"403: Forbidden" error when you try to view organization-wide free/busy information

Summary
When you try to view organization-wide free/busy information, the attempt fails and generates a "403: Forbidden" error.

For example, you have Forest A on a server that is running Microsoft Exchange 2007 and Forest B on a server that is running Microsoft Exchange Server 2013 or Microsoft Exchange Server 2010. In this situation, a user in Forest A cannot see the free/busy information of a user in Forest B. Additionally, the following event is logged in the event log on the source server:

Log Name:      Application
Source:        MSExchange Availability
Date:          xxxxx
Event ID:      4002
Task Category: Availability Service
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      xxxxxxxx
Description:
Process xxxxx[w3wp.exe:/LM/W3SVC/1/ROOT/EWS-1-130778800910201315]: Proxy request CrossForest from Requester:S-1-5-21-1016748826-3068013645-1401187561-1105 to https://xxxx/EWS/Exchange.asmx failed. Caller SIDs: . The exception returned is Microsoft.Exchange.InfoWorker.Common.Availability.ProxyWebRequestProcessingException:System.Net.WebException: The request failed with HTTP status 403: Forbidden.

On the destination server, the following entry is logged in the Internet Information Service (IIS) log, under the W3SVC1 directory:

IIS Logs:  2015-06-08 04:19:25 xx.xxx.xxx.xxx POST /EWS/Exchange.asmx &CorrelationID=<empty>;&ClientId=JQJLGECZ0MGEHVVWEBZG&cafeReqId=9f422915-0721-48ce-b2c6-4406d2c1b49d; 443 domain\serviceaccount xx.xx.xx.xx ASProxy/CrossForest/EmailDomain/EXCH/08.03.0083.000 - 403 0 0 718
On the server that is running Exchange Server 2013, the following entry is logged in the HTTPProxy log:

WebExceptionStatus=ProtocolError;ResponseStatusCode=403;WebException=System.Net.WebException: The remote server returned an error: (403) Forbidden.    at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)    at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<>c__DisplayClass2c.<OnResponseReady>b__2b();
On the Mailbox server, the following entry is logged in the IIS log, under the W3SVC2 directory:

2015-06-08 04:16:29 xx.xx.xx.xx POST /EWS/Exchange.asmx - 444 domain\serviceaccount 10.152.152.166 ASProxy/CrossForest/EmailDomain/EXCH/08.03.0083.000 403 0 0 233
On the Mailbox server, the following entry is logged in the EWS log:

AuthError=User not allowed to access EWS;,FaultInnerException=Microsoft.Exchange.Services.Core.Types.ServiceAccessDeniedException: Access is denied. Check credentials and try again.;ExceptionHandlerBase_ProvideFault_FaultException=System.ServiceModel.FaultException: Access is denied. Check credentials and try again.    at Microsoft.Exchange.Services.Wcf.MessageInspectorManager.InternalAfterReceiveRequest(Message& request  IClientChann
Cause
This problem occurs because EWS is blocked on Forest B at the organization level. Forest B allows only selected applications to access EWS. EWS is not allowed for cross-forest free/busy requests.

To check the organization configuration, run the following command:

Get-OrganizationConfig | fl *ews*

Resolution
To enable cross-forest free/busy requests at the organization level, you have to add the User agent to the EWS Allow list. For example, in the situation that is described in the "Summary" section, add the following User agent path.

Note This information is taken from IIS logs on the destination server.

ASProxy/CrossForest/EmailDomain/EXCH/08.03.0083.000

Then, run the following command:

Set-OrganizationConfig -EwsAllowList "ASProxy/CrossForest/EmailDomain/EXCH/08.03.0083.000","TestApp","app1"
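
An added example (not part of the original article) of making this change without overwriting entries already on the allow list: passing a plain list to -EwsAllowList replaces the existing values, while the @{Add=...} form appends. It assumes the Exchange Management Shell in Forest B and uses the user agent string from the IIS log above.

```powershell
# Added example: run in the Exchange Management Shell in Forest B.
# The user agent is the value logged in the destination server's IIS log.
$userAgent = 'ASProxy/CrossForest/EmailDomain/EXCH/08.03.0083.000'

# Record the current EWS access settings before changing anything.
$org = Get-OrganizationConfig
$org | Format-List EwsEnabled, EwsApplicationAccessPolicy, EwsAllowList, EwsBlockList

# The allow list is only evaluated when the policy is EnforceAllowList.
if ($org.EwsApplicationAccessPolicy -ne 'EnforceAllowList') {
    Write-Warning "EwsApplicationAccessPolicy is '$($org.EwsApplicationAccessPolicy)'; the allow list is not what is blocking this request."
    return
}

if ($org.EwsAllowList -contains $userAgent) {
    Write-Output "Already allowed: $userAgent"
}
else {
    # @{Add=...} appends to the multivalued property and keeps the
    # applications that are already allowed.
    Set-OrganizationConfig -EwsAllowList @{Add = $userAgent}
}

# Confirm the resulting list.
(Get-OrganizationConfig).EwsAllowList
```

EwsAllowList matches the User-Agent header that the client sends, so keep the entry as specific as the logged string; authentication of the cross-forest service account still applies independently of this list.
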
Properties

Article ID: 3082946 - Last Review: 08/06/2015 00:05:00 - Revision: 1.0

Microsoft Exchange Server 2013 Enterprise, Microsoft Exchange Server 2010 Enterprise, Microsoft Exchange Server 2007 Service Pack 3
