OWA and ECP not working - cannot display the page

  • Question

  • So we have a simple environment with a single 2013 Exchange server.  Recently we had a second exchange server, migrated all the mail off of it to the new one, and uninstalled Exchange 2013 from the first.  Since then, OWA and ECP do not work.  I am presented with a logon page, but once I try to sign in, I get a HTTP 500 "website cannot display the page".

    I tried recreating the OWA virtual directory, resetting the certificate the backend 444 is bound to... nothing seems to be working.  Where is my issue?

    Monday, July 24, 2017 3:00 PM

All replies

  • What did you reset the Back End Web Site's certificate to?

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Monday, July 24, 2017 8:36 PM
  • To my externally purchased SSL exchange certificate. 
    Monday, July 24, 2017 9:41 PM
  • The Back End Web Site should have TCP port 444 bound to the self-signed certificate that is created when you installed Exchange (or you renewed when it expired).  Your purchased SSL certificate should be bound to TCP port 443 of the Default Web Site.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Tuesday, July 25, 2017 12:32 AM
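
A read-only check of the binding layout described in the reply above, as an added example that is not part of the thread. It assumes the WebAdministration module is available on the Exchange server and treats a certificate whose Subject equals its Issuer as self-signed.

```powershell
Import-Module WebAdministration   # provides the IIS:\ drive

# Expectation taken from the reply above: port 443 carries the purchased
# certificate, port 444 (Back End) carries the Exchange self-signed one.
$expectSelfSigned = @{ 443 = $false; 444 = $true }

Get-ChildItem IIS:\SslBindings |
    Where-Object { $expectSelfSigned.ContainsKey([int]$_.Port) } |
    ForEach-Object {
        $binding = $_
        $port    = [int]$binding.Port
        $store   = if ($binding.Store) { $binding.Store } else { 'My' }
        $cert    = Get-ChildItem "Cert:\LocalMachine\$store" |
                   Where-Object { $_.Thumbprint -eq $binding.Thumbprint } |
                   Select-Object -First 1

        $selfSigned = $null
        $problems   = @()
        if (-not $cert) {
            $problems += 'bound thumbprint not found in certificate store'
        } else {
            # Assumption: Subject equal to Issuer is treated as self-signed.
            $selfSigned = $cert.Subject -eq $cert.Issuer
            if ($selfSigned -ne $expectSelfSigned[$port]) {
                $problems += 'certificate type does not match the expectation for this port'
            }
            if ($cert.NotAfter -lt (Get-Date)) { $problems += 'certificate expired' }
            if (-not $cert.HasPrivateKey)      { $problems += 'no private key' }
        }

        [pscustomobject]@{
            Port       = $port
            Sites      = $binding.Sites -join ', '
            Subject    = if ($cert) { $cert.Subject }  else { $null }
            Expires    = if ($cert) { $cert.NotAfter } else { $null }
            SelfSigned = $selfSigned
            Verdict    = if ($problems) { $problems -join '; ' } else { 'OK' }
        }
    } | Format-Table -AutoSize
```
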
  • I just changed it back to that... did an iisreset... still same thing.
    Tuesday, July 25, 2017 12:45 AM
  • There are all sorts of things that can cause OWA 500 errors.  I recommend that you Bing "OWA 500" and start working down the list.  You might also try Binging "owa 500 site:social.technet.microsoft.com".

    Good luck.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Tuesday, July 25, 2017 12:52 AM
  • I've been through several of them... no luck so far. I'm doing a little comparison here with a working exchange 2013 environment at another location. The one thing that I'm noticing that's odd, is how the URL changes.  At the working site, I type https://email.working.com/ecp, and the URL stays the same, even after logon.  At the non working site, I type https://email.nonworking.com/ecp, and the logon page still says Exchange Admin Center, but the URL has changed to https://email.nonwoking.com/owa/auth/login.aspx?replaceCurrent=1&url=http%3a%2f%2femail.nonworking.com@2fecp

    If I go to owa on the non-working server, I get a similar modified URL
    https://email.nonwoking.com/owa/auth/login.aspx?replaceCurrent=1&url=http%3a%2f%2femail.nonworking.com@2fowa%2f

    I have redirect turned off

    Tuesday, July 25, 2017 2:24 AM
  • RDWilderman,

    You mentioned a "working site". Did you try to use the same user when you log in to OWA on the non-working site?

    Regards,

    Darwin

    Tuesday, July 25, 2017 5:01 AM
  • Hi RDWilderman.

    Please have a look at the following article and check whether any of it helps:

    Exchange 2013 Troubleshooting: Error 500 when login ECP and OWA

    Solution 1: 

    1.  Go to the RUN window and type "cmd". Copy and paste the following command:

      %windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -i

    2.  Go to the Console and then Tools. In Tools, click the Internet Information Service (IIS Manager).
    3. In the IIS Manager, go to the Application Pool. In the Application Pool, navigate to "MSExchangeOWAAppPool". Right-click on this service and then click Recycle.

    Solution 2:

    1.  Go to the RUN window and type "ADSIEDIT.msc"
    2.  After opening ADSIEDIT, go to the Action navigation. Connect to and then navigate to "Select a Well known Naming Context".
    3. Select Configuration and select OK.
    4.  Go to CN=Configuration then CN=Services then CN=Microsoft Exchange then CN=Your DOMAIN Name and navigate to CN=Client Access 
    5.  Right-click "CN=Client Access" and click Properties. Scroll down to look for values:
      1. msExchCanaryData0
      2. msExchCanaryData1
      3. msExchCanaryData2
      4. msExchCanaryData3
    6.  Take a backup to be safe and clear all these values to <not set>. If Values are already set to <not set> then try to do Solution 1.
    7. Open IIS Manager on your CAS server, go to "Application Pools", right-click MSExchangeOWAAppPool and click Recycle.

    Hope this helps,

    Best Regards,


    Niko Cheng
    TechNet Community Support


    Please remember to mark the replies as answers.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    • Edited by Niko.Cheng Tuesday, July 25, 2017 8:38 AM
    Tuesday, July 25, 2017 8:38 AM
  • OK, things have changed a bit.  After recreating virtual directories multiple times, verifying SSL and HTTP redirect settings, recycling app pools, the ECP page now works. Not sure exactly which step fixed things with the ECP page. The OWA page does not, but I have a different error now.  From internally, I get the OWA logon screen, then I get - page can't be displayed, make sure TLS and SSL are enabled.
    From external, I don't get the logon page - too many redirects.
    Tuesday, July 25, 2017 2:04 PM
  • It's also generating this event in the system log:
    Log Name:      System
    Source:        Schannel
    Date:          7/25/2017 4:41:21 PM
    Event ID:      36887
    Task Category: None
    Level:         Error
    Keywords:     
    User:          SYSTEM
    Computer:      RHREXFS01.XXX.com
    Description:
    A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 46.
    Tuesday, July 25, 2017 9:50 PM
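
To decode and tally Schannel alerts like the one in the post above, an added example that is not part of the thread: in RFC 5246, alert code 46 is certificate_unknown, meaning the remote endpoint found the certificate it was shown unacceptable. The function name Get-SchannelAlertSummary is hypothetical, and the sample XML is constructed from the fields of the quoted event.

```powershell
# TLS alert descriptions from RFC 5246 section 7.2 (certificate and protocol subset).
$TlsAlert = @{
    40 = 'handshake_failure';   42 = 'bad_certificate';     43 = 'unsupported_certificate'
    44 = 'certificate_revoked'; 45 = 'certificate_expired'; 46 = 'certificate_unknown'
    48 = 'unknown_ca';          70 = 'protocol_version';    71 = 'insufficient_security'
}

# Hypothetical helper: takes Schannel event 36887 XML and summarises alerts per code.
function Get-SchannelAlertSummary {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    begin { $rows = @() }
    process {
        $e = ([xml]$EventXml).Event
        if ($e.System.EventID -ne '36887') { return }   # ignore other Schannel events
        $data = $e.EventData.Data | Where-Object { $_.Name -eq 'AlertDesc' }
        $rows += [pscustomobject]@{
            Code = [int]$data.'#text'
            Time = $e.System.TimeCreated.SystemTime   # UTC ISO 8601 string from the log
        }
    }
    end {
        $rows | Group-Object Code | ForEach-Object {
            $g     = $_
            $code  = [int]$g.Name
            $times = @($g.Group | ForEach-Object { $_.Time } | Sort-Object)
            [pscustomobject]@{
                AlertCode = $code
                Meaning   = if ($TlsAlert.ContainsKey($code)) { $TlsAlert[$code] } else { 'other (see RFC 5246)' }
                Count     = $g.Count
                First     = $times[0]
                Last      = $times[-1]
            }
        }
    }
}

# Constructed sample, built from the fields of the event quoted in the post above.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>36887</EventID>
    <TimeCreated SystemTime="2017-07-25T21:41:21.787016300Z" /></System>
  <EventData><Data Name="AlertDesc">46</Data></EventData>
</Event>
'@
$sample | Get-SchannelAlertSummary

# Live use: Get-WinEvent -FilterHashtable @{ LogName='System'; ProviderName='Schannel'; Id=36887 } |
#           ForEach-Object { $_.ToXml() } | Get-SchannelAlertSummary
```
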
  • I should also mention that the page worked fine until I decommissioned the old 2013 exchange server.
    Wednesday, July 26, 2017 3:23 AM
  • Do you have an old SPN in place?  Did you remove the old server's computer account?  If you can, try doing that.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Wednesday, July 26, 2017 3:49 AM
  • Going back to Niko Cheng's earlier post, I cannot run aspnet_regiis.exe -i.  I get a message that states, "This option is not supported on this version of the operating system. Administrators should instead install/uninstall ASP.NET 4.5 with IIS8 using the "Turn Windows Features On/Off" dialog, the server manager management tool, or the dism.exe command line tool."
    I'm not sure how to do this if this can be done.  Can I uninstall IIS on an exchange server, reinstall it and make it function properly?  This sounds like it could clear up my issue.

    As far as setting the msExchCanaryData properties on CN=Client Access, I did clear these values, didn't seem to change anything.

    In regards to Ed Crowley's latest post: I can't remove the old server computer object; the server is still in place as a file and print server.  One of the objectives here was to separate that from the Exchange server.  As far as SPNs are concerned, here is what I have:

    tapinego/OLDSERVER.xxx.com
    tapinego/OLDSERVER
    IMAP4/OLDSERVER.xxx.com
    IMAP4/OLDSERVER
    IMAP/OLDSERVER.xxx.com
    IMAP/OLDSERVER
    POP3/OLDSERVER.xxx.com
    POP3/OLDSERVER
    POP/OLDSERVER.xxx.com
    POP/OLDSERVER
    exchangeMDB/OLDSERVER.xxx.com
    exchangeMDB/OLDSERVER
    exchangeAB/OLDSERVER.xxx.com
    exchangeAB/OLDSERVER
    exchangeRFR/OLDSERVER.xxx.com
    exchangeRFR/OLDSERVER
    SmtpSvc/OLDSERVER.xxx.com
    SmtpSvc/OLDSERVER
    SMTP/OLDSERVER.xxx.com
    SMTP/OLDSERVER
    TERMSRV/OLDSERVER.xxx.com
    TERMSRV/OLDSERVER
    WSMAN/OLDSERVER
    WSMAN/OLDSERVER.xxx.com
    RestrictedKrbHost/OLDSERVER
    HOST/OLDSERVER
    RestrictedKrbHost/OLDSERVER.xxx.com
    HOST/OLDSERVER.xxx.com


     tapinego/NEWSERVER.xxx.com
     tapinego/NEWSERVER
     IMAP4/NEWSERVER.xxx.com
     IMAP4/NEWSERVER
     IMAP/NEWSERVER.xxx.com
     IMAP/NEWSERVER
     POP3/NEWSERVER.xxx.com
     POP3/NEWSERVER
     POP/NEWSERVER.xxx.com
     POP/NEWSERVER
     exchangeMDB/NEWSERVER
     exchangeMDB/NEWSERVER.xxx.com
     exchangeAB/NEWSERVER.xxx.com
     exchangeAB/NEWSERVER
     exchangeRFR/NEWSERVER.xxx.com
     exchangeRFR/NEWSERVER
     SmtpSvc/NEWSERVER.xxx.com
     SmtpSvc/NEWSERVER
     SMTP/NEWSERVER.xxx.com
     SMTP/NEWSERVER
     WSMAN/NEWSERVER.xxx.com
     WSMAN/NEWSERVER
     RestrictedKrbHost/NEWSERVER
     HOST/NEWSERVER
     RestrictedKrbHost/NEWSERVER.xxx.com
     HOST/NEWSERVER.xxx.com


    Which ones need to go for the old server?  I assume these?  Any others?
    IMAP4/OLDSERVER.xxx.com
    IMAP4/OLDSERVER
    IMAP/OLDSERVER.xxx.com
    IMAP/OLDSERVER
    POP3/OLDSERVER.xxx.com
    POP3/OLDSERVER
    POP/OLDSERVER.xxx.com
    POP/OLDSERVER
    exchangeMDB/OLDSERVER.xxx.com
    exchangeMDB/OLDSERVER
    exchangeAB/OLDSERVER.xxx.com
    exchangeAB/OLDSERVER
    exchangeRFR/OLDSERVER.xxx.com
    exchangeRFR/OLDSERVER
    SmtpSvc/OLDSERVER.xxx.com
    SmtpSvc/OLDSERVER
    SMTP/OLDSERVER.xxx.com
    SMTP/OLDSERVER

    Thursday, July 27, 2017 2:49 AM
  • The error I'm getting when accessing OWA now is "too many redirects", from both inside and outside.
    Thursday, July 27, 2017 3:09 AM
  • Have you configured HTTP Redirect in IIS?  Disable it on the Default Web Site and on all child virtual directories.  If you've configured it on the Back End Web Site (which you shouldn't) do the same.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Thursday, July 27, 2017 4:15 AM
  • Hi RDwilderman,

    Make sure to enable "Require SSL" and disable HTTP Redirect on both web sites and virtual directories, as below:

    Best Regards,


    Niko Cheng
    TechNet Community Support



    Thursday, July 27, 2017 9:29 AM
  • I do have HTTP redirect set up. You're saying turn it off completely?
    Thursday, July 27, 2017 5:55 PM
  • Try it and see.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Friday, July 28, 2017 6:43 AM
  • It didn't help. Good news though, I applied CU17... yeah, now everything is peachy... no idea why.

    Thanks for all your help on this guys.
    • Proposed as answer by Niko.Cheng Monday, July 31, 2017 1:04 AM
    • Marked as answer by Ed Crowley MVP Monday, July 31, 2017 2:59 AM
    Saturday, July 29, 2017 3:15 AM
  • Hi RDWilderman,

    Glad you solved the issue. Please mark it as an answer; this will make answer searching in the forum easier and be beneficial to other community members as well.

    Thanks for your understanding.

    Best Regards,


    Niko Cheng
    TechNet Community Support



    Monday, July 31, 2017 1:06 AM