Someone Else

Robert Moir writes about Operating Systems, Computer Security and Virtualisation.

Exchange 2007 SP1 migration: Troubleshooting OWA issues

I'm going to make a note of issues I've encountered with the Exchange 2003 to Exchange 2007 migration at work, and which didn't have immediately obvious solutions. It's been far too long since I posted anything that wasn't a thinly (or not so thinly) disguised rant about some aspect of IT that I'm vexed at.

After migrating a mailbox to Exchange 2007 SP1 from Exchange 2003, the user attempts to access their mailbox via Outlook Web Access and gets redirected to the correct URL for an Exchange 2007 mailbox (webmail.example.com/owa) yet receives an error.

Common causes I've seen:
1. The user hasn't waited long enough after you've performed the move to allow AD to be updated about the change to their mailbox.

2. If you get the user to click the button for more information on the error, the following charming message appears:

Request
Url: https://webmail.example.com:443/owa/lang.owa
User host address: 10.10.10.20

Exception
Exception type: Microsoft.Exchange.Data.Storage.StoragePermanentException
Exception message: There was a problem accessing Active Directory.

Call stack

Microsoft.Exchange.Data.Storage.ExchangePrincipal.Save()
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostLocally(OwaContext owaContext, OwaIdentity logonIdentity, CultureInfo culture, String timeZoneKeyName, Boolean isOptimized)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostRequest(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.PrepareRequestWithoutSession(OwaContext owaContext, UserContextCookie userContextCookie)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.InternalDispatchRequest(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchRequest(OwaContext owaContext)
System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Inner Exception
Exception type: Microsoft.Exchange.Data.Directory.ADOperationException
Exception message: Active Directory operation failed on DC.Your.Internal.Domain.FQDN. This error is not retriable. Additional information: Insufficient access rights to perform the operation. Active directory response: 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Call stack

Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADRawEntry entry, DirectoryRequest request, ADObjectId originalId)
Microsoft.Exchange.Data.Directory.ADSession.Save(ADObject instanceToSave, IEnumerable`1 properties)
Microsoft.Exchange.Data.Storage.ExchangePrincipal.Save()

Inner Exception
Exception type: System.DirectoryServices.Protocols.DirectoryOperationException
Exception message: The user has insufficient access rights.

Call stack

System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation)
Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADRawEntry entry, DirectoryRequest request, ADObjectId originalId)

This message will appear if Exchange has insufficient rights to the user's AD object. Each user must have the Exchange Servers group listed in the permissions tab of their Active Directory account object before OWA will work properly.

Note that this isn't referring to the group memberships applied to the user's account that allow the user to do things, but rather to the permissions that are applied to the user account object itself to control how it can be accessed and manipulated by Active Directory, Exchange and the like.

To view these permissions on an object in Active Directory, you will need to run Active Directory Users and Computers, select the domain you wish to operate in, then in the menu select View, then click Advanced Features. You can now manipulate permissions on AD objects, and needless to say you should be very careful about how you use this power.

If no-one can access their mailbox, then refer to this article on the Microsoft website.

If the majority of your users are fine but one or two users cannot access their mailbox, then verify whether the problem users are in the same OU and follow the Microsoft article above, paying special attention at the OU level.

If this does not help then you may need to manually edit the accounts themselves. Proceed with caution at this point, as the reason permissions on these account objects may be different is because another application needs them set a certain way and has made changes. I suggest making this change to just a small sample of users and testing their accounts before you apply it to all users having this problem.

  • Remember to enable Advanced Features in ADU&C.
  • Locate a user who is having this problem.
  • Right-Click the account and choose Properties.
  • Click the Security tab. DO NOT attempt to change permissions directly on the user.
  • Click Advanced.
  • Ensure that "Inherit from parent..." is ticked, then press Apply.
  • Ensure that the Exchange Servers group is now listed with the Modify Permissions permission. If this is not the case, then the permissions are set incorrectly on the OU, and I refer you to my earlier comments and link.
  • Press OK to close Advanced properties, then press OK again to close the user's account properties.
  • You might need to wait a while for the change to replicate.
  • Test that OWA now works.
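Before clicking through every account by hand, the same two facts the list above has you check (is inheritance blocked on the user object, and does the Exchange Servers group hold an Allow ACE on it) can be read out for a whole OU. The script below is an added example, not code from the original post; it is read-only, uses plain ADSI rather than a cmdlet module, and assumes the OU distinguished name and the DOMAIN\Exchange Servers group name shown as parameters. It also reports adminCount, since a value of 1 means AdminSDHolder will keep re-stripping inheritance from that account.

```powershell
# Added diagnostic (not from the original post). Reports, per user in one OU:
# whether permission inheritance is blocked, whether an Allow ACE for the
# Exchange Servers group is present, and the account's adminCount attribute.
param(
    [string]$SearchBase = "OU=Users,DC=example,DC=com",        # assumption: your OU
    [string]$ExchangeServersGroup = "EXAMPLE\Exchange Servers"  # assumption: DOMAIN\group
)

$root = [ADSI]"LDAP://$SearchBase"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectCategory=person)(objectClass=user))"
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.Add("distinguishedName")
[void]$searcher.PropertiesToLoad.Add("adminCount")

foreach ($result in $searcher.FindAll()) {
    $dn = $result.Properties["distinguishedname"][0]
    $entry = $result.GetDirectoryEntry()
    # psbase reaches the .NET DirectoryEntry members under the ADSI adapter
    $acl = $entry.psbase.ObjectSecurity

    # Explicit and inherited rules, resolved to DOMAIN\name form for comparison
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $exchRules = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $ExchangeServersGroup -and
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow
    })
    $rights = ($exchRules | ForEach-Object { $_.ActiveDirectoryRights.ToString() }) -join "; "

    $adminCount = 0
    if ($result.Properties["admincount"].Count -gt 0) {
        $adminCount = $result.Properties["admincount"][0]
    }

    New-Object PSObject -Property @{
        User                 = $dn
        InheritanceBlocked   = $acl.AreAccessRulesProtected   # $true = "Inherit from parent" unticked
        ExchangeServersAce   = ($exchRules.Count -gt 0)
        ExchangeServersRights = $rights
        AdminCount           = $adminCount                    # 1 = protected by AdminSDHolder
    }
} | Format-Table User, InheritanceBlocked, ExchangeServersAce, AdminCount -AutoSize
```

Accounts showing InheritanceBlocked = True with ExchangeServersAce = False are the ones the steps above apply to; those with AdminCount = 1 will lose the fix again on the next AdminSDHolder pass unless their protected-group membership is dealt with.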

Comments

The Geek said:

If the error reoccurs within 1 hour it could be because of the user being a member of a "protected group" and therefore having the inheritance flag removed automatically. Check the membership of the user in groups like Domain Admins, Server Admins etc. and remove them from these groups and it should work fine.

April 24, 2008 7:32 AM

Robert Moir said:

Good point, fellow Geek. Thanks for taking the time to contribute!

April 26, 2008 5:53 AM