Good morning all. I've got a very odd problem that I have not been able to figure out after almost 30 hours of work, so I thought I'd ask the masses...OK, I've been putting off building a 2010 Exchange server, due to lack of time. I finally had time last weekend, so I built a new environment. There is NO CONNECTION to our existing domain at all. New DC, new Exchange 2010 server.So, new DC running 2k8r2, that install was cake. Ran all the OS Updates. New exchange server also 2k8r2 (yes, bound to DC). Also ran all the OS updates. Ran pre-req script for all 4 major roles (including UM). Equally, cake....Server comes up fine - can access via IMAP and OWA. However, ANY client trying to use EWS (Outlook 2k7, Apple Mail with Exchange Support, Entourage EWS Edition) can't connect - EVER....In exploring (representing almost 15 hours of wasted time), discovered the EWS virtual directory wasn't prompting for credentials, and instead always returns an ERR-403. So, apparently this is "common" to OWA on Exchange 2k7 - thought I'd apply the same repair logic. Removing/Creating a new WebServicesVirtualDirectory sovled the ERR-403.Now visiting the site prompts for creds. However, they're never any good. Now, it repeatedly prompts for credentials, even though the exact same creds work great for OWA. Security log shows a bad password, as if I entered it wrong. I DIDN'T enter it wrong. Remember, works on OWA.Now, I haven't even gotten into anything fancy with authentication (assuming domain name for basic auth, etc.). I have tried disabling SSL, but obviously that didn't help.Ran Exchangd 2k10 Update Rollup 1. No change. Ran Exchangd 2k10 Update Rollup 2. No change.So, after all that, I decided to rebuild. Correction-Wipe and rebuild the entire environment. May be drastic, but it is also the least time-consuming process of everything I've done so far.Same EXACT PROBLEM!!!!Haven't found much online to help with this.ANYONE have any thoughts? I'm guessing this is an issue with Exchangd 2010 on OS 2008R2. I didn't want to have to try 2008 Standard, but in an effort to protect what little hair I have left, I may do that next.

Hello,Try setting Autodiscover virtual directory with Basic and Integrated and set the EWS virtual directory with Windows Integrated Isaac Oben MCITP:EA, MCSE

No luck. Autodiscover set for Basic & Integrated (basic - tried both assuming domain name and not). EWS already had Integrated, also activated basic (with and without domain). No change. :(

Can you post the results of www.testexchangeconnectivity.comActive Directory, 4th Edition - www.briandesmond.com/ad4/

Actually, its not public-facing as of yet, so I can't :( This will replace our existing server.I guess my main question is....When visiting the server's EWS page, I get the prompt over and over, telling me its a bad password.https://192.168.200.42/EWS/Exchange.asmxAlso tried internal machine name in place of IP in case the site is validating that.Since my original post, I've wiped/rebuilt the stupid thing again. This time, holding off on the Client Access role until installation completed, then going back and adding it (in case there's some bug in the install script when you add all of them at once). No change.Now, when I turned on Digest Auth, that seemed to help it for a short while, then it went back to causing issues. So, I re-disabled Digest Auth.2k7 was cake. 2k10 has been nothing but a pain.

Hello,Go to the IIS manager, default web site, select EWS, on right panel, double click on Authentication..Make sure Anonymous Authentication is Enabled and Windows Authentication is Enabled. Right click on the Windows Authentication, select Pproviders, and make sure Negotiate and NTLM are both there..Negotiate first and NTLM secondIsaac Oben MCITP:EA, MCSE

Isaac,Just did this - no change. I keep getting re-prompted for the creds everytime I try to load the page. I did do an IISReset -noforce also, still no change. :(Of course, I've also checked the Exchange.asmx file - confirmed security settings on it allow Authenticated Users to read the file.I'm thinking this is specific to the underlying OS being 2k8R2. Toying with building it as a 2k8Standard, as much as I don't want to do that.Kris

Kris,do you still get the bad password or just a prompt for the credentials? Try login using Administrator and see if any difference. If this persist you may have to go to the \Program Files\Microsoft\Exchange Server\V14\ClientAccess\exchweb\ews and look at the web config file ..sometimes permission set at the IIS are not saved in this file for some reason Isaac Oben MCITP:EA, MCSE

Hmmm. You're onto something. Reprompt for credentials. Admin account worked fine (I see the xml now).So, if that file isn't taking updates (which actually I show the last time it was modified was last night at 3:30am (man, was I tired), can I just delete it and use IIS Admin to rebuild?[EDIT]There's also an "old" web.config file in there, presumably from the installer (based on the date - probably when DVD was pressed).I also tried renaming that file (prefixed with "OLD--") and restarted IIS service. Tried making some auth changes, and saving them (in IIS Manager). Didn't see a new file created. It seems its only authenticating local users (still works fine for OWA) - and yes it is bound to the domain (obviously or all kinds of stuff would be really broken). :)

Hi, First please check if ISUR account has been select when you enable anonymous access. 1) Please right click “Anonymous Authentication” and select edit. 2) Please check whether ISUR account there. If it is there, then please try to follow the steps below to reset the ISUR account. 1. Please open “Computer management” (Note:”Start”-“Control Panel”-“Administrative Tools”-“Computer management”), 2. Expand to “local users and groups ”Right click on IUSR_<computername> and choose set password, 3. Click proceed (where computername is your computer name),provide a new password and confirm. 4. Please run the below command form a command prompt. It will change the to the required directory cd C:\inetpub\adminscripts cscript adsutil.vbs set w3svc/anonymoususerpass <new password> (where the new password is the same as what you set in step 1) 5. Open MMC for IIS, put in the IUSR account and the new password for EWS virtual directory. Regards, Xiu

Hello, Go to the IIS manager, default web site, select EWS, on right panel, double click on Authentication..Make sure Anonymous Authentication is Enabled and Windows Authentication is Enabled. Right click on the Windows Authentication, select Pproviders, and make sure Negotiate and NTLM are both there..Negotiate first and NTLM second Isaac Oben MCITP:EA, MCSE Thanks for this tip. I had two Exchange 2010 installs that were giving me these prompts. But it was ONLY when the pc/laptop was joined to the domain and off the network. I bashed my head in for days until I saw this post here. I would venture to say that this is clearly a bug in the Exchange 2010 RTM install as I had it happen twice on me. NTLM was just completely missing from the providers list, adding it back fixed the prompt issues.