IIS 8.5 Windows authentication app not working - iis

I have several apps running on an IIS 8.5 server and I'm quite sure I have all the necessary features installed.
When I try to log in to the app my user doesn't work; I tried other users with the same result. I think the app is not looking at the Active Directory server, because I get no errors or logs in the app folder; I only have 401 (401 0 and 401 1) errors in the IIS log.
2017-07-26 08:42:53 10.101.16.195 GET /WebHostWinAuth/ wtrealm=urn%3aidsrv3&wctx=WsFedOwinState%3d2cw409_89M-Nz-vqfNi_cx3e2yfn1D95OvHx8vuwRQKRO7LgEANQTJqJjpvpvOrTqF87CLTdvkxRVtF5aOadAQOLSm7v6WFMTa_Y976-0eEfovVtyxmHqGsxY6YKSYXOsJq2yqCp7O_PKmfAf73UMC0ewTi8N0b9ZXt7cbhgJ1egONt7Ciqt2dGJDLwUCM7fYB-9s78xWApt8ZNRXBiWQQvi1jtPxqFgaZsQ6NuMqFU&wa=wsignin1.0 443 - 10.101.16.195 Mozilla/5.0+(Windows+NT+6.3;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/59.0.3071.115+Safari/537.36 - 401 0 0 18
2017-07-26 08:43:04 10.101.16.195 GET /WebHostWinAuth/ wtrealm=urn%3aidsrv3&wctx=WsFedOwinState%3d2cw409_89M-Nz-vqfNi_cx3e2yfn1D95OvHx8vuwRQKRO7LgEANQTJqJjpvpvOrTqF87CLTdvkxRVtF5aOadAQOLSm7v6WFMTa_Y976-0eEfovVtyxmHqGsxY6YKSYXOsJq2yqCp7O_PKmfAf73UMC0ewTi8N0b9ZXt7cbhgJ1egONt7Ciqt2dGJDLwUCM7fYB-9s78xWAptgnin1.0 443 - 10.101.16.195 Mozilla/5.0+(Windows+NT+6.3;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/59.0.3071.115+Safari/537.36 - 401 1 3221225581 2
2017-07-26 08:43:21 10.101.16.195 GET /WebHostWinAuth/ wtrealm=urn%3aidsrv3&wctx=WsFedOwinState%3d2cw409_89M-Nz-vqfNi_cx3e2yfn1D95OvHx8vuwRQKRO7LgEANQTJqJjpvpvOrTqF87CLTdvkxRVtF5aOadAQOLSm7v6WFMTa_Y976-0eEfovVtyxmHqGsxY6YKSYXOsJq2yqCp7O_PKmfAf73UMC0ewTi8N0b9ZXt7cbhgJ1egONt7Ciqt2dGJDLwUCM7fYB-9s78xWApt8ZNRXBiWQQvi1jtPxqFgaZsQ6NuMqFU&wa=wsignin1.0 443 - 10.101.16.195 Mozilla/5.0+(Windows+NT+6.3;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/59.0.3071.115+Safari/537.36 - 401 1 3221225581 3
2017-07-26 08:43:18 10.101.16.195 GET /WebHostWinAuth/ wtrealm=urn%3aidsrv3&wctx=WsFedOwinState%3d2cw409_89M-Nz-vqfNi_cx3e2yfn1D95OvHx8vuwRQKRO7LgEANQTJqJjpvpvOrTqF87CLTdvkxRVtF5aOadAQOLSm7v6WFMTa_Y976-0eEfovVtyxmHqGsxY6YKSYXOsJq2yqCp7O_PKmfAf73UMC0ewTi8N0b9ZXt7cbhgJ1egONt7Ciqt2dGJDLwUCM7fYB-9s78xWApt8ZNRXBiWQQvi1jtPxqFgaZsQ6NuMqFU&wa=wsi
I also tried to create a simple app, just a simple HTML page with Windows authentication, with the same result, so it is not an app problem; it is about IIS configuration.
The user's domain (and the Active Directory's, e.g. example.server.root) is not the same as the local machine's (different.host.com); does this matter? I have accessed this computer remotely using my user, so this computer should have access to the Active Directory domain, right?
I have tried:
Different users
Providers
Different web site
Other certificate
Edit Web Site anonymous auth to app pool identity
Add permissions to the web site folder (even with everyone)

For people with the same issue, this is exactly what was happening:
https://support.microsoft.com/en-gb/help/896861/you-receive-error-401-1-when-you-browse-a-web-site-that-uses-integrate
I can't add or modify registry entries, so the only solution has been to access the machine from another virtual machine and work with both at the same time. Far from being a proper solution, but at least I can continue my job.

This is what really happened. The Windows user was an admin, and it had no additional information in Active Directory (no email or surname). The software was expecting a "non-null" value in those fields, so the login failed.

ECP & OWA aren't working - "Incorrect username/password"

I haven't been here for some time. This time I think I have one of those "rocket science" problems, so shall I start?
Alright, tl;dr: I started to work in a company as a sysadmin and the last guy that I replaced really messed some stuff up, and I'm spinning around trying to fix it.
I'm going to try to sum up everything in one post to avoid being asked the same questions over and over again.
The Problem:
I cannot access ECP/OWA, no matter which credentials I give it (and they are validated as correct against Outlook itself); Outlook works, ECP/OWA does not.
The error I get, no matter where I access it from (internally / locally):
"The user name or password you entered isn't correct. Try entering it again."
- I think the problem lies within owa (Exchange Back End) / ecp (Exchange Back End); as I tried various suggested solutions I may have deleted the back end virtual directories to recreate them.
Some Info:
OS and Exchange: Windows Server 2016, Exchange 2016
Exchange CU Version: CU6
Logs & Debugging:
Event Viewer:
The Outlook Web App configuration settings couldn't be read and updated. Virtual directory: "owa". Web site: "Exchange Back End".
Error message:
"The Active Directory configuration settings couldn't be accessed for virtual directory "owa" under Web site "Exchange Back End"."
-> Source: MSExchangeOWA
-> Event ID: 64
--> Qualifiers: 49152
IIS:
W3SVC1 (Default Web Site?) + W3SVC2 (Exchange Back End?) log files don't say much actually; no indication of errors when I try to log in. Here are a few lines I found (but they are about health mailboxes):
2018-07-19 00:28:34 ::1 POST /owa/proxylogon.owa &ClientId=Some_Content_Here&ClientRequestId=&ActID=Some_Content_Here&CorrelationID=<empty>&userContextLogonIdentityName=DOMAIN_NAME\HealthMailboxc66d8b0&userContextLogonIdentitySid=Some_Content_Here&userContextMbGuid=Some_Content_Here&redir=lang 444 DOMAIN_NAME\HealthMailboxc66d8b0 ::1 Mozilla/4.0+(compatible;+MSIE+11.0;+Trident/7.0;+rv:11.0;+Windows+NT+6.1;+MSEXCHMON;+ACTIVEMONITORING;+EACBACKENDLOGON) - 302 0 0 3768
2018-07-19 00:28:34 ::1 GET /ecp/About.aspx ActID=Some_Content_Here 444 - ::1 Mozilla/4.0+(compatible;+MSIE+11.0;+Trident/7.0;+rv:11.0;+Windows+NT+6.1;+MSEXCHMON;+ACTIVEMONITORING;+EACBACKENDLOGON) - 401 1 2148074254 3
2018-07-19 00:28:34 ::1 GET /ecp/About.aspx ActID=Some_Content_Here 444 DOMAIN_NAME\HealthMailboxc66d8b0 ::1 Mozilla/4.0+(compatible;+MSIE+11.0;+Trident/7.0;+rv:11.0;+Windows+NT+6.1;+MSEXCHMON;+ACTIVEMONITORING;+EACBACKENDLOGON) - 302 0 0 82
2018-07-19 00:28:34 ::1 GET /owa/languageselection.aspx url=%2fecp%2fAbout.aspx&ClientId=Some_Content_Here&ClientRequestId=&ActID=Some_Content_Here&CorrelationID=<empty> 444 - ::1 Mozilla/4.0+(compatible;+MSIE+11.0;+Trident/7.0;+rv:11.0;+Windows+NT+6.1;+MSEXCHMON;+ACTIVEMONITORING;+EACBACKENDLOGON) - 401 1 2148074254 2
2018-07-19 00:28:34 ::1 GET /owa/auth/error.aspx url=%2fecp%2fAbout.aspx&ClientId=Some_Content_Here&ClientRequestId=&ActID=Some_Content_Here&CorrelationID=<empty> 444 DOMAIN_NAME\HealthMailboxc66d8b0 ::1 Mozilla/4.0+(compatible;+MSIE+11.0;+Trident/7.0;+rv:11.0;+Windows+NT+6.1;+MSEXCHMON;+ACTIVEMONITORING;+EACBACKENDLOGON) - 200 0 0 17
ADSI vs IIS:
You can see that there is no "owa (Exchange Back End) / ecp (Exchange Back End)"; that might be the problem. I didn't have time to compare these against my locally hosted mail server to confirm.
This is in:
CN=HTTP,CN=Protocols,CN=Mail_Server,CN=Servers,CN=Exchange Administrative Group (GUID_HERE),CN=Administrative Groups,CN=DOMAIN_NAME,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DOMAIN_NAME,DC=local
IIS:
Default Web Site
Exchange Back End
I think it's important to mention that I had a lot of problems before this which have been fixed, and this one popped up (probably my mistake) recently after solving a lot of errors about OWA that came before it.
Believe me, I dug every hole on the internet to find a solution without success. I have a final solution planned (as a plan B at the moment), which is upgrading Exchange from CU6 to CU10 (planned to happen soon), but I can't really do that at the moment, keeping in mind that these are production servers and I cannot do whatever I want.
Tried solutions:
Recreating virtual directories (including webApplications) & Recycling AppPools (OWA & ECP)
Changing authentication methods and SSL settings back to default (https://learn.microsoft.com/en-us/exchange/clients/default-virtual-directory-settings) + comparing to a local mail server hosted at home.
Checking permissions (permissions are fine)
Checking Bindings and SSL cert attached to https bindings
Comparing IIS config files found at C:\Windows\System32\inetsrv\config\ vs My local hosted Mail Server (didn't really find much difference)
Restarting IIS of course (tons of times) and rebooting
Analyzing with Exchange Analyzer (https://gallery.technet.microsoft.com/office/Exchange-Analyzer-6e20132e) - no critical errors or anything noticeable relating to ECP / OWA / web services
Updating CAS (C:\Program Files\Microsoft\Exchange Server\V15\Bin\UpdateCas.ps1)
Testing Exchange connectivity (https://testconnectivity.microsoft.com/) - No errors whatsoever
More (can't remember anymore.. too much)
I hope all of this helps analyzing the problem and fixing it; hope we can find a fix for this without having to upgrade/reinstall Exchange, and thanks for reading.
I have finally fixed the problem!
Here's what I did, for reference to people having the same or a similar problem:
NOTE: You are going to need an Exchange 2016 server with a working ECP/OWA to compare the broken machine's files against and fix the problem (I installed a local virtual machine on my home PC; you can do so too).
Fixing EventID 64 # Event Viewer:
This is for people getting this error # Event Viewer
The Outlook Web App configuration settings couldn't be read and updated. Virtual directory: "XXX". Web site: "XXX".
Error message:
"The Active Directory configuration settings couldn't be accessed for virtual directory "XXX" under Web site "XXX"."
-> Source: MSExchangeOWA
-> Event ID: 64
--> Qualifiers: 49152
I suspected that this was the problem, and after some research I found this article (follow the article): https://dirteam.com/dave/2010/12/23/fixing-a-broken-owa-2010-virtual-directory/
In my situation, after doing the steps in the article the errors went away, but I still couldn't log in!
I had no errors anymore, not in the Event Viewer or IIS logs, so I thought to myself that, in the same way I had followed https://dirteam.com/dave/2010/12/23/fixing-a-broken-owa-2010-virtual-directory/ to fix the ADSI objects of ECP and OWA, I could apply the same concept, but instead of comparing ADSI objects, this time comparing an example machine's working ECP/OWA config files against the broken ECP/OWA config files might reveal the problem to me!
So I fired up my local Exchange 2016 server back at home and compared 3 files using https://www.diffchecker.com/ to check what was wrong.
I went ahead and compared those 3 web.config files, located at:
[Exchange_Install_Drive]\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp
[Exchange_Install_Drive]\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa
C:\inetpub\wwwroot
To my surprise I found some wrong and empty parameters in those files, so I went ahead and made a backup of those files, carefully removed those parameters, saved them and restarted the IIS service (iisreset).
ECP and OWA are now fully working for me!
Hope this helps anyone!
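The comparison described in the answer above was done by hand in an online diff tool. What follows is an added example, not the poster's code: a structural comparison of two web.config files that matches elements by identity (the name/key/path/verb attribute) rather than by line position, so reordering and whitespace do not show up as differences, and that reports exactly what the poster was hunting for: attributes that are empty in the broken file but set in the reference, values that differ, and elements missing altogether. The two embedded sample files are constructed for the example; the keys in them are hypothetical and are not Exchange's real web.config settings. `compare_files` takes the paths of a known-good and a suspect file.

```python
"""Structural comparison of two web.config files (added example).

Matches elements by tag plus an identifying attribute (name/key/path/verb)
so that <add key="..."/> list entries are compared by identity, not by
line position, and whitespace or ordering differences are ignored.
"""
import xml.etree.ElementTree as ET

KEY_ATTRS = ("name", "key", "path", "verb")


def _node_path(elem, parent_path):
    """Build a stable path like /configuration/appSettings/add[@key='X']."""
    ident = ""
    for attr in KEY_ATTRS:
        if elem.get(attr) is not None:
            ident = f"[@{attr}={elem.get(attr)!r}]"
            break
    return f"{parent_path}/{elem.tag}{ident}"


def flatten(root):
    """Return {path: {attribute: value}} for every element in the tree."""
    out = {}

    def walk(elem, parent_path):
        path = _node_path(elem, parent_path)
        out[path] = dict(elem.attrib)
        for child in elem:
            walk(child, path)

    walk(root, "")
    return out


def compare(reference_root, target_root):
    """List (kind, path, attribute, detail) findings, reference vs target."""
    ref, tgt = flatten(reference_root), flatten(target_root)
    findings = []
    for path, ref_attrs in ref.items():
        if path not in tgt:
            findings.append(("missing-element", path, None, None))
            continue
        for name, ref_val in ref_attrs.items():
            tgt_val = tgt[path].get(name)
            if tgt_val is None:
                findings.append(("missing-attribute", path, name, ref_val))
            elif tgt_val == "" and ref_val != "":
                findings.append(("empty-value", path, name, ref_val))
            elif tgt_val != ref_val:
                findings.append(("different-value", path, name,
                                 f"{tgt_val!r} vs reference {ref_val!r}"))
    for path in tgt:
        if path not in ref:
            findings.append(("extra-element", path, None, None))
    return findings


def compare_strings(reference_xml, target_xml):
    return compare(ET.fromstring(reference_xml), ET.fromstring(target_xml))


def compare_files(reference_path, target_path):
    """Compare two web.config files on disk (paths supplied by the caller)."""
    return compare(ET.parse(reference_path).getroot(),
                   ET.parse(target_path).getroot())


# Constructed samples: a known-good file and a damaged copy.  The keys are
# hypothetical and are not Exchange's real web.config settings.
REFERENCE_XML = """<configuration>
  <appSettings>
    <add key="ExampleTimeoutMinutes" value="20" />
    <add key="ExampleFeatureFlag" value="true" />
  </appSettings>
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</configuration>"""

BROKEN_XML = """<configuration>
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
  <appSettings>
    <add key="ExampleFeatureFlag" value="true" />
    <add key="ExampleTimeoutMinutes" value="" />
  </appSettings>
</configuration>"""

if __name__ == "__main__":
    for kind, path, attr, detail in compare_strings(REFERENCE_XML, BROKEN_XML):
        print(f"{kind:18} {path}" + (f"  {attr}: {detail}" if attr else ""))
```

Running it on the samples reports the emptied `value`, the flipped `anonymousAuthentication` setting and the missing `windowsAuthentication` element, and nothing for the reordered `appSettings` block. Doing the comparison locally also keeps the files off a third-party site: web.config files routinely carry machineKey and connection-string material that should not be pasted into an online diff tool.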

403 Forbidden Error - IIS 8

I'm using IIS 8 on Windows 2012 server. I have a site set up to serve as an API for HTTPS traffic on a custom port (4443). I have installed a wildcard SSL certificate, which is functioning properly. Our network firewall is routing all public inbound traffic on port 4443 to this server internally, which is then being handled by IIS.
From the server itself, everything works fine. I am not using localhost, and do not have a hosts file entry looping the traffic back internally. Going to https://api.blahblahblah.com:4443 returns what I want.
However, from external to the network, I am getting a 403 Forbidden error. I know the traffic is making it to the server because I get the correct custom "X-Powered-By" response header that I have set on that server.
I have tried setting the permissions on the folder that contains the site files to allow Full Control to "Everyone", but no luck. The site has Anonymous Authentication enabled for the user "IUSR". Directory browsing is disabled.
What's going on? I'm assuming it's a permissions error with the file system, but I figured having the Everyone permission would eliminate that. Also, there is nothing special about the internal traffic (from the server itself) in terms of an authenticated session or anything. It's just a plain request with no bells or whistles.
Please help! Thanks.
=======UPDATE=======
Here is a sample log entry showing the substatus code of 16:
2018-02-08 17:56:58 10.1.10.11 GET /favicon.ico - 4443 - 184.4.143.229 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36 https://api.blahblahblah.com:4443/data/countyList 403 16 2148204809 97
Apparently this is a client certificate trust issue? Upon further testing, I am able to access the site without issue from another device, just not my primary development PC.
I just set the site to Ignore Client Certificates in the SSL Settings, and it is working as expected again.
A 403 error could occur for multiple reasons. Could you please share the substatus code? You can find it in the IIS logs. Default location: C:\inetpub\logs\logfiles\w3svc_websiteID.
Once you have the substatus code, please share it here.
You can also capture FREB logs by following this article - https://learn.microsoft.com/en-us/iis/troubleshoot/using-failed-request-tracing/troubleshooting-failed-requests-using-tracing-in-iis
Just modify step #10 in this article and don't uncheck anything in your case (leave everything at default). This will clearly tell you what's going on in the IIS pipeline.
If it's 403.14, just add a default document in IIS and you should be good to go.

The page was not displayed because the Request URI is too long

I am trying to map a network share to an application in IIS 8, but when I try to retrieve a test file I get this error in plain black text:
The page was not displayed because the Request URI is too long.
The URL I test (on the server) is a short, simple one:
http://localhost/server/test.jpg
I tested from another computer using the IP, but got the same error.
This is the information I get from the IIS log:
2017-09-13 07:56:23 ::1 GET /server/test.jpg - 80 - ::1 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 414 0 87 0
Why does it complain about the request URI? Is this a generic error?
It was a permission problem. The IIS user did not have read rights to the folder. Changed to use the application pool identity instead and now it's working.
The issue here was using a virtual directory and the double-hop issue with authentication, where the folder didn't have the credentials tied to it. Needed to manually set them on the folder.
https://weblogs.asp.net/owscott/iis-windows-authentication-and-the-double-hop-issue

IIS 7 returns 404 for all requests

I have a default website and 2 applications underneath it. One is a WCF service on "http,net.tcp". The other is an asp.net site.
When I browse to the service, static files, the asp.net site or the default website I get a blank 404 response. The raw response in Fiddler is "HTTP/1.0 404 Not Found".
I've tried reinstalling IIS. I thought it might be the handlers, so I've had a look at the list, but it exactly matches a machine that does not have this issue.
The local 'hosts' file is empty and the machine.config file has not been manually edited.
(I can still connect to the service 'dsxwebservice' with tcp, and this issue has only been present for a few days, probably triggered by some change I've made to the configuration / install)
Have you seen Diagnosing 404 errors on IIS 7 and ASP.NET MVC?
You can also see if Failed Request Tracing can shed some light on your specific scenario.
Skype was hogging port 80
I came to this conclusion by using this on the command line:
netstat -ano
Then finding the PID against port 80 in Task Manager
Then quitting skype and seeing the issue go away.
I resolved the conflict by changing Skype settings to leave port 80 alone. This also explains why the 404 was not an IIS styled 404 page and why there was nothing in the IIS logs - just a question mark against the default website icon.

Umbraco 4.7.2 Installation Won't Load Images, CSS, Javascript, Etc

I've been trying in vain to get Umbraco installed on my Windows 7 box under IIS 7. I was able to use the Web Platform Installer to get it up and running via WebMatrix, but I want this running in IIS.
Whether I perform the install manually by setting up a new web site copying binaries, or whether I let the Web Platform Installer do it, I'm always presented with an installation page that's missing all CSS, images, js, etc.
When I attempt to hit those resources directly, I'm always redirected back to the install page.
I'm telling the platform installer to create a brand new web site. No virtual directory/application name is being specified. And I've followed all the online directions I can find.
Logs show 401 unauthorized errors:
2012-05-11 02:42:22 127.0.0.1 GET /umbraco_client/installer/css/all.css - 80 - 127.0.0.1 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) 401 3 5 10
2012-05-11 02:42:22 127.0.0.1 GET /umbraco_client/installer/css/reset.css - 80 - 127.0.0.1 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) 401 3 5 10
2012-05-11 02:42:22 127.0.0.1 GET /umbraco_client/installer/css/form.css - 80 - 127.0.0.1 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) 401 3 5 10
I tried changing the app pool identity to Network Service and granting full permissions to the web site root path, and while it didn't fix the problem, it turned all the above 401 errors into 302 redirects.
Thoughts?
In my case I found that although I had created a custom App Pool running under an identity with permissions for this folder, in the IIS authentication page (IIS Manager -> Authentication -> Anonymous Authentication) it was using IUSR as the default user for anonymous authentication. By checking the "Use Application Pool Identity" box instead, it worked correctly.
It appears as though the root cause was that I had my umbraco files under c:\Projects\MySite\Umbraco\WWW. Despite the fact that the WWW folder had the correct permissions, IIS would not grant access to the resources in question.
Once I moved the contents to c:\inetpub\wwwroot\, it started working. I'm still not entirely sure why, as the permissions match exactly, but it is what it is.
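The IIS log lines quoted in all five threads above end with the same three numbers, sc-status, sc-substatus and sc-win32-status, and in every thread that tail was the real diagnosis: 401 1 3221225581 in the IIS 8.5 Windows authentication thread is 0xC000006D, STATUS_LOGON_FAILURE (the rejected logon behind the KB896861 loopback symptom), 401 1 2148074254 in the Exchange ECP/OWA thread is 0x8009030E, SEC_E_NO_CREDENTIALS, 403 16 2148204809 in the IIS 8 thread is 0x800B0109, CERT_E_UNTRUSTEDROOT (which is why ignoring client certificates made it go away), 414 0 87 in the network-share thread is ERROR_INVALID_PARAMETER, and 401 3 5 in the Umbraco thread is ERROR_ACCESS_DENIED, an NTFS ACL denial. The block below is an added example, not code from any of the posts: it reads the column order from the #Fields: header an IIS W3C log file carries (the Umbraco lines have no cs(Referer) column, the others do), converts the decimal win32 status back to hex and names it, and separates real 401.1 logon failures from the 401 with substatus 0 that normally is just the Negotiate/NTLM challenge leg. The sample lines are constructed from the values quoted on this page with the query strings and User-Agent values shortened.

```python
"""Decode the sc-status / sc-substatus / sc-win32-status tail of IIS logs.

Added example, not code from any post on this page.  Reads the column
order from the "#Fields:" header that every IIS W3C log file carries, so
the same parser handles the 15-column lines of the IIS 8.x threads and the
14-column lines (no cs(Referer)) of the Umbraco thread.
"""
from collections import Counter

# (sc-status, sc-substatus) -> meaning, for the codes seen on this page and
# a few neighbours met in the same situations.
SUBSTATUS = {
    (200, 0): "200 OK",
    (302, 0): "302 redirect",
    (401, 0): "401.0 unauthorized; with win32 0 this is normally just the "
              "Negotiate/NTLM challenge leg, not the failure itself",
    (401, 1): "401.1 logon failed: credentials rejected by the security package or domain",
    (401, 2): "401.2 unauthorized due to server configuration (no usable auth scheme)",
    (401, 3): "401.3 unauthorized due to the NTFS ACL on the resource",
    (403, 14): "403.14 directory listing denied (no default document)",
    (403, 16): "403.16 client certificate untrusted or invalid",
    (404, 0): "404.0 not found",
    (414, 0): "414 request URI too long (rejected before the application runs)",
}

# sc-win32-status is logged in decimal; NTSTATUS/HRESULT values are only
# recognisable once shown in hex.
WIN32 = {
    0x00000000: "ERROR_SUCCESS",
    0x00000005: "ERROR_ACCESS_DENIED",
    0x00000057: "ERROR_INVALID_PARAMETER",
    0x80090308: "SEC_E_INVALID_TOKEN",
    0x8009030E: "SEC_E_NO_CREDENTIALS",
    0x800B0109: "CERT_E_UNTRUSTEDROOT",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}


def parse_w3c(text):
    """Yield one {field: value} dict per request line.

    IIS writes '+' for spaces inside values, so splitting on whitespace is
    exact for this format.  Directive lines (#Software, #Date, ...) are
    skipped; a #Fields: line resets the column names."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("request line before any #Fields: header")
        cols = line.split()
        if len(cols) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(cols)}")
        yield dict(zip(fields, cols))


def decode(entry):
    """Human-readable meaning of one entry's status triplet."""
    status = int(entry["sc-status"])
    sub = int(entry.get("sc-substatus", "0"))
    win32 = int(entry.get("sc-win32-status", "0"))
    http = SUBSTATUS.get((status, sub), f"{status}.{sub} (not in table)")
    return f"{http}; win32 0x{win32:08X} {WIN32.get(win32, 'unknown')}"


def logon_failures(entries):
    """Count real logon failures (401.1) per client IP, ignoring the 401.0
    challenge legs, so a burst from one c-ip stands out as a credential
    problem (or a guessing attempt) rather than handshake noise."""
    hits = Counter()
    for e in entries:
        if e["sc-status"] == "401" and e.get("sc-substatus") == "1":
            hits[e["c-ip"]] += 1
    return hits


# Constructed from the lines quoted on this page; query strings and
# User-Agent values shortened, column layout unchanged.
SAMPLE_IIS8 = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2017-07-26 08:42:53 10.101.16.195 GET /WebHostWinAuth/ wtrealm=urn%3aidsrv3&wa=wsignin1.0 443 - 10.101.16.195 Mozilla/5.0+(Windows+NT+6.3) - 401 0 0 18
2017-07-26 08:43:04 10.101.16.195 GET /WebHostWinAuth/ wtrealm=urn%3aidsrv3&wa=wsignin1.0 443 - 10.101.16.195 Mozilla/5.0+(Windows+NT+6.3) - 401 1 3221225581 2
2018-07-19 00:28:34 ::1 GET /ecp/About.aspx ActID=x 444 - ::1 Mozilla/4.0+(compatible;+MSEXCHMON) - 401 1 2148074254 3
2018-02-08 17:56:58 10.1.10.11 GET /favicon.ico - 4443 - 184.4.143.229 Mozilla/5.0+(Windows+NT+10.0) https://api.blahblahblah.com:4443/data/countyList 403 16 2148204809 97
2017-09-13 07:56:23 ::1 GET /server/test.jpg - 80 - ::1 Mozilla/5.0+(Windows+NT+6.3) - 414 0 87 0
"""

SAMPLE_IIS7 = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-05-11 02:42:22 127.0.0.1 GET /umbraco_client/installer/css/all.css - 80 - 127.0.0.1 Mozilla/5.0+(compatible;+MSIE+9.0) 401 3 5 10
"""

if __name__ == "__main__":
    entries = list(parse_w3c(SAMPLE_IIS8)) + list(parse_w3c(SAMPLE_IIS7))
    for e in entries:
        print(f"{e['c-ip']:>14} {e['cs-uri-stem']:<40} {decode(e)}")
    print("401.1 per client:", dict(logon_failures(entries)))
```

Point it at a real file with `parse_w3c(open(path).read())`; because the parser trusts the #Fields: header, a log whose field set was changed mid-file is handled correctly, while a line with the wrong column count raises instead of silently shifting values into the wrong fields. In a detection setting the `logon_failures` counter is the useful part: one 401.1 per user is a misconfiguration, many from one client IP in a short window is a credential-guessing pattern, and neither should be confused with the 401.0 challenge that precedes every successful Windows logon.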
