     : False
    BasicAuthentication           : True
    DigestAuthentication          : False
    WindowsAuthentication         : True

     

    [PS] C:\Windows\system32>Test-WebServicesConnectivity -ClientAccessServer EXCHA -MailboxCredential (Get-Credential ELC\test)

    CasServer  LocalSite     Scenario        Result  Latency(MS) Error
    ---------  ---------     --------        ------  ----------- -----
    excha      PanamaCity    GetFolder       Failure             [System.Net.WebExcept...


    [PS] C:\Windows\system32>Test-WebServicesConnectivity -ClientAccessServer EXCHB -MailboxCredential (Get-Credential ELC\test)

    CasServer  LocalSite     Scenario        Result  Latency(MS) Error
    ---------  ---------     --------        ------  ----------- -----
    exchb      PanamaCity    GetFolder       Success       15.62
    exchb      PanamaCity    SyncFolderItems Success      421.87
    exchb      PanamaCity    CreateItem      Success       78.12
    exchb      PanamaCity    SyncFolderItems Success       15.62
    exchb      PanamaCity    DeleteItem      Success       62.50
    exchb      PanamaCity    SyncFolderItems Success       78.12


    -- Jeremy McSpadden Flux Labs
    Wednesday, January 4, 2012 7:35 PM
  • Hi,
    It's never a good idea to configure authentication for Exchange virtual directories in IIS (for next time).

    I would set WindowsAuthentication to False using EMS, run IISReset and then set it back to True and see if that helps.


    Martina Miskovic - http://www.nic2012.com/
    Wednesday, January 4, 2012 7:40 PM
  • [PS] C:\Windows\system32>Set-WebServicesVirtualDirectory -id "EXCHA\EWS (Default Web Site)" -WindowsAuthentication $False
    WARNING: Outlook Web App won't function correctly if you disable Integrated Windows authentication on the EWS virtual directory "EXCHA\EWS (Default
    Web Site)".

    -- Jeremy McSpadden Flux Labs
    Wednesday, January 4, 2012 7:43 PM
  • Well, that's only for 30 seconds until you enable it again.
    Martina Miskovic - http://www.nic2012.com/
    Wednesday, January 4, 2012 7:44 PM
  • Same .. 403. I am going to reset every VD using EMC. Will reply shortly.
    -- Jeremy McSpadden Flux Labs
    Wednesday, January 4, 2012 7:48 PM
  • All VDs on EXCHA were reset. I set basic & wssecurity to true via EMC shell. Still 403.

    IIS log:

    2012-01-04T20:10:53.100Z,Negotiate,True,ELC\test,,WebServicesConnectivityTest/2010 (MSEXCHMON 14.0),fe80::f83f:d89f:af6b:32bb%11,EXCHA,,403,,,ce15052488704fb8804bf2aed84e87ee,0,1,0,0,30000/30000/0%,30000/30000/0%,54000/54000/0%,54000/54000/0%,36000/36000/0%,36000/36000/0%,1000/0,1000/0,5000/0,5000/0,,,,,,,DefaultThrottlingPolicy_b69f82d3-7945-4e12-ba00-a6354ac7c108,,,0,0,0,0,31,,AuthError=User not allowed to access EWS;,ReportException_Message=Access is denied. Check credentials and try again.;ReportException_StackTrace=   at Microsoft.Exchange.Services.Wcf.MessageInspectorManager.AfterReceiveRequest(Message& request; IClientChannel channel; InstanceContext instanceContext)    at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.AfterReceiveRequestCore(MessageRpc& rpc)    at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage2(MessageRpc& rpc)    at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet);

     

    Same test on EXCHB works fine.

     


    -- Jeremy McSpadden Flux Labs
    Wednesday, January 4, 2012 8:12 PM
  • Do you have any errors in Event Viewer, like in the below thread?

