ECP login loop

  • Question

  • Hi all,

    My environment: 2 Exchange Server 2013 CU7 servers (CAS + MB roles on both).
    I used to log in to https://webmail.mydomain.com/ecp successfully before; it suddenly stopped working today. I can log in to OWA at https://webmail.mydomain.com/owa, but if I then change the URL to https://webmail.mydomain.com/ecp it redirects me to https://webmail.mydomain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fwebmail.mydomain.com%2fecp (the login page, with my username filled in and an empty password).

    I have searched and tried to list what might be causing the looping of my ECP page. While listing, I found two candidates:

    1. SSL Certificate.
    2. Issue with configuration of Virtual Directory.

    How can I identify which one causes the issue?
    I can log in to https://idcexc003.localdomain.com/ecp successfully, but the same thing as above happens with https://idcexc004.localdomain.com/ecp.
    This is the ECP virtual directory configuration:

    Get-EcpVirtualDirectory | fl
    
    RunspaceId                      : 683ccbcd-4769-4a9d-a9f3-6d2216ead59b
    AdminEnabled                    : True
    OwaOptionsEnabled               : True
    Name                            : ecp (Default Web Site)
    InternalAuthenticationMethods   : {Basic, Fba}
    MetabasePath                    : IIS://IDCEXC003.localdomain.com/W3SVC/1/ROOT/ecp
    BasicAuthentication             : True
    WindowsAuthentication           : False
    DigestAuthentication            : False
    FormsAuthentication             : True
    LiveIdAuthentication            : False
    AdfsAuthentication              : False
    OAuthAuthentication             : False
    DefaultDomain                   : localdomain.com
    GzipLevel                       : Low
    WebSite                         : Default Web Site
    DisplayName                     : ecp
    Path                            : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp
    ExtendedProtectionTokenChecking : None
    ExtendedProtectionFlags         : {}
    ExtendedProtectionSPNList       : {}
    AdminDisplayVersion             : Version 15.0 (Build 1044.25)
    Server                          : IDCEXC003
    InternalUrl                     : https://webmail.mydomain.com/ecp
    ExternalUrl                     : https://webmail.mydomain.com/ecp
    ExternalAuthenticationMethods   : {Fba}
    AdminDisplayName                :
    ExchangeVersion                 : 0.10 (14.0.100.0)
    DistinguishedName               : CN=ecp (Default Web Site),CN=HTTP,CN=Protocols,CN=IDCEXC003,CN=Servers,CN=Exchange
                                      Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First
                                      Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=localdomain,DC=com
    Identity                        : IDCEXC003\ecp (Default Web Site)
    Guid                            : 5ecb18ac-c5cd-456b-bb26-adc022519159
    ObjectCategory                  : localdomain.com/Configuration/Schema/ms-Exch-ECP-Virtual-Directory
    ObjectClass                     : {top, msExchVirtualDirectory, msExchECPVirtualDirectory}
    WhenChanged                     : 2/28/2016 9:03:47 AM
    WhenCreated                     : 2/28/2016 3:41:38 AM
    WhenChangedUTC                  : 2/28/2016 2:03:47 AM
    WhenCreatedUTC                  : 2/27/2016 8:41:38 PM
    OrganizationId                  :
    Id                              : IDCEXC003\ecp (Default Web Site)
    OriginatingServer               : IDCPDC001.localdomain.com
    IsValid                         : True
    ObjectState                     : Changed
    
    RunspaceId                      : 683ccbcd-4769-4a9d-a9f3-6d2216ead59b
    AdminEnabled                    : True
    OwaOptionsEnabled               : True
    Name                            : ecp (Default Web Site)
    InternalAuthenticationMethods   : {Basic, Fba}
    MetabasePath                    : IIS://IDCEXC004.localdomain.com/W3SVC/1/ROOT/ecp
    BasicAuthentication             : True
    WindowsAuthentication           : False
    DigestAuthentication            : False
    FormsAuthentication             : True
    LiveIdAuthentication            : False
    AdfsAuthentication              : False
    OAuthAuthentication             : False
    DefaultDomain                   : localdomain.com
    GzipLevel                       : Low
    WebSite                         : Default Web Site
    DisplayName                     : ecp
    Path                            : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp
    ExtendedProtectionTokenChecking : None
    ExtendedProtectionFlags         : {}
    ExtendedProtectionSPNList       : {}
    AdminDisplayVersion             : Version 15.0 (Build 1044.25)
    Server                          : IDCEXC004
    InternalUrl                     : https://webmail.mydomain.com/ecp
    ExternalUrl                     : https://webmail.mydomain.com/ecp
    ExternalAuthenticationMethods   : {Fba}
    AdminDisplayName                :
    ExchangeVersion                 : 0.10 (14.0.100.0)
    DistinguishedName               : CN=ecp (Default Web Site),CN=HTTP,CN=Protocols,CN=IDCEXC004,CN=Servers,CN=Exchange
                                      Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First
                                      Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=localdomain,DC=com
    Identity                        : IDCEXC004\ecp (Default Web Site)
    Guid                            : 18d91679-7e89-4cf9-8e4d-fe3e09eba1cc
    ObjectCategory                  : localdomain.com/Configuration/Schema/ms-Exch-ECP-Virtual-Directory
    ObjectClass                     : {top, msExchVirtualDirectory, msExchECPVirtualDirectory}
    WhenChanged                     : 4/24/2017 3:35:58 PM
    WhenCreated                     : 4/24/2017 1:03:12 PM
    WhenChangedUTC                  : 4/24/2017 8:35:58 AM
    WhenCreatedUTC                  : 4/24/2017 6:03:12 AM
    OrganizationId                  :
    Id                              : IDCEXC004\ecp (Default Web Site)
    OriginatingServer               : IDCPDC001.localdomain.com
    IsValid                         : True
    ObjectState                     : Changed

    These are the Exchange certificates:

    Get-ExchangeCertificate | fl
    
    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {webmail.mydomain.com, autodiscover.mydomain.com}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=GeoTrust SHA256 SSL CA, O=GeoTrust Inc., C=US
    NotAfter           : 8/10/2018 6:59:59 AM
    NotBefore          : 5/10/2017 7:00:00 AM
    PublicKeySize      : 2048
    RootCAType         : ThirdParty
    SerialNumber       : 2252EBB7D9BD31ACA48E2FA129082374
    Services           : IMAP, POP, IIS, SMTP
    Status             : Valid
    Subject            : CN=webmail.mydomain.com, OU=ICT, O=COMPANY, L=Ho Chi Minh, S=Ho Chi Minh,
                         C=VN
    Thumbprint         : 9E08453A173C033C4302D9290FB079F641D08FAF
    
    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {IDCEXC004, IDCEXC004.localdomain.com}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=IDCEXC004
    NotAfter           : 4/24/2022 12:49:28 PM
    NotBefore          : 4/24/2017 12:49:28 PM
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : 19C25DA364CD6E94489E0D376C749B47
    Services           : SMTP
    Status             : Valid
    Subject            : CN=IDCEXC004
    Thumbprint         : 0D28AEBC99B15A0DAD02853A79FF8980A3981708
    
    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {WMSvc-IDCEXC004}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=WMSvc-IDCEXC004
    NotAfter           : 4/21/2027 12:18:07 PM
    NotBefore          : 4/23/2017 12:18:07 PM
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : 773A04AC371DB1AF424D0D7A11557093
    Services           : None
    Status             : Valid
    Subject            : CN=WMSvc-IDCEXC004
    Thumbprint         : 6FBE185C509E734000945DC0C90E2CD4E9FA3E58
    
    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {webmail.mydomain.com, autodiscover.mydomain.com}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=GeoTrust SSL CA - G3, O=GeoTrust Inc., C=US
    NotAfter           : 7/8/2017 6:59:59 AM
    NotBefore          : 4/7/2016 7:00:00 AM
    PublicKeySize      : 2048
    RootCAType         : ThirdParty
    SerialNumber       : 43883D2C9B2223C13A0C97F4DA4AA372
    Services           : IMAP, POP, SMTP
    Status             : DateInvalid
    Subject            : CN=webmail.mydomain.com, OU=ICT, O=COMPANY, L=Ho Chi Minh, S=Ho Chi Minh,
                         C=VN
    Thumbprint         : 0AD9F49A0D0C048082A2EC122AFAA753F859B593
    
    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {Federation}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=Federation
    NotAfter           : 3/29/2018 6:12:54 AM
    NotBefore          : 3/29/2013 6:12:54 AM
    PublicKeySize      : 2048
    RootCAType         : None
    SerialNumber       : 17C408A335DE378D495F45AE3F7A799C
    Services           : SMTP, Federation
    Status             : Valid
    Subject            : CN=Federation
    Thumbprint         : E55D0249039F842C39DE180280818DA95CB4B142
    
    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule,
                         System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=Microsoft Exchange Server Auth Certificate
    NotAfter           : 2/21/2018 2:44:06 PM
    NotBefore          : 3/19/2013 2:44:06 PM
    PublicKeySize      : 2048
    RootCAType         : None
    SerialNumber       : 69735CFE7C4E86A34E6B872B612A8AED
    Services           : SMTP
    Status             : Valid
    Subject            : CN=Microsoft Exchange Server Auth Certificate
    Thumbprint         : 09E7BAF2C80502F362E49600B35859D96C899AA0

    Some certificates were created automatically when Exchange was installed, so I leave them. The certificate with thumbprint 9E08453A173C033C4302D9290FB079F641D08FAF is valid and in use now.
    The certificate with thumbprint 0AD9F49A0D0C048082A2EC122AFAA753F859B593 is expired, but when I try to remove it, it says:
    "The internal transport certificate cannot be removed because that would cause the Microsoft Exchange Transport service to stop. To replace the internal transport certificate, create a new certificate. The new certificate will automatically become the internal transport certificate. You can then remove the existing certificate." So I leave it too, hoping that "Exchange uses the latest certificate that was bound to the Exchange services."

    How can I use only the certificate with thumbprint 9E08453A173C033C4302D9290FB079F641D08FAF for all services and remove the others? (to exclude the SSL certificate possibility)
    Should I restart the IIS service to see if it goes back to normal?
    Please give me some advice; thank you very much.

    Update: This is a flapping issue; sometimes during the day I can log in to ECP and sometimes I can't. Which log location should I look in? I will try restarting the IIS service on both servers this weekend to see if it goes back to normal.

    • Edited by Jack Chuong Friday, December 1, 2017 4:07 AM
    Thursday, November 30, 2017 7:06 AM

Answers

  • Hi,

    Based on your description, I understand that you cannot log in to ECP in Exchange 2013 CU7 randomly, while OWA works fine.

    For troubleshooting:

    1. Restart the MSExchangeECPAppPool in IIS manager.
    2. In IIS Manager -> right-click Default Web Site -> Edit Bindings, check whether the correct certificate is bound to 127.0.0.1 and All Unassigned for port 443.
    3. If issue remains, we could reset the ECP VD then run IISReset.
     

    Meanwhile, if you are concerned that the expired certificate may be causing the issue, we could first disconnect it from all the services, then remove it.

    Any questions, feel free to post back!

    Regards,

    Manu Meng


    Please remember to mark the replies as answers if they helped.
    If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    • Marked as answer by Jack Chuong Saturday, December 2, 2017 3:03 PM
    Friday, December 1, 2017 6:13 AM
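    Added example (not from the thread or from Microsoft): a script that performs the binding and certificate checks from the answer above in the Exchange Management Shell instead of clicking through IIS Manager, so both CAS servers can be audited the same way. It assumes it is run on each CAS server with the WebAdministration module available, and that $ExpectedThumbprint is the thumbprint of the certificate that should serve port 443 (the value below is the one quoted in the question).

```powershell
# Assumption: run in the Exchange Management Shell on each CAS server (IDCEXC003, IDCEXC004).
Import-Module WebAdministration

# Thumbprint of the certificate that should be presented on 443 (taken from the question).
$ExpectedThumbprint = '9E08453A173C033C4302D9290FB079F641D08FAF'

# 1. Every HTTPS binding on this server. Both 0.0.0.0:443 ("All Unassigned", used by the
#    FrontEnd proxy) and 127.0.0.1:443 must carry the expected thumbprint; the question
#    found the loopback binding on IDCEXC004 pointing at a different certificate.
Write-Host "== SSL bindings on $env:COMPUTERNAME =="
Get-ChildItem IIS:\SslBindings | ForEach-Object {
    [pscustomobject]@{
        Binding    = "$($_.IPAddress):$($_.Port)"
        Store      = $_.Store
        Thumbprint = $_.Thumbprint
        Matches    = ($_.Thumbprint -eq $ExpectedThumbprint)
    }
} | Format-Table -AutoSize

# 2. Certificates that are no longer valid but still assigned to a service, or a second
#    certificate assigned to IIS alongside the expected one. Either is worth fixing.
Write-Host "== Exchange certificates needing attention =="
Get-ExchangeCertificate | Where-Object {
    ($_.Status -ne 'Valid' -and "$($_.Services)" -ne 'None') -or
    ("$($_.Services)" -match 'IIS' -and $_.Thumbprint -ne $ExpectedThumbprint)
} | Select-Object Thumbprint, Status, NotAfter, Services, CertificateDomains | Format-List

# 3. Remediation, left commented out so the audit above is read first. Enabling the good
#    certificate for SMTP makes it the internal transport certificate (answer Yes to the
#    overwrite prompt), which is what the "cannot be removed" error in the question requires
#    before Remove-ExchangeCertificate will accept the expired one. Then recycle the ECP pool.
# Enable-ExchangeCertificate -Thumbprint $ExpectedThumbprint -Services IIS,SMTP,POP,IMAP
# Remove-ExchangeCertificate -Thumbprint 0AD9F49A0D0C048082A2EC122AFAA753F859B593
# Restart-WebAppPool -Name MSExchangeECPAppPool
```

    Run the audit on both servers and compare the two binding tables; a mismatch on only one server is consistent with the question's observation that ECP works on one CAS and loops on the other.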

All replies

  • Thank you for your reply Manu Meng,

    1. Restart the MSExchangeECPAppPool in IIS Manager: stopping then starting it, or recycling it, have the same effect, right?
    2. I have checked and found something that interests me:
    IDCEXC003 :


    IDCEXC004:


    "Certificate 2017" is the correct certificate. At the time I checked, the SSL certificate of "https 127.0.0.1 port 443" on IDCEXC004 (the last binding record) was not correct, so I changed it to "Certificate 2017".
    I am concerned whether these binding records are right, and if they are not, how should I change them?

    3. I will, this weekend.

    I cannot disconnect the expired certificate from all the services.


    Running the PowerShell command "Enable-ExchangeCertificate -Services None -Thumbprint ..." has no effect either (no error).


    • Edited by Jack Chuong Friday, December 1, 2017 7:13 AM
    Friday, December 1, 2017 7:12 AM
    Restarting the MSExchangeECPAppPool in IIS Manager fixes this issue, or at least improves it.
    I can access https://idcexc004.localdomain.com/ecp, https://idcexc003.localdomain.com/ecp and https://webmail.mydomain.com/ecp now. Tested with IE, Firefox and Chrome many times; sometimes it doesn't let me access ECP directly and I must go to OWA first and then change the URL, but that's OK for me.
    Saturday, December 2, 2017 3:08 PM