by Nicolas Blank 27th of April 2012

OWA proxy diagnosis

This post is the first in a series of diagnosing specific CAS issues. Today were going to take a look specifically at OWA site to site proxy issues.

Outlook Web App isn’t available. If the problem continues, please contact your helpdesk

While appropriate, this isn’t the most descriptive error message in the world. In order to demonstrate this scenario I build a lab with two Exchange Servers, both deployed on domain controllers in different AD sites. In this scenario, OWA is published to the internet in Site 1, however the user in question is trying to login to his mailbox, which is hosted in Site 2. Site 1 is internet facing and Site 2 is not. Both sites are running Exchange 2010.

Let’s look at what’s happening “under the hood”:

  • After a user has authenticated to an internet facing CAS server, the CAS server attempts to locate the location and version of the users mailbox.
  • If the user is local, the mailbox is rendered.
  • If the user is NOT local, then use the AD Routing information supplied by the “Microsoft Exchange Active Directory Topology” service to locate a CAS server in the site hosting the user’s mailbox. If an external URL is configured on the CAS server in the second site, then silently redirect to the URL (available in SP2) or redirect the user to the link supplied. If the external URL is NOT specified, and an internal URL exists, AND the authentication method on the virtual directory is set to windows integrated, THEN proxy the request.

In the Exchange Management GUI, you should see the following, first the empty

External URL

Second, the authentication method is set to windows integrated:

However we’re still receiving an error.

Looking at the Active Directory event logs on the Domain Controllers in both sites, we may notice a number of Active Directory errors, including Inter Site Topology Generator errors. These are the clue that we need.

When we open the Active Directory Sites and Services administration tool, we would notice that the IP SITE LINK between the two sites is missing or misconfigured. Without valid site links, Exchange cannot proxy between sites and OWA fails.

Re-creating the site link, and waiting for replication and cache timeouts to take effect, (or restarting the “Microsoft Exchange Active Directory Topology” service) and OWA stops replying with an error message and renders the users mailbox.

Let’s recap quickly; our three areas for OWA site to site proxy failures are:

  • Incorrect URL’s
  • Incorrect authentication
  • Incorrect site link definitions

The last one can be a bit tricky since it’s often unexpected, and most of us take for granted that AD is either designed and implemented correctly or at least is healthy.