• Twitter
  • FaceBook

Exchange Server Forums

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Event ID 71 CAS to CAS proxy issue

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [Microsoft Exchange 2007] >> Outlook Web Access >> Event ID 71 CAS to CAS proxy issue Page: [1]
Message << Older Topic   Newer Topic >>
Event ID 71 CAS to CAS proxy issue - 30.Jul.2009 7:15:03 AM   


Posts: 11
Joined: 5.Mar.2009
Status: offline

I am having afairly major issue with my OWA. Yesterday we changed the layout of our domain and put each DC (and exchange server) into its own site.

Then any mailbox on the second exchange server was no longer accessible. Mailbox on the first server work fine.

So i did alittle checking around and found the document (http://technet.microsoft.com/en-us/library/bb310763.aspx)on setting up CAS to CAS proxy. On the second CAS the internalURL is configured to:

http://2ndservername/OWA as per the document with right kind of authentication.

Yet now when a user tries to access there mailbox on the second server they get this error message:

Outlook Web Access is not currently available for this mailbox because it could not authenticate the connection to the Microsoft Exchange Client Access server that should be used for mailbox access. If the problem continues, contact technical support for your organization.

With this in the information:

Url: https://mail.domainanme.co.uk:443/owa/ev.owa?oeh=1&ns=HttpProxy&ev=ProxyRequest
User host address: external ip address
User: David Grant
EX Address: /o=Domain Name/ou=First Administrative Group/cn=Recipients/cn=Mailbox Name
SMTP Address: Mailbox.name@domainname.co.uk
OWA version: 8.1.375.2
Second CAS for proxy: http://2ndservername/OWA

Exception type: Microsoft.Exchange.Clients.Owa.Core.OwaProxyException
Exception message: The proxy CAS failed to authenticate to the second CAS (it returned a 401)

Call stack
No callstack available
Inner Exception
Exception type: Microsoft.Exchange.Clients.Owa.Core.OwaAsyncOperationException
Exception message: ProxyPingRequest async operation failed

Call stack
Microsoft.Exchange.Clients.Owa.Core.ProxyPingRequest.EndSend(IAsyncResult asyncResult) Microsoft.Exchange.Clients.Owa.Core.ProxyEventHandler.SendProxyPingRequestCallback(IAsyncResult asyncResult)
Inner Exception
Exception type: System.Net.WebException
Exception message: The remote server returned an error: (401) Unauthorized.

Call stack
System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult) Microsoft.Exchange.Clients.Owa.Core.ProxyUtilities.EndGetResponse(HttpWebRequest request, IAsyncResult asyncResult, Stopwatch requestClock) Microsoft.Exchange.Clients.Owa.Core.ProxyPingRequest.GetResponseCallback(IAsyncResult asyncResult)
Also in the event log:

Log Name:      Application
Source:        MSExchange OWA
Date:          30/07/2009 11:52:11
Event ID:      71
Task Category: Proxy
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      1stservername.orwelltrucks.intra
Client Access server https://mail.domainname.co.uk/owa attempted to proxy Outlook Web Access traffic to Client Access server http://2ndservername/OWA. This failed because the authentication for the connection between the two Client Access servers failed. This may be due to one of these configuration problems:
1. The host name in http://2ndservername/OWA may not be registered as a Service Principal Name (SPN) with Kerberos on the target Client Access server. This usually happens because you used the IP address, instead of the host name, of the target Client Access server in the "internalURL" configuration for the Outlook Web Access virtual directory on the target Client Access server. You can change the "internalURL" configuration for the target Client Access server using the "set-owavirtualdirectory" Exchange admin task. If you don't want to change the "internalURL" configuration for the Outlook Web Access virtual directory on the target Client Access server, you can also use the tool "setspn.exe" on the target Client Access server to register additional SPNs for which that Client Access server will accept Kerberos authentication.
2.The server hosting http://2ndservername/OWA may be configured not to allow Kerberos authentication. It might be set to use Windows Integrated authentication for the Outlook Web Access virtual directory, but be configured to only use NTLM (not Kerberos) authentication for Windows Integrated authentication. See the IIS documentation for additional troubleshooting steps if you suspect this may be the cause of the failure.

To be honest i'm completely stuck now and any help would be greatly appreciated.


Post #: 1
RE: Event ID 71 CAS to CAS proxy issue - 31.Jul.2009 1:01:59 PM   
John Weber


Posts: 1236
Joined: 20.Apr.2005
From: Portland, Oregon
Status: offline
Just to be sure the basics are  being done right...

On the internet facing CAS, you have FBA.
One the internal CAS, you need to get FBA turned off and do Windows Integrated.

As to the SPN, when you moved the server from site to site, did they site change involve a domain move also?


John Weber [Lync MVP] http://tsoorad.blogspot.com

(in reply to marky1984)
Post #: 2

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [Microsoft Exchange 2007] >> Outlook Web Access >> Event ID 71 CAS to CAS proxy issue Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts

Follow TechGenix on Twitter