Sunday, October 15, 2017

Remove & Create OWA Exchange Back End

1. Remove OWA  (Exchange Back End).
Remove-OwaVirtualDirectory -Identity "ex1\owa (Exchange Back End)"

[PS] C:\Windows\system32>Remove-OwaVirtualDirectory -Identity "ex1\owa (Exchange Back End)"

Confirm
Are you sure you want to perform this action?
Outlook Web App virtual directory "ex1\owa (Exchange Back End)" is being removed.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y
[PS] C:\Windows\system32>

2. Create OWA  (Exchange Back End).
New-OwaVirtualDirectory -WebSiteName "Exchange Back End" -Server ex1

[PS] C:\Windows\system32>New-OwaVirtualDirectory -WebSiteName "Exchange Back End" -Server ex1
Name                                    Server                                  OwaVersion
----                                    ------                                  ----------
owa (Exchange Back End)                 EX1                                     Exchange2013
[PS] C:\Windows\system32>

Friday, October 13, 2017

Re-create OWA virtual Directories in Exchange 2013

Sometimes you may be fed up with issues related to the 'owa', 'ecp' or other virtual directories. Repair or fine tuning may not fix the issue, and you will have to re-create the virtual directories from scratch.
The difference in Exchange 2013 is that it has two websites hosted in IIS (Default Web Site and Exchange Back End).
I am presenting a simple scenario in which I describe how to remove the owa virtual directories and how to re-create them in Exchange 2013 for both Default Web Site and Exchange Back End.

Remove the owa virtual Directories
[PS] C:\Windows\system32>Remove-OwaVirtualDirectory "ServerName\owa (Default Web Site)"

Confirm
Are you sure you want to perform this action?
Outlook Web App virtual directory "ServerName\owa (Default Web Site)" is being removed.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y
[PS] C:\Windows\system32>Remove-OwaVirtualDirectory "ServerName\owa (exchange back end)"

Confirm
Are you sure you want to perform this action?
Outlook Web App virtual directory "ServerName\owa (exchange back end)" is being removed.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y

Re-create the owa virtual Directories
[PS] C:\Windows\system32>New-OwaVirtualDirectory -InternalUrl "https://ServerName/owa" -ExternalUrl "https://mail.domain.com/owa"
[PS] C:\Windows\system32>New-OwaVirtualDirectory -InternalUrl "https://ServerName/owa" -ExternalUrl "https://mail.domain.com/owa" -WebSiteName "Exchange Back End"
Hope you are now free from the owa virtual directory remove/re-create troubles.

Tuesday, October 10, 2017

OWA/ECP login loop on Exchange 2010/13/16

On an Exchange server, configuring virtual directories can be a pain at times. A simple misconfiguration of a virtual directory can become the worst nightmare and create a login loop; I had this a few days back. While configuring an additional CAS server, after a few changes to the virtual directories, my OWA/ECP page started to loop whenever I tried to log in. I was in the dark about what mistake I had made. So I tried to list what might be causing the looping of my OWA/ECP page. While listing, I found two things.
  1. SSL Certificate.
  2. Issue with configuration of Virtual Directory.
The SSL certificate can be the reason behind this kind of issue, so make sure the correct SSL certificate is assigned to the IMAP, POP, IIS and SMTP services. Also make sure the SSL certificate is present across all of your Exchange servers. If the issue is with the SSL certificate, you are lucky: it can be resolved easily. With a virtual directory it is not so.
On my earlier blog you can find how to configure virtual directories. But I came to the conclusion that this might not be enough when the OWA/ECP login loop issue arises. Hence, I have made a table with the specific configuration required when configuring the OWA/ECP virtual directories.
In IIS Manager, expand the Default Web Site and check whether the configuration you have made matches the table below.
Table: Chart of Virtual Directory configuration.

| Virtual directory | Default IIS authentication methods | SSL settings | Default authentication methods available through Exchange Admin Center (EAC) | HTTP Redirect | Authentication methods, Exchange Management Shell (EMS): Internal | Authentication methods, Exchange Management Shell (EMS): External |
| --- | --- | --- | --- | --- | --- | --- |
| Sites \ Default Web Site | Anonymous authentication | Not Required | | Yes | | |
| aspnet_client | Anonymous authentication | SSL required | | No | | |
| Autodiscover | Anonymous authentication; Basic authentication; Windows authentication | SSL required | Integrated Windows authentication; Basic authentication | No | Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth | Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth |
| ECP (Exchange Control Panel) | Anonymous authentication; Basic authentication | SSL required | Use forms-based authentication | No | Basic, Fba | Fba |
| EWS (Exchange Web Services) | Anonymous authentication; Basic authentication | SSL required | Integrated Windows authentication | No | Ntlm, WindowsIntegrated, WSSecurity, OAuth | Ntlm, WindowsIntegrated, WSSecurity, OAuth |
| Mapi | Windows authentication | SSL required | Not available in EAC | No | Ntlm, OAuth, Negotiate | Not configured |
| Microsoft-Server-ActiveSync | Basic authentication | SSL required | Basic authentication; Ignore client certificate | No | Not set (all methods can be used) | Not set (all methods can be used) |
| OAB (Offline Address Book) | Windows authentication | | None available | No | WindowsIntegrated, OAuth | WindowsIntegrated, OAuth |
| OWA (Outlook Web App) | Basic authentication | SSL required | Use forms-based authentication; Domain\user name | No | Basic, Fba | Basic, Fba |
| OWA\Calendar | Anonymous authentication | Ignore client certificates | None available | No | | |
| OWA\Integrated | Windows authentication | SSL required; Ignore client certificates | None available | No | | |
| OWA\oma (Outlook Mobile Access) | Basic authentication | Ignore client certificates | None available | No | | |
| PowerShell | Windows authentication | Not Required | None set | No | {} | {} |
| Rpc | Basic authentication; Windows authentication | SSL required | | No | | |

Configuring the Default Web Site alone is not going to solve this issue. You also need to know how the Exchange Back End site is configured, otherwise you will keep going in a loop. Below is the detailed configuration you can have on Exchange Back End.
Table: Exchange Back End Virtual Directory Configuration.

| Virtual directory | IIS default authentication methods | IIS SSL settings | HTTP Redirect |
| --- | --- | --- | --- |
| Exchange Back End | | Not Required | Yes |
| Autodiscover | Anonymous authentication; Windows authentication | SSL required; Ignore client certificates | No |
| ecp | Anonymous authentication; Windows authentication | SSL required; Ignore client certificates | No |
| EWS | Anonymous authentication; Windows authentication | SSL required; Ignore client certificates | No |
| Exchange* | | SSL required; Ignore client certificates | No |
| Exchweb* | | SSL required; Ignore client certificates | No |
| mapi* | Anonymous authentication | SSL required; Ignore client certificates | No |
| Microsoft-Server-ActiveSync | Basic authentication | SSL required; Ignore client certificates | No |
| OAB | Windows authentication | SSL required; Ignore client certificates | No |
| owa | Anonymous authentication; Windows authentication | SSL required; Ignore client certificates | No |
| owa\Calendar | Anonymous authentication | Ignore client certificates | No |
| PowerShell | Windows authentication | SSL required; Accept client certificates | No |
| Public* | | SSL required; Ignore client certificates | No |
| PushNotifications | Anonymous authentication; Windows authentication | SSL required; Ignore client certificates | No |
| Rpc | Windows authentication | Ignore client certificates | No |
| RpcWithCert | Windows authentication | Ignore client certificates | No |

I hope this will help you solve the Exchange OWA/ECP login loop issue. 🙂
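
The check against the Default Web Site table can be scripted instead of read off IIS Manager. The following is an added example, not part of the original post: `Compare-VDirAuth` is a hypothetical helper that compares the `InternalAuthenticationMethods` and `ExternalAuthenticationMethods` properties of OWA and ECP virtual directory objects with the EMS columns of that table, and the sample objects are constructed so it runs without an Exchange server.

```powershell
# Baseline copied from the EMS Internal/External columns of the
# Default Web Site table above (OWA and ECP rows only).
$Baseline = @{
    owa = @{ Internal = 'Basic', 'Fba'; External = 'Basic', 'Fba' }
    ecp = @{ Internal = 'Basic', 'Fba'; External = 'Fba' }
}

function Compare-VDirAuth {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)] [object[]]  $VirtualDirectory,
        [Parameter(Mandatory = $true)] [hashtable] $Baseline
    )
    foreach ($vdir in $VirtualDirectory) {
        # The baseline describes the front end only; skip "(Exchange Back End)".
        if ($vdir.Name -notlike '*(Default Web Site)') { continue }
        $app = ($vdir.Name -split ' ')[0].ToLower()
        if (-not $Baseline.ContainsKey($app)) { continue }
        foreach ($scope in 'Internal', 'External') {
            $expected = @($Baseline[$app][$scope])
            # Real objects hold enum values; normalise to strings, drop nulls.
            $actual = @($vdir."${scope}AuthenticationMethods" |
                Where-Object { $null -ne $_ } | ForEach-Object { "$_" })
            $missing = @($expected | Where-Object { $actual -notcontains $_ })
            $extra   = @($actual | Where-Object { $expected -notcontains $_ })
            if ($missing.Count -or $extra.Count) {
                [pscustomobject]@{
                    VirtualDirectory = $vdir.Name
                    Scope            = $scope
                    Missing          = $missing -join ', '
                    Unexpected       = $extra -join ', '
                }
            }
        }
    }
}

# Constructed sample objects standing in for cmdlet output.
$sample = @(
    [pscustomobject]@{ Name = 'owa (Default Web Site)'
        InternalAuthenticationMethods = 'Basic', 'Fba'
        ExternalAuthenticationMethods = 'Fba' }
    [pscustomobject]@{ Name = 'ecp (Default Web Site)'
        InternalAuthenticationMethods = 'Basic', 'Fba', 'Ntlm'
        ExternalAuthenticationMethods = 'Fba' }
)
Compare-VDirAuth -VirtualDirectory $sample -Baseline $Baseline | Format-Table -AutoSize
```

On an Exchange server, pass `@(Get-OwaVirtualDirectory -Server ex1; Get-EcpVirtualDirectory -Server ex1)` as `-VirtualDirectory` in place of `$sample`.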

Sunday, October 8, 2017

An old password still works after you change it in Outlook on the Web

https://support.microsoft.com/en-us/help/267568/an-old-password-still-works-after-you-change-it-in-outlook-on-the-web

Friday, October 6, 2017

Exchange 2013 EAC / ECP Blank Screen

When trying to log in to the new Exchange 2013 EAC / ECP, you encounter a plain blank screen and get no options at all. The URLs you may see this error on are below. You must connect to these addresses on the CAS server, so you need the CAS role installed.
https://ServerName/ecp
https://ServerName/owa
I've seen this with two separate issues: one is SSL cert related and one is corruption. If it is SSL related, you will see this error in Event Viewer.

Wednesday, October 4, 2017

A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 51. The Windows SChannel error state is 900.

In Group Policy Editor (run: gpedit.msc), went to Computer Configuration > Administrative Templates > System > Distributed COM > Application Compatibility and enabled "Allow local activation security check exemptions".

Monday, October 2, 2017

https://www.vcloudnine.de/microsoft-exchange-2013-shows-blank-ecp-owa-after-changes-to-ssl-certificates/

EDIT
This issue is described in KB2971270 and is fixed in CU6.
I ran into this error a couple of times. After applying changes to SSL certificates (add, replace or delete an SSL certificate) and rebooting the server, the event log is flooded with events from source "HttpEvent" and event ID 15021. The message says:
If you try to access the Exchange Control Panel (ECP) or Outlook Web Access (OWA), you will get a blank website. To solve this issue, open up an elevated command prompt on your Exchange 2013 server.
Check the certificate hash and application ID for 0.0.0.0:443, 0.0.0.0:444 and 127.0.0.1:443. You will notice that the application ID for these three entries is the same, but the certificate hash for 0.0.0.0:444 differs from the other two entries. And that's the point. Remove the certificate for 0.0.0.0:444.
Now add it again with the correct certificate hash and application ID.
C:\windows\system32>netsh http add sslcert ipport=0.0.0.0:444 certhash=1ec7413b4fb1782b4b40868d967161d29154fd7f appid="{4dc3e181-e14b-4a21-b022-59fc669b0914}"
 
SSL Certificate successfully added
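
The hash comparison described above can be scripted. This is an added example, not from the original post: it parses text in the layout of `netsh http show sslcert` (that command is not shown on the page; the sample output and its all-zero hash are constructed) and lists bindings that share the application ID of 0.0.0.0:443 but carry a different certificate hash. The function names are hypothetical.

```powershell
# Constructed sample in the layout printed by `netsh http show sslcert`
# on English-language Windows. The all-zero hash is a placeholder.
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 1ec7413b4fb1782b4b40868d967161d29154fd7f
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}

    IP:port                      : 0.0.0.0:444
    Certificate Hash             : 0000000000000000000000000000000000000000
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}

    IP:port                      : 127.0.0.1:443
    Certificate Hash             : 1ec7413b4fb1782b4b40868d967161d29154fd7f
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
'@ -split "`r?`n"

function ConvertFrom-NetshSslCert {   # hypothetical helper name
    param([string[]] $Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            if ($current) { $current }          # emit the finished binding
            $current = [pscustomobject]@{ IpPort = $Matches[1]; CertHash = $null; AppId = $null }
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-f]+)') {
            $current.CertHash = $Matches[1].ToLower()
        } elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\{[^}]+\})') {
            $current.AppId = $Matches[1].ToLower()
        }
    }
    if ($current) { $current }
}

function Find-SslCertMismatch {       # hypothetical helper name
    param([object[]] $Binding, [string] $Reference = '0.0.0.0:443')
    $ref = $Binding | Where-Object { $_.IpPort -eq $Reference } | Select-Object -First 1
    if (-not $ref) { throw "No binding found for $Reference" }
    # Same application ID as the reference but a different certificate hash.
    $Binding | Where-Object { $_.AppId -eq $ref.AppId -and $_.CertHash -ne $ref.CertHash }
}

$bindings = ConvertFrom-NetshSslCert -Lines $sample
Find-SslCertMismatch -Binding $bindings | Format-Table IpPort, CertHash, AppId -AutoSize
```

On a server, feed it live output with `ConvertFrom-NetshSslCert -Lines (netsh http show sslcert)`; on non-English Windows the field labels are localized and the patterns need adjusting.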