Exchange 2016 ECP and OWA error 403

MichaelFuller-1588 66 Reputation points
2022-04-29T11:41:46.307+00:00

I have an Exchange 2016 DAG with 2 servers. I recently lost access to OWA and ECP on one of the servers. I am trying to pin down an explanation for the cause. That server had a failed and suspended database copy. Two admins were working on the server. One fixed the database. The other removed a duplicate cert. The issue was resolved after both tasks were completed. I want to know if a failed and suspended database can cause an error 403 on OWA and ECP or was it a duplicate cert. I remember vaguely that this happened before and was told that IIS authenticates on through the server it is hosted on and a failed and suspended database prevents it from authenticating the users on that DB even if it is an inactive copy. Is there an article that can prove or disprove this hypothesis?

My theory is that the server cannot find where the active DB for the user is in order to proxy the request to that server because it cannot find the user on its own DB because it is failed and suspended with a failed content index state. This is a guess based on architecture diagrams.


Accepted answer
    Kael Yao-MSFT 37,496 Reputation points Microsoft Vendor
    2022-05-02T08:05:06.533+00:00

    Hi @MichaelFuller-1588

    I remember vaguely that this happened before and was told that IIS authenticates on through the server it is hosted on and a failed and suspended database prevents it from authenticating the users on that DB even if it is an inactive copy. Is there an article that can prove or disprove this hypothesis?

    Please refer to this link: Load Balancing in Exchange 2016

    3. The Client Access services located on the MBX server authenticates the request and performs a service discovery by accessing Active Directory to retrieve the following information:

    Mailbox version (for this discussion, we will assume an Exchange 2016 mailbox)
    Mailbox location information (e.g., database information, ExternalURL values, etc.)

    4. The Client Access services located on the MBX server makes a decision on whether to proxy the request or redirect the request to another MBX infrastructure (within the same forest).

    If the IIS authentication of the virtual directories (in this case ECP and OWA) isn't set correctly on the server which the requests are sent to (not necessarily the server which is currently hosting the active copy of the database), it would also cause the authentication to fail.


    By "The other removed a duplicate cert", did the admin also change the certificate binding in IIS?
    I suppose the possible cause of the 403 error may be an invalid certificate binding.



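The answer lists three candidate causes for the 403 on the receiving server: the IIS authentication settings on the OWA/ECP virtual directories, the IIS certificate binding after a certificate was removed, and (the question's own theory) the failed/suspended database copy. The following triage script is an added example written for this editorial pass, not code from the thread or from Microsoft; it checks each of those on the affected DAG member so the cause can be pinned down from evidence rather than recollection. The server names `EX16-MBX01` (the server returning 403) and `EX16-MBX02` (the healthy DAG member) are placeholders; it assumes an Exchange Management Shell opened on `EX16-MBX01`, because `Get-WebBinding` only reads the local IIS configuration.

```powershell
# Added example, not part of the original Q&A. Run from the Exchange Management
# Shell on the server that returns 403 for OWA/ECP.
$Server = 'EX16-MBX01'   # assumption: the DAG member returning 403
$Good   = 'EX16-MBX02'   # assumption: the DAG member where OWA/ECP still work

Import-Module WebAdministration -ErrorAction Stop

# 1. Unauthenticated front-end probes. healthcheck.htm needs no credentials, so a
#    non-200 here (or a TLS failure) implicates the site/binding on this server,
#    while a 403 only on the real /owa and /ecp pages points at authentication
#    or proxying.
foreach ($vdir in 'owa', 'ecp') {
    $uri = "https://$Server/$vdir/healthcheck.htm"
    try {
        $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -ErrorAction Stop
        '{0,-50} HTTP {1}' -f $uri, $resp.StatusCode
    } catch {
        $code = if ($_.Exception.Response) { $_.Exception.Response.StatusCode.value__ } else { 'n/a' }
        '{0,-50} HTTP {1}: {2}' -f $uri, $code, $_.Exception.Message
    }
}

# 2. Authentication settings of the OWA and ECP virtual directories, compared
#    against the healthy server. Only rows that differ are printed; Name is
#    included so "owa (Default Web Site)" is compared with its counterpart.
$authProps = 'BasicAuthentication', 'WindowsAuthentication',
             'FormsAuthentication', 'DigestAuthentication'
foreach ($cmd in 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory') {
    $ref  = & $cmd -Server $Good   | Select-Object -Property (@('Name') + $authProps)
    $diff = & $cmd -Server $Server | Select-Object -Property (@('Name') + $authProps)
    $delta = Compare-Object -ReferenceObject $ref -DifferenceObject $diff `
                            -Property (@('Name') + $authProps)
    if ($delta) { "$cmd differs between $Good (<=) and $Server (=>):"; $delta | Format-Table -AutoSize }
    else        { "$cmd authentication settings match on $Good and $Server" }
}

# 3. HTTPS bindings in local IIS versus the certificates Exchange knows about.
#    A binding whose certificateHash no longer matches any installed certificate
#    (e.g. the thumbprint of a "duplicate" that was deleted) is a dangling binding.
$exCerts = Get-ExchangeCertificate -Server $Server
Get-WebBinding -Protocol https | ForEach-Object {
    $hash  = $_.certificateHash
    $match = $exCerts | Where-Object { $_.Thumbprint -eq $hash }
    [pscustomobject]@{
        Site        = ($_.ItemXPath -replace ".*@name='([^']+)'.*", '$1')
        Binding     = $_.bindingInformation
        Thumbprint  = $hash
        MatchesCert = [bool]$match
        Services    = if ($match) { "$($match.Services)" } else { '<no installed cert with this thumbprint>' }
        NotAfter    = if ($match) { $match.NotAfter } else { $null }
    }
} | Format-Table -AutoSize

# 4. Database copy state on this server, to test the question's hypothesis that a
#    Failed/Suspended copy with a failed content index is what broke OWA/ECP.
Get-MailboxDatabaseCopyStatus -Server $Server |
    Select-Object Name, Status, ContentIndexState, CopyQueueLength, ReplayQueueLength |
    Format-Table -AutoSize

# 5. Managed Availability's own verdict for the OWA/ECP health sets on this server.
Get-ServerHealth -Identity $Server |
    Where-Object { $_.HealthSetName -match '^(OWA|ECP)' -and $_.AlertValue -ne 'Healthy' } |
    Select-Object HealthSetName, Name, AlertValue, TargetResource |
    Format-Table -AutoSize
```

Read the output in order: if step 1 already fails or step 3 shows a binding with `MatchesCert` false, the certificate change is the simpler explanation; if both are clean but step 2 shows a difference, the virtual-directory authentication on the receiving server is the suspect. Step 4 records the copy state for the record, and if the 403 reappears only while a copy is Failed/Suspended while steps 1 to 3 stay clean, that is the evidence the question asks for. The script changes nothing; it only reads configuration and health data.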
