Users are unable to access OWA options (ECP) in Exchange 2010 and 2013

This is not an especially new issue but there is not much information about it so here goes anyway.

The issue

Some users, but not all, of a customer of mine reported that they could not save their signatures in OWA. After some investigation I found that the users who could save their signature had a Role Assignment Policy set, "Default Role Assignment Policy". This was the only policy in use and all users should have had that policy.

When I did a quick check online, some had reported that the following event with event ID 4 and the error message "The user "username" isn't assigned to any management roles." was logged in the Application Log on the CAS servers. However, my customer had no such events in the Application Logs on their CAS servers.

The users that could not save their signature had an empty RoleAssignmentPolicy attribute. Exchange needs the RoleAssignmentPolicy property (the msExchRBACPolicyLink attribute in Active Directory) to determine which settings the user has the right to change in ECP. This is based on RBAC, and if you want to read up on Role Assignment Policies have a look here.

Let's have a look at this in more detail. I have two users: Test User1 with no policy set, and Test User2 with the "Default Role Assignment Policy" set. We will start with the first user.

 

A broken Mailbox

Test User1 (no policy set)
Run the following command to view the RoleAssignmentPolicy property.

Get-Mailbox <identity> | fl Name,RoleAssignmentPolicy

Example:

[Screenshot: OWASaveError03]

As you can see, the RoleAssignmentPolicy property is empty. In ADSI Edit the attribute you should look for is called msExchRBACPolicyLink as shown below.

[Screenshot: OWASaveError01]

As you probably have guessed already, the attribute is empty for Test User1. If I go to OWA and try to change some of the options I receive the following error message “Sorry! Access Denied. You don’t have permission to open this page. If you’re a new user or were recently assigned credentials, please wait 15 minutes and try again.”.

In both Exchange 2010 and 2013 the message looks like this.

[Screenshot: OWASaveError05]

 

A working mailbox

Test User2 (“Default Role Assignment Policy” set)

Again, run the following command to view the RoleAssignmentPolicy property:

Get-Mailbox <identity> | fl Name,RoleAssignmentPolicy

Example:

[Screenshot: OWASaveError04]

Much better, as you can see. When we look in ADSI Edit, the msExchRBACPolicyLink attribute contains the distinguished name of the "Default Role Assignment Policy".

[Screenshot: OWASaveError02]

For Test User2 it works fine to change the settings in ECP.

 

Why did it happen?

I did some more investigating and found that the reason this issue occurred for some users was that my customer had created some mailboxes using AD Toolkit. When AD Toolkit creates the mailboxes, the msExchRBACPolicyLink attribute is not set.

The policy can be set from AD Toolkit as well, by adding the msExchRBACPolicyLink attribute with the distinguished name of the correct Role Assignment Policy when creating the mailboxes.

 

Solution

Well, the easiest way to solve the issue is to add a Role Assignment Policy to the affected mailboxes. To find all users with an empty msExchRBACPolicyLink attribute you can run the following command.

Get-Mailbox -ResultSize Unlimited | Where { $_.RoleAssignmentPolicy -like $null}

Example:

[Screenshot: OWASaveError07]


To add a Role Assignment Policy for all the listed users run the following command:

Get-Mailbox -ResultSize Unlimited | Where { $_.RoleAssignmentPolicy -like $null} | Set-Mailbox -RoleAssignmentPolicy "Default Role Assignment Policy"

Example:

[Screenshot: OWASaveError08]

And that should be it, all users should now be able to change their settings in ECP.
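The two one-liners above do the job, but in a larger organization you usually want a dry run, a record of which mailboxes were affected, and a check afterwards. The script below is an added example for the Exchange Management Shell (2010/2013); it is not from the original post. It assumes an account that is allowed to run Set-Mailbox, and the CSV path and the $Apply switch are my own additions: with $Apply left at $false every Set-Mailbox runs with -WhatIf, so nothing changes until you flip it.

```powershell
# Added example, not part of the original post. Assumes the Exchange Management
# Shell (2010/2013) and an account that may run Set-Mailbox.
# Leave $Apply = $false for a dry run (-WhatIf); set it to $true to apply.
$Apply      = $false
$PolicyName = "Default Role Assignment Policy"
$ReportPath = "C:\Temp\Mailboxes-Without-RoleAssignmentPolicy.csv"   # assumed path

# 1. Confirm the policy exists (and is the organization's default) before assigning it.
$policy = Get-RoleAssignmentPolicy -Identity $PolicyName -ErrorAction Stop
if (-not $policy.IsDefault) {
    Write-Warning "'$PolicyName' is not flagged IsDefault; check Get-RoleAssignmentPolicy before continuing."
}

# 2. Find mailboxes whose RoleAssignmentPolicy (msExchRBACPolicyLink) is empty.
#    Stringifying first means both $null and an empty value are caught.
$affected = Get-Mailbox -ResultSize Unlimited |
    Where-Object { [string]::IsNullOrEmpty("$($_.RoleAssignmentPolicy)") }

Write-Host ("{0} mailbox(es) have no Role Assignment Policy." -f @($affected).Count)

# 3. Keep an audit record of what was empty before anything is changed.
$affected | Select-Object Name, Alias, DistinguishedName, WhenCreated |
    Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8

# 4. Assign the policy. -WhatIf is on unless $Apply is $true.
foreach ($mbx in $affected) {
    Set-Mailbox -Identity $mbx.Identity -RoleAssignmentPolicy $PolicyName -WhatIf:(-not $Apply)
}

# 5. Verify: after a real run no mailbox should still be empty.
if ($Apply) {
    $stillEmpty = Get-Mailbox -ResultSize Unlimited |
        Where-Object { [string]::IsNullOrEmpty("$($_.RoleAssignmentPolicy)") }
    if (@($stillEmpty).Count -eq 0) {
        Write-Host "All mailboxes now have a Role Assignment Policy."
    } else {
        $stillEmpty | Format-Table Name, RoleAssignmentPolicy
    }
}
```

Run it once with $Apply = $false, read the CSV and the -WhatIf output, then run it again with $Apply = $true. The IsDefault check matters because assigning a policy that is not the default (for example a more restrictive one created for a pilot group) would silently give those users a different set of ECP options than everyone else.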

Thanks for reading and do not hesitate to let me know if you run into any issues!


Integrate OCS 2007 R2 with Exchange Server 2010 SP1 OWA

I have seen a number of posts in different forums with questions on how to integrate Office Communications Server 2007 R2 with Outlook Web App in Exchange Server 2010 Service Pack 1. There are some changes made in SP1 that will cause your current integration to break. But this can easily be fixed with a couple of configuration changes.
 

Changes? Why Changes??

Well, the changes in this case are good. What Microsoft has done is to move the Instant Messaging settings for the OWA virtual directory from web.config to Active Directory, where they belong. It's better to have all parameters for the OWA virtual directory gathered in one place, right?
Below, I will walk you through the complete configuration process. If you only want to read about the configuration related to SP1, scroll down a bit to Configuration!
 

Pre-requirements

OCS 2007 R2 Web Service Provider found here:
http://www.microsoft.com/downloads/details.aspx?familyid=CA107AB1-63C8-4C6A-816D-17961393D2B8&displaylang=en

Hotfix for the OCS 2007 R2 Web Service Provider:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=45C94403-39FA-44D3-BE23-07F25A2D25C7

Update Unified Communications Managed API 2.0 Redist (64 Bit) Hotfix KB 2282949:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=1F565A42-71D2-4FBD-8AE0-4B179E8F02AB

When running Exchange 2010 SP1 on Windows 2008 R2, include the following UCMAREDIST update, available here:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=b3b02475-150c-41fa-844a-c10a517040f4

Installation

The installation of the Web Service Provider is quite straight forward:
  1. Download and execute CWAOWASSPMain.msi on your Exchange Server 2010 CAS.
  2. In Windows Explorer, navigate to the directory where the files from CWAOWASSPMain.msi were placed. The default location is C:\Web Services Provider Installer Package\.
  3. Execute and install vcredist_x64.exe.
  4. Execute and install UcmaRedist.msi.
  5. Go to Start > All Programs > Accessories, right-click Command Prompt, and then click Run as Administrator.
  6. Go to the directory where the files from CWAOWASSPMain.msi were placed and run CWAOWASSP.msi.
  7. Install the other updates listed under pre-requirements above.
Done, you should now have all the required components installed on your Exchange Server 2010 CAS.
 

Configuration

 
Certificate
First we will configure the certificate. We start off by getting the thumbprint of the certificate using the following command:
get-ExchangeCertificate | fl
 
Your thumbprint should look something like this:
4DC1EE3506E06E971FF82AC8DD60015EAC11B21E
 
To apply this to our configuration use the following command:
Set-OwaVirtualDirectory -Identity <"WebSiteIdentity"> -InstantMessagingCertificateThumbprint <CertificateThumbprint>
 
Example:
Set-OwaVirtualDirectory -Identity "SUNDIS-EX01\owa (Default Web Site)" -InstantMessagingCertificateThumbprint 4DC1EE3506E06E971FF82AC8DD60015EAC11B21E
[Screenshot: ocsintegration1]
 
Server Name
Next we set the name of the OCS server; this should be the FQDN of the OCS server. Use the following command:
Set-OwaVirtualDirectory -Identity <"WebSiteIdentity"> -InstantMessagingServerName <ServerFQDN>
 
Example:
Set-OwaVirtualDirectory -Identity "SUNDIS-EX01\owa (Default Web Site)" -InstantMessagingServerName sundis-ocs01.sundis.local
[Screenshot: ocsintegration2]
 
Set type and Enable
Next we set the type of Instant Messaging Server to OCS by using this command:
Set-OwaVirtualDirectory -Identity "SUNDIS-EX01\owa (Default Web Site)" -InstantMessagingType OCS
[Screenshot: ocsintegration3]
 
And last but not least we enable Instant Messaging Server by using the following command:
Set-OwaVirtualDirectory -Identity "SUNDIS-EX01\owa (Default Web Site)" -InstantMessagingEnabled $true
[Screenshot: ocsintegration4]
 
Finish the configuration by running a Get to see the changes we made, with the following command:

Get-OwaVirtualDirectory | fl InstantMessagingCertificatethumbprint, InstantMessagingServerName, InstantMessagingType, InstantMessagingEnabled
[Screenshot: ocsintegration9]

Well I almost forgot, the last thing you should do after all these configuration changes is to restart IIS by entering the following command:
iisreset /noforce
 
Now you should be all set!
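The steps above are four separate Set-OwaVirtualDirectory calls with a thumbprint copied by hand. Here is the same configuration as one script for the Exchange 2010 SP1 Management Shell, added as an example and not taken from the original post. It picks the certificate that actually has the IIS service enabled (the one OWA serves), refuses to continue if that is ambiguous or the certificate has expired, applies all four settings to every OWA virtual directory on the local CAS, reads them back, and only restarts IIS on a real run. The OCS FQDN is the post's example value and the $Apply switch is my addition; replace the FQDN with your own pool.

```powershell
# Added example, not part of the original post. Assumes the Exchange 2010 SP1
# Management Shell on the CAS with the Web Service Provider already installed.
$OcsServerFqdn = "sundis-ocs01.sundis.local"   # example value from the post; use your OCS pool FQDN
$Apply         = $false                         # $false = -WhatIf dry run; $true = apply and iisreset

# 1. Pick the certificate bound to IIS, not just any certificate in the store.
#    Fail clearly when there is none or more than one instead of guessing.
$iisCerts = @(Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" })
if ($iisCerts.Count -ne 1) {
    throw ("Expected exactly one certificate with the IIS service enabled, found {0}. " +
           "Run Get-ExchangeCertificate | fl and choose the thumbprint by hand.") -f $iisCerts.Count
}
$cert = $iisCerts[0]
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter); renew it before enabling IM."
}
Write-Host "Using certificate $($cert.Thumbprint) ($($cert.Subject)), valid until $($cert.NotAfter)"

# 2. Apply the four Instant Messaging settings to each OWA virtual directory on this server.
$server = $env:COMPUTERNAME
foreach ($vdir in Get-OwaVirtualDirectory -Server $server) {
    Set-OwaVirtualDirectory -Identity $vdir.Identity `
        -InstantMessagingCertificateThumbprint $cert.Thumbprint `
        -InstantMessagingServerName $OcsServerFqdn `
        -InstantMessagingType OCS `
        -InstantMessagingEnabled $true `
        -WhatIf:(-not $Apply)
}

# 3. Read the settings back so the result can be compared with what was intended.
Get-OwaVirtualDirectory -Server $server |
    Select-Object Identity, InstantMessagingCertificateThumbprint, InstantMessagingServerName,
                  InstantMessagingType, InstantMessagingEnabled |
    Format-List

# 4. OWA picks the new settings up after an IIS restart; only do that on a real run.
if ($Apply) { iisreset /noforce }
```

The certificate check is the part worth keeping even if you type the rest by hand: the thumbprint you put in InstantMessagingCertificateThumbprint must belong to the certificate whose subject or SAN you later add under Host Authorization on the OCS side, so selecting it programmatically by the IIS service flag removes one copy-and-paste error from the procedure.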
 
OCS Settings
You do however need to make one last finishing touch on the Office Communications Server. That is to add the FQDN of the certificate that you specified in the Set-OwaVirtualDirectory command above as a trusted host on your OCS server. To do this, navigate to the pool or server in OCS, right-click your pool or server, select Properties and then Front End Properties.
[Screenshot: ocsintegration5]
 
Open the Host Authorization tab and then click Add.
[Screenshot: ocsintegration6]
 
Enter the FQDN found on the certificate you added in the previous step and make sure that you check Throttle As Server and Treat As Authenticated; when finished, click OK. The FQDN will most certainly include an external domain in your case. In my case it's an internal domain for testing purposes.
[Screenshot: ocsintegration7]
 
Make sure that all settings are correct; when finished, click OK.
[Screenshot: ocsintegration8]
 
Give OCS a moment to apply the settings and then head off to OWA and enjoy!
 
Thanks for reading and don’t hesitate to comment if you have any further questions or thoughts about the post!

Update 973917 causes "Service Unavailable" in OWA and ActiveSync and automatically disabled application pools in Exchange Server 2003, and repeated login prompts in Exchange Server 2007

or, “How to type a long topic…”

Long description (shorter solution presented below…)

Today an issue occurred on a customer's Exchange Server 2003. Outlook Web Access and ActiveSync had stopped working, and when accessing OWA the error "Service Unavailable" was displayed. After a quick look in IIS Manager I noticed that the two application pools configured for Exchange Server 2003 had stopped.

I tried iisreset and the pools came back up. As soon as OWA or ActiveSync was accessed the pools stopped again.

The following events were logged in the System Log:

Event Type:    Error
Event Source:    W3SVC
Event Category:    None
Event ID:    1002
Description:
Application pool ‘ExchangeApplicationPool’ is being automatically disabled due to a series of failures in the process(es) serving that application pool.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:    Warning
Event Source:    W3SVC
Event Category:    None
Event ID:    1009
Description:
A process serving application pool ‘ExchangeApplicationPool’ terminated unexpectedly. The process id was ‘5892’. The process exit code was ‘0xffffffff’.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:    Warning
Event Source:    W3SVC
Event Category:    None
Event ID:    1009
Description:
A process serving application pool ‘ExchangeApplicationPool’ terminated unexpectedly. The process id was ‘1276’. The process exit code was ‘0xffffffff’.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:    Warning
Event Source:    W3SVC
Event Category:    None
Event ID:    1009
Description:
A process serving application pool ‘ExchangeApplicationPool’ terminated unexpectedly. The process id was ‘3884’. The process exit code was ‘0xffffffff’.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:    Warning
Event Source:    W3SVC
Event Category:    None
Event ID:    1009
Description:
A process serving application pool ‘ExchangeApplicationPool’ terminated unexpectedly. The process id was ‘2212’. The process exit code was ‘0xffffffff’.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:    Warning
Event Source:    W3SVC
Event Category:    None
Event ID:    1009
Description:
A process serving application pool ‘ExchangeApplicationPool’ terminated unexpectedly. The process id was ‘3960’. The process exit code was ‘0xffffffff’.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I also noticed that these errors had started to occur directly after the installation of a couple of updates for Windows. After uninstalling one update at a time it finally worked; the update causing this issue was "Update for Windows Server 2003 (973917)".

After uninstalling the update I got a Windows Authentication login prompt when accessing OWA. I looked at the application pools again and they were set to run as "Network Service". I changed this to "Local System" and the problem was solved.

Short Solution

  1. Uninstall Microsoft Update for Windows Server 2003 (973917)
  2. Restart the server
  3. Make sure that the correct user is set to run the application pools. Follow these steps:
    1.  In Internet Information Services (IIS) Manager, expand Application Pools.
    2.  Right-click ExchangeApplicationPool, and then click Properties.
    3.  Click the Identity tab, and then in the Select a security account for this application pool list, click Local System.
    4.  Click Apply, and then click OK.
  4. Restart IIS
  5. OWA and ActiveSync should now be working.

Let me know if you bump in to any other issues!

EDIT 2009-12-13
Microsoft has published a KB (KB973917) on this issue and recommends a reinstall of Windows Server 2003 SP2. See this page for more information: http://support.microsoft.com/?kbid=2009746. This is a larger operation than just uninstalling the update, but with this solution you will also get the security changes included in the 973917 update.
Thanks Wes for providing the link!

Please also note that Microsoft's suggested solution of reinstalling SP2 for Windows Server 2003 enables the Scalable Networking Pack. You can find more information on this issue and a link to the hotfix that disables SNP on the Microsoft Exchange Team blog: http://msexchangeteam.com/archive/2008/03/12/448421.aspx

EDIT 2009-12-18
According to a good friend of mine over at Mailmaster this is also an issue on Exchange Server 2007. The symptom there is repeated login prompts, and SP1 Rollup 9 is the fix if you are running Exchange Server 2007. More info on Magnus' blog: http://mailmaster.se/blog/?p=392.

EDIT 2009-12-22
Just thought I should add a link to where you can find more info on SP1 Rollup 9: http://technet.microsoft.com/en-us/library/ee221166(EXCHG.80).aspx 
And if you want you can download it from here: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=55320be2-c65c-48bb-bab8-6335aa7d008c.