    Exchange 2010 SP2 IndexOutOfRangeException
    http://social.technet.microsoft.com/Forums/en/exchange2010/thread/88ddaf28-de7a-4048-af27-4972b11a212a?prof=required


    Martina Miskovic - http://www.nic2012.com/
    Wednesday, January 4, 2012 8:30 PM
  • No, that's the thing. There are no errors in the logs.
    -- Jeremy McSpadden Flux Labs
    Wednesday, January 4, 2012 9:10 PM
  • The certificate contains both internal and external fqdn. They are both routable from external DNS as well. (point to same IP)

    exch01.domain.com, autodiscover.domain.com, mail.domain.com .. all route to same IP from external DNS. This shouldn't cause an issue .. would it?


    -- Jeremy McSpadden Flux Labs

    Can you please explain the above a bit?

    Is your internal domain name elcofnwflorida.org or something else?
    Any HLB or WNLB configured?
    What is the name of the servers...EXCHA/B or EXCH01/02?

    Any proxy server on the network?
    Martina Miskovic - http://www.nic2012.com/
    Wednesday, January 4, 2012 9:46 PM
  • I was just saying the cert information.

    yes, the internal domain is elcofnwflorida.org

    There is no HLB or WNLB.
    EXCHA & EXCHB .. I renamed from 01 & 02 on new servers
    No proxy .. very simple network design.

     

     


    -- Jeremy McSpadden Flux Labs
    Wednesday, January 4, 2012 10:42 PM
  • I applied SP1 and now it is back to a 403 on the working exchange server. This is starting to piss me off.
    -- Jeremy McSpadden Flux Labs
    Thursday, January 5, 2012 9:20 AM
  • Hi Jeremy,

    Does this issue only occur in one or some special migrated user mailboxes, or are all migrated mailboxes affected?

    Please run "Get-CASmailbox" for the problematic user account to see if OWAEnabled is set to true.

    Besides, check the application log when the issue occurs, and run Get-Mailbox for the problematic user and the non-affected user to see if there are any differences.

    Thanks.


    Fiona Liao

    TechNet Community Support


    By the way, verify your DefaultThrottlingPolicy settings and make sure users are allowed to access EWS. Hope it is helpful.

    Fiona Liao

    TechNet Community Support


    EwsEnabled                         :
    EwsAllowOutlook                    :
    EwsAllowMacOutlook                 :
    EwsAllowEntourage                  :
    EwsApplicationAccessPolicy         :
    EwsAllowList                       :
    EwsBlockList                       :

    Setting True to EwsEnabled seems to have no effect.


    -- Jeremy McSpadden Flux Labs
    Thursday, January 5, 2012 2:18 PM
  • Set-OrganizationConfig -EwsApplicationAccessPolicy:$null

    Finally fixed it. This should have been set by default. In my opinion

    EwsApplicationAccessPolicy :

    As shown above, should mean $null.


    -- Jeremy McSpadden Flux Labs
    Monday, January 9, 2012 4:10 PM
  • I am having the exact same issue with the same environment that you have mentioned above. Same error logs.

    When I take a look at Get-OrganizationConfig, it shows EwsApplicationAccessPolicy : set to $Null already.

    Tried resetting EWS and changing auth from EMS and tried everything that was mentioned in this thread.

    I am not getting any success. Can anyone guide me to troubleshoot this further?

    Thanks in advance.


    zzz

    Wednesday, April 18, 2012 7:20 PM
  • I am having the exact same issue with the same environment that you have mentioned above. Same error logs.

    When I take a look at Get-OrganizationConfig, it shows EwsApplicationAccessPolicy : set to $Null already.

    Tried resetting EWS and changing auth from EMS and tried everything that was mentioned in this thread.

    I am not getting any success. Can anyone guide me to troubleshoot this further?

    Thanks in advance.


    zzz

    Monday, April 23, 2012 8:27 PM
  • Same issue has been resolved after disabling all authentications except "Anonymous and Windows Authentication" for EWS in IIS.
    Friday, May 24, 2013 11:30 PM