SOLVED

Exchange 2016 EAC redirects to OWA


Hi All

Hope everyone is keeping safe. Please can someone assist me with the following issue. For some reason I can no longer access the EAC on my Exchange 2016 server. I have tried different browsers and PCs but the result is still the same. I can get to the login screen and enter my details but then it gives an error. Refer to the attached images. Now I recently made a change to the OWA and ECP virtual directories because onboarding mailboxes to Office 365 was a problem. Not too sure if that broke something. I have rebooted the server since making those changes to the virtual directories.

14 Replies
Hello Navishkar,
I would suggest to set the correct permissions on the ECP and OWA virtual directory:
https://docs.microsoft.com/en-us/exchange/clients/default-virtual-directory-settings?view=exchserver...

And then recycle the ECP and OWA app pool via Application Pools in IIS, you can refer to this article on where to find App Pools.
Of course you shouldn't set a schedule for this.
https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/applicationpools/add/recyc...

It's also strange that onboarding didn't work properly, I would advise you to use the Office 365 ECP (outlook.office365.com/ecp) to create migration batches as the ECP within Exchange doesn't work properly sometimes (experienced this myself as well).

I forgot to add the most important bit. Currently in coexistence with Exchange 2010.

Hello Navishkar,

On which server is the mailbox of the admin account homed?

If it's placed on the Exchange 2010 server then it could be possible that Autodiscover or the back end virtual directory is not functioning properly.

@PvB91 

Hi there. I moved the admin mailbox to the 2016 server however that still didn't solve the problem. Been doing a lot of reading and it seems like definitely the authentication settings on the OWA and ECP virtual directories I changed recently. 


@PvB91 

"It's also strange that onboarding didn't work properly, I would advise you to use the Office 365 ECP (outlook.office365.com/ecp) to create migration batches as the ECP within Exchange doesn't work properly sometimes (experienced this myself as well)." --- About this.....so what happened was that Exchange Online wasn't able to connect to the migration endpoint. The only time it was able to connect was when I changed the authentication options on those virtual directories.

Hello Navishkar,

Aaah I have been dealing with this a lot lately, this is because for some reason the EWS directory isn't accessible through basic auth.
You can resolve this with the following PowerShell commands:
get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -MRSproxyenabled $false
get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -basicauthentication $true
get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -MRSproxyenabled $true

EWS is used by Office 365 to process mailbox onboarding.

@PvB91 Thanks for that info but I never had to change anything on the EWS virtual directory. Only after I made changes to the OWA directory was Office 365 able to connect to the migration endpoint.

Hello Navishkar,

That's strange that this was the solution but if it works it works ;)
Did you already change the virtual directory permissions to the article I've added in my previous message?

@PvB91 

Seems like those settings you want me to apply are already on there:

[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory -Server ttafdatvxmr2 | Select *auth*, *mrs*


CertificateAuthentication :
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication :
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
AdfsAuthentication : False
MRSProxyEnabled : True


@PvB91 

Do you think running the HCW will help correct all the authentication settings on the virtual directories? We last ran the HCW on the 2010 server, we haven't done it since adding the 2016 box.

Also, I noticed in 2016 there's a "default web site" and then there's "exchange backend". Do I need to correct the authentication settings on both?


Ah yes this makes sense now, yes you should run the HCW on the Exchange 2016 server and also make sure your external ports are forwarding to your Exchange 2016 server.
When you are in a Hybrid scenario the Exchange server with the most recent version of Exchange should always be the Hybrid configured server.

And you should indeed also check both the virtual directories in IIS and via the get-owavirtualdirectory and get-ecpvirtualdirectory commands if these match.

Best Response confirmed by Navishkar Sadheo (Frequent Contributor)
Solution
Hello Navishkar,

These are from the EWS but could you check them for the OWA and ECP directories?
And do they match with IIS?
Also, could you recycle the IIS sites?

@PvB91 

Hi again. Thanks for all your assistance. I see the problem was that on the OWA virtual directory FormsAuthentication was set to false however on the ECP virtual directory it was set to true.

On the OWA virtual directory, I changed FormsAuthentication to true in order to match that of the ECP and now I can access the Exchange Admin Center.

Thank you so much for all your assistance. Much appreciated.

Hello Navishkar,

This is very good news, you are most welcome!
I'm very glad I was able to help you!

May I ask you to mark my previous comment as the answer for future reference?
Have a nice day!
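
The check that resolved this thread (OWA and ECP authentication settings that disagree), written as an added example that is not from any of the posters. It assumes the Exchange Management Shell on the Exchange 2016 server; `Compare-OwaEcpAuth` is a hypothetical helper name, and the report covers both the "Default Web Site" and "Exchange Back End" copies asked about earlier in the thread.

```powershell
# Added example; run in the Exchange Management Shell.
# $Server defaults to the local machine (assumption); pass -Server to override.
param([string] $Server = $env:COMPUTERNAME)

# Authentication flags exposed by both OWA and ECP virtual directories.
$authProps = 'FormsAuthentication', 'BasicAuthentication', 'WindowsAuthentication',
             'DigestAuthentication', 'AdfsAuthentication'

# Hypothetical helper: one row per setting, flagged where OWA and ECP disagree.
function Compare-OwaEcpAuth {
    param([string] $Site, $Owa, $Ecp)
    foreach ($p in $authProps) {
        [pscustomobject]@{
            Site     = $Site
            Setting  = $p
            OWA      = $Owa.$p
            ECP      = $Ecp.$p
            Mismatch = ($Owa.$p -ne $Ecp.$p)
        }
    }
}

# -ShowMailboxVirtualDirectories also returns the "Exchange Back End" copies.
$owaAll = Get-OwaVirtualDirectory -Server $Server -ShowMailboxVirtualDirectories
$ecpAll = Get-EcpVirtualDirectory -Server $Server -ShowMailboxVirtualDirectories

$report = foreach ($site in 'Default Web Site', 'Exchange Back End') {
    # Virtual directory names have the form "owa (Default Web Site)".
    $owa = $owaAll | Where-Object { $_.Name -like "*($site)" }
    $ecp = $ecpAll | Where-Object { $_.Name -like "*($site)" }
    if ($owa -and $ecp) { Compare-OwaEcpAuth -Site $site -Owa $owa -Ecp $ecp }
    else { Write-Warning "No OWA/ECP pair found on '$site' for $Server" }
}

$report | Format-Table -AutoSize

# Summarise any rows where the two virtual directories disagree.
$mismatches = @($report | Where-Object Mismatch)
if ($mismatches.Count) {
    Write-Warning "$($mismatches.Count) setting(s) differ between OWA and ECP"
}
```

The script only reads settings; any row with `Mismatch` set to `True` is a candidate for the kind of `FormsAuthentication` difference described above, to be corrected with the matching `Set-*VirtualDirectory` cmdlet and an app pool recycle.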