Channel: Exchange Server 2013 - Outlook, OWA, POP, and IMAP Clients forum

2010/2013 CoExistence OWA Proxy 403


Hi All,

I'm currently looking at implementing Exchange 2013 CU3 in the production environment, and am currently labbing it up with a restored backup of prod AD/Exchange 2010 SP3 RU4. Both servers are all-in-one in terms of roles. 2013 has been configured with the external address and 2010 has only the internal one configured; Autodiscover has been reset to Exchange 2013. Valid internal CA certificates exist on both servers.

Everything seems to be working well from what I've tested, other than OWA proxy authentication on Exchange 2010, which returns the generic IIS 403 Forbidden: Access is Denied. Accessing Exchange 2010 ECP via the 2013 proxy works, etc.

2010/2013 are set to forms authentication, and in various threads people have suggested enabling NTLM, which has been done.

I have also performed resets on both servers' virtual directories, and no application/system event logs are generated when this occurs.

Here are the authentication methods from Get-OwaVirtualDirectory:

2013 Authentication Methods
InternalAuthenticationMethods: {Basic, Fba}
BasicAuthentication: True 
WindowsAuthentication: False 
DigestAuthentication: False 
FormsAuthentication: True 

2010 Authentication Methods 
InternalAuthenticationMethods: {Basic, Fba, Ntlm, WindowsIntegrated}
BasicAuthentication: True 
WindowsAuthentication: True 
DigestAuthentication: False 
FormsAuthentication: True


The following are the event logs related to a proxy authentication attempt.
IIS on Exchange 2013 CAS

2014-02-07 07:58:59 exchange13IP GET /owa/ &cafeReqId=ec71e67e-f8c5-4e43-a30f-cbc39d0ff681; 443 username clientIP Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+.NET4.0C;+.NET4.0E) https://exchange13/owa/auth/logon.aspx?replaceCurrent=1&reason=2&url=https%3a%2f%2fexchange13%2fowa 403 0 0 218

Url: https://exchange13:443/owa/
App Pool: MSExchangeOWAAppPool
Authentication: Basic
User from token: domain\user
Final Status: 403



Exchange 2013 front end http proxy log

2014-02-07T07:58:59.916Z,ec71e67e-f8c5-4e43-a30f-cbc39d0ff611,15,0,775,22,,Owa,exchange2013,/owa/,,FBA,True,domain\user,,Sid~S-1-5-21-621953752-4987982589-4033148515-6952,Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E),10.160.12.53,exchange2013,403,403,,GET,Proxy,exchange2010.domain,14.03.0123.000,IntraForest,WindowsIdentity-ServerCookie,Server~exchange2010.domain~1937997947~02/07/2014 08:08:59,,,0,1233,1,,1,0,,0,,0,,0,0,15.6109,0,,,,10,1,0,0,13,1,12,3,4,5,15,,,BeginRequest=2014-02-07T07:58:59.901Z;ProxyToDownLevel=True;BeginGetResponse=2014-02-07T07:58:59.901Z;OnResponseReady=2014-02-07T07:58:59.916Z;EndGetResponse=2014-02-07T07:58:59.916Z;,WebExceptionStatus=ProtocolError;ResponseStatusCode=403;WebException=System.Net.WebException: The remote server returned an error: (403) Forbidden.    at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)    at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<>c__DisplayClass20.<OnResponseReady>b__1e();



IIS on Exchange 2010 CAS

2014-02-07 07:58:59 exchange2010IP GET /owa/ - 443 Domain\Exchange13$ exchange2013IP Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+.NET4.0C;+.NET4.0E) 403 0 0 15

Url: https://exchange2010.fqdn:443/owa/
App Pool: MSExchangeOWAAppPool
Authentication: Negotiate
User from token: Domain\Exchange13$

Final Status: 403

-AUTH_SUCCEEDED
AuthType: NT
NTLMUsed: false
RemoteUserName: Domain\Exchange13$
AuthUserName: Domain\Exchange13$
TokenImpersonationLevel: ImpersonationImpersonate


From what I can see, everything points to authentication methods or something fundamental that I've missed, though it seems I've been through the majority of sensible configurations via ECP and set-Xvirtualdirectory, even causing the 403 to change to a 401.2 in certain variations.


Does anyone have suggestions or, if possible, a working configuration for 2010/2013 coexistence?

Thank you for your time

Edit: Missed URLs - 2010 InternalURL: https://server.domain.local/owa ; ExternalURL: $null - Exchange 2013 InternalURL: https://server.domain.local/owa ; ExternalURL: https://mail.external.name/owa [I've also tried setting the Exchange 2013 internal URL to reflect the external one]


