Exchange 2007 OWA error page
We are running a very basic Exchange (newly updated from 2003 to 2007 w/srv pk1). Only one DC (Windows 2003), and a Linksys (RV042) Router. The mail flow in and out seems to be fine but we are not able to connect via OWA. When we try to connect, first we get a certificate error page and a choice (not recommended), to continue. The we get:
The website is unable to display the webpage
HTTP 501/HTTP 505
I have read a number of articles and most point to the iis and setting permissions but because some say the settings should be one way and others say the settings should be another way, I am at a loss as to what the settings SHOULD be if in fact that is the cause of our problems. Any help on this or other settings that I should check would be greatly appreciated.
August 21st, 2009 4:48am
HTTP 501/HTTP 505 (HTTP 501 Not Implemented or HTTP 505 Version Not Supported) means that the website you are visiting doesn't currently have the ability to display the webpage, or support the HTTP version used to request the page
Troubleshooting:
1. Please describe the current exchange topology, have the old exchange 2003 server been decommissioned? Is it a pure exchange 2007 environment now?
2. Does the issue happen to all users? Have the OWA worked before?
3. Is there any server between users machines and CAS server? please use Get-ExchangeCertificate to check the certificate for IIS
Get-ExchangeCertificate | Fl
4. Whats the error info in the certificate error windows?
5. Is there any error info in the application log on the CAS server?
6. Please refer this article to verify the default setting on the virtual directories
7. Please use Set-EventLogLevel to increase the logging of the following categories and reproduce the issue, and then check the application log on the exchange server for related event
MSExchange OWA\Core
MSExchange OWA\Configuration
8. Please try to access OWA directly on the CAS server. If the symptom still persists, please try to recreate OWA virtual directory (Step 3 in here)
Resources:
Error Message: Error 501/505: Not Implemented or Not Supported
Free Windows Admin Tool Kit Click here and download it now
August 21st, 2009 6:12am
1. Please describe the current exchange topology, have the old exchange 2003 server been decommissioned? Is it a pure exchange 2007 environment now? No, the migration is only a week old and we were trying to make sure all worked on 2007 before removing 2003
2. Does the issue happen to all users? Have the OWA worked before?Yes, all users are affected. It worked when we were on Exchange 2003 using /exchange with no ssl
3. Is there any server between users machines and CAS server? please use Get-ExchangeCertificate to check the certificate for IIS
Get-ExchangeCertificate | FlThis is the result of running Get-ExchangeCertificate | FlWARNING: An unexpected error has occurred and debug information is beinggenerated: The process does not possess the 'SeSecurityPrivilege' privilegewhich is required for this operation.Get-ExchangeCertificate : The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.At line:1 char:24+ Get-ExchangeCertificate <<<< | Fl
4. Whats the error info in the certificate error windows?
There is a problem with this website's security certificate.
The security certificate presented by this website was not issued by a trusted certificate authority.
The security certificate presented by this website was issued for a different website's address.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
We recommend that you close this webpage and do not continue to this website.
Click here to close this webpage.
Continue to this website (not recommended).
5. Is there any error info in the application log on the CAS server?The most recent are:msexchange IS 9874msexchange common 4999msexchange fbpublish 8207
6. Please refer this article to verify the default setting on the virtual directories
7. Please use Set-EventLogLevel to increase the logging of the following categories and reproduce the issue, and then check the application log on the exchange server for related event
MSExchange OWA\Core
MSExchange OWA\ConfigurationThis is the result from running Set-EventLogLevelMSExchange OWA\Corecmdlet Set-EventLogLevel at command pipeline position 1Supply values for the following parameters:Identity: MSExchange OWA\CoreLevel: 5Set-EventLogLevel : Cannot bind parameter 'Identity'. Cannot convert value " MSExchange OWA\Core" to type "Microsoft.Exchange.Configuration.Tasks.ECIdParameter". Error: "'Core' is not a valid value for the identity.Parameter name: Identity.EventSource"At line:1 char:17+ Set-EventLogLevel <<<<
8. Please try to access OWA directly on the CAS server. If the symptom still persists, please try to recreate OWA virtual directory (Step 3 in here)I get the same errors afterfollowing these steps
August 21st, 2009 3:10pm
Warning: An unexpected error has occurred and debug information is being generated: The process does not possess the 'SeSecurityPrivilege' privilegewhich is required for this operation
a. Please go to Default Domain Controllers Policy, expand to Computer Configuration> Windows Settings>Local Settings>Local Policies>User Rights Assignment
b. Go to Properties of Manage Auditing and Security Log, verify if only the following account/group exists
Administrators
Domain\Exchange Servers
c. Also, remove the right in the "Manage auditing and security log" on the Default Domain Policy
Error: There is a problem with this website's security certificate. The security certificate presented by this website was not issued by a trusted certificate authority
Please see KB 931850. According to error, client doesnt trust the current certificate. Could you describe the certificate that installed on the CAS server? Whether its a third party commercial certificate, Self-signed certificate that auto-added during the exchange 2007 installation, or Windows CA certificate? Anyway, we shall fix the warning when attempting using Get-ExchangeCertificate, it would help to get more detailed info about the current certificate
Would you provide the detailed description about those error events (9874, 4999 and 8207)?
