'503 Failed authentication on backend server: Unauthorized' when logging on to OWA - exchange-server

When logging on to OWA using a browser, you receive a 503 error. In the Fiddler trace you will see a more detailed response status code:
503 Failed authentication on backend server: Unauthorized
On the Exchange Server, you see the following System event log entry (intermittently):
Event 4 Security-Kerberos
The Kerberos client received a KRB_APP_ERR_MODIFIED error from the server exchangeserver$.
The target name used was HTTP/exchangeserver.ad.root.
This indicates that the target server failed to decrypt the ticket provided by the client.

I hope someone only receives this in a lab environment!
Here is a link to enable Kerberos logging, which could be helpful as well: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-kerberos-event-logging
After enabling Kerberos logging, you would see the KRB_APP_ERR_MODIFIED error more frequently, whereas before it would not be logged each time a logon attempt occurred.
The issue here (in the lab) was that a duplicate SPN for the Exchange Server in question was added erroneously to another server, causing a duplicate. This was due to trying to enable Kerberos delegation for a separate web application.
Although there could be a quicker way to do this, you can list the SPNs on each server to look for your erroneous exchangeserver record by running
setspn -l otherservername (this is a lower-case L)
And if you find that SPNs like http/exchangeserver or http/exchangeserver.ad.root are listed on another server (say 'otherservername'), you can carefully remove them by running
setspn -D http/exchangeserver otherservername
setspn -D http/exchangeserver.ad.root otherservername
I was able to logon to OWA immediately after the duplicate SPN was removed, without restarting any servers or services.
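An added example, not part of the original post: a PowerShell check (ActiveDirectory module from RSAT) that lists every account holding the HTTP SPNs for a host, so a duplicate like the one described above shows up as more than one owner. The host name is the one from the post; substitute your own.

```powershell
# Added example (not from the original post). Lists the AD objects that hold the
# HTTP SPNs for an Exchange host. Kerberos issues HTTP/exchangeserver.ad.root
# tickets encrypted with the key of whichever account the KDC finds first, so a
# second owner produces exactly the KRB_APP_ERR_MODIFIED event quoted above.
Import-Module ActiveDirectory

function Find-SpnOwners {
    param(
        [Parameter(Mandatory)] [string] $HostName,   # FQDN, e.g. 'exchangeserver.ad.root'
        [string] $Service = 'HTTP'
    )
    # Exchange registers both the short name and the FQDN; check each form.
    $short = $HostName.Split('.')[0]
    foreach ($spn in @("$Service/$short", "$Service/$HostName")) {
        # AD matches Unicode-string attributes case-insensitively, so an
        # 'http/...' entry added by hand is found as well as 'HTTP/...'.
        # Get-ADObject searches the current domain only.
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" `
                                -Properties servicePrincipalName |
                    Select-Object -ExpandProperty DistinguishedName)
        [pscustomobject]@{
            SPN       = $spn
            Owners    = $owners
            Duplicate = ($owners.Count -gt 1)   # $true is the misconfiguration
        }
    }
}

Find-SpnOwners -HostName 'exchangeserver.ad.root' |
    Format-Table SPN, Duplicate, @{ n = 'Owners'; e = { $_.Owners -join '; ' } } -AutoSize

# Built-in domain-wide duplicate scan from setspn.exe, as a cross-check.
setspn -X
```

Any SPN row with Duplicate set to $true names both the Exchange computer account and the stray owner, which is the object to correct with setspn -D as shown in the post.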

Check if the bindings for the Exchange Backend website in IIS are correctly configured. You can check this by opening the IIS console on the server and opening the bindings for the Backend website on port 443. See if the certificate is assigned correctly.
Also, check if the Default Web Site's binding is correct. It should have a third-party SSL certificate or the self-signed certificate assigned.
If any of the bindings are incorrect, fix them and restart IIS (iisreset from a cmd prompt). Check again.

Related

Outlook client free/busy not showing

I've got an odd problem.
I got my PC reimaged, and now it won't connect properly to the autodiscover service.
I cannot see free/busy information, cannot set my out of office, and don't get tooltips about other people who have out of office on when I am emailing them.
If I run the "Test email autoconfiguration" tool, it fails.
All of that used to work before my PC was reimaged.
Furthermore, if I log in to another PC (same OS, Win7) it does all work.
So I think the problem is specific to my PC, and not a problem with our Exchange setup.
If I browse to the URL http://mail.mydomain/autodiscover/autodiscover.xml I get a 403 error.
Doing the above on the other PC works.
Weirdly, if I browse to https://mail.mydomain/autodiscover/autodiscover.xml on the PC with the problem it works OK.
So there's something configured wrong on my PC, but I don't know what. Maybe it's not passing my credentials properly.
Other sites that rely on my Windows credentials are working OK, so it's passing them correctly sometimes.
Any ideas, before I get them to reimage my PC again?
Thanks
When I run Test mail autoconfiguration, on the Results tab I get:
Autoconfiguration has started, this may take up to a minute
Autoconfiguration was unable to determine your settings!
The log is:
SMTP=my.email#my.domain
Attempting URL httpx://mail.my.domain/autodiscover/autodiscover.xml found through SCP
Autodiscover to httpx://mail.my.domain/autodiscover/autodiscover.xml starting
GetLastError=0; httpStatus=403
Autodiscover request completed with http status code 403
Autodiscover to httpx://mail.my.domain/autodiscover/autodiscover.xml failed (0x80004005)
Autodiscover to httpsx://mail.my.domain/autodiscover/autodiscover.xml starting
GetLastError=12007; httpStatus=0
Autodiscover to httpsx://mail.my.domain/autodiscover/autodiscover.xml failed (0x800C8203)
Autodiscover to httpsx://autodiscover.my.domain/autodiscover/autodiscover.xml starting
GetLastError=12007; httpStatus=0
Autodiscover to httpsx://autodiscover.my.domain/autodiscover/autodiscover.xml failed (0x800C8203)
Local autodiscover for my.domain starting
Local autodiscover for my.domain failed (0x8004010F)
Redirect check to httpx://autodiscover.my.domain/autodiscover/autodiscover.xml starting Redirect check to httpx://autodiscover.my.domain/autodiscover/autodiscover.xml starting
Srv Record lookup for httpx://my.domain starting
Srv Record lookup for my.domain Failed (0x8004010F)
Note I had to change http to httpx and https to httpsx to allow it to post.
Firstly, this is not a programming question. Secondly, try to run a test from https://testconnectivity.microsoft.com/

OpenAM : Failed to get the valid sessions from the specified server

I have an issue retrieving current sessions in OpenAM.
When I connect with the amAdmin user on the first server and go to the session item on the administration page, I cannot see the session on the second server.
I got the following error:
Failed to get the valid sessions from the specified server.
But sometimes I can see the sessions on the second server.
But when I connect with the amAdmin user on the second server and go to the session item, I can only see the open sessions on the second server (only the current sessions on the second server are displayed, instead of the open sessions for the first server).
I have restarted the web container after configuring both servers, and I have also checked keystore.jk (it is the same on both servers).
The session failover is configured as recommended in the OpenAM documentation.
After checking /sso/debug -> Session
I get the following message:
ERROR: Session:getValidSession :
com.iplanet.dpro.session.SessionException: AQIC5wM2LY4Sfcx_fLoDaTo7RYYE1qLOq3Q4WtoQQ1k7_jk.*AAJTSQACMDIAAlMxAAIwMQ..* Invalid session ID.AQIC5wM2LY4Sfcx_fLoDaTo7RYYE1qLOq3Q4WtoQQ1k7_jk.*AAJTSQACMDIAAlMxAAIwMQ..*
at com.iplanet.dpro.session.Session.getSessionResponseWithoutRetry(Session.java:1583)
at com.iplanet.dpro.session.Session.getValidSessions(Session.java:1340)
at com.iplanet.dpro.session.Session.getValidSessions(Session.java:1201)
at com.sun.identity.console.session.model.SMProfileModelImpl.initSessionsList(SMProfileModelImpl.java:111)
at com.sun.identity.console.session.model.SMProfileModelImpl.getSessionCache(SMProfileModelImpl.java:307)
at com.sun.identity.console.session.SMProfileViewBean.beginDisplay(SMProfileViewBean.java:190)
at com.iplanet.jato.taglib.UseViewBeanTag.doStartTag(UseViewBeanTag.java:149)
Do you have any ideas to fix this issue?
Best regards
OpenAM uses an HTTP URL connection to the other instance URL (listed under 'Servers & Sites') to retrieve the session information.
If the OpenAM server instance URLs have scheme 'https', make sure the deployment container trusts the issuer of the cert ... that's plain JSSE (http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html), not OpenAM related.
Session failover means 'failover', not session replication.
The issue has been resolved after modifying settings in the OpenAM config file 'bootstrap'.
Some settings are not correctly saved in this file.

Proxy from Domino 8.5.3 to Connections

I am trying to set up a proxy configuration on a dev 853 Domino server, so I can connect to a dev Connections server from an XPage (using Java).
It's an SSO environment, and both the domino server and connections server are protected by WebSEAL. I want to make server-side calls in java (using the Apache HTTP Client), so my XPages application can make a call across to the Connections server.
I followed some information I found in Niklas Heidloff's Social Enabler documentation: http://www.openntf.org/Projects/pmt.nsf/DA2F4D351A9F15B28625792D002D1F18/%24file/SocialEnabler111006.pdf
and also in here:
http://www.ibm.com/developerworks/lotus/library/inotes-full/index.html
I set up the proxy like this:
Context: /xsp/proxy/BasicProxy/
URL: https://connectionsserver.acompany.com
Actions: GET,HEAD,POST,DELETE,PUT
Cookies: -List of cookies-
Mime-types: *
Headers: User-Agent,Accept*,Content*,Authorization*,Set-Cookie
When I try the call, it gives me the following error:
2/28/13 12:34 PM: Exception Thrown
javax.servlet.ServletException: com.ibm.jsse2.util.g: No trusted certificate found
at com.ibm.domino.servlets.proxy.BasicProxy.throwServletException(BasicProxy.java:765)
at com.ibm.domino.servlets.proxy.BasicProxy.service(BasicProxy.java:357)..
...
Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: No trusted certificate found
I thought that passing the cookies across in this way should work (the cookies should work between both the domino-webseal and connections-webseal environments).
The error suggests that I need to import a certificate. I don't have access to the domino server to allow me to import certificates, so before I request that, I wanted to check I wasn't missing something from somewhere else.
Is there something else I am missing? Or any suggestions on doing this a different way?
Thanks,
Pam.
You have to import the certificates if they are not present. That is what the error message is indicating. There is IBM Technote 21588966 describing the necessary steps.
Furthermore (this could become the next showstopper after you have sorted out SSL), you have to take a hard look at how WebSEAL is configured. The challenge here: WebSEAL is designed to accommodate any possible backend, and it is easy to get it almost working - almost as in: works for direct access via browser but fails on server-2-server or Ajax etc. The super-highly-recommended-ignore-on-your-own-risk setting for Connections/Domino is to use WebSEAL's LTPA capabilities and not some ludicrous code injection.
Hth

WebDeploy - just can't get it to work

I've installed Web Deploy 2.1 on a Server 2008 R2 running under VMWare.
In the IIS Manager (Management Service applet) I can see that "Enable Remote Connections" is checked and the port is set to 8172. Under "IIS Manager Permissions" I've added my Windows account (CORP\ekkis) and under the "Authentication" applet (for IIS) I have enabled "Windows Authentication".
I've also turned off the firewall.
So from the command line I test the system to work like this:
C:\Program Files\IIS\Microsoft Web Deploy V2>msdeploy -verb:dump -source:contentPath=\temp,wmsvc=192.168.0.70,username=CORP\ekkis,password=MyPass,authType=Basic -allowUntrusted=True
and get this:
Info: Using ID '9b954a0f-ff07-4e77-ba2c-d27472f5fda0' for connections to the remote server.
Error Code: ERROR_USER_UNAUTHORIZED
More Information: Connected to the destination computer ("192.168.0.70") using the Web Management Service, but could not authorize. Make sure that you are using the correct user name and password, that the site you are connecting to exists, and that the credentials represent a user who has permissions to access the site.
Error: Object of type 'contentPath' and path '\temp' cannot be created.
Error: The remote server returned an error: (401) Unauthorized.
Error count: 1.
I've also tried deploying with Visual Studio 2010 from the host OS with the following service URLs (I haven't found proper documentation on how to form this URL):
https://192.168.0.70/
https://192.168.0.70:8172/
https://192.168.0.70:8172/MsDeployAgentService/
https://192.168.0.70/MsDeployAgentService/
I've tried the non-secure versions as well but just cannot get it to work. What is the correct format for the URL? And what permissions am I missing?
The errors from VS have varied depending on how I attempt it, but below is a sample:
Could not complete the request to remote agent URL 'http://192.168.0.70:8172//MSDEPLOYAGENTSERVICE'.
The underlying connection was closed: An unexpected error occurred on a receive.
Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
An existing connection was forcibly closed by the remote host
Publish failed to deploy.
There really should be a guide out there to do this (yes, I've googled myself blue in the face)!
thanks - ekkis
OK, I've figured out that the correct URL is:
https://192.168.0.70:8172/MsDeploy.axd
and that having "Windows Authentication" enabled doesn't seem to make a difference. Also, having my account in the "Managers" list doesn't seem to make a difference either.
So the back end was all working fine (I've turned off the Web Deployment Agent Service). It was just the URL I had wrong.

Server running Microsoft CRM cannot connect, but every other machine on network can

I have an annoying problem.
On every machine on the network, browsing to our internal MS CRM URL works fine. However, if I log into the actual server itself and try to connect, the same credentials just do not work. I get this error:
HTTP Error 401.1 - Unauthorized
You do not have permission to view this directory or page using the credentials that you supplied.
I can't figure it out. They're on the same domain, everything should be fine. It's a big problem because there is an application running on the server that needs to connect to the CRM webservice - and fails.
Even with Basic Auth, I enter the username and password and it fails.
Any ideas?
You might be hitting the loopback security check. Read this KB article to see if you are, and how to disable it so things will work: http://support.microsoft.com/default.aspx?scid=kb;en-us;896861
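An added example, not from the answer or from the KB article itself: a PowerShell helper that shows whether the loopback check is already relaxed on the server and applies the KB's host-name-list method, which exempts only the named host rather than switching the check off for every name. 'crm.corp.example' is a placeholder for the site's internal CRM host name; run it elevated to make changes.

```powershell
# Added example (not from the original answer). KB 896861 offers two ways past
# the loopback check when a server browses its own FQDN: list the allowed host
# names in BackConnectionHostNames (preferred, narrow) or set
# DisableLoopbackCheck=1 (broad: disables the protection for all names).
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = Join-Path $lsa 'MSV1_0'

function Get-LoopbackCheckState {
    # Both values are absent on a default install; -ErrorAction keeps that quiet.
    $disabled = (Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck `
                    -ErrorAction SilentlyContinue).DisableLoopbackCheck
    $names    = (Get-ItemProperty -Path $msv -Name BackConnectionHostNames `
                    -ErrorAction SilentlyContinue).BackConnectionHostNames
    [pscustomobject]@{
        LoopbackCheckDisabled   = ($disabled -eq 1)          # $true = blanket bypass
        BackConnectionHostNames = @($names | Where-Object { $_ })
    }
}

function Add-BackConnectionHostName {
    param([Parameter(Mandatory)] [string[]] $HostName)
    $current = (Get-LoopbackCheckState).BackConnectionHostNames
    # REG_MULTI_SZ is written whole, so merge with what is already listed.
    $merged = @($current + $HostName | Where-Object { $_ } | Sort-Object -Unique)
    New-ItemProperty -Path $msv -Name BackConnectionHostNames `
        -PropertyType MultiString -Value $merged -Force | Out-Null
    # The KB has you restart the IIS Admin service so the new list is read.
    Restart-Service -Name IISADMIN -Force
    Get-LoopbackCheckState
}

# Inspect first; a LoopbackCheckDisabled of $true means someone already chose
# the broad option and the host list below is not what is letting traffic through.
Get-LoopbackCheckState

# Then exempt just the CRM name (placeholder host name; adjust to yours):
# Add-BackConnectionHostName -HostName 'crm.corp.example'
```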
