New user can't access OWA

Hello, I am facing a situation where, in a small organization hosted on an on-premises Exchange 2013, some newly created users can't access OWA (Outlook access is O.K.). When I try to open their mailbox I get the below:

X-OWA-Error: Microsoft.Exchange.Data.Storage.ConnectionFailedTransientException
X-OWA-Version: 15.0.995.28

These mailboxes are created through the ECP console and are OWA enabled (which is the default option).

This error is not very clear and I would appreciate some ideas on where to start troubleshooting. Out of 70 mailboxes only the two newly created ones have this problem. In fact, any user created from now on has this issue.

Thanks.

August 4th, 2015 8:14am

Hello Jsof;

Just make sure these users have the following option in your Active Directory.

Right-click on the user > Properties > Security > Advanced.

August 4th, 2015 8:24am

Have you checked eventvwr on this server? You can also dig through IIS Logs and see what is happening when they try to connect. When did this issue begin (what changed?).

Also try to clear the cache/cookies in your browser. Have them try another browser or another machine. Try to give yourself permission to their account and access their mailbox from OWA. Can you also paste the full error from "Show Details"?

August 4th, 2015 8:29am

Hi,

Run this command for the users that are not working:

Get-Mailbox UserName | FL ExchangeVersion

If the value is 0.0, run this command:

Set-Mailbox UserName -ApplyMandatoryProperties

Best Regards.

August 5th, 2015 2:44am

Can you please post the error which you are getting for these two users.
August 5th, 2015 6:10am

Hello

Follow the below steps.

1- Try to log in as one of the users and you will get the error.

2- Go to the IIS logs and check the OWA logs for that date. Scroll to the bottom and start searching by user name upwards.

Send the 20 log lines above and below that user's entry to me for analysis.

August 5th, 2015 8:30am

Hello, 

IIS logs are disabled on the Exchange server to save disk space - I understand that to some this may not sound good, but there are limitations applied which I cannot control :)

I will re-enable the IIS logs just for the sake of troubleshooting.

The event viewer is not so clear on the subject but I will try to get a view on it when the issue happens.

Already tried clearing cache in browser that didn't help.

I will post again my findings (if any) soon including the shell commands suggested above.

Thanks to all of you for your answers and suggestions.

August 5th, 2015 12:17pm

- The IIS logs are in the form - the error page occurs when you try to set the timezone (1st time OWA run):

2015-08-06 08:21:53 10.0.0.247 GET /owa/auth/errorfe.aspx httpCode=500&msg=198161982&owaError=Microsoft.Exchange.Data.Storage.ConnectionFailedTransientException&owaVer=15.0.995.28&be=SERVER&ts=130833229137126455&CorrelationID=<empty>;&cafeReqId=79fd5aef-13f3-47ef-af7b-246f0cae0304; 443 - xxx.xxx.xxx.xxx Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+InfoPath.3) https://server.domain.com/owa/userX@domain.com/languageselection.aspx?url=/owa/UserX@domain.com/?offline%3ddisabled 200 0 0 46

- In the event viewer among numerous other entries this seemed the most relevant (timestamp wise too):

[Process:Microsoft.Exchange.RpcClientAccess.Service PID:3096 Thread:21] Error occurred while resolving the Active Directory object for from email address field: '/o=Domain/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=b345dd298b51c4ea38370abfc0281b0eb-Domain Acc'. Audit log will not be generated for this case. Exception details:
Microsoft.Exchange.Data.Storage.ObjectNotFoundException: The Active Directory user wasn't found.
   at Microsoft.Exchange.Data.Storage.ExchangePrincipalFactory.FromProxyAddress(IRecipientSession session, String proxyAddress, RemotingOptions remotingOptions)
   at Microsoft.Exchange.Data.Storage.ExchangePrincipalFactory.FromProxyAddress(ADSessionSettings adSettings, String proxyAddress, RemotingOptions remotingOptions)
   at Microsoft.Exchange.Data.Storage.ExchangePrincipal.FromProxyAddress(ADSessionSettings adSettings, String proxyAddress)
   at Microsoft.Exchange.Data.Storage.COWAudit.GetSubmitEffectiveMailboxOwner(MailboxSession session, CallbackContext callbackContext)

* The user is present in the directory

- The command Get-Mailbox UserName| FL ExchangeVersion does not return 0.0

- Last but not least, the domain controllers are Windows 2003. :)

Any ideas will be greatly appreciated.

August 6th, 2015 9:06am
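
The IIS entry quoted in the post above can be triaged with a small parser. This is an added example, not part of the original thread: it reads the column order from the `#Fields:` header, extracts `owaError` and `cafeReqId` from the `errorfe.aspx` query string, and flags entries whose referer has the `/owa/<smtp address>/` form, which OWA uses when a mailbox is opened by explicit address. The function name, the header line and the sample entries are constructed for illustration.

```powershell
# Constructed sample: W3C header plus two entries modelled on the line quoted in the
# thread (client addresses are placeholders, query strings shortened).
$sample = @(
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken'
    '2015-08-06 08:21:53 10.0.0.247 GET /owa/auth/errorfe.aspx httpCode=500&owaError=Microsoft.Exchange.Data.Storage.ConnectionFailedTransientException&owaVer=15.0.995.28&be=SERVER&cafeReqId=79fd5aef-13f3-47ef-af7b-246f0cae0304; 443 - 192.0.2.10 Mozilla/4.0+(compatible) https://server.domain.com/owa/userX@domain.com/languageselection.aspx 200 0 0 46'
    '2015-08-06 08:25:10 10.0.0.247 GET /owa/auth/errorfe.aspx httpCode=500&owaError=Microsoft.Exchange.Data.Storage.ConnectionFailedTransientException&owaVer=15.0.995.28&be=SERVER&cafeReqId=00000000-0000-0000-0000-000000000000; 443 - 192.0.2.11 Mozilla/4.0+(compatible) https://server.domain.com/owa/languageselection.aspx 200 0 0 31'
)

function Get-OwaErrorEntry {                        # hypothetical helper name
    param([string[]]$Line)
    $names = @()
    foreach ($l in $Line) {
        if ($l -like '#Fields:*') {                 # column order comes from the header
            $names = ($l -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if ($l.StartsWith('#') -or -not $names) { continue }
        $f = $l -split ' '
        $row = @{}
        for ($i = 0; $i -lt $names.Count -and $i -lt $f.Count; $i++) { $row[$names[$i]] = $f[$i] }
        if ($row['cs-uri-stem'] -notlike '*/owa/auth/errorfe.aspx') { continue }

        $query = @{}                                # errorfe.aspx carries the error in its query string
        foreach ($pair in ($row['cs-uri-query'] -split '&')) {
            $k, $v = $pair -split '=', 2
            $query[$k] = "$v".TrimEnd(';')
        }
        # A referer of the form /owa/<smtp address>/... means a mailbox was opened by
        # explicit address rather than through the signed-in user's own /owa/ session.
        $target = if ($row['cs(Referer)'] -match '/owa/([^/@\s]+@[^/\s]+)/') { $Matches[1] } else { $null }

        [pscustomobject]@{
            Time          = "$($row['date']) $($row['time'])"
            ClientIP      = $row['c-ip']
            OwaError      = $query['owaError']
            CafeReqId     = $query['cafeReqId']
            TargetMailbox = $target
            ExplicitLogon = [bool]$target
        }
    }
}

Get-OwaErrorEntry -Line $sample | Format-Table -AutoSize
```

An entry with `ExplicitLogon` set points at someone opening another user's mailbox, so the next thing to check is the permissions of the account doing the opening rather than the mailbox owner's OWA settings.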

Hello. Repeat the setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms. Check replication to all domain controllers (DcDiag and repadmin /syncall). You will need to reboot the Exchange server after PrepareAD. Create a user
August 6th, 2015 9:27am

Can you verify these mailboxes are enabled?
August 6th, 2015 9:28am

Hello 

This problem occurs because the discretionary access control list (DACL) inheritance is disabled on the user account in Active Directory. 

To resolve this problem, follow these steps:
  1. Open Active Directory Users and Computers.
  2. Click View, and then click Advanced Features.

    Note: To make the Security tab available at both the user level and the organizational unit level, you must enable the Advanced Features option in Active Directory Users and Computers. This option is available under the View menu.
  3. Open the properties for both the user level and the organizational unit level that the users are located in, and then locate the Security tab.
  4. Click Advanced.
  5. Make sure that the following check box is selected: Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here.
  6. Force Active Directory replication.

You also need at least one 2008 Std/Ent domain controller, as the article below says.

http://blogs.technet.com/b/theexchangeguy/archive/2012/08/24/preparing-active-directory-and-schema-for-exchange-2013-release-preview.aspx

August 6th, 2015 10:06am

Hello all,

@Oleg: well, this isn't a new installation and there are already about 60 users configured and working as expected since long ago, so it shouldn't be AD schema related. :)

@Josh: yes, it was enabled and getting mail normally in Outlook.

@Prem: yes checked this too and the permissions were inherited from the parent.

I also cross-checked this user with ADSIedit against an "OWA working one", basically for the protocolSettings attribute, and this was OK too.

In fact the problem had been reported in a contradictory manner, hence the false alarm. The actual problem was that no FullAccess permission had been given to an administrative user to open this mailbox and configure it - the problem WAS NOT that the user himself was not getting OWA, as I had initially thought. So I just ran the appropriate cmdlet and the problem was solved.

Still I want to thank you all for your support and contribution to my troubleshooting efforts. Definitely I have learned a thing or two from those very helpful answers of yours. =)

  • Marked as answer by jsof 20 hours 21 minutes ago
August 13th, 2015 7:10am
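
The resolution above comes down to a FullAccess grant on the mailbox. The following is an added example, not part of the original thread, and the poster does not name the cmdlet used: it assumes the standard `Add-MailboxPermission` route, lists who already holds explicit FullAccess, grants it for the troubleshooting session, and removes it afterwards. The mailbox and account names and the `Get-ExplicitFullAccess` helper are placeholders.

```powershell
# Run in the Exchange Management Shell. Both names below are placeholders.
$Mailbox = 'userX@domain.com'
$Admin   = 'DOMAIN\helpdesk-admin'

# Explicit (non-inherited) Allow entries that let someone other than the owner
# open the mailbox. Inherited entries come from the database or organization level.
function Get-ExplicitFullAccess {                   # hypothetical helper name
    param([string]$Identity)
    Get-MailboxPermission -Identity $Identity |
        Where-Object {
            -not $_.IsInherited -and -not $_.Deny -and
            $_.AccessRights -like '*FullAccess*' -and
            $_.User -notlike 'NT AUTHORITY\SELF'
        } |
        Select-Object Identity, User, AccessRights
}

# 1. Check before changing anything: is the admin account already listed?
Get-ExplicitFullAccess -Identity $Mailbox

# 2. Grant FullAccess for the troubleshooting session. AutoMapping is turned off so
#    the mailbox is not added automatically to the admin's Outlook profile.
Add-MailboxPermission -Identity $Mailbox -User $Admin `
    -AccessRights FullAccess -InheritanceType All -AutoMapping $false

# 3. When the mailbox has been configured, take the right away again.
Remove-MailboxPermission -Identity $Mailbox -User $Admin `
    -AccessRights FullAccess -InheritanceType All -Confirm:$false

# 4. Periodic review: every mailbox with an explicit FullAccess entry, so that
#    grants left behind after support work are visible.
Get-Mailbox -ResultSize Unlimited |
    ForEach-Object { Get-ExplicitFullAccess -Identity $_.DistinguishedName } |
    Sort-Object User |
    Format-Table -AutoSize
```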

This topic is archived. No further replies will be accepted.
