Exchange Server Forums
Event ID 71 CAS to CAS proxy issue
Event ID 71 CAS to CAS proxy issue - 30.Jul.2009 7:15:03 AM
I am having a fairly major issue with my OWA. Yesterday we changed the layout of our domain and put each DC (and Exchange server) into its own site.
Then any mailbox on the second Exchange server was no longer accessible. Mailboxes on the first server work fine.
So I did a little checking around and found the document (http://technet.microsoft.com/en-us/library/bb310763.aspx) on setting up CAS to CAS proxy. On the second CAS the internalURL is configured to:
http://2ndservername/OWA as per the document, with the right kind of authentication.
Yet now when a user tries to access their mailbox on the second server they get this error message:
Outlook Web Access is not currently available for this mailbox because it could not authenticate the connection to the Microsoft Exchange Client Access server that should be used for mailbox access. If the problem continues, contact technical support for your organization.
With this in the information:
User host address: external ip address
User: David Grant
EX Address: /o=Domain Name/ou=First Administrative Group/cn=Recipients/cn=Mailbox Name
SMTP Address: Mailbox.email@example.com
OWA version: 8.1.375.2
Second CAS for proxy: http://2ndservername/OWA
Exception type: Microsoft.Exchange.Clients.Owa.Core.OwaProxyException
Exception message: The proxy CAS failed to authenticate to the second CAS (it returned a 401)
No callstack available
Exception type: Microsoft.Exchange.Clients.Owa.Core.OwaAsyncOperationException
Exception message: ProxyPingRequest async operation failed
Microsoft.Exchange.Clients.Owa.Core.ProxyPingRequest.EndSend(IAsyncResult asyncResult) Microsoft.Exchange.Clients.Owa.Core.ProxyEventHandler.SendProxyPingRequestCallback(IAsyncResult asyncResult)
Exception type: System.Net.WebException
Exception message: The remote server returned an error: (401) Unauthorized.
System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult) Microsoft.Exchange.Clients.Owa.Core.ProxyUtilities.EndGetResponse(HttpWebRequest request, IAsyncResult asyncResult, Stopwatch requestClock) Microsoft.Exchange.Clients.Owa.Core.ProxyPingRequest.GetResponseCallback(IAsyncResult asyncResult)
Also in the event log:
Log Name: Application
Source: MSExchange OWA
Date: 30/07/2009 11:52:11
Event ID: 71
Task Category: Proxy
Client Access server https://mail.domainname.co.uk/owa attempted to proxy Outlook Web Access traffic to Client Access server http://2ndservername/OWA. This failed because the authentication for the connection between the two Client Access servers failed. This may be due to one of these configuration problems:
1. The host name in http://2ndservername/OWA may not be registered as a Service Principal Name (SPN) with Kerberos on the target Client Access server. This usually happens because you used the IP address, instead of the host name, of the target Client Access server in the "internalURL" configuration for the Outlook Web Access virtual directory on the target Client Access server. You can change the "internalURL" configuration for the target Client Access server using the "set-owavirtualdirectory" Exchange admin task. If you don't want to change the "internalURL" configuration for the Outlook Web Access virtual directory on the target Client Access server, you can also use the tool "setspn.exe" on the target Client Access server to register additional SPNs for which that Client Access server will accept Kerberos authentication.
2. The server hosting http://2ndservername/OWA may be configured not to allow Kerberos authentication. It might be set to use Windows Integrated authentication for the Outlook Web Access virtual directory, but be configured to only use NTLM (not Kerberos) authentication for Windows Integrated authentication. See the IIS documentation for additional troubleshooting steps if you suspect this may be the cause of the failure.
To be honest I'm completely stuck now and any help would be greatly appreciated.
RE: Event ID 71 CAS to CAS proxy issue - 31.Jul.2009 1:01:59 PM
From: Portland, Oregon
Just to be sure the basics are being done right...
On the internet facing CAS, you have FBA.
On the internal CAS, you need to get FBA turned off and do Windows Integrated.
As to the SPN, when you moved the server from site to site, did the site change involve a domain move also?
John Weber [Lync MVP] http://tsoorad.blogspot.com
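
The checks named in the Event ID 71 text and in the reply above, gathered into one script as an added example that is not part of the thread. `Test-CasProxyTarget` is a hypothetical helper name; the script assumes it runs in the Exchange Management Shell, that `setspn.exe` is on the path, and that the OWA application pool runs under the server's computer account.

```powershell
# Added example, not from the thread. Test-CasProxyTarget is a hypothetical
# helper name; run it in the Exchange Management Shell with setspn.exe on PATH.
function Test-CasProxyTarget {
    param([string]$Server = $(throw 'Specify the target CAS name'))

    foreach ($vdir in Get-OwaVirtualDirectory -Server $Server) {
        $row = '' | Select-Object Identity, InternalUrl, FormsAuth, WindowsAuth, MatchingSpns, Findings
        $row.Identity    = "$($vdir.Identity)"
        $row.InternalUrl = "$($vdir.InternalUrl)"
        $row.FormsAuth   = $vdir.FormsAuthentication
        $row.WindowsAuth = $vdir.WindowsAuthentication
        $findings = @()

        # The reply asks for FBA off and Windows Integrated on at the internal CAS.
        if ($vdir.FormsAuthentication)        { $findings += 'FBA is enabled on the target' }
        if (-not $vdir.WindowsAuthentication) { $findings += 'Windows Integrated is disabled' }

        if (-not $vdir.InternalUrl) {
            $findings += 'InternalUrl is not set'
        } else {
            $urlHost = ([Uri]"$($vdir.InternalUrl)").Host
            $ip = $null
            # Cause 1 in the event text: an IP address instead of a host name.
            if ([System.Net.IPAddress]::TryParse($urlHost, [ref]$ip)) {
                $findings += 'InternalUrl uses an IP address instead of a host name'
            }
            # setspn -L prints one indented SPN per line for the computer account.
            # Kerberos maps the HTTP service class onto HOST/ SPNs by default.
            $pattern = '^(HTTP|HOST)/' + [regex]::Escape($urlHost) + '(:\d+)?$'
            $row.MatchingSpns = @(& setspn.exe -L $Server |
                ForEach-Object { $_.Trim() } |
                Where-Object { $_ -match $pattern })
            if ($row.MatchingSpns.Count -eq 0) {
                $findings += "No HTTP/ or HOST/ SPN for '$urlHost' on $Server"
            }
        }
        $row.Findings = $findings
        $row
    }
}

# '2ndservername' is the placeholder host name used in the thread.
Test-CasProxyTarget -Server '2ndservername' | Format-List
```

An empty `Findings` list leaves cause 2 from the event text, the IIS setting that limits Windows Integrated authentication to NTLM, as the remaining item to check.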