IIS IP restriction on CAS server destroys it
I have reproduced this problem in my test lab several times. I am curious if anyone else has experienced this problem and/or can independently reproduce it. Caution: this will make your CAS server inoperable.

My scenario: I have (2) dedicated Exchange 2007 CAS servers which I intend to hide behind a hardware load balancing device which will also perform SSL offloading. To ensure that users do not access the CAS servers using non-SSL, I want to restrict the IP communication of the CAS web site to just the load balancing devices. (Side question: Is there another / better way to accomplish this?)

To accomplish this requirement, I go into IIS Manager and establish an IP restriction on the Default Web Site to include the load balancing devices (and any other Exchange 2007 servers / EMC management consoles from which I intend to manage the CAS servers). Everything works fine until the first time I attempt to manage the CAS server from an EMC that is NOT on an allowed IP address. After such an attempt, the CAS server is broken and all EMC management consoles (whether IP-restricted or not) give a pop-up error even when simply clicking on the CAS server in the Server Configuration/Client Access node of EMC. The error message is:

Error: Unable to create IIS (Internet Information Service) directory entry. Error Message is: Exception from HRESULT: 0x80005008. HResult = -2147463160

Even removing the IP restriction does not fix the problem. My guess (but just a guess at this point) is that the IP-restricted EMC does something to the IIS metabase that makes the whole server unusable. After entering this failure state, any attempts to access the CAS server via HTTP also fail, presenting the web browser with the same error message (although a lot more verbiage, so I'm including it at the bottom of this message). After entering this failure state, I cannot even uninstall Exchange 2007 from the server without getting the same error message above (0x80005008).

The only procedure I have found to recover the server is the following:
1) Uninstall IIS (ripping it out from under the Exchange 2007 CAS role),
2) Reinstall IIS,
3) Uninstall the Exchange 2007 CAS role,
4) Reinstall Exchange 2007 CAS role,
5) Reconfigure the CAS server.

After entering this failure state, web browsers see the following verbose error message:

Request
Url: https://owatest.company.com:443/owa/auth/error.aspx?url=https://owatest.company.com/owa&reason=0
User host address: 192.168.50.10

Exception
Exception type: Microsoft.Exchange.Clients.Owa.Core.OwaInvalidConfigurationException
Exception message: Unable to create IIS (Internet Information Service) directory entry. Error Message is: Exception from HRESULT: 0x80005008. HResult = -2147463160

Call stack
Microsoft.Exchange.Clients.Owa.Core.OwaConfigurationManager.CreateAndLoadConfigurationManager()
Microsoft.Exchange.Clients.Owa.Core.Globals.InitializeApplication()
Microsoft.Exchange.Clients.Owa.Core.Global.ExecuteApplicationStart(Object sender, EventArgs e)

Inner Exception
Exception type: Microsoft.Exchange.Management.Metabase.IISGeneralCOMException
Exception message: Unable to create IIS (Internet Information Service) directory entry. Error Message is: Exception from HRESULT: 0x80005008. HResult = -2147463160

Call stack
Microsoft.Exchange.Management.Metabase.IisUtility.GetProperties(DirectoryEntry webObj)
Microsoft.Exchange.Management.SystemConfigurationTasks.OwaVirtualDirectoryHelper.UpdateFromMetabase(ADOwaVirtualDirectory adOwaVirtualDirectory)
Microsoft.Exchange.Clients.Owa.Core.Configuration..ctor(ADSystemConfigurationSession session, String virtualDirectory, String webSiteName, ADObjectId distinguishedName, Boolean isPhoneticSupportEnabled)
Microsoft.Exchange.Clients.Owa.Core.OwaConfigurationManager.LoadConfiguration()
Microsoft.Exchange.Clients.Owa.Core.OwaConfigurationManager.CreateAndLoadConfigurationManager()

Inner Exception
Exception type: System.Runtime.InteropServices.COMException
Exception message: Exception from HRESULT: 0x80005008

Call stack
System.DirectoryServices.Interop.UnsafeNativeMethods.IAdsPropertyList.Item(Object varIndex)
System.DirectoryServices.PropertyCollection.KeysEnumerator.get_Current()
Microsoft.Exchange.Management.Metabase.IisUtility.GetProperties(DirectoryEntry webObj)
May 2nd, 2007 12:51pm
I confirm this problem. I have one CAS server. I have restricted the IP communication, allowing only inner (i.e. 10.x.x.x) IP addresses. I receive absolutely the same error log.

Important: I never tried to manage the CAS server from an EMC that is NOT on an allowed IP address. I only managed it from the server console. I cannot determine the moment when OWA and EMC stopped working though.
May 15th, 2007 6:24am
We have the same problem. After changing the Directory Security setting to Grant a range of IP Addresses, OWA fails with an error. Even if the PC is in the allowed access range, the same error - Outlook Web Access did not initialize.... Inner Exception: Unable to create IIS Directory Entry
May 16th, 2007 3:18am
Heh, it happened to me with just changing the Authentication Methods. Weak. I did what the Gent in the first post suggested and that fixed it as well. 1) Uninstall IIS (ripping it out from under the Exchange 2007 CAS role), 2) Reinstall IIS, 3) Uninstall the Exchange 2007 CAS role, 4) Reinstall Exchange 2007 CAS role, 5) Reconfigure the CAS server. Thanks!
June 5th, 2007 7:17pm
I too hit this problem. I inspected the MetaBase.xml and found three attributes labeled IpSecurity, with blank values: IpSecurity=""

Stopping IIS, deleting these entries, saving the modified MetaBase.xml and restarting seems to have resolved the issue.
June 21st, 2007 10:52am
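Added example, not part of the thread: a read-only PowerShell check for the blank IpSecurity="" attributes described in the post above, listing which metabase elements carry them. The function name Find-IpSecurityEntry and the sample XML are constructed for illustration; on a real server, point it at a copy of MetaBase.xml.

```powershell
# Added example (not from the thread). Read-only: use a COPY of MetaBase.xml.
function Find-IpSecurityEntry {
    param([string]$Path)

    $doc = New-Object System.Xml.XmlDocument
    # XmlDocument.Load resolves relative paths against the process directory,
    # not the PowerShell location, so pass the fully resolved path.
    $doc.Load((Resolve-Path $Path).ProviderPath)

    # '*' matches elements in any namespace and attributes are unqualified,
    # so the metabase's default xmlns needs no namespace manager.
    foreach ($node in $doc.SelectNodes('//*[@IpSecurity]')) {
        $location = $node.GetAttribute('Location')
        $row = New-Object PSObject
        $row | Add-Member NoteProperty Element  $node.LocalName
        $row | Add-Member NoteProperty Location $location
        # adsutil.vbs addresses the same key without the leading /LM/
        $row | Add-Member NoteProperty AdsPath  ($location -replace '^/LM/', '')
        $row | Add-Member NoteProperty IsBlank  ($node.GetAttribute('IpSecurity') -eq '')
        $row
    }
}

# Constructed sample: one attribute per line inside the element's opening tag.
$sample = @'
<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT"
    AccessFlags="AccessRead | AccessScript"
    IpSecurity=""
    Path="C:\inetpub\wwwroot"
  >
</IIsWebVirtualDir>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/constructed-dir"
    IpSecurity="constructed-non-empty-value"
  >
</IIsWebVirtualDir>
</MBProperty>
</configuration>
'@

$copy = [System.IO.Path]::GetTempFileName()
Set-Content -Path $copy -Value $sample
# Only the blank entries are the ones the thread reports removing.
Find-IpSecurityEntry -Path $copy | Where-Object { $_.IsBlank } | Format-Table -AutoSize
Remove-Item $copy
```

In the sample, IpSecurity="" is one attribute inside an element's opening tag, so the check reports the owning element and its Location rather than a line to cut.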
I have a similar issue, and attempted to go through the steps listed above. I was able to successfully uninstall and reinstall IIS, however my CAS will not uninstall. I get a message that says: Setup cannot use domain controller 'DC.DOMAIN.INT' because an override is set in the registry. Run setup again, and specify '/DomainController'. Any suggestions??
June 27th, 2007 11:30am
Tig Stone, this worked for me too, thanks a lot!
June 28th, 2007 4:58am
We had the same error. Deleting the IPSecurity entry in the Metabase solved the problem, but we still could not enter IP Restrictions. So we started a support call with Microsoft. A patch is published: http://support.microsoft.com/kb/939573

After installing, IP Restrictions and also OWA keep working, but the error still appears in the Management Console. Microsoft did now recommend to install the patch on all Exchange Servers and also on all servers where the ESM is installed (which means not only on CAS, also on all Hub Transport and Mailbox Servers). We will try that and see what happens.
August 29th, 2007 2:19pm
Tig Stone, this worked for me too, thanks a lot!
July 5th, 2008 12:56am
Hi, please do the following steps to resolve the issue:
(1) Click Start, type "net stop iisadmin"
(1) Right-click Start, click Explorer, then click windows\system32\inetsrv\metabase.xml
(2) Open metabase.xml with Notepad
(3) Press CTRL+F, type "IsapiRestrictionList", and search for
    <Custom Name="IsapiRestrictionList" ID="2163" Value="0 C:\WINDOWS\system32\inetsrv\asp.dll" Type="MULTISZ" UserType="IIS_MD_UT_SERVER" Attributes="NO_ATTRIBUTES">
(4) Press CTRL+S, quit Notepad
(5) Click Start, type "net start iisadmin"

Please test again to see whether it's OK. If anything is unclear, please feel free to let me know, thanks. Hope it helps.
-Jack
July 7th, 2008 9:19pm
Hey Guys, I am getting this error after I accidentally denied access to my domain within the Directory Security, IP Address and Domain name restrictions (I was trying to grant access, not deny it!). Now I am receiving the following error when I open my Exchange 2007 console. So what do I do to fix this problem? Should I uninstall IIS from under the Exchange and then install it again, then uninstall the CAS and reinstall it? Or should I try the hot fix? I'm confused as to what to do.

--------------------------------------------------------
Microsoft Exchange Error
--------------------------------------------------------
The following error(s) were reported while loading topology information:

Get-OWAVirtualDirectory
Failed
Error:
Unable to create IIS (Internet Information Service) directory entry. Error Message is: Exception from HRESULT: 0x80005008. HResult = -2147463160
Exception from HRESULT: 0x80005008

Get-ActiveSyncVirtualDirectory
Failed
Error:
Unable to create IIS (Internet Information Service) directory entry. Error Message is: Exception from HRESULT: 0x80005008. HResult = -2147463160
Exception from HRESULT: 0x80005008

Get-OabVirtualDirectory
Failed
Error:
Unable to create IIS (Internet Information Service) directory entry. Error Message is: Exception from HRESULT: 0x80005008. HResult = -2147463160
Exception from HRESULT: 0x80005008
--------------------------------------------------------
OK
--------------------------------------------------------

Thanks
James
August 8th, 2008 12:56pm
Thank you so much!!! That worked Tig Stone!
October 25th, 2008 11:06pm
I have the same problem... however, I am running windows 2008. The IpSecurity information is not in my Metabase.xml file. Has anyone else seen this issue with 2008?
December 8th, 2008 5:35pm
I'm having the same problem with 2008 and Exchange 2007. Has anybody had any joy with this config?
January 21st, 2009 1:43pm
Yes, Fixed it: WWW and IIS Admin service was disabled. Set them to Automatic - start the services.

Edit: This was on Server 2008 with Exchange 2007 SP1

Dr.Watson
February 20th, 2009 7:23am
Thank you Tig Stone, it worked for me too.
April 5th, 2009 8:05am
install this hot fix http://support.microsoft.com/kb/939573/en-us
May 21st, 2009 4:08am
I too hit this problem. I inspected the MetaBase.xml and found three attributes labeled IpSecurity, with blank values: IpSecurity="" Stopping IIS, deleting these entries, saving the modified MetaBase.xml and restarting seems to have resolved the issue.

Can anyone give me some help with these instructions? I have two IpSecurity="" in my xml file but what do I delete?? If I just delete this line IpSecurity="" the xml is no good when I try to restart IIS. If I delete the piece containing <>IpSecurity="" </> still no restart. Can someone help please, OWA not working...
May 22nd, 2009 11:09pm
Does anyone know if there is a 64 bit version for the patch? Thanks!
June 5th, 2009 11:53am
I too had this issue when trying to upgrade from Exchange 2007 SP 1 to Exchange 2007 SP 3. It kept crashing on the upgrade for the CAS Role with error:

Unable to create Internet Information Services (IIS) directory entry. Error message is: Exception from HRESULT: 0x80005008. HResult = -2147463160. Exception from HRESULT: 0x80005008.

I did have IP Restrictions and even removing them didn't help. Then I found this article and deleted the IpSecurity="" lines from my MetaBase.xml file, and restarting the IIS Admin Service and then launching the SP 3 installer worked with 0 issues. I would have NEVER figured this out without probably a 4 hour MS Tech Support call for $250, until coming across this article. THANK YOU THANK YOU THANK YOU. You saved me many hours of headache and panic.
August 7th, 2010 8:42pm
This worked for me on Exchange 2007 Enterprise running on Windows 2003x64 R2 SP2. There were three of the entries to delete. No need to install a patch. Should I?
December 13th, 2011 12:21pm
Where is the metabase.xml located on the disk? (SBS 2011)

R, J
December 21st, 2011 6:43pm
After spending 3hrs on the phone with MS the solution was rather simple: open a cmd prompt with administrative rights. Navigate to C:\Inetpub\AdminScripts on the CAS/HUB server and run the following command:

    cscript adsutil.vbs find w3svc/IpSecurity

This will identify if you have any IP security still in place. In my case it came back with the following entries:

    Property IpSecurity found at:
    w3svc/1/ROOT
    w3svc/2/ROOT
    w3svc/Info/Templates/Public Web Site/Root
    w3svc/Info/Templates/Secure Web Site/Root

Running the following command from the same location cleared the IP security info from the default web site:

    cscript adsutil.vbs delete w3svc/1/ROOT/IpSecurity

Hope that helps.

PS: this was on Exchange 2007 Enterprise SP1 with a Windows 2003 R2 SP2 Standard server.
March 26th, 2012 5:16pm
Add me to the list that Tig Stone's post fixed. Found 3 instances of IpSecurity="", deleted them, restarted IIS and now I can see OWA in the management console again and "Get-OWAVirtualDirectory" works again. Thanks for the post!
June 26th, 2012 4:34pm