"403: Forbidden" error when you try to view organization-wide free/busy information

Summary

When you try to view organization-wide free/busy information, the attempt fails and generates a "403: Forbidden" error.

For example, you have Forest A on a server that is running Microsoft Exchange 2007 and Forest B on a server that is running Microsoft Exchange Server 2013 or Microsoft Exchange Server 2010. In this situation, a user in Forest A cannot see the free/busy information of a user in Forest B. Additionally, the following event is logged in the event log on the source server:

Log Name:      Application

Source: MSExchange Availability

Date: xxxxx

Event ID: 4002

Task Category: Availability Service

Level: Error

Keywords: Classic

User: N/A

Computer: xxxxxxxx

Description:

Process xxxxx[w3wp.exe:/LM/W3SVC/1/ROOT/EWS-1-130778800910201315]: Proxy request CrossForest from
Requester:S-1-5-21-1016748826-3068013645-1401187561-1105 to https://xxxx/EWS/Exchange.asmx failed.
Caller SIDs: . The exception returned is Microsoft.Exchange.InfoWorker.Common.Availability.ProxyWebRequestProcessingException:
System.Net.WebException: The request failed with HTTP status 403: Forbidden.

On the destination server, the following entry is logged in the Internet Information Services (IIS) log, under the W3SVC1 directory:

IIS Logs: 2015-06-08 04:19:25 xx.xxx.xxx.xxx POST /EWS/Exchange.asmx &CorrelationID=<empty>;&ClientId=JQJLGECZ0MGEHVVWEBZG&cafeReqId=9f422915-0721-48ce-b2c6-4406d2c1b49d; 443 domain\serviceaccount xx.xx.xx.xx ASProxy/CrossForest/EmailDomain/EXCH/08.03.0083.000 - 403 0 0 718

On the server that is running Exchange Server 2013, the following entry is logged in the HTTPProxy log:

WebExceptionStatus=ProtocolError;ResponseStatusCode=403;WebException=System.Net.WebException: The remote server returned an error: (403) Forbidden.    at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)    at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<>c__DisplayClass2c.<OnResponseReady>b__2b();

On the Mailbox server, the following entry is logged in the IIS log, under the W3SVC2 directory:

2015-06-08 04:16:29 xx.xx.xx.xx POST /EWS/Exchange.asmx - 444 domain\serviceaccount 10.152.152.166 ASProxy/CrossForest/EmailDomain/EXCH/08.03.0083.000 403 0 0 233

On the Mailbox server, the following entry is logged in the EWS log:

AuthError=User not allowed to access EWS;,FaultInnerException=Microsoft.Exchange.Services.Core.Types.ServiceAccessDeniedException: Access is denied. Check credentials and try again.;ExceptionHandlerBase_ProvideFault_FaultException=System.ServiceModel.FaultException: Access is denied. Check credentials and try again.    at Microsoft.Exchange.Services.Wcf.MessageInspectorManager.InternalAfterReceiveRequest(Message& request  IClientChann 

Cause

This problem occurs because EWS access is restricted at the organization level in Forest B. Forest B allows only selected applications to access EWS, and cross-forest free/busy requests are not among the allowed applications.

To check the organization configuration, run the following command:

Get-OrganizationConfig | fl *ews*

Resolution

To enable cross-forest free/busy requests at the organization level, you have to add the user agent to the EWS allow list. For example, in the situation that is described in the "Summary" section, add the following user agent string.

Note: This information is taken from the IIS logs on the destination server.

ASProxy/CrossForest/EmailDomain/EXCH/08.03.0083.000

Then, run the following command:

Set-OrganizationConfig -EwsAllowList "ASProxy/CrossForest/EmailDomain/EXCH/08.03.0083.000","TestApp","app1"
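
Passing a plain list of values to -EwsAllowList replaces whatever entries the list already holds. The following Exchange Management Shell snippet is an added example, not part of the original article: it checks the current EWS access policy and appends the user agent without overwriting existing entries. The $UserAgent variable name is an assumption of this example; its value is the string from the IIS log in the "Summary" section.

```powershell
# Added example. Run in the Exchange Management Shell in Forest B.
# $UserAgent (hypothetical variable name) holds the user agent string
# copied from the IIS log on the destination server.
$UserAgent = 'ASProxy/CrossForest/EmailDomain/EXCH/08.03.0083.000'

$org = Get-OrganizationConfig

# Record the current EWS access settings before changing anything.
$org | Format-List EwsEnabled, EwsApplicationAccessPolicy, EwsAllowList, EwsBlockList

if ($org.EwsApplicationAccessPolicy -ne 'EnforceAllowList') {
    # The allow list is only consulted when the policy is EnforceAllowList.
    Write-Warning ("EwsApplicationAccessPolicy is '{0}'; the allow list is not enforced, " +
                   "so adding an entry would not change the 403 behavior." -f $org.EwsApplicationAccessPolicy)
}
elseif (@($org.EwsAllowList) -contains $UserAgent) {
    Write-Host "Already on the EWS allow list: $UserAgent"
}
else {
    # @{Add=...} appends to the multivalued property and keeps existing entries.
    Set-OrganizationConfig -EwsAllowList @{Add = $UserAgent}

    # Read the value back to confirm the change.
    (Get-OrganizationConfig).EwsAllowList
}
```
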

Properties

Article ID: 3082946 - Last Review: Aug 6, 2015 - Revision: 1

Microsoft Exchange Server 2013 Enterprise, Microsoft Exchange Server 2010 Enterprise, Microsoft Exchange Server 2007 Service Pack 3
