OWA 2010 Proxy Issue
Hi, I'm hoping someone can help me here. I basically have eight Exchange 2010 SP1 servers located at different sites around the globe. The two servers at head office are exposed for OWA and are set up for FBA. All other servers are just proxied to internally and are set for integrated authentication. This setup works fine for all but one of my servers. I have checked and double-checked and all settings appear correct, but I get the following response:

Request Url: https://EXPOSED-ADDRESS:443/owa/ev.owa?oeh=1&ns=HttpProxy&ev=ProxyRequest
User host address: CLIENT IP
User: USERNAME
EX Address: /o=ORG-NAME/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=USERNAME
SMTP Address: E-MAIL ADDRESS
OWA version: 14.1.218.13
Second CAS for proxy: https://PROXIED-SERVER-ADDRESS/owa

Exception
Exception type: Microsoft.Exchange.Clients.Owa.Core.OwaProxyException
Exception message: The proxy CAS failed to authenticate to the second CAS (it returned a 401)
Call stack
No callstack available

Inner Exception
Exception type: Microsoft.Exchange.Clients.Owa.Core.OwaAsyncOperationException
Exception message: ProxyPingRequest async operation failed
Call stack
Microsoft.Exchange.Clients.Owa.Core.ProxyPingRequest.EndSend(IAsyncResult asyncResult)
Microsoft.Exchange.Clients.Owa.Core.ProxyEventHandler.SendProxyPingRequestCallback(IAsyncResult asyncResult)

Inner Exception
Exception type: System.Net.WebException
Exception message: The remote server returned an error: (401) Unauthorized.
Call stack
System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
Microsoft.Exchange.Clients.Owa.Core.ProxyUtilities.EndGetResponse(HttpWebRequest request, IAsyncResult asyncResult, Stopwatch requestClock)
Microsoft.Exchange.Clients.Owa.Core.ProxyPingRequest.GetResponseCallback(IAsyncResult asyncResult)

Inner Exception
Exception type: System.ComponentModel.Win32Exception
Exception message: The target principal name is incorrect
Call stack
System.Net.NTAuthentication.GetOutgoingBlob(Byte[] incomingBlob, Boolean throwOnError, SecurityStatus& statusCode)
System.Net.NTAuthentication.GetOutgoingBlob(String incomingBlob)
System.Net.NegotiateClient.DoAuthenticate(String challenge, WebRequest webRequest, ICredentials credentials, Boolean preAuthenticate)
System.Net.NegotiateClient.Authenticate(String challenge, WebRequest webRequest, ICredentials credentials)
System.Net.AuthenticationManager.Authenticate(String challenge, WebRequest request, ICredentials credentials)
System.Net.AuthenticationState.AttemptAuthenticate(HttpWebRequest httpWebRequest, ICredentials authInfo)
System.Net.HttpWebRequest.CheckResubmitForAuth()
System.Net.HttpWebRequest.CheckResubmit(Exception& e)

Any help would be greatly appreciated.
Thanks
Steven
November 22nd, 2010 5:12am

Hi Kopite, if the user connects directly to the server with the problem, can he access OWA? Regards
November 22nd, 2010 6:47am

Hi Rafael, thanks for your quick response. Yeah, I can confirm that login is successful if the user hits the server directly. Thanks, Steven
November 22nd, 2010 6:54am

Hi Steven, can you access the server with the problem on port 443 from the two servers that are exposed to OWA?
November 22nd, 2010 6:59am

Yeah, I can confirm that I can access this server fine over 443 from the exposed servers. It even suggests that I log on via the provided link for best performance, as my mailbox is located at head office, which suggests proxying is configured correctly. However, I have noticed the following error in the log of the server at head office (the exposed server doing the proxying):

Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Date: 21/11/2010 18:12:18
Event ID: 4
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: SERVER-PROXYIED-FROM
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server SERVER-PROXYIED-TO. The target name used was HTTP/SERVER-PROXYIED-TO. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (DIR.INNOVIAFILMS.COM) is different from the client domain (DIR.INNOVIAFILMS.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Kerberos" Guid="{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}" EventSourceName="Kerberos" />
    <EventID Qualifiers="16384">4</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-11-21T18:12:18.000000000Z" />
    <EventRecordID>15028</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>SERVER-PROXYIED-FROM</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="Server">SERVER-PROXYIED-TO$</Data>
    <Data Name="TargetRealm">DOMAIN-NAME</Data>
    <Data Name="Targetname">HTTP/SERVER-PROXYIED-TO</Data>
    <Data Name="ClientRealm">DOMAIN-NAME</Data>
    <Binary> </Binary>
  </EventData>
</Event>

I have checked the registered SPNs on both of the servers in the cluster at the remote site and everything appears to have been registered correctly.
Thanks again
Ste
November 22nd, 2010 7:13am

Just FYI, below is another message I am receiving on the CAS server which is receiving the proxy request. I have tried updating the OWA VDir settings; as it's SP1, I have even tried resetting the virtual directory. No effect. However, I haven't tried creating an SPN for this, as the proxy-to address (internal address of the receiving server) is actually a CNAME and I'm not sure if it is possible to create an SPN for a CNAME? Any help would be gratefully received. Thanks

Log Name: Application
Source: MSExchange OWA
Date: 22/11/2010 14:29:07
Event ID: 71
Task Category: Proxy
Level: Error
Keywords: Classic
User: N/A
Computer: SERVER-PROXYIED-FROM
Description:
Microsoft Exchange Client Access server https://SERVER-PROXYIED-FROM/owa tried to proxy Outlook traffic to Client Access server https://SERVER-PROXYIED-TO/owa. This failed because the authentication for the connection between the two Client Access servers failed. This may be due to one of these configuration problems:
1. The host name in https://SERVER-PROXYIED-TO/owa may not be registered as a Service Principal Name (SPN) with Kerberos on the target Client Access server. This usually happens because you used the IP address, instead of the host name, of the target Client Access server in the "internalURL" configuration for the Outlook Web App virtual directory on the target Client Access server. You can change the "internalURL" configuration for the target Client Access server using the "Set-OwaVirtualDirectory" task. If you don't want to change the "internalURL" configuration for the Outlook Web App virtual directory on the target Client Access server, you can also use the tool "setspn.exe" on the target Client Access server to register additional SPNs for which that Client Access server will accept Kerberos authentication.
2. The server hosting https://SERVER-PROXYIED-TO/owa may be configured not to allow Kerberos authentication. It might be set to use Integrated Windows authentication for the Outlook Web App virtual directory, but be configured to only use NTLM (not Kerberos) authentication for Integrated Windows authentication. If you suspect this may be the cause of the failure, see the IIS documentation for additional troubleshooting steps.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MSExchange OWA" />
    <EventID Qualifiers="49152">71</EventID>
    <Level>2</Level>
    <Task>6</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-11-22T14:29:07.000000000Z" />
    <EventRecordID>162216</EventRecordID>
    <Channel>Application</Channel>
    <Computer>SERVER-PROXYIED-FROM</Computer>
    <Security />
  </System>
  <EventData>
    <Data>https://SERVER-PROXYIED-FROM/owa</Data>
    <Data>https://SERVER-PROXYIED-TO/owa</Data>
  </EventData>
</Event>
November 22nd, 2010 10:38am
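For the first cause listed in event 71 above (the SPN for the proxy target's InternalUrl host missing, or, as the Kerberos event 4 warns, registered on more than one account), here is an added PowerShell audit; it is not from the thread or from Microsoft. It assumes the Exchange Management Shell (for Get-OwaVirtualDirectory) and the ActiveDirectory module are loaded, and it also covers the CNAME question raised in the post by checking the canonical A-record name the Kerberos client may use to build the SPN.

```powershell
# Added example, not from the thread. Assumes the Exchange Management Shell
# and the ActiveDirectory module are available and the caller can read
# servicePrincipalName attributes in AD. Host names below are illustrative.
Import-Module ActiveDirectory

function Test-OwaProxySpn {
    param([Parameter(Mandatory)][string]$InternalUrl)

    $hostName = ([System.Uri]$InternalUrl).Host.ToLower()
    # If InternalUrl points at a CNAME, the proxying CAS may build the SPN from
    # the canonical (A-record) name instead, so audit both spellings.
    try   { $canonical = [System.Net.Dns]::GetHostEntry($hostName).HostName.ToLower() }
    catch { $canonical = $hostName }

    foreach ($name in @($hostName, $canonical) | Select-Object -Unique) {
        $spn = "HTTP/$name"
        # Every AD object carrying this SPN; Kerberos only works when there is exactly one.
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)
        $status = switch ($owners.Count) {
            0       { 'MISSING - register it on the target CAS computer account (setspn -S)' }
            1       { 'OK' }
            default { 'DUPLICATE - matches the KRB_AP_ERR_MODIFIED symptom; keep one registration' }
        }
        [pscustomobject]@{
            Spn    = $spn
            Owners = ($owners | ForEach-Object { $_.Name }) -join ', '
            Status = $status
        }
    }
}

# Audit the InternalUrl of every OWA virtual directory in the organisation.
Get-OwaVirtualDirectory |
    Where-Object { $_.InternalUrl } |
    ForEach-Object { Test-OwaProxySpn -InternalUrl $_.InternalUrl.AbsoluteUri }
```

A DUPLICATE row is the case event 4 describes: the ticket is encrypted with one account's key and the CAS tries to decrypt it with another's, which surfaces to OWA as the 401 seen in the original post.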

UPDATE: After noticing that the proxying error only appears when proxying through a certain front-end server, I failed this over and restarted the box. These errors now no longer appear and all is working correctly. Thanks
November 23rd, 2010 6:12am
