Exchange 2013 upgrade "something went wrong"

I am trying to complete my Exchange 2007 to 2013 upgrade.  Mail is flowing for all my 2007 users.  OWA redirects nicely to the "legacy" site.  However, when I try to log into OWA as a new 2013 user I get the "something went wrong" page. What is noticeably wrong is the "time stamp" on the error is exactly 4 hours off from the current time. When you show more details it says:

X-Clientld: GOPY - N0EW -KJRE - XCJXW

X-FEServer: MYSERVER

Date: 8/8/2015 6:21:21 AM

...when it is "only" 2:21:21 AM

August 8th, 2015 2:33am

What time does the server say it is?  Does it have the right time zone configured?
August 8th, 2015 2:57am

Ed,

The server has the correct time and the correct time zone. 

more info:  CU9 is the version I installed.  Server 2012 R2 hyper-v on a host running Server 2012 R2  (also with correct time and time zone).

I would be remiss to not mention I am not certain CU9 completed installation successfully.  I was working on other servers while it finished installing.  When I returned to the server the installation was no longer running, by which I mean, it appeared to close on its own.  I never saw the final "complete" page.  I launched it again to see if it would pick up where it left off if indeed it ended prematurely.  Nothing ever started so I ended it.  Everything appeared to be installed so I assumed I closed the "complete" window unwittingly while switching between remote servers.

August 8th, 2015 2:14pm

It might show UTC and not your server time.

Make sure VM is not syncing the time from Hyper-v. You should uncheck the checkbox to sync the time with hyper-v.

You might like to see this - https://support.microsoft.com/en-us/kb/2961715

Check the setup.log in the c drive to see if installation was completed.

August 8th, 2015 10:24pm

thanks Prabhat,

I unchecked the checkbox.  Unlike the kb article, the time listed in the error is always 4 hours ahead of the current time. The setup.log says the CU9 finished.

I'm pulling out the little hair I have left.

August 9th, 2015 12:47am

Thanks David,

I'll post my active-sync question on the forum you mention.

But to clarify, this OWA issue still exists.  The Outlook client works but OWA does not.  Same issue as previously mentioned.

August 11th, 2015 9:53am

No, I do not see any events like that. Remember, 2007 users log on to OWA just fine.  I am getting ASP.NET warnings every 2-3 seconds (Event ID 1310).  The one below is for ActiveSync but others are for OWA, EWS,...just about every virtual directory.  Thanks again.

Event code: 3008

Event message: A configuration error has occurred.

Event time: 8/10/2015 10:52:57 PM

Event time (UTC): 8/11/2015 2:52:57 AM

Event ID: 73c386f4074c4db681e6c111bd7217a6

Event sequence: 1

Event occurrence: 1

Event detail code: 0

Application information:

    Application domain: /LM/W3SVC/2/ROOT/Microsoft-Server-ActiveSync-24-130837351774006595

    Trust level: Full

    Application Virtual Path: /Microsoft-Server-ActiveSync

    Application Path: C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\sync\

    Machine name: EXCH2013

Process information:

    Process ID: 16100

    Process name: w3wp.exe

    Account name: NT AUTHORITY\SYSTEM

August 11th, 2015 10:40am

Are you able to open ECP/OWA for Exchange 2013 admin mailbox?
August 11th, 2015 2:36pm

There can also be some issues with hardening of the server. You can run the following command to view all the groups denied permission:

  • Get-ADPermission -Identity <ExchangeServer> | where {($_.ExtendedRights -like "ms-Exch-EPI-Token-Serialization") -and ($_.Deny -like "True")} | ft -autosize User,ExtendedRights

If you see any deny then remove the computer object from the restricted group.

August 11th, 2015 2:45pm

My account which is a 2007 account can log onto ECP/OWA.  I made a new 2013 account and it can log onto ECP/OWA (but not "regular" OWA).  I don't want to mix problems but maybe this is connected. I looked at the Advanced setting for Autodiscover and the Physical path for autodiscover.xml says it is in ...V15\frontend\httpproxy\autodiscover  but it is not there.   I found it in ...v15\clientAccess\Autodiscover.  Same with OWA.  Is this normal?
August 11th, 2015 3:11pm

OWA does not use autodiscover so no worries. Your Outlook is working so I am not worried about autodiscover.

Did you run the command to check the deny group?

August 11th, 2015 3:17pm

FYI: I have an empty root domain with a child domain containing all objects

here is the output from your command:

User                                      ExtendedRights
----                                      --------------
ROOT\Domain Admins                        {ms-Exch-EPI-Token-Serialization}
ROOT\Schema Admins                        {ms-Exch-EPI-Token-Serialization}
ROOT\Enterprise Admins                    {ms-Exch-EPI-Token-Serialization}
ROOT\Exchange Organization Administrators {ms-Exch-EPI-Token-Serialization}
ROOT\Organization Management              {ms-Exch-EPI-Token-Serialization}
ROOT\Domain Admins                        {ms-Exch-EPI-Token-Serialization}
ROOT\Schema Admins                        {ms-Exch-EPI-Token-Serialization}
ROOT\Enterprise Admins                    {ms-Exch-EPI-Token-Serialization}
ROOT\Exchange Organization Administrators {ms-Exch-EPI-Token-Serialization}
ROOT\Organization Management              {ms-Exch-EPI-Token-Serialization}
ROOT\Domain Admins                        {ms-Exch-EPI-Token-Serialization}
ROOT\Schema Admins                        {ms-Exch-EPI-Token-Serialization}
ROOT\Enterprise Admins                    {ms-Exch-EPI-Token-Serialization}
ROOT\Exchange Organization Administrators {ms-Exch-EPI-Token-Serialization}
ROOT\Organization Management              {ms-Exch-EPI-Token-Serialization}
ROOT\Domain Admins                        {ms-Exch-EPI-Token-Serialization}
ROOT\Schema Admins                        {ms-Exch-EPI-Token-Serialization}
ROOT\Enterprise Admins                    {ms-Exch-EPI-Token-Serialization}
ROOT\Exchange Organization Administrators {ms-Exch-EPI-Token-Serialization}
ROOT\Organization Management              {ms-Exch-EPI-Token-Serialization}
ROOT\Domain Admins                        {ms-Exch-EPI-Token-Serialization}
ROOT\Schema Admins                        {ms-Exch-EPI-Token-Serialization}
ROOT\Enterprise Admins                    {ms-Exch-EPI-Token-Serialization}
ROOT\Exchange Organization Administrators {ms-Exch-EPI-Token-Serialization}
ROOT\Organization Management              {ms-Exch-EPI-Token-Serialization}
ROOT\Domain Admins                        {ms-Exch-EPI-Token-Serialization}
ROOT\Schema Admins                        {ms-Exch-EPI-Token-Serialization}
ROOT\Enterprise Admins                    {ms-Exch-EPI-Token-Serialization}
ROOT\Exchange Organization Administrators {ms-Exch-EPI-Token-Serialization}
ROOT\Organization Management              {ms-Exch-EPI-Token-Serialization}
ROOT\Domain Admins                        {ms-Exch-EPI-Token-Serialization}
ROOT\Schema Admins                        {ms-Exch-EPI-Token-Serialization}
ROOT\Enterprise Admins                    {ms-Exch-EPI-Token-Serialization}
ROOT\Exchange Organization Administrators {ms-Exch-EPI-Token-Serialization}
ROOT\Organization Management              {ms-Exch-EPI-Token-Serialization}

August 11th, 2015 3:27pm

I understand this setup.

I guess servers and admin users are in the root domain.

So are you saying the problem is only with the child domain users and not with root domain users?

Did you run PrepareDomain in the child domain for Exchange 2013?

August 11th, 2015 4:08pm

The empty root domain is exactly that...empty.  Just the forest domain administrator is in there.  Every user/computer/server is in the child domain.  I'm telling you this because the results from your script have all root\something
August 11th, 2015 4:14pm

Any other ideas? 

As of now, an Exchange 2007 user logs onto OWA successfully.  By that I mean, they are presented with the Exchange 2013 logon page (HTTPS redirection works), they log in and the legacy OWA application loads. However, when a new 2013 user logs on they get this: (the time stamp on the page is 4 hours ahead of the current time)

---------------------------------

something went wrong

Sorry, we can't get that information right now. Please try again later.  If the problem...

X-Clientld: TXYS - 0FKY - BEED - KYYVPXQ9W

X-FEServer: EXCH2013

Date: 8/10/2015 1:19:17 AM

August 11th, 2015 9:38pm

Are you getting the following event ID in the application log of the Exchange server?

Log Name:      Application
Source:        MSExchange Control Panel
Event ID:      4
Task Category: General
Level:         Error
Description:
Request for URL https://server.domain.com:444/ecp/default.aspx(https:/CASserver.domain.com/ecp/) failed with the following error:
Microsoft.Exchange.Configuration.Authorization.CmdletAccessDeniedException: The user domain.com/Computers/CAS1 isnt assigned to any management roles.

August 11th, 2015 9:41pm

What is the 2013 users time zone? First time login users get timezone selection. Check 2013 user properties. Make sure you had created mailbox and database i
August 11th, 2015 9:44pm

Thank you Prabhat for your efforts helping me.

I checked the user properties.  A mailbox has been created and the database is mounted.  In fact, I created an Outlook profile and that works fine.  I did not see where a user's time zone is set.  If it helps, I created the user within 2013 ECP. Should I also mention, ActiveSync is not working.  All 2003 users need to change to legacy.domain.com instead of mail.domain.com.  I'll start a new thread with that issue, but I thought I would bring it to your attention.

Thanks again

August 11th, 2015 10:45pm


Hi,

I have noticed the issue was solved  when you created a new outlook profile.

As for your activesync issue, I suggest we can ask a question in Exchange ActiveSync forum for more help:

https://social.technet.microsoft.com/Forums/exchange/enUS/home?forum=exchangesvrmobilitylegacy  

Regards,

David

August 12th, 2015 1:36am

I opened a ticket with Microsoft:

Problem: OWA fails when new 2013 user accounts attempt to log on

Fix 1: %systemroot%\Program Files\Microsoft\Exchange Server\V15\ClientAccess\SharedWebConfig.config was missing.  The tech created an empty file and copied the contents from the same file from his lab environment

Fix 2: In IIS on the 2013 server, he removed the HTTP Redirect from the Exchange Back End site

Problem: both 2007 users and 2013 users cannot get email on their mobile devices due to autodiscover and active-sync issues

Fix:

  • With Fix 1 and 2 being already applied, ExRCA now only produced a 403 error on Active-Sync.
  • In IIS on Exchange 2013 server, the 2 bindings for 127.0.0.1 were missing.  One for port 80 and the other for port 443. Be sure to apply the 3rd party certificate for mail.mydomain.com to 443
  • On 2007 Exchange CAS server, in Exchange Management Console, removed the external URL from Microsoft-Server-ActiveSync found in Server Configuration - Client Access - Exchange ActiveSync
  • On 2007 Exchange CAS Server Enabled Windows Authentication on Active Sync via:

Get-ActiveSyncVirtualDirectory -Server exchcas01 | Set-ActiveSyncVirtualDirectory -WindowsAuthEnabled $true

  • Marked as answer by bassoml 19 hours 10 minutes ago
August 12th, 2015 8:20am
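
A read-only check for the three server-side items named in the fix above, as an added example (not part of the original thread and not Microsoft's tooling). The install path default is taken from the Application Path in the event record earlier in the thread; the site name 'Default Web Site' for the loopback bindings is an assumption, since the post does not name the site.

```powershell
# Added example: reports on the items changed in the support case; changes nothing.
# Assumptions: $ExchangeRoot default and $FrontEndSite are not stated in the fix post.
param(
    [string]$ExchangeRoot = 'C:\Program Files\Microsoft\Exchange Server\V15',
    [string]$FrontEndSite = 'Default Web Site',
    [string]$BackEndSite  = 'Exchange Back End'
)
Import-Module WebAdministration

$findings = @()

# Fix 1: SharedWebConfig.config must exist, be non-empty and parse as XML.
$shared = Join-Path $ExchangeRoot 'ClientAccess\SharedWebConfig.config'
if (-not (Test-Path -LiteralPath $shared)) {
    $findings += "MISSING FILE: $shared"
} elseif ((Get-Item -LiteralPath $shared).Length -eq 0) {
    $findings += "EMPTY FILE: $shared"
} else {
    try   { [xml](Get-Content -LiteralPath $shared -Raw) | Out-Null }
    catch { $findings += "NOT WELL-FORMED XML: $shared" }
    # Record a hash so a file copied in from another machine can be tracked later.
    $hash = (Get-FileHash -LiteralPath $shared -Algorithm SHA256).Hash
    Write-Output "SharedWebConfig.config SHA256: $hash"
}

# Fix 2: HTTP Redirect should not be enabled on the back end site.
$redirect = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$BackEndSite" `
    -Filter 'system.webServer/httpRedirect' -Name 'enabled'
if ($redirect.Value) {
    $findings += "HTTP REDIRECT ENABLED on '$BackEndSite'"
}

# Mobile fix: loopback bindings on ports 80 and 443 must be present.
$bindings = Get-WebBinding -Name $FrontEndSite |
    ForEach-Object { "$($_.protocol) $($_.bindingInformation)" }
foreach ($want in 'http 127.0.0.1:80:', 'https 127.0.0.1:443:') {
    if ($bindings -notcontains $want) {
        $findings += "MISSING BINDING on '$FrontEndSite': $want"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: all three items match the state described in the fix.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it in an elevated PowerShell session on the Exchange 2013 server; the WebAdministration module needs administrator rights to read IIS configuration.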
