Hi All,
I'm currently looking at implementing Exchange 2013 CU3 into the production environment, currently labbing up with restored backup of prod AD/Exchange 2010 SP3 RU4. Both servers are all on one in terms of roles. 2013 has been configured with the external address
and 2010 has only internal configured, autodiscover reset to exchange 2013. Valid internal CA certificates exist on both servers.
Everything seems to be working well from what I've tested; other than OWA proxy authentication on Exchange 2010 which returns the generic IIS 403 Forbidden: Access is Denied. Accessing Exchange 2010 ECP via 2013 proxy works, etc.
2010/2013 are set to forms authentication and in various threads people have suggested enabling ntlm which has been done.
I have also performed resets on both servers virtual directories and no application/system event logs are generated when this occurs.
Here are authentication methods from get-owavirtualdirectory
2013 Authentication Methods
InternalAuthenticationMethods: {Basic, Fba}
BasicAuthentication: True
WindowsAuthentication: False
DigestAuthentication: False
FormsAuthentication: True
2010 Authentication Methods
InternalAuthenticationMethods: {Basic, Fba, Ntlm, WindowsIntegrated}
BasicAuthentication: True
WindowsAuthentication: True
DigestAuthentication: False
FormsAuthentication: True
The following are the event logs related to a proxy authentication attempt.
IIS on Exchange 2013 CAS
2014-02-07 07:58:59 exchange13IP GET /owa/ &cafeReqId=ec71e67e-f8c5-4e43-a30f-cbc39d0ff681; 443 username clientIP Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+.NET4.0C;+.NET4.0E)
https://exchange13/owa/auth/logon.aspx?replaceCurrent=1&reason=2&url=https%3a%2f%2fexchange13%2fowa 403 0 0 218
Urlhttps://exchange13:443/owa/
App PoolMSExchangeOWAAppPool
AuthenticationBasic
User from tokendomain\user
Final Status 403
Exchange 2013 front end http proxy log
2014-02-07T07:58:59.916Z,ec71e67e-f8c5-4e43-a30f-cbc39d0ff611,15,0,775,22,,Owa,exchange2013,/owa/,,FBA,True,domain\user,,Sid~S-1-5-21-621953752-4987982589-4033148515-6952,Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR
2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E),10.160.12.53,exchange2013,403,403,,GET,Proxy,exchange2010.domain,14.03.0123.000,IntraForest,WindowsIdentity-ServerCookie,Server~exchange2010.domain~1937997947~02/07/2014
08:08:59,,,0,1233,1,,1,0,,0,,0,,0,0,15.6109,0,,,,10,1,0,0,13,1,12,3,4,5,15,,,BeginRequest=2014-02-07T07:58:59.901Z;ProxyToDownLevel=True;BeginGetResponse=2014-02-07T07:58:59.901Z;OnResponseReady=2014-02-07T07:58:59.916Z;EndGetResponse=2014-02-07T07:58:59.916Z;,WebExceptionStatus=ProtocolError;ResponseStatusCode=403;WebException=System.Net.WebException:
The remote server returned an error: (403) Forbidden. at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult) at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<>c__DisplayClass20.<OnResponseReady>b__1e();
IIS on Exchange 2010 CAS
2014-02-07 07:58:59 exchange2010IP GET /owa/ - 443 Domain\Exchange13$ exchange2013IP Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+.NET4.0C;+.NET4.0E)
403 0 0 15
Urlhttps://exchange2010.fqdn:443/owa/
App PoolMSExchangeOWAAppPool
AuthenticationNegotiate
User from tokenDomain\Exchange13$
Final Status 403
-AUTH_SUCCEEDED
AuthTypeNT
NTLMUsedfalse
RemoteUserNameDomain\Exchange13$
AuthUserName Domain\Exchange13$
TokenImpersonationLevelImpersonationImpersonate
From what I can see everything points to authentication methods or something fundamental that I've missed, though it seems I've been through the majority of sensible configurations via ECP and set-Xvirtualdirectory, even causing the 403 to 401.2 in certain
variations.
Does anyone have suggestions or if possible a working configuration for 2010/2013 coexistence?
Thank you for your time
Edit: Missed URL's - 2010 Internal URL: https://server.domain.local/owa ; ExternalURL:$null - Exchange2013 InternalURL: https://server.domain.local/owa; ExternalURL: https://mail.external.name/owa [I've also tried exchange 2013 internal to reflect external]