exchange 2010 test connectivity scripts failing

  • Question

  • Having a problem with the test connectivity account in Exchange 2010. The account keeps getting locked out, which forces all the test connectivity scripts to fail.

    If I run one of the test cmdlets manually I can see the account lockout warning:

    Test-WebServicesConnectivity -MonitoringContext:$true -TrustAnySSLCertificate:$true -LightMode:$true |fl

    RunspaceId          : 9dcedba9-bd6e-47a9-9d87-aa8d4732ea87
    Events              : {Source: MSExchange Monitoring WebServicesConnectivity Internal
                          Id: 1008
                          Type: Warning
                          Message: The test mailbox was not initialized. Run new-TestCasConnectivityUser.ps1 to ensure that
                           the test mailbox is created.
                          Detailed information:

                           Local Site:NAT-1

                          [Microsoft.Exchange.Monitoring.CasHealthUserNotFoundException]: The user wasn't found in Active D
                          irectory. UserPrincipalName: extest_3c0c80c38a654@newagetek.com. Additional error information: [S
                          ystem.Security.SecurityException]: The referenced account is currently locked out and may not be
                          logged on to.

    I then unlock the account in AD, repeat the cmdlet above and it completes successfully, but it ultimately starts failing again after the account lockout re-appears. I've tried re-running the new-testcasconnectivityuser.ps1 script several times, but it doesn't stop the lockouts.

    Why is this account getting locked out?   Is there something in the new correlation service that is referencing an old password?     

    Scott...

     

     

     

    Tuesday, April 13, 2010 2:36 PM

Answers

  • Wish I could help you out, but I'm having exactly the same problem. Installed the MP 2 days ago, ran the cmdlet and it completed successfully, but the account will get locked out after only a couple minutes. I've tried resetting the password for the account and restarting the Exchange Correlation service and it still gets locked out.

    Just hoping a bump in the thread might help, I'll post back if I find a solution.

    Cheers, Michael

    Tuesday, April 13, 2010 10:40 PM
  • I'll look into the lockout issue, but I'll note now that the correlation engine doesn't do anything with this account. It only processes state change data from monitors and raises alerts.

    Thursday, April 15, 2010 2:23 AM

All replies

  • I found a conversation between one of our support folks and another customer in your situation - does this resolve your issue (did something else by now? : )

                                                                                      

    You are using SCOM 2007 R2 with CU1 and also Exchange 2010 Management Pack version 14.0.650.8 for monitoring SCOM Agents running Exchange 2010 on Windows Server 2008 R2.

     

    After configuring Test CAS Connectivity user, every time SCOM agent tries to run the connectivity test, it fails and the test account gets locked out.

     

    Based on my research from previous case on same issue, we need to make some changes in IIS for RPC and RPC with Cert virtual directories on CAS servers.

     

    We need to Enable ASP.Net Impersonation setting for both RPC and RPC with Cert virtual directories on each CAS servers and then restart IIS and SCOM Agent service on CAS server.

     

    And it seems you have tried doing this on your CAS server and you got below error on CAS server:

     

    Error Summary 

    HTTP Error 500.24 - Internal Server Error

    An ASP.NET setting has been detected that does not apply in Integrated managed pipeline mode.

    Detailed Error Information 

    Module   ConfigurationValidationModule

    Notification            BeginRequest

    Handler  StaticFile

    Error Code             0x80070032

    Requested URL     https://fegcncas01:443/

     

    Physical Path         C:\inetpub\wwwroot

    Logon Method       Not yet determined

    Logon User            Not yet determined

                                   

    Most likely causes: 

    •               system.web/identity@impersonate is set to true.

    Things you can try: 

    •               If the application supports it, disable client impersonation.

    •               If you are certain that it is OK to ignore this error, it can be disabled by setting system.webServer/validation@validateIntegratedModeConfiguration to false.

    •               Move this application to an application pool using Classic .NET mode - for example, %SystemRoot%\system32\inetsrv\appcmd set app "Default Web Site/" /applicationPool:"Classic .NET AppPool"

    (You can set "Classic .NET AppPool" to the name of another application pool running in Classic managed pipeline mode)

     

     

    Based on this error it looks like the Application Pool used by default web site in IIS on CAS server is configured to be in Integrated managed pipeline mode. And ASP.Net Impersonation setting does not apply in this pipeline mode. Error recommends to try using Classic managed pipeline mode for the Application pool in order to use ASP.Net Impersonation.

     

    I think you should try using this settings and if it makes your CAS servers work without any errors and also makes SCOM Agent run connectivity tests fine, then we can get one more confirmation from product group if required and get KB article published as general guidelines for doing these steps.

     

    Wednesday, May 12, 2010 12:02 AM
  • LeRoy,

    I'm running SCOM SP1, not SCOM R2. Is this still applicable in a SCOM SP1 environment?

    Friday, May 14, 2010 3:45 PM
  • Hi,

     

    I tried this on two Exchange 2010 CAS/HUB servers but the test account is still getting locked out. Anyone else got some experience with this issue ?

     

    I am running SCOM SP1 still but I don't think that would be an issue regarding this.

    Thursday, May 27, 2010 8:45 PM
  • I am experiencing the same.  SCOM 2007 R2 installed.  Sure would like to see what the resolution is...

    Monday, June 14, 2010 7:02 PM
  • Please try this:

    Go in AD Users and Computers.
    Right click the extest user account (something like extest_a5a1dc3217etc)
    Go to the Account tab and under Account options check "Do not require Kerberos preauthentication".
    That fixed it for me.

    • Proposed as answer by Iain Burnley Thursday, July 22, 2010 7:21 AM
    Monday, June 14, 2010 7:06 PM
  • Sorry to bring this issue back up, but I found this article: http://support.microsoft.com/kb/2022687 and was wondering if using the extest_ user is still valid for SCOM to monitor connectivity?  Is there a better way?  We use Outlook from Anywhere, so requiring ASP.net impersonation is not an option for us.

    I have the exact issue above where this account is getting locked out.  Are there any implications if I "Do not require Kerberos preauthentication" on the extest_ account?

     

    Monday, March 14, 2011 1:45 PM
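
Added example, not part of any post in this thread: with "Do not require Kerberos preauthentication" set, the KDC issues a reply encrypted with a key derived from the account's password without first checking that the requester knows that password, so accounts carrying this flag are worth inventorying. The PowerShell below lists them; it assumes the ActiveDirectory module, Get-PreauthDisabledAccount is a hypothetical helper name, and the extest_* pattern and placeholder account name are illustrative.

```powershell
# Added example (not from the thread). Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# userAccountControl bit UF_DONT_REQUIRE_PREAUTH = 0x400000 (4194304)
$PreauthBit = 4194304

function Get-PreauthDisabledAccount {
    param(
        # Assumed naming pattern; 'extest_*' matches the Exchange test users in this thread.
        [string]$SamPattern = '*'
    )
    # LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) tests a single flag bit server-side.
    $ldap = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamPattern)" +
            "(userAccountControl:1.2.840.113556.1.4.803:=$PreauthBit))"
    Get-ADUser -LDAPFilter $ldap -Properties Enabled, LockedOut, PasswordLastSet, MemberOf |
        Select-Object SamAccountName, Enabled, LockedOut, PasswordLastSet,
            @{ Name = 'GroupCount'; Expression = { @($_.MemberOf).Count } }
}

# Every account in the domain with pre-authentication turned off
Get-PreauthDisabledAccount | Sort-Object PasswordLastSet | Format-Table -AutoSize

# Only the Exchange connectivity test users
Get-PreauthDisabledAccount -SamPattern 'extest_*' | Format-Table -AutoSize

# To put the default back on one account once the lockout cause is fixed
# (the account name below is a placeholder):
# Set-ADAccountControl -Identity 'extest_PLACEHOLDER' -DoesNotRequirePreAuth $false
```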
  • Hi All,

    please check the AD permissions if the Exchange Servers Group has the right to reset and change the password

    on the extest_123456478 account.

    With

    Test-ActiveSyncConnectivity -ResetTestAccountCredentials

    you can check if the password reset is working properly.

    Cheers,

    Mike

     

    Monday, March 21, 2011 2:43 PM
  • Hey Mike!

     

    Unfortunately resetting the PW did not work in our case. As soon as we start Health Service the account will be locked out.

    Any other hint regarding that?

     

    Thanks in advance,

    Patrick


    0101001101111001011100110111010001100101011011010100001101100101011011100111010001100101011100100101001001101111011000110110101101110011 http://www.systemcenterrocks.com | All information is provided "as is" without any warranty! Try in lab before. Handle with care in production.
    Tuesday, May 3, 2011 1:48 PM
  • Hi Patrick,

     

    Unfortunately the account gets locked out. Because the Health Service uses this command.

    First the Exchange Command must be working, then the Health Service can use this command.

     

    In my opinion, it is more an Exchange, AD Permission Issue.

    Try to reset the password with the -verbose and please post the result.

    Test-ActiveSyncConnectivity -ResetTestAccountCredentials -Verbose

     

    Cheers,

    Mike

    Friday, May 27, 2011 10:12 AM
  • I must also create the extest_ User Account with the powershell script new-TestCasConnectivityUser.ps1 in ExchangeInstallDir\Scripts

    Kind regards Joerg

    Wednesday, August 1, 2012 7:24 AM
  • Wish I could help you out, but I'm having exactly the same problem. Installed the MP 2 days ago, ran the cmdlet and it completed successfully, but the account will get locked out after only a couple minutes. I've tried resetting the password for the account and restarting the Exchange Correlation service and it still gets locked out.

    Just hoping a bump in the thread might help, I'll post back if I find a solution.

    Cheers, Michael

    How is it this response is marked as the answer?
    Saturday, July 30, 2016 2:16 PM
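
Added example, not part of any post in this thread: one way to see which machine is locking the extest_ account is to read lockout event 4740 from the PDC emulator's Security log, where the caller computer is recorded in the TargetDomainName field. It assumes Windows Server 2008 or later domain controllers, user account management auditing enabled, and the ActiveDirectory module; Get-LockoutSource is a hypothetical helper name.

```powershell
# Added example (not from the thread). Run with rights to read the DC Security log.
Import-Module ActiveDirectory

function Get-LockoutSource {
    param(
        [string]$AccountPattern = 'extest_*',  # the Exchange connectivity test users
        [int]$Hours = 24                        # how far back to search
    )
    # Lockouts are forwarded to the PDC emulator, so its log holds them for the whole domain.
    $pdc = (Get-ADDomain).PDCEmulator
    $filter = @{
        LogName   = 'Security'
        Id        = 4740                        # "A user account was locked out"
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read EventData fields by name rather than by position.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            if ($data['TargetUserName'] -like $AccountPattern) {
                [pscustomobject]@{
                    TimeCreated    = $_.TimeCreated
                    Account        = $data['TargetUserName']
                    CallerComputer = $data['TargetDomainName']  # source machine in event 4740
                    LoggedOn       = $_.MachineName
                }
            }
        }
}

# Which machines lock the test account, most frequent first
Get-LockoutSource |
    Group-Object CallerComputer, Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

If a single CAS server accounts for every lockout, the failing credential is held on that server (for example by the monitoring agent running the test cmdlets there).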