User cannot login - Exchange 2007
Hello!
I installed a new Exchange server in a new domain yesterday. Everything went well and I can (as an administrator) access mailboxes in OWA. Today I tried to add as a standard user from the AD. The login went well, he was getting the option to choose language but after that he doesn't get any further. The error message was:

RequestUrl: http://localhost:80/owa/lang.owa
User host address: 127.0.0.1
Exception
Exception type: Microsoft.Exchange.Data.Storage.StoragePermanentException
Exception message: There was a problem accessing Active Directory.
Call stack
Microsoft.Exchange.Data.Storage.ExchangePrincipal.Save()
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostLocally(OwaContext owaContext, OwaIdentity logonIdentity, CultureInfo culture, String timeZoneKeyName, Boolean isOptimized)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostRequest(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.PrepareRequestWithoutSession(OwaContext owaContext, UserContextCookie userContextCookie)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.InternalDispatchRequest(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchRequest(OwaContext owaContext)
System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Inner Exception
Exception type: Microsoft.Exchange.Data.Directory.ADOperationException
Exception message: Active Directory operation failed on aksad1.aksgroup. This error is not retriable. Additional information: Insufficient access rights to perform the operation. Active directory response: 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Call stack
Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32& retries, Int32 maxRetries)
Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADRawEntry entry, DirectoryRequest request, ADObjectId originalId)
Microsoft.Exchange.Data.Directory.ADSession.Save(ADObject instanceToSave, IEnumerable`1 properties)
Microsoft.Exchange.Data.Storage.ExchangePrincipal.Save()

Inner Exception
Exception type: System.DirectoryServices.Protocols.DirectoryOperationException
Exception message: The user has insufficient access rights.
Call stack
System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation)
Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADRawEntry entry, DirectoryRequest request, ADObjectId originalId)
January 18th, 2007 11:33am
By any chance is this new user a domain admin?
January 19th, 2007 1:40am
I am having the exact same problem with the exact same error. I only have this problem with my account (so far). I can login with a domain admin account, new accounts created after Exchange was loaded and from existing users that I created a mailbox for. I have removed my mailbox and tried to recreate it with the same results. Any clues?
January 20th, 2007 3:35am
This fixed my problem.

Original post: http://blog.justinho.com/SyndicationService.asmx/GetRssCategory?categoryName=Exchange%202007

Update: Fix 'em permissions

If your Exchange 2007 OWA is failing for a user after the mailbox is migrated from Exchange 2003 to Exchange 2007, the user account should be checked on the Security tab under Advanced to see if it has "Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here."

1. Open up Active Directory Users and Computers.
2. Go to the View menu, Advanced.
3. Locate the user in AD, right click, Properties. Jump to the Security tab.
4. Click "Advanced" next to "For special permissions or for advanced settings, click Advanced."
5. Check the "Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here." check box and apply.
6. Click OK and OK again.

Once changed and replicated, OWA works. This is checked by default but is turned off for accounts with administrative privileges. So how does this get turned off? Well, if the account is an administrative account or was ever an administrative account previously, it will be turned off automatically. Reference the following.

XADM: Do Not Assign Mailboxes to Administrative Accounts
http://support.microsoft.com/kb/328753
which says:

By not assigning mailboxes to accounts with administrative permissions, you avoid security issues related to "elevation of privilege" attacks. For example, in an elevation of privilege attack, a security hole exists in which Group X is made a member of the Domain Administrators group, and access control lists (ACLs) exist on Group X that permit Group Y to modify Group X. In this situation, members of Group Y can make themselves members of Group X and so become a member of the Domain Administrators group.

To help guard against such security issues, the Administrator account and accounts that are members of these security groups are not permitted to inherit permissions. On the Security tab of the group or account's properties page, you can see that the Allow inheritable permissions from parent to propagate to this object check box is not selected. Moreover, if you click to select this check box, a Microsoft Windows 2000 system task soon clears it automatically. Clearing the check box is a function of Windows 2000 intended to prevent hackers from playing with security and inappropriately increasing their permissions to the level of administrator.

As a side effect of this inheritance setting, if you do try to use a mailbox assigned to an administrative account, you may not be able to log on to or resolve the mailbox. Also, in Exchange System Manager, although the Administrator account can have an Exchange 2000 alias and an Exchange 2000 mailbox, it does not have e-mail addresses. The Recipient Update Service, which updates the e-mail addresses and several other attributes, does not have the authority to update objects if the Allow inheritable permissions from parent to propagate to this object check box is not selected.
January 20th, 2007 3:55am
I have the same problem.
However the CHECKBOX in the above mentioned fix is ALREADY selected...
Did anyone get any further to the SPECIFIC permission that is causing this?
March 2nd, 2007 7:15am
I too have the same problem.
Checkbox is already selected in my case too.
All the accounts with mailboxes created before installing Exchange 2007 have this problem after they are moved.
Although the domain admin accounts have no problem whatsoever after the move.
March 5th, 2007 3:55pm
Anyone got any further on this?
I can "fix" it but not in a sane way: if you give Authenticated Users all write permissions in the user's ACE (or at any level above it) it works fine, and no amount of playing has revealed what permission is really needed; it's not one you can select at an OU level.
But giving Authenticated Users write permissions is nigh on making an administrator out of the user, so I guess it's really broken for everyone (even admins in child domains can't use webmail either) and the admin rights just get round it.
March 22nd, 2007 11:19pm
I am also having this issue... The "Check Box Fix" did not work for me as well.
August 8th, 2007 8:12am
I had the same problem, but I resolved it... sigh.
I actually had an OU that was missing the "allow inheritable permissions" check, so of course it didn't matter what the user was set to.
So check the OU that the user resides in. Check the permissions and make sure inheritance is checked. In my case someone modified the default "Users" OU to not inherit.
Hope that helps you all... drove me crazy...
August 11th, 2007 3:42am
OK, got the same problem with the first new account I created on Exchange 2007. All of the OUs are set to inherit permissions. Any ideas?
August 17th, 2007 3:55pm
Planwithtan, did you check the user account?
If not, give it a go.
Mine is like most of the users have that inherit, while until now I found out only 2 users have their account unticked. Even on the OU there is a tick, but down at the user account level a few users may get missed.
I give my credit to the one who gave us the answer. It solved my problem too. Thank you.
September 23rd, 2008 1:27am
There is an issue with the ExchangeVersion for the user. This is caused by a user being created the "old" method in AD and adding a mailbox for that user in the 2007 environment. Read this blog as it fixed my issue. I was having the same problem and the inherit permissions were all correct.
http://nmdouh.blogspot.com/2008/02/error-message-when-users-try-to-log-on.html
November 17th, 2008 8:21pm
Thanks Jason. The link and the workaround fixed it for my user. The key for me was this error:

Property Languages cannot be set on this object because it requires the object to have version 0.1 (8.0.535.0) or later. Current version of the object is 0.0 (6.5.6500.0).

Running the shell command (Set-Mailbox User_Name -ApplyMandatoryProperties) on the user changes their mailbox version to 0.1 (8.0.535.0).
January 5th, 2009 12:18pm
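The thread ends up with three separate things to check for an account that gets this error: the "Allow inheritable permissions" flag on the user and on every OU above it, the adminCount marker that KB 328753 explains, and the mailbox object version behind the Set-Mailbox -ApplyMandatoryProperties fix. The script below is an added example, not code from any poster, that reports all three for one account; it assumes an Exchange 2007 Management Shell on a domain-joined host, and the account name is a constructed placeholder.

```powershell
# Added audit script (not from the thread). Assumes an Exchange 2007 Management Shell
# session on a domain-joined host; 'jdoe' is a constructed placeholder account name.
param([string]$SamAccountName = 'jdoe')

# Locate the user with a plain LDAP search (works without the AD PowerShell module).
$rootDse  = [ADSI]'LDAP://RootDSE'
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
$searcher.Filter     = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
$hit = $searcher.FindOne()
if (-not $hit) { throw "User '$SamAccountName' not found" }
$user = $hit.GetDirectoryEntry()

# 1. adminCount=1 marks accounts that AdminSDHolder/SDProp protects: the inheritance
#    check box will keep getting cleared on these, as KB 328753 describes. Report it;
#    the fix is to not mailbox-enable such accounts, not to fight SDProp.
$adminCount = $user.adminCount
if ($adminCount) { Write-Warning "adminCount=$adminCount (SDProp-protected account)" }
else             { Write-Host    "adminCount not set" }

# 2. Walk from the user up through every parent OU/container and report whether
#    'Allow inheritable permissions from the parent' is cleared on that object.
#    AreAccessRulesProtected = $true means the check box is unticked.
$entry = $user
while ($entry -and $entry.psbase.Path -match '^LDAP://.+=') {
    $blocked = $entry.psbase.ObjectSecurity.AreAccessRulesProtected
    $state   = if ($blocked) { 'INHERITANCE BLOCKED' } else { 'inherits          ' }
    Write-Host ("{0}  {1}" -f $state, $entry.distinguishedName)
    $entry = $entry.psbase.Parent   # stops at the namespace object above the domain
}

# 3. Mailbox object version: objects still at 0.0 (6.5.x) fail in OWA with
#    'Property Languages cannot be set' until the mandatory properties are applied.
$mbx = Get-Mailbox -Identity $SamAccountName -ErrorAction Stop
Write-Host ("ExchangeVersion: {0}" -f $mbx.ExchangeVersion)
if ("$($mbx.ExchangeVersion)" -like '0.0 *') {
    Write-Warning "Legacy mailbox version; run: Set-Mailbox '$SamAccountName' -ApplyMandatoryProperties"
}
```

The script only reports; re-ticking the inheritance box on an adminCount=1 account is pointless because SDProp clears it again, so for those accounts the durable fix is the one the KB gives.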
Fontyyy's suggestion helped me. My test user mailbox was moved from Exchange03 to Exchange07, so I had the "Version Issue". Once I fixed that, I then ran into the "Access Denied Issue". The Inherit Properties checkbox was checked, so I then gave "Authenticated Users" Write Permissions on the account and it worked. But what the hay, as we say here in NM?
April 30th, 2009 7:00pm
JasonWilks' post fixed it for me. Cheers for the link. F
August 13th, 2009 1:20pm
Over 4 years old... and yet, still very helpful!
April 6th, 2011 2:56pm