OWA 2010 Proxy Issue
Hi
I'm hoping someone can help me here. I basically have eight Exchange 2010 SP1 servers located at different sites around the globe. The two servers at head office are exposed for OWA and are set up for FBA. All other servers are just proxied to internally and are set for integrated authentication.
This setup works fine for all but one of my servers. I have checked and double checked and all settings appear correct, but I get the following response:
Request
Url: https://EXPOSED-ADDRESS :443/owa/ev.owa?oeh=1&ns=HttpProxy&ev=ProxyRequest
User host address: CLIENT IP
User: USERNAME
EX Address: /o=ORG-NAME /ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=USERNAME
SMTP Address: E-MAIL ADDRESS
OWA version: 14.1.218.13
Second CAS for proxy: https://PROXIED-SERVER-ADDRESS /owa
Exception
Exception type: Microsoft.Exchange.Clients.Owa.Core.OwaProxyException
Exception message: The proxy CAS failed to authenticate to the second CAS (it returned a 401)
Call stack
No callstack available
Inner Exception
Exception type: Microsoft.Exchange.Clients.Owa.Core.OwaAsyncOperationException
Exception message: ProxyPingRequest async operation failed
Call stack
Microsoft.Exchange.Clients.Owa.Core.ProxyPingRequest.EndSend(IAsyncResult asyncResult)
Microsoft.Exchange.Clients.Owa.Core.ProxyEventHandler.SendProxyPingRequestCallback(IAsyncResult asyncResult)
Inner Exception
Exception type: System.Net.WebException
Exception message: The remote server returned an error: (401) Unauthorized.
Call stack
System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
Microsoft.Exchange.Clients.Owa.Core.ProxyUtilities.EndGetResponse(HttpWebRequest request, IAsyncResult asyncResult, Stopwatch requestClock)
Microsoft.Exchange.Clients.Owa.Core.ProxyPingRequest.GetResponseCallback(IAsyncResult asyncResult)
Inner Exception
Exception type: System.ComponentModel.Win32Exception
Exception message: The target principal name is incorrect
Call stack
System.Net.NTAuthentication.GetOutgoingBlob(Byte[] incomingBlob, Boolean throwOnError, SecurityStatus& statusCode)
System.Net.NTAuthentication.GetOutgoingBlob(String incomingBlob)
System.Net.NegotiateClient.DoAuthenticate(String challenge, WebRequest webRequest, ICredentials credentials, Boolean preAuthenticate)
System.Net.NegotiateClient.Authenticate(String challenge, WebRequest webRequest, ICredentials credentials)
System.Net.AuthenticationManager.Authenticate(String challenge, WebRequest request, ICredentials credentials)
System.Net.AuthenticationState.AttemptAuthenticate(HttpWebRequest httpWebRequest, ICredentials authInfo)
System.Net.HttpWebRequest.CheckResubmitForAuth()
System.Net.HttpWebRequest.CheckResubmit(Exception& e)
Any help would be greatly appreciated
Thanks
Steven
November 22nd, 2010 5:12am
Hi Kopite,
If the user connects directly to the server with the problem, can he access OWA?
Regards
November 22nd, 2010 6:47am
Hi Rafael
Thanks for your quick response.
Yeah, I can confirm that login is successful if the user hits the server directly.
Thanks
Steven
November 22nd, 2010 6:54am
Hi Steven
Can you access the server with the problem on port 443 from the two servers that are exposed for OWA?
November 22nd, 2010 6:59am
Yeah, I can confirm that I can access this server fine over 443 from the exposed servers. It even suggests that I log on via the provided link for best performance, as my mailbox is located at head office, which suggests proxying is configured correctly.
However, I have noticed the following error in the log of the server at head office (the exposed server doing the proxying):
Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Date: 21/11/2010 18:12:18
Event ID: 4
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: SERVER-PROXYIED-FROM
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server SERVER-PROXYIED-TO. The target name used was HTTP/SERVER-PROXYIED-TO. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the
target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the
target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current
password. If the server name is not fully qualified, and the target domain (DIR.INNOVIAFILMS.COM) is different from the client domain (DIR.INNOVIAFILMS.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified
name to identify the server.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Kerberos" Guid="{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}" EventSourceName="Kerberos" />
<EventID Qualifiers="16384">4</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2010-11-21T18:12:18.000000000Z" />
<EventRecordID>15028</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>SERVER-PROXYIED-FROM</Computer>
<Security />
</System>
<EventData>
<Data Name="Server">SERVER-PROXYIED-TO$</Data>
<Data Name="TargetRealm">DOMAIN-NAME</Data>
<Data Name="Targetname">HTTP/SERVER-PROXYIED-TO</Data>
<Data Name="ClientRealm">DOMAIN-NAME</Data>
<Binary>
</Binary>
</EventData>
</Event>
I have checked the registered SPNs on both of the servers in the cluster at the remote site and everything appears to have been registered correctly.
Thanks again
Ste
November 22nd, 2010 7:13am
Just FYI, below is another message I am receiving on the CAS server which is receiving the proxy request.
I have tried updating the OWA VDir settings; as it's SP1, I have even tried resetting the virtual directory. No effect.
However, I haven't tried creating an SPN for this, as the proxy-to address (the internal address of the receiving server) is actually a CNAME, and I'm not sure if it is possible to create an SPN for a CNAME?
Any help would be gratefully received.
Thanks
Log Name: Application
Source: MSExchange OWA
Date: 22/11/2010 14:29:07
Event ID: 71
Task Category: Proxy
Level: Error
Keywords: Classic
User: N/A
Computer: SERVER-PROXYIED-FROM
Description:
Microsoft Exchange Client Access server https://SERVER-PROXYIED-FROM/owa tried to proxy Outlook traffic to Client Access server https://SERVER-PROXYIED-TO/owa. This failed because the authentication for the connection between the two Client Access servers failed.
This may be due to one of these configuration problems:
1. The host name in https://SERVER-PROXYIED-TO/owa may not be registered as a Service Principal Name (SPN) with Kerberos on the target Client Access server. This usually happens because you used the IP address, instead of the host name, of the target Client
Access server in the "internalURL" configuration for the Outlook Web App virtual directory on the target Client Access server. You can change the "internalURL" configuration for the target Client Access server using the Set-OwaVirtualDirectory"
task. If you don't want to change the "internalURL" configuration for the Outlook Web App virtual directory on the target Client Access server, you can also use the tool "setspn.exe" on the target Client Access server to register additional
SPNs for which that Client Access server will accept Kerberos authentication.
2.The server hosting https://SERVER-PROXYIED-TO/owa may be configured not to allow Kerberos authentication. It might be set to use Integrated Windows authentication for the Outlook Web App virtual directory, but be configured to only use NTLM (not Kerberos)
authentication for Integrated Windows authentication. If you suspect this may be the cause of the failure, see the IIS documentation for additional troubleshooting steps.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSExchange OWA" />
<EventID Qualifiers="49152">71</EventID>
<Level>2</Level>
<Task>6</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2010-11-22T14:29:07.000000000Z" />
<EventRecordID>162216</EventRecordID>
<Channel>Application</Channel>
<Computer>SERVER-PROXYIED-FROM</Computer>
<Security />
</System>
<EventData>
<Data>https://SERVER-PROXYIED-FROM/owa</Data>
<Data>https://SERVER-PROXYIED-TO/owa</Data>
</EventData>
</Event>
November 22nd, 2010 10:38am
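The two events above point at the same thing: the proxying CAS builds the SPN HTTP/<name in the target InternalUrl> and the KDC either has no such SPN, has it on more than one account, or has it on the wrong account. The following PowerShell script is an added example for this thread (it is not code from the posters or from Microsoft) that checks exactly that for a name which may be a CNAME. It assumes a domain-joined machine with setspn.exe and the DnsClient module (Resolve-DnsName, Windows Server 2012 or later), and the hostname 'owa-site.corp.example' is a placeholder.

```powershell
<#
  Added example: verify that the Kerberos SPN an OWA proxy will request for the
  target CAS exists exactly once, on the computer account of the host behind the name.
  Assumptions: setspn.exe and Resolve-DnsName are available; hostnames are placeholders.
#>
param(
    [string]$TargetHost   = 'owa-site.corp.example',  # host part of the target InternalUrl (may be a CNAME)
    [string]$ServiceClass = 'HTTP'                    # service class IIS/HTTP.sys uses for Integrated Windows auth
)

function Get-SpnAccounts {
    # setspn -Q prints one 'CN=...' line per account the SPN is registered on.
    param([string]$Spn)
    $lines = & setspn.exe -Q $Spn 2>&1
    @($lines | Where-Object { "$_" -match '^\s*CN=' } | ForEach-Object { "$_".Trim() })
}

function Test-OwaProxySpn {
    param([string]$Name, [string]$Class)

    # 1. Resolve the name the proxy actually uses. A CNAME is acceptable for Kerberos,
    #    but <Class>/<cname> must be registered on the account of the host it points to:
    #    the client derives the SPN from the name it was given, not from the A record.
    $records   = Resolve-DnsName -Name $Name -Type A -ErrorAction Stop
    $aRecord   = $records | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
    if (-not $aRecord) { throw "No A record behind '$Name'" }
    $canonical = $aRecord.Name                      # FQDN of the real host
    $shortName = ($canonical -split '\.')[0]
    $isCname   = ($canonical -ne $Name)

    # 2. Short and fully qualified forms both get requested in practice, so check each.
    $spns = @("$Class/$Name", "$Class/$canonical")
    if ($Name -notmatch '\.') { $spns += "$Class/$shortName" }
    $spns = $spns | Select-Object -Unique

    $findings = foreach ($spn in $spns) {
        $accounts = Get-SpnAccounts -Spn $spn
        $state = switch ($accounts.Count) {
            0       { 'MISSING' }
            1       { if ($accounts[0] -match "^CN=$([regex]::Escape($shortName)),") { 'OK' } else { 'WRONG-ACCOUNT' } }
            default { 'DUPLICATE' }   # the classic cause of KRB_AP_ERR_MODIFIED (Kerberos event 4) on the client
        }
        [pscustomobject]@{ Spn = $spn; State = $state; Accounts = ($accounts -join '; ') }
    }

    [pscustomobject]@{
        TargetName = $Name
        IsCname    = $isCname
        RealHost   = $canonical
        Findings   = $findings
    }
}

$result = Test-OwaProxySpn -Name $TargetHost -Class $ServiceClass
$result | Format-List TargetName, IsCname, RealHost
$result.Findings | Format-Table -AutoSize

# Suggested remediation per finding (printed only, never applied automatically).
foreach ($f in $result.Findings) {
    switch ($f.State) {
        'MISSING'       { "setspn -S $($f.Spn) $(($result.RealHost -split '\.')[0])    # -S refuses to create a duplicate" }
        'DUPLICATE'     { "setspn -X    # list duplicate SPNs in the forest, then remove the stray one with setspn -D" }
        'WRONG-ACCOUNT' { "Move $($f.Spn) to the computer account of $($result.RealHost) (setspn -D on the wrong account, setspn -S on the right one)" }
    }
}
```

Run it from the proxying CAS, because that is the machine whose Kerberos client logs event 4, and feed it the host part of the target server's InternalUrl (visible with `Get-OwaVirtualDirectory -Server <target> | Format-List InternalUrl, WindowsAuthentication`). A DUPLICATE result explains the "target principal name is incorrect" / KRB_AP_ERR_MODIFIED pair in the thread; if every SPN reports OK, the remaining suspect from event 71 is the IIS side, where the Windows authentication providers on the target's /owa directory must still include Negotiate rather than NTLM only.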
UPDATE:
After noticing that the proxying error only appears if proxying through a certain front-end server, I failed this over and restarted the box.
These errors now no longer appear and all is working correctly.
Thanks
November 23rd, 2010 6:12am