IIS IP restriction on CAS server destroys it
I have reproduced this problem in my test lab several times. I am curious if anyone else has experienced this problem and/or can independently reproduce it. Caution: this will make your CAS server inoperable.

My scenario: I have (2) dedicated Exchange 2007 CAS servers which I intend to hide behind a hardware load balancing device which will also perform SSL offloading. To ensure that users do not access the CAS servers using non-SSL, I want to restrict the IP communication of the CAS web site to just the load balancing devices. (Side question: Is there another / better way to accomplish this?)

To accomplish this requirement, I go into IIS Manager and establish an IP restriction on the Default Web Site to include the load balancing devices (and any other Exchange 2007 servers / EMC management consoles from which I intend to manage the CAS servers). Everything works fine until the first time I attempt to manage the CAS server from an EMC that is NOT on an allowed IP address. After such an attempt, the CAS server is broken and all EMC management consoles (whether IP-restricted or not) give a pop-up error even when simply clicking on the CAS server in the Server Configuration/Client Access node of EMC. The error message is:

Error: Unable to create IIS (Internet Information Service) directory entry. Error Message is: Exception from HRESULT: 0x80005008. HResult = -2147463160

Even removing the IP restriction does not fix the problem. My guess (but just a guess at this point) is that the IP-restricted EMC does something to the IIS metabase that makes the whole server unusable.

After entering this failure state, any attempts to access the CAS server via HTTP also fail, presenting the web browser with the same error message (although a lot more verbiage, so I'm including it at the bottom of this message). After entering this failure state, I cannot even uninstall Exchange 2007 from the server without getting the same error message above (0x80005008).

The only procedure I have found to recover the server is the following:
1) Uninstall IIS (ripping it out from under the Exchange 2007 CAS role),
2) Reinstall IIS,
3) Uninstall the Exchange 2007 CAS role,
4) Reinstall Exchange 2007 CAS role,
5) Reconfigure the CAS server.

After entering this failure state, web browsers see the following verbose error message:

Request
Url: https://owatest.company.com:443/owa/auth/error.aspx?url=https://owatest.company.com/owa&reason=0
User host address: 192.168.50.10

Exception
Exception type: Microsoft.Exchange.Clients.Owa.Core.OwaInvalidConfigurationException
Exception message: Unable to create IIS (Internet Information Service) directory entry. Error Message is: Exception from HRESULT: 0x80005008. HResult = -2147463160

Call stack
Microsoft.Exchange.Clients.Owa.Core.OwaConfigurationManager.CreateAndLoadConfigurationManager()
Microsoft.Exchange.Clients.Owa.Core.Globals.InitializeApplication()
Microsoft.Exchange.Clients.Owa.Core.Global.ExecuteApplicationStart(Object sender, EventArgs e)

Inner Exception
Exception type: Microsoft.Exchange.Management.Metabase.IISGeneralCOMException
Exception message: Unable to create IIS (Internet Information Service) directory entry. Error Message is: Exception from HRESULT: 0x80005008. HResult = -2147463160

Call stack
Microsoft.Exchange.Management.Metabase.IisUtility.GetProperties(DirectoryEntry webObj)
Microsoft.Exchange.Management.SystemConfigurationTasks.OwaVirtualDirectoryHelper.UpdateFromMetabase(ADOwaVirtualDirectory adOwaVirtualDirectory)
Microsoft.Exchange.Clients.Owa.Core.Configuration..ctor(ADSystemConfigurationSession session, String virtualDirectory, String webSiteName, ADObjectId distinguishedName, Boolean isPhoneticSupportEnabled)
Microsoft.Exchange.Clients.Owa.Core.OwaConfigurationManager.LoadConfiguration()
Microsoft.Exchange.Clients.Owa.Core.OwaConfigurationManager.CreateAndLoadConfigurationManager()

Inner Exception
Exception type: System.Runtime.InteropServices.COMException
Exception message: Exception from HRESULT: 0x80005008

Call stack
System.DirectoryServices.Interop.UnsafeNativeMethods.IAdsPropertyList.Item(Object varIndex)
System.DirectoryServices.PropertyCollection.KeysEnumerator.get_Current()
Microsoft.Exchange.Management.Metabase.IisUtility.GetProperties(DirectoryEntry webObj)
May 2nd, 2007 7:51pm

I confirm this problem. I have one CAS server. I have restricted the IP communication, allowing only inner (i.e. 10.x.x.x) IP addresses. I receive absolutely the same error log.

Important: I never tried to manage the CAS server from an EMC that is NOT on an allowed IP address. I only managed it from the server console.

I cannot determine the moment when OWA and EMC stopped working though.
May 15th, 2007 1:24pm

We have the same problem. After changing the Directory Security setting to Grant a range of IP Addresses, OWA fails with an error. Even if the PC is in the allowed access range, the same error - Outlook Web Access did not initialize.... Inner Exception: Unable to create IIS Directory Entry
May 16th, 2007 10:18am

Heh, it happened to me with just changing the Authentication Methods. Weak. I did what the Gent in the first post suggested and that fixed it as well. 1) Uninstall IIS (ripping it out from under the Exchange 2007 CAS role), 2) Reinstall IIS, 3) Uninstall the Exchange 2007 CAS role, 4) Reinstall Exchange 2007 CAS role, 5) Reconfigure the CAS server. Thanks!
June 6th, 2007 2:17am

I too hit this problem. I inspected the MetaBase.xml and found three attributes labeled IpSecurity, with blank values: IpSecurity=""

Stopping IIS, deleting these entries, saving the modified MetaBase.xml and restarting seems to have resolved the issue.
June 21st, 2007 5:52pm

I have a similar issue, and attempted to go through the steps listed above. I was able to successfully uninstall and reinstall IIS, however my CAS will not uninstall. I get a message that says: Setup cannot use domain controller 'DC.DOMAIN.INT' because an override is set in the registry. Run setup again, and specify '/DomainController'. Any suggestions??
June 27th, 2007 6:30pm

Tig Stone, this worked for me too, thanks a lot!
June 28th, 2007 11:58am

We had the same error. Deleting the IPSecurity Entry in the Metabase solved the Problem, but we still could not enter IP Restrictions. So we started a Support Call with Microsoft. A Patch is published: http://support.microsoft.com/kb/939573

After Installing IP Restrictions and also OWA keeps working, but the error still appears in the Management Console. Microsoft did now recommend to install the Patch on all Exchange Servers and also on all Servers where the ESM is installed (which means not only on CAS, also on all Hub Transport and Mailbox Servers). We will try that and see what happens.
August 29th, 2007 9:19pm

Tig Stone, this worked for me too, thanks a lot!
July 5th, 2008 7:56am

Hi, please do the following steps to resolve the issue:
(1) Click Start, type "net stop iisadmin"
(1) Right-click Start, click Explore, then click window\system32\inetsrv\metabase.xml
(2) Open metabase.xml with Notepad
(3) Press CTRL+F, type "IsapiRestrictionList", search
<Custom Name="IsapiRestrictionList" ID="2163" Value="0 C:\WINDOWS\system32\inetsrv\asp.dll" Type="MULTISZ" UserType="IIS_MD_UT_SERVER" Attributes="NO_ATTRIBUTES">
(4) Press CTRL+S, quit Notepad
(5) Click Start, type "net start iisadmin"

Please test again to see whether it's OK. If anything is unclear, please feel free to let me know, thanks. Hope it helps.
-Jack
July 8th, 2008 4:19am

Hey Guys, I am getting this error after I accidentally denied access to my domain within the Directory Security, IP Address and Domain name restrictions (I was trying to grant access, not deny it!). Now I am receiving the following error when I open my Exchange 2007 console. So what do I do to fix this problem? Should I uninstall IIS from under the Exchange and then install it again, then uninstall the CAS and reinstall it? Or should I try the hot fix? I'm confused as to what to do.

--------------------------------------------------------
Microsoft Exchange Error
--------------------------------------------------------
The following error(s) were reported while loading topology information:

Get-OWAVirtualDirectory
Failed
Error:
Unable to create IIS (Internet Information Service) directory entry. Error Message is: Exception from HRESULT: 0x80005008. HResult = -2147463160
Exception from HRESULT: 0x80005008

Get-ActiveSyncVirtualDirectory
Failed
Error:
Unable to create IIS (Internet Information Service) directory entry. Error Message is: Exception from HRESULT: 0x80005008. HResult = -2147463160
Exception from HRESULT: 0x80005008

Get-OabVirtualDirectory
Failed
Error:
Unable to create IIS (Internet Information Service) directory entry. Error Message is: Exception from HRESULT: 0x80005008. HResult = -2147463160
Exception from HRESULT: 0x80005008
--------------------------------------------------------
OK
--------------------------------------------------------

Thanks
James
August 8th, 2008 7:56pm

Thank you so much!!! That worked Tig Stone!
October 26th, 2008 6:06am

I have the same problem... however, I am running windows 2008. The IpSecurity information is not in my Metabase.xml file. Has anyone else seen this issue with 2008?
December 9th, 2008 1:35am

I'm having the same problem with 2008 and Exchange 2007. Has anybody had any joy with this config?
January 21st, 2009 9:43pm

Yes, fixed it: WWW and IIS Admin service was disabled. Set them to Automatic - start the services.

Edit: This was on Server 2008 with Exchange 2007 SP1

Dr.Watson
February 20th, 2009 3:23pm

Thank you Tig Stone, it worked for me too.
April 5th, 2009 3:05pm

Install this hot fix: http://support.microsoft.com/kb/939573/en-us
May 21st, 2009 11:08am

"I too hit this problem. I inspected the MetaBase.xml and found three attributes labeled IpSecurity, with blank values: IpSecurity="" Stopping IIS, deleting these entries, saving the modified MetaBase.xml and restarting seems to have resolved the issue."

Can anyone give me some help with these instructions? I have two IpSecurity="" in my xml file, but what do I delete?? If I just delete this line IpSecurity="" the xml is no good when I try to restart IIS. If I delete the piece containing <>IpSecurity="" </> still no restart. Can someone help please, OWA not working...
May 23rd, 2009 6:09am
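
The MetaBase.xml fix described earlier in the thread, and the question in the post above about what exactly to delete, as an added PowerShell example (not part of the thread and not Microsoft's procedure): it removes only the empty IpSecurity="" attribute text and leaves the surrounding element intact. The -Apply switch, the backup file name and the XML well-formedness check are this example's own choices; PowerShell 2.0 or later is assumed.

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0+ and an elevated prompt.
param(
    [string]$Path = "$env:windir\system32\inetsrv\MetaBase.xml",
    [switch]$Apply   # without -Apply the script only reports and changes nothing
)
$ErrorActionPreference = 'Stop'

# IIS flushes its in-memory metabase to disk when it stops, so stop it before reading.
if ($Apply) { & net stop iisadmin /y }
try {
    # Read the file and keep the detected encoding for writing it back.
    $reader = New-Object System.IO.StreamReader($Path, $true)
    $text = $reader.ReadToEnd()
    $encoding = $reader.CurrentEncoding
    $reader.Close()

    # Match only the empty attribute and the whitespace in front of it,
    # never the element or the closing '>' around it.
    $pattern = '\s+IpSecurity\s*=\s*""'
    $hits = [regex]::Matches($text, $pattern)
    Write-Host ("Empty IpSecurity attributes found: {0}" -f $hits.Count)

    # Name the metabase node of each hit (nearest preceding Location attribute).
    foreach ($m in $hits) {
        $loc = [regex]::Match($text.Substring(0, $m.Index),
                              'Location\s*=\s*"([^"]*)"', 'RightToLeft')
        Write-Host ("  " + $loc.Groups[1].Value)
    }

    if ($Apply -and $hits.Count -gt 0) {
        $fixed = [regex]::Replace($text, $pattern, '')

        # Refuse to write a file that no longer parses as XML.
        $doc = New-Object System.Xml.XmlDocument
        $doc.LoadXml($fixed)

        Copy-Item $Path ("{0}.bak-{1}" -f $Path, (Get-Date -Format yyyyMMddHHmmss))
        [System.IO.File]::WriteAllText($Path, $fixed, $encoding)
    }
}
finally {
    # Starting W3SVC also starts IIS Admin; other services stopped by /y
    # (for example SMTP) have to be started separately.
    if ($Apply) { & net start w3svc }
}
```

Run it without -Apply first to see which metabase nodes carry the empty attribute before anything is stopped or written.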

Does anyone know if there is a 64 bit version for the patch? Thanks!
June 5th, 2009 6:53pm

I too had this issue when trying to upgrade from Exchange 2007 SP 1 to Exchange 2007 SP 3. It kept crashing on the upgrade for the CAS Role with error:

Unable to create Internet Information Services (IIS) directory entry. Error message is: Exception from HRESULT: 0x80005008. HResult = -2147463160. Exception from HRESULT: 0x80005008.

I did have IP Restrictions and even removing them didn't help. Then I found this article and deleted the IpSecurity="" lines from my MetaBase.xml file, and restarting IIS Admin Service and then launching the SP 3 installer worked with 0 issues. I would have NEVER figured this out without probably a 4 hour MS Tech Support call for $250, until coming across this article. THANK YOU THANK YOU THANK YOU. You saved me many hours of headache and panic.
August 8th, 2010 3:42am

This topic is archived. No further replies will be accepted.
