Consider the following scenario:
- You deploy Microsoft Exchange Server 2010 in multiple Active Directory Domain Services (AD DS) sites.
- AD DS Site A is Internet-facing.
- AD DS Site B is not Internet-facing.
- Microsoft Outlook Web App (OWA) is published in Site A.
- Windows Integrated Authentication is enabled on the Client Access server (CAS) in Site B.
- A user in Site B tries to log on to OWA.
In this scenario, the user may receive an error message that resembles the following:
Outlook Web App isn't available. If the problem continues, please contact your help desk.
Additionally, an error message that resembles the following is logged in the Application log on the CAS in Site A:
Source: MSExchange OWA
Event ID: 41
Task Category: Proxy
The Client Access server "https://mail.contoso.com/owa" attempted to proxy Outlook Web App traffic for mailbox <UserDN>. This failed because no Client Access server with an Outlook Web App virtual directory configured for Kerberos authentication could be found in the Active Directory site of the mailbox. The simplest way to configure an Outlook Web App virtual directory for Kerberos authentication is to set it to use Integrated Windows authentication by using the Set-OwaVirtualDirectory cmdlet in the Exchange Management Shell, or by using the Exchange Management Console. If you already have a Client Access server deployed in the target Active Directory site with an Outlook Web App virtual directory configured for Kerberos authentication, the proxying Client Access server may not be finding that target Client Access server because it does not have an internalUrl parameter configured. You can configure the internalUrl parameter for the Outlook Web App virtual directory on the Client Access server in the target Active Directory site by using the Set-OwaVirtualDirectory cmdlet.
This issue can occur if the OWA version in Site B is incompatible with the version of OWA in Site A.Note
This issue can also occur if the authentication method was changed, and the change has not replicated to all AD DS sites.
To resolve this issue, verify that the OWA version on the Internet-facing AD DS site is the same or a later version than the OWA version on the site that is not Internet-facing. To verify the OWA version, follow these steps:
- Start IIS Manager on the CAS in the Internet-facing AD DS site.
- Expand the server that you want, expand Sites, expand Default Web Site, and then expand OWA.
- Note the highest OWA version number.
- Repeat steps 1 through 3 on the CAS in the AD DS site that is not Internet-facing.
- If the OWA version is a later version on the CAS server in the AD DS site that is not Internet-facing, update the Exchange Server 2010 installation on the CAS in the AD DS site that is Internet-facing
As a best practice, we recommend that you update any CAS servers in Internet-facing AD DS sites before you update the CAS servers in AD DS sites that are not Internet-facing.
Article ID: 2712097 - Last Review: August 27, 2012 - Revision: 2.0
- Microsoft Exchange Server 2010 Enterprise
- Microsoft Exchange Server 2010 Standard
|kbsurveynew kbtshoot kbprb KB2712097|