Unable to access ECP/OWA

    Question

  • I installed Exchange 2013 on 2 brand new Server 2012 virtual machines, one with the mailbox role and another with the CAS roles. The installation completed without errors but I cannot log on to the ECP (or OWA for that matter). As I enter my user/pass, the password field goes blank and a number of event log entries are added (see below).

    I'm using the default administrator account (also Enterprise Admin, Domain Admin and member of the Organization Management security groups). I mail-enabled the account with enable-mailuser + enable-mailbox. I can execute Exchange Powershell cmdlets when logged on with this account, so security looks good.

    The problem is OWA/ECP, which consistently logs the following errors when I attempt to access the OWA:

    [Ecp] An internal server error occurred. The unhandled exception was: System.Security.Cryptography.CryptographicException: Invalid provider type specified.

       at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)

       at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)

       at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()

       at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()

       at Microsoft.Exchange.HttpProxy.FbaModule.ParseCadataCookies(HttpApplication httpApplication)

       at Microsoft.Exchange.HttpProxy.FbaModule.OnBeginRequestInternal(HttpApplication httpApplication)

       at Microsoft.Exchange.HttpProxy.ProxyModule.<>c__DisplayClassa.<OnBeginRequest>b__9()

       at Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(TryDelegate tryDelegate, FilterDelegate filterDelegate, CatchDelegate catchDelegate)

    ---------------------------------------------------------------------

    [Owa] An internal server error occurred. The unhandled exception was: System.Security.Cryptography.CryptographicException: Invalid provider type specified.

       at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)

       at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)

       at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()

       at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()

       at Microsoft.Exchange.HttpProxy.FbaModule.ParseCadataCookies(HttpApplication httpApplication)

       at Microsoft.Exchange.HttpProxy.FbaModule.OnBeginRequestInternal(HttpApplication httpApplication)

       at Microsoft.Exchange.HttpProxy.ProxyModule.<>c__DisplayClassa.<OnBeginRequest>b__9()

       at Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(TryDelegate tryDelegate, FilterDelegate filterDelegate, CatchDelegate catchDelegate)

    ---------------------------------------------------------------------------

    Event code: 3005

    Event message: An unhandled exception has occurred.

    Event time: 28/11/2012 0:47:38

    Event time (UTC): 27/11/2012 23:47:38

    Event ID: 12c0aac14e0c45b093e860f6699b0d76

    Event sequence: 4

    Event occurrence: 3

    Event detail code: 0

    Application information:

        Application domain: /LM/W3SVC/1/ROOT/Rpc-2-129985330412727995

        Trust level: Full

        Application Virtual Path: /Rpc

        Application Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc\

        Machine name: <cleaned up>

    Process information:

        Process ID: 4848

        Process name: w3wp.exe

        Account name: NT AUTHORITY\SYSTEM

    Exception information:

        Exception type: HttpException

        Exception message: The client disconnected.

       at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.EndProcessRequest(IAsyncResult result)

       at System.Web.HttpApplication.CallHandlerExecutionStep.OnAsyncHandlerCompletion(IAsyncResult ar)

    Request information:

        Request URL: http://<cleaned up>/rpc/rpcproxy.dll?688b9c54-fc83-47a6-bf82-343799d288d5@falcora.net:6001

        Request path: /rpc/rpcproxy.dll

    User host address: fe80::d58e:d780:34ed:af68C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc\

        User: FALCORA\SM_29bd07d0480e4b41a

        Is authenticated: True

        Authentication Type: NTLM

        Thread account name: NT AUTHORITY\SYSTEM

    Thread information:

        Thread ID: 18

        Thread account name: NT AUTHORITY\SYSTEM

        Is impersonating: False

        Stack trace:    at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.EndProcessRequest(IAsyncResult result)

       at System.Web.HttpApplication.CallHandlerExecutionStep.OnAsyncHandlerCompletion(IAsyncResult ar)

     

    I have spent hours wading through log files and posts, and cannot get my head around this one. 

    Tuesday, November 27, 2012 11:59 PM

Answers

  • After countless hours of not giving up, I finally cracked this problem! This thread ended up pointing me in the right direction. The basic problem is that the Exchange code cannot properly handle X.509 certificates signed with the new and mighty Microsoft Software Key Storage Provider (which is kind of funny). You need to feed Exchange 2013 certificates with a key signed by the old faithful Microsoft RSA SChannel Cryptographic Provider.

    You can check this by running: certutil -store my

    Create a new certificate template (Web server V3) with RSA, adjust your policy as needed, request new certificates and run enable-exchangecertificate -thumbprint "xxx" -services "IIS, IMAP, POP, SMTP" -server yyy on all your CAS and mailbox servers. Perform a quick reboot and you should be able to sign into ECP/OWA.

    Now onto the fun part of configuring E2013 :-)


    • Marked as answer by Rudi VT Thursday, November 29, 2012 11:42 PM
    • Edited by Rudi VT Friday, November 30, 2012 9:25 AM
    Thursday, November 29, 2012 11:42 PM
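
The check and re-request described in the answer above, scripted as an added example that is not part of the original thread: it parses `certutil -store my` output for each certificate's key provider and builds a `certreq` request file that pins the legacy CSP. The function names, host names and sample output are constructed for illustration; it assumes English-language certutil output and Windows PowerShell 3.0 or later.

```powershell
# Added example, not from the thread. Assumes English-language certutil output.
$LegacyCsp = 'Microsoft RSA SChannel Cryptographic Provider'  # works, per the answer
$CngKsp    = 'Microsoft Software Key Storage Provider'        # breaks OWA/ECP logon, per the answer

function Get-CertKeyProvider {
    param([string[]]$CertutilOutput)
    $cert = $null
    foreach ($line in $CertutilOutput) {
        if ($line -match '^=+ Certificate \d+ =+') {
            if ($null -ne $cert) { New-Object psobject -Property $cert }  # emit previous entry
            $cert = [ordered]@{ Subject = $null; Thumbprint = $null
                                Provider = $null; Status = 'No private key' }
        }
        elseif ($null -eq $cert) { continue }                 # lines before the first entry
        elseif ($line -match '^Subject:\s*(.+)$') { $cert.Subject = $Matches[1].Trim() }
        elseif ($line -match '^Cert Hash\(sha1\):\s*(.+)$') {
            # Some certutil builds print the hash with spaces between the bytes.
            $cert.Thumbprint = ($Matches[1] -replace '\s', '').ToUpper()
        }
        elseif ($line -match '^\s*Provider = (.+)$') {
            $cert.Provider = $Matches[1].Trim()
            $cert.Status = switch ($cert.Provider) {
                $LegacyCsp { 'OK' }
                $CngKsp    { 'Reissue with legacy CSP' }
                default    { 'Review' }
            }
        }
    }
    if ($null -ne $cert) { New-Object psobject -Property $cert }
}

# Request file for certreq that pins the key to the legacy CSP (type 12 = PROV_RSA_SCHANNEL).
function New-LegacyCspRequestInf {
    param([string]$SubjectName)
@"
[Version]
Signature = "`$Windows NT`$"
[NewRequest]
Subject = "CN=$SubjectName"
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
ProviderName = "$LegacyCsp"
ProviderType = 12
RequestType = PKCS10
"@
}

# Constructed sample in the layout certutil prints; every value is made up.
$sample = @'
My "Personal"
================ Certificate 0 ================
Issuer: CN=Example-CA, DC=example, DC=test
Subject: CN=cas01.example.test
Cert Hash(sha1): 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33 44
  Key Container = constructed-container-0
  Provider = Microsoft Software Key Storage Provider
Encryption test passed
================ Certificate 1 ================
Issuer: CN=Example-CA, DC=example, DC=test
Subject: CN=mbx01.example.test
Cert Hash(sha1): a0b1c2d3e4f5061728394a5b6c7d8e9f00112233
  Key Container = constructed-container-1
  Provider = Microsoft RSA SChannel Cryptographic Provider
Encryption test passed
CertUtil: -store command completed successfully.
'@ -split "`r?`n"

Get-CertKeyProvider $sample | Format-Table Subject, Provider, Status -AutoSize
# On a server: Get-CertKeyProvider (certutil -store my)
# New-LegacyCspRequestInf 'cas01.example.test' | Set-Content req.inf; certreq -new req.inf req.csr
# Once the CA has issued and you have installed the new certificate, bind it as the answer describes:
# Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services "IIS, IMAP, POP, SMTP" -Server <server>
```

With the constructed sample, the first certificate is reported as `Reissue with legacy CSP` and the second as `OK`.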

All replies

  • Hi,

    Does this issue occur when you access the ECP/OWA from IE on both the MBX and CAS server?

    You can try checking the IIS log and let us know the detailed error codes.

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnfsl@microsoft.com

    Thanks,


    Simon Wu
    TechNet Community Support


    Wednesday, November 28, 2012 8:45 AM
    Moderator
  • Hi Simon,

    I am trying this on the CAS server. Per your email I attempted the same on the mailbox server using https://localhost:444/ecp which provides me with access to the user settings part of the ECP but I cannot access any of the server admin menus.

    Here is the part of the IIS log file for the CAS server:


    Thanks

    Wednesday, November 28, 2012 12:26 PM
  • Hi,

    From the IIS log, I find most of the error codes are “302 0”. I would like to ask whether you set any redirections on the default web site before?

    Thanks,


    Simon Wu
    TechNet Community Support

    Thursday, November 29, 2012 8:38 AM
    Moderator
  • Hi Simon,

    No redirections were set. This was a cleanly installed Windows 2012 server (+ windows updates), installed UCMA + 2 Office prerequisites. All other required Windows 2012 roles and features were installed by the Exchange setup. No manual changes were made to IIS.

    Thanks

    Thursday, November 29, 2012 12:09 PM
  • I think this is a "default" problem of Exchange 2013... I hope MS releases a proper installation package which is running.
    Wednesday, December 26, 2012 12:05 AM
  • You saved me today! That really helped :) Persistence always wins.

    Ignoring what everybody else out there suggested, to reinstall CAS server, reinstall IIS server (which I was never going to do) after all the hard work done for post-installation of Exchange, only your post helped me figure out what the issue was.

    Cheers,

    Nazim

    Monday, February 04, 2013 7:11 AM
  • Thanks for sharing this Rudi ! Had the exact issue here.
    Thursday, May 02, 2013 8:41 AM
  • Bang on!  Fixed my issue with the ECP\OWA many thanks
    • Edited by jclissold Tuesday, August 06, 2013 10:25 AM
    Tuesday, August 06, 2013 10:24 AM
  • saved me hours, thanks a lot!

    www.sccmfaq.ch

    Sunday, April 13, 2014 1:05 PM
  • Here's what I did that fixed this.

    set-ecpvirtualdirectory -Identity "ecp (default web site)" -windowsauthentication $true -formsauthentication $false

    do an IISreset

    log in to your ecp with https://servername/ecp/?exchclientver=15

    Thursday, December 11, 2014 7:23 AM
  • I had also the invalid password problem.
    I wish to thank you, this solution solved my problem.

    Best Regards
    Saturday, January 17, 2015 7:32 PM
  • Based on the other replies this looks like exactly the solution I need.  The only thing that would make it better... is if you told us how to do it.

    "Create a new certificate template (Web server V3) with RSA, adjust your policy as needed, request new certificates and run enable-exchangecertificate -thumbprint "xxx" -services "IIS, IMAP, POP, SMTP" -server yyy on all your CAS and mailbox servers. Perform a quick reboot and you should be able to sign into ECP/OWA."

    Looks very useful, but I have no idea how to do it.

    -Kendall

    Monday, June 01, 2015 1:10 AM
  • Oh Kendall,

    You beat me to it !!!!!

    I have just installed Server 2012 and now put Exchange 2013 on but can get no further than the ECP login. It takes the username and password but stays on the logon screen!??

    Monday, July 13, 2015 2:46 PM
  • Hi all,

    If still needed. All is explained in: 

    https://blogs.technet.microsoft.com/jasonsla/2015/01/15/the-one-with-the-fba-redirect-loop

    Cheers, Manfred

    Monday, July 10, 2017 8:41 PM