And the diagnostic logging, please use the format likes below:
Set-EventLogLevel -Identity " MSExchange OWA\Core" -Level High
Notes: Please dont forget to lower the level of logging after the testing
Resources:
Manage auditing and security log
Free Windows Admin Tool Kit Click here and download it now
August 24th, 2009 6:25am
I am still trying to resove this. No changes so far. Thanks
August 26th, 2009 3:41pm
OK. Please post at here if theres any update
Free Windows Admin Tool Kit Click here and download it now
August 28th, 2009 4:12am
I am going to sign on with Microsofts fee based support to try to resolve this. At this point I think that it may be something simple but I can't figure out what it is. Tried everything.Thanks
August 28th, 2009 5:09am
Here are the notes for the Microsoft Technician that resolved our issue.
During the EA session, we have recreated the OWA directories successfully. Below is the summary:
1. we restore the IIS to the backup point named recreate OWA.
2. Deleted the orphan virtual directories objects in AD within ADSIEdit.MSC
1)CN=OWA(Default web site)
2)CN=Exchange(Default web site)
3)CN=Exchweb(Default web site)
4) CN=Public(Default web site)
3. Remove the virtual directories within IIS Manger.
4. Run below commands one by one to recreate the Virtual directories
New-OwaVirtualDirectory "exchange" -OwaVersion Exchange2003or2007 -VirtualDirectoryType Mailboxes -WebSiteName "Default Web Site"
New-OwaVirtualDirectory "public" -OwaVersion Exchange2003or2007 -VirtualDirectoryType PublicFolders -WebSiteName "Default Web Site"
New-OwaVirtualDirectory "exchweb" -OwaVersion Exchange2003or2007 -VirtualDirectoryType Exchweb -WebSiteName "Default Web Site"
New-OwaVirtualDirectory -name "owa" -OwaVersion Exchange2007 -WebSiteName "Default Web Site"
5. Test Https://localhost /owa. Result=> can login mailbox.
6. Test https://MSI-Exchange/OWA. Result => can login mailbox without problem
7. Test https://mail.ourcompany.net/owa , still not work. It warns certificate is mismatch or not be trusted. When we continue to view the website, it displays Http 501/505 error.
8. Ping mail.ourcompany.net, get the external IP 001.003.004.005.
Based on our previous troubleshooting, It seems that the external IP 001.003.004.005 not forward the http traffic to the static IP address assigned on the IIS.
Our next action was to confirm if the external traffic can reach internal static IP address. To verify it, we needed to collect the latest IIS log.
Once repaired, OWA still did not work. from the IIS log, he did find external Http traffic (on 09-08 IIS log) to reach the default web site. However, it seems that Http requests only get to the IIS default web site but not get the OWA folder.
It was strange that the external request to get /Prx.Php page which is not OWA files. Thats why he suspected that http traffic may be misrouted to wrong internal IP address. If thats the truth, it would involve our network team or router\firewall vender to configure the ACL rule correctly.
Since internal OWA is now working properly, we can conclude that the OWA component is fine. The current situation may be related to router layer issue. so I suggested to check the rules on the router first to ensure that the https or http based 443 or 80 port will be forwarded to the correct internal IP address.
We got the firewall vendor involved and resolved the issue so that the http based 443 or 80 port was forwarded to the correct internal IP address. OWA is now working from the outside.
Free Windows Admin Tool Kit Click here and download it now
September 11th, 2009 5:12am