Exchange 2013: users cannot log in to OWA & Outlook; only the administrator (domain\administrator) can log in to OWA & Outlook. Event Viewer points to RBAC

Setup details

Newly installed

Exchange 2013 SP1 CU9

Microsoft Windows Server 2008 R2 Standard SP1

Issue: Users cannot log in to OWA & Outlook; only the administrator (domain\administrator) can log in to OWA & Outlook.

Errors:

Event ID: 15

Source: MSExchange RBAC

(Process w3wp.exe, PID 9696) "RBAC authorization returns Access Denied for user S-1-5-21-1638150355-3439293087-3538241838-1144. Reason: Call to NativeMethods.AuthzInitializeContextFromSid() failed when initializing the ClientSecurityContext. Exception: Microsoft.Exchange.Security.Authorization.AuthzException: AuthzInitializeContextFromSid failed for User SID: S-1-5-21-1638150355-3439293087-3538241838-1144. ---> System.ComponentModel.Win32Exception: No mapping between account names and security IDs was done
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Security.Authorization.ClientSecurityContext.InitializeContextFromSecurityAccessToken(AuthzFlags flags)
   at Microsoft.Exchange.Security.Authorization.ClientSecurityContext..ctor(ISecurityAccessToken securityAccessToken, AuthzFlags flags)
   at Microsoft.Exchange.Security.Authentication.GenericSidIdentity.CreateClientSecurityContext()
   at Microsoft.Exchange.Security.Authentication.IIdentityExtensions.GetAccessToken(IIdentity identity)
   at Microsoft.Exchange.Security.Authentication.IIdentityExtensions.GetGroupSIDs(IIdentity identity)
   at Microsoft.Exchange.Configuration.Authorization.ExchangeRunspaceConfiguration.GetGroupAccountsSIDs(IIdentity logonIdentity). "

Event id: 23

Source: MSExchange RBAC

(Process w3wp.exe, PID 9696) "Exchange AuthZPlugin Fails to finish method GetApplicationPrivateData due to application exception Microsoft.Exchange.Configuration.Authorization.CmdletAccessDeniedException: The operation couldn't be performed because 'S-1-5-21-1638150355-3439293087-3538241838-1144' couldn't be found.
   at Microsoft.Exchange.Configuration.Authorization.ExchangeRunspaceConfiguration.GetGroupAccountsSIDs(IIdentity logonIdentity)
   at Microsoft.Exchange.Configuration.Authorization.ExchangeRunspaceConfiguration..ctor(IIdentity logonIdentity, IIdentity impersonatedIdentity, ExchangeRunspaceConfigurationSettings settings, IList`1 roleTypeFilter, List`1 sortedRoleEntryFilter, IList`1 logonUserRequiredRoleTypes, Boolean callerCheckedAccess, Boolean isPowerShellWebService, Boolean noCmdletAllowed, SnapinSet snapinSet)
   at Microsoft.Exchange.Configuration.Authorization.ExchangeExpiringRunspaceConfiguration..ctor(IIdentity identity, ExchangeRunspaceConfigurationSettings settings, Boolean isPowerShellWebService)
   at Microsoft.Exchange.Configuration.Authorization.ExchangeAuthorizationPlugin.GetInitialSessionStateCore(PSSenderInfo senderInfo)
   at Microsoft.Exchange.Configuration.Authorization.ExchangeAuthorizationPlugin.<>c__DisplayClass4.<GetApplicationPrivateData>b__3()
   at Microsoft.Exchange.Configuration.Authorization.AuthZLogHelper.HandleExceptionAndRetry[T](String methodName, Func`1 func, Boolean throwException, T defaultReturnValue)."

Event id: 258

Source: MSExchange RBAC

(Process 9696, PID w3wp.exe)"RemotePS Public API Func GetApplicationPrivateData throws Exception Microsoft.Exchange.Configuration.Authorization.CmdletAccessDeniedException: The operation couldn't be performed because 'S-1-5-21-1638150355-3439293087-3538241838-1144' couldn't be found.
   at Microsoft.Exchange.Configuration.Authorization.ExchangeRunspaceConfiguration.GetGroupAccountsSIDs(IIdentity logonIdentity)
   at Microsoft.Exchange.Configuration.Authorization.ExchangeRunspaceConfiguration..ctor(IIdentity logonIdentity, IIdentity impersonatedIdentity, ExchangeRunspaceConfigurationSettings settings, IList`1 roleTypeFilter, List`1 sortedRoleEntryFilter, IList`1 logonUserRequiredRoleTypes, Boolean callerCheckedAccess, Boolean isPowerShellWebService, Boolean noCmdletAllowed, SnapinSet snapinSet)
   at Microsoft.Exchange.Configuration.Authorization.ExchangeExpiringRunspaceConfiguration..ctor(IIdentity identity, ExchangeRunspaceConfigurationSettings settings, Boolean isPowerShellWebService)
   at Microsoft.Exchange.Configuration.Authorization.ExchangeAuthorizationPlugin.GetInitialSessionStateCore(PSSenderInfo senderInfo)
   at Microsoft.Exchange.Configuration.Authorization.ExchangeAuthorizationPlugin.<>c__DisplayClass4.<GetApplicationPrivateData>b__3()
   at Microsoft.Exchange.Configuration.Authorization.AuthZLogHelper.HandleExceptionAndRetry[T](String methodName, Func`1 func, Boolean throwException, T defaultReturnValue)
   at Microsoft.Exchange.Configuration.Authorization.AuthZLogHelper.<>c__DisplayClassc`1.<ExecuteWSManPluginAPI>b__8()
   at Microsoft.Exchange.Diagnostics.CmdletInfra.Diagnostics.ExecuteAndLog[T](String funcName, Boolean missionCritical, LatencyTracker latencyTracker, ExEventLog eventLog, EventTuple eventTuple, Trace tracer, IsExceptionInteresting isExceptionInteresting, Action`1 onError, T defaultReturnValue, Func`1 func). fails with Exception %4 ."

June 28th, 2015 10:20am

Hi Rajesh,

Make sure that you have installed all the prerequisites for Exchange 2013 on Windows 2008 R2: https://technet.microsoft.com/en-us/library/bb691354(v=exchg.150).aspx

June 28th, 2015 12:30pm

Hi Rajesh,

Thank you for your question.

In order to troubleshoot, we could first make sure of the following things:

1. Create the AD account in ADUC
2. Create the email address on the Exchange server
3. Exchange connects to the DC without any problems (including PING and NSLookup)
4. We could run the following command to check if OWA and Outlook are enabled for the user:

Get-CASMailbox -Identity <mailbox>

If there are any questions regarding this issue, please feel free to let me know.

Best Regards,

Jim

June 28th, 2015 10:16pm

There are no connectivity issues with the domain controller. Everything works as expected for the administrator mailbox (OWA & Outlook). Logged in as administrator, I can open other mailboxes.

I created a user mailbox (admin1) and granted all the privileges that the administrator mailbox has; I was not able to log in to OWA & Outlook using admin1. The issue seems to be with RBAC; earlier I have also posted the errors and event IDs related to RBAC.

User mailbox:

[PS] C:\Windows\system32>Get-CASMailbox -Identity vsu1

Name         ActiveSyncEnabled OWAEnabled   PopEnabled  ImapEnabled MapiEnabled
----         ----------------- ----------   ----------  ----------- -----------
VSU1         True              True         True        True        True

June 28th, 2015 11:13pm

Hi Rajesh,

Have you modified the account VSU1 previously?

We could make sure AD replication is working without any problems, then create a new AD account with a new email address to check if the issue persists.

If there are any questions regarding this issue, please feel free to let me know.

Best Regards,

Jim

June 29th, 2015 5:12am

I haven't modified the account VSU1.

I created a new AD account with a new email address; the issue persists. There are still RBAC errors.

Regards

Rajesh

June 29th, 2015 7:32am

Are there any known issues with Exchange 2013 on the Windows 2008 R2 OS?

A similar issue was reported here, but with no solution.

 -------------------------------------------------------

 http://enterpriseit.co/microsoft-exchange/2013/install-cu5/

Hello
I installed AD on Win2k8R2SP1 Enterprise on a server.
Then I installed all Exchange 2013 prerequisites on another Win2k8R2SP1 server joined to AD and rebooted.
Next I installed Exchange 2013 CU5 successfully and rebooted.
Now when I try to connect to OWA using the administrator user, everything is right.
But when I create a new user by ECP and try to connect to OWA, I see the error message: ":-( something went wrong". Please help me, what should I do to correct this problem?
Remember that all Windows installations are clean initially.

June 29th, 2015 10:29am

Hi Rajesh,

1. Restart the DC
2. Restart Exchange
3. Log in to OWA on the Exchange server with https://localhost/owa to check if the issue persists.
4. Check if the new account exists in ADUC and the email address in ECP

If there are any questions regarding this issue, please feel free to let me know.

Best Regards,

Jim

June 29th, 2015 10:06pm

This is not an issue with the domain controller or Exchange. We did all the basic troubleshooting.

I created a user mailbox and granted access to the administrator mailbox. I logged in with administrator credentials and can open the user mailbox.

I can connect to OWA and Outlook using administrator, no issue.

I cannot connect to OWA and Outlook using a user; same issue with all the user mailboxes.

Note: it only works for the Administrator mailbox. I have granted domain admin & org admin to the user, but still cannot log in to OWA and Outlook.

This has nothing to do with DC replication or a connectivity issue.

The issue is related to RBAC; if you are not sure about RBAC errors, please check with your colleagues and update me.

June 30th, 2015 6:05pm

Hi Rajesh,

Thank you for your question.

From the error "The operation couldn't be performed because 'S-1-5-21-1638150355-3439293087-3538241838-1144' couldn't be found.", when we create a new account, or for the current account which cannot log in to OWA, we could check if the objectSID attribute is missing by the following steps:

1. Log on to the DC and run ADSIEdit.msc from Run
2. Navigate to ADSI Edit -> Connect to -> Default naming context
3. Then navigate to the user account, right click, and open Properties
4. Check if the value of the property is missing

By the way, is there anything which was cloned in the organization (including the server and client operating systems)?

If there are any questions regarding this issue, please feel free to let me know.

Best Regards,

Jim
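As an added example (not posted in the thread and not Microsoft's code), the following PowerShell script automates the two checks Jim suggests above: the Get-CASMailbox protocol check from the earlier reply, and the check that the account behind the SID quoted in the RBAC events actually resolves and carries a populated objectSid. It reads the SIDs straight out of the MSExchange RBAC events 15, 23 and 258 quoted at the top of the thread. It assumes it is run in the Exchange Management Shell on the Exchange server, that the Application log is local, and that LDAP to a domain controller is reachable; the $MaxEvents parameter and the output field names are this example's own.

```powershell
# Added example, not from the thread. Pull the SIDs reported by the
# "MSExchange RBAC" event source (IDs 15, 23, 258 as quoted in the thread)
# and test whether each one resolves the way RBAC's
# AuthzInitializeContextFromSid needs it to.
# Assumptions: run in the Exchange Management Shell on the Exchange server,
# Application log is local, LDAP to a DC is reachable.
param(
    [int]$MaxEvents = 50   # example parameter, not from the thread
)

# 1. Collect the recent RBAC authorization failures.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'MSExchange RBAC'
    Id           = 15, 23, 258
} -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

# Domain SIDs look like S-1-5-21-<three domain sub-authorities>-<RID>.
$sidPattern = 'S-1-5-21(?:-\d+){4}'
$sids = $events |
    ForEach-Object { [regex]::Matches($_.Message, $sidPattern) | ForEach-Object { $_.Value } } |
    Sort-Object -Unique

foreach ($sid in $sids) {
    $result = [ordered]@{ SID = $sid; NTAccount = $null; ADObject = $null; UnresolvableGroups = @() }

    # 2. Same lookup the event complains about: SID -> account name.
    #    IdentityNotMappedException is the managed face of
    #    "No mapping between account names and security IDs was done".
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $result.NTAccount = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        $result.NTAccount = 'UNRESOLVABLE'
    }

    # 3. Bind to the object by SID and confirm it exists in the directory
    #    the Exchange server is talking to. RBAC also enumerates the group
    #    SIDs in the token, so flag any group SID that resolves nowhere.
    try {
        $entry = [ADSI]"LDAP://<SID=$sid>"
        $result.ADObject = [string]$entry.psbase.Properties['distinguishedName'].Value
        $entry.psbase.RefreshCache(@('tokenGroups'))   # tokenGroups is a constructed attribute
        foreach ($bytes in $entry.psbase.Properties['tokenGroups']) {
            $g = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
            try { $null = $g.Translate([System.Security.Principal.NTAccount]) }
            catch [System.Security.Principal.IdentityNotMappedException] { $result.UnresolvableGroups += $g.Value }
        }
    } catch {
        $result.ADObject = 'NOT FOUND'
    }

    # 4. If the SID maps to a mailbox, show the protocol flags Jim asked for.
    if ($result.NTAccount -and $result.NTAccount -ne 'UNRESOLVABLE') {
        $sam = ($result.NTAccount -split '\\')[-1]
        $cas = Get-CASMailbox -Identity $sam -ErrorAction SilentlyContinue
        if ($cas) {
            $result.OWAEnabled  = $cas.OWAEnabled
            $result.MapiEnabled = $cas.MapiEnabled
        }
    }

    [pscustomobject]$result
}
```

A user SID that appears in the events but comes back UNRESOLVABLE or NOT FOUND, or a token that carries group SIDs that resolve nowhere (a deleted group, or an object not yet replicated to the DC this Exchange server uses), is what to look at next; a row where everything resolves and OWAEnabled is True points the investigation away from the directory and back at the Exchange server itself.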

June 30th, 2015 10:04pm

 

Verified that no property is missing.

By the way, is there anything which was cloned in the organization (including the server and client operating systems)? No.

VERBOSE: Connected to DevVSExchAgent.MMVSAD.com.
[PS] C:\Windows\system32>Get-Mailbox -Identity vsu3 |fl


RunspaceId                             : bd26ebb4-9831-48a2-9775-8fe1f84138c0
Database                               : DB1
MailboxProvisioningConstraint          :
MessageCopyForSentAsEnabled            : False
MessageCopyForSendOnBehalfEnabled      : False
MailboxProvisioningPreferences         : {}
UseDatabaseRetentionDefaults           : True
RetainDeletedItemsUntilBackup          : False
DeliverToMailboxAndForward             : False
IsExcludedFromServingHierarchy         : False
IsHierarchyReady                       : True
LitigationHoldEnabled                  : False
SingleItemRecoveryEnabled              : False
RetentionHoldEnabled                   : False
EndDateForRetentionHold                :
StartDateForRetentionHold              :
RetentionComment                       :
RetentionUrl                           :
LitigationHoldDate                     :
LitigationHoldOwner                    :
LitigationHoldDuration                 : Unlimited
ManagedFolderMailboxPolicy             :
RetentionPolicy                        :
AddressBookPolicy                      :
CalendarRepairDisabled                 : False
ExchangeGuid                           : 3e286890-5801-427c-8c64-abe08c385252
MailboxContainerGuid                   :
UnifiedMailbox                         :
MailboxLocations                       : {1;3e286890-5801-427c-8c64-abe08c38525
                                         2;Primary;MMVSAD.com;c6859d69-0687-41d
                                         f-8ef3-3ef26f8afd8b}
AggregatedMailboxGuids                 : {}
ExchangeSecurityDescriptor             : System.Security.AccessControl.RawSecur
                                         ityDescriptor
ExchangeUserAccountControl             : None
AdminDisplayVersion                    : Version 15.0 (Build 1104.5)
MessageTrackingReadStatusEnabled       : True
ExternalOofOptions                     : External
ForwardingAddress                      :
ForwardingSmtpAddress                  :
RetainDeletedItemsFor                  : 14.00:00:00
IsMailboxEnabled                       : True
Languages                              : {en-US}
OfflineAddressBook                     :
ProhibitSendQuota                      : Unlimited
ProhibitSendReceiveQuota               : Unlimited
RecoverableItemsQuota                  : 30 GB (32,212,254,720 bytes)
RecoverableItemsWarningQuota           : 20 GB (21,474,836,480 bytes)
CalendarLoggingQuota                   : 6 GB (6,442,450,944 bytes)
DowngradeHighPriorityMessagesEnabled   : False
ProtocolSettings                       : {RemotePowerShell1}
RecipientLimits                        : Unlimited
ImListMigrationCompleted               : False
IsResource                             : False
IsLinked                               : False
IsShared                               : False
IsRootPublicFolderMailbox              : False
LinkedMasterAccount                    :
ResetPasswordOnNextLogon               : False
ResourceCapacity                       :
ResourceCustom                         : {}
ResourceType                           :
RoomMailboxAccountEnabled              :
SamAccountName                         : vsu3
SCLDeleteThreshold                     :
SCLDeleteEnabled                       :
SCLRejectThreshold                     :
SCLRejectEnabled                       :
SCLQuarantineThreshold                 :
SCLQuarantineEnabled                   :
SCLJunkThreshold                       :
SCLJunkEnabled                         :
AntispamBypassEnabled                  : False
ServerLegacyDN                         : /o=first organization/ou=Exchange
                                         Administrative Group (FYDIBOHF23SPDLT)
                                         /cn=Configuration/cn=Servers/cn=DEVVSE
                                         XCHAGENT
ServerName                             : devvsexchagent
UseDatabaseQuotaDefaults               : True
IssueWarningQuota                      : Unlimited
RulesQuota                             : 64 KB (65,536 bytes)
Office                                 :
UserPrincipalName                      : vsu3@MMVSAD.com
UMEnabled                              : False
MaxSafeSenders                         :
MaxBlockedSenders                      :
NetID                                  :
ReconciliationId                       :
WindowsLiveID                          :
MicrosoftOnlineServicesID              :
ThrottlingPolicy                       :
RoleAssignmentPolicy                   : Default Role Assignment Policy
DefaultPublicFolderMailbox             :
SharingPolicy                          : Default Sharing Policy
RemoteAccountPolicy                    :
MailboxPlan                            :
ArchiveDatabase                        :
ArchiveGuid                            : 00000000-0000-0000-0000-000000000000
ArchiveName                            : {}
JournalArchiveAddress                  :
ArchiveQuota                           : 100 GB (107,374,182,400 bytes)
ArchiveWarningQuota                    : 90 GB (96,636,764,160 bytes)
ArchiveDomain                          :
ArchiveStatus                          : None
ArchiveState                           : None
IsAuxMailbox                           : False
AuxMailboxParentObjectId               :
ChildAuxMailboxObjectIds               : {}
MailboxRelationType                    : None
RemoteRecipientType                    : None
DisabledArchiveDatabase                :
DisabledArchiveGuid                    : 00000000-0000-0000-0000-000000000000
QueryBaseDN                            :
QueryBaseDNRestrictionEnabled          : False
MailboxMoveTargetMDB                   :
MailboxMoveSourceMDB                   :
MailboxMoveFlags                       : None
MailboxMoveRemoteHostName              :
MailboxMoveBatchName                   :
MailboxMoveStatus                      : None
MailboxRelease                         :
ArchiveRelease                         :
IsPersonToPersonTextMessagingEnabled   : False
IsMachineToPersonTextMessagingEnabled  : True
UserSMimeCertificate                   : {}
UserCertificate                        : {}
CalendarVersionStoreDisabled           : False
ImmutableId                            :
PersistedCapabilities                  : {}
SKUAssigned                            :
AuditEnabled                           : False
AuditLogAgeLimit                       : 90.00:00:00
AuditAdmin                             : {Update, Move, MoveToDeletedItems,
                                         SoftDelete, HardDelete, FolderBind,
                                         SendAs, SendOnBehalf, Create}
AuditDelegate                          : {Update, SoftDelete, HardDelete,
                                         SendAs, Create}
AuditOwner                             : {}
WhenMailboxCreated                     : 6/26/2015 8:54:57 AM
SourceAnchor                           :
UsageLocation                          :
IsSoftDeletedByRemove                  : False
IsSoftDeletedByDisable                 : False
IsInactiveMailbox                      : False
IncludeInGarbageCollection             : False
WhenSoftDeleted                        :
InPlaceHolds                           : {}
GeneratedOfflineAddressBooks           : {}
Extensions                             : {}
HasPicture                             : False
HasSpokenName                          : False
AcceptMessagesOnlyFrom                 : {}
AcceptMessagesOnlyFromDLMembers        : {}
AcceptMessagesOnlyFromSendersOrMembers : {}
AddressListMembership                  : {\Mailboxes(VLV), \All
                                         Mailboxes(VLV), \All Recipients(VLV),
                                         \Default Global Address List, \All
                                         Users}
Alias                                  : VSU3
ArbitrationMailbox                     :
BypassModerationFromSendersOrMembers   : {}
OrganizationalUnit                     : mmvsad.com/Users
CustomAttribute1                       :
CustomAttribute10                      :
CustomAttribute11                      :
CustomAttribute12                      :
CustomAttribute13                      :
CustomAttribute14                      :
CustomAttribute15                      :
CustomAttribute2                       :
CustomAttribute3                       :
CustomAttribute4                       :
CustomAttribute5                       :
CustomAttribute6                       :
CustomAttribute7                       :
CustomAttribute8                       :
CustomAttribute9                       :
ExtensionCustomAttribute1              : {}
ExtensionCustomAttribute2              : {}
ExtensionCustomAttribute3              : {}
ExtensionCustomAttribute4              : {}
ExtensionCustomAttribute5              : {}
DisplayName                            : vsu3
EmailAddresses                         : {SMTP:VSU3@mmvsad.com}
GrantSendOnBehalfTo                    : {}
ExternalDirectoryObjectId              :
HiddenFromAddressListsEnabled          : False
LastExchangeChangedTime                :
LegacyExchangeDN                       : /o=first organization/ou=Exchange
                                         Administrative Group (FYDIBOHF23SPDLT)
                                         /cn=Recipients/cn=5c407df709064418a142
                                         b0f9161e811f-vsu3
MaxSendSize                            : Unlimited
MaxReceiveSize                         : Unlimited
ModeratedBy                            : {}
ModerationEnabled                      : False
PoliciesIncluded                       : {a79de871-1a39-4f97-82cc-c1452ed684f6,
                                          {26491cfc-9e50-4857-861b-0cb8df22b5d7
                                         }}
PoliciesExcluded                       : {}
EmailAddressPolicyEnabled              : True
PrimarySmtpAddress                     : VSU3@mmvsad.com
RecipientType                          : UserMailbox
RecipientTypeDetails                   : UserMailbox
RejectMessagesFrom                     : {}
RejectMessagesFromDLMembers            : {}
RejectMessagesFromSendersOrMembers     : {}
RequireSenderAuthenticationEnabled     : False
SimpleDisplayName                      :
SendModerationNotifications            : Always
UMDtmfMap                              : {emailAddress:8783,
                                         lastNameFirstName:87838783,
                                         firstNameLastName:87838783}
WindowsEmailAddress                    : VSU3@mmvsad.com
MailTip                                :
MailTipTranslations                    : {}
Identity                               : MMVSAD.com/Users/vsu3
IsValid                                : True
ExchangeVersion                        : 0.20 (15.0.0.0)
Name                                   : vsu3
DistinguishedName                      : CN=vsu3,CN=Users,DC=MMVSAD,DC=com
Guid                                   : 25e99b73-cabc-41d5-bf94-6d16110a87f9
ObjectCategory                         : MMVSAD.com/Configuration/Schema/Person
ObjectClass                            : {top, person, organizationalPerson,
                                         user}
WhenChanged                            : 6/27/2015 4:04:22 AM
WhenCreated                            : 6/26/2015 8:54:58 AM
WhenChangedUTC                         : 6/27/2015 8:04:22 AM
WhenCreatedUTC                         : 6/26/2015 12:54:58 PM
OrganizationId                         :
Id                                     : MMVSAD.com/Users/vsu3
OriginatingServer                      : DevVSADAgent.MMVSAD.com
ObjectState                            : Unchanged



[PS] C:\Windows\system32>
June 30th, 2015 10:59pm

Hi Rajesh,

Is there any error shown when you type the username and password in OWA?

Post the snapshot to ibsexc@microsoft.com.

We could type https://localhost/owa on the Exchange server, then check if we can log in with the new account.

If there are any questions regarding this issue, please feel free to let me know.

Best Regards,

Jim

July 1st, 2015 5:27am

No error
July 1st, 2015 10:32am

Can you please search your knowledge base and look for the event IDs that I have mentioned?
July 1st, 2015 2:16pm

Hi Jim,

Please let me know if you need any additional details.

July 1st, 2015 10:29pm

Hi Rajesh,

We could refer to Manu's suggestion to re-install all the prerequisites, then check if the user can log in.

We could create a new database with a new account to check if the user can log in.

If the issue persists, we suggest you open a thread with Microsoft.

If there are any questions regarding this issue, please feel free to let me know.

Best Regards,

Jim

July 2nd, 2015 4:28am

This topic is archived. No further replies will be accepted.
