Description: The Client Access server "https://mail.contoso.com/owa" attempted to proxy Outlook Web App traffic for mailbox <UserDN>. This failed because no Client Access server with an Outlook Web App virtual directory configured for Kerberos authentication could be found in the Active Directory site of the mailbox. The simplest way to configure an Outlook Web App virtual directory for Kerberos authentication is to set it to use Integrated Windows authentication by using the Set-OwaVirtualDirectory cmdlet in the Exchange Management Shell, or by using the Exchange Management Console. If you already have a Client Access server deployed in the target Active Directory site with an Outlook Web App virtual directory configured for Kerberos authentication, the proxying Client Access server may not be finding that target Client Access server because it does not have an internalUrl parameter configured. You can configure the internalUrl parameter for the Outlook Web App virtual directory on the Client Access server in the target Active Directory site by using the Set-OwaVirtualDirectory cmdlet.
This issue can occur if the OWA version in Site B is incompatible with the version of OWA in Site A.
Note This issue can also occur if the authentication method was changed, and the change has not replicated to all AD DS sites.
To resolve this issue, verify that the OWA version on the Internet-facing AD DS site is the same or a later version than the OWA version on the site that is not Internet-facing. To verify the OWA version, follow these steps:
Start IIS Manager on the CAS in the Internet-facing AD DS site.
Expand the server that you want, expand Sites, expand Default Web Site, and then expand OWA.
Note the highest OWA version number.
Repeat steps 1 through 3 on the CAS in the AD DS site that is not Internet-facing.
If the OWA version is a later version on the CAS server in the AD DS site that is not Internet-facing, update the Exchange Server 2010 installation on the CAS in the AD DS site that is Internet-facing
As a best practice, we recommend that you update any CAS servers in Internet-facing AD DS sites before you update the CAS servers in AD DS sites that are not Internet-facing.