I vaguely remember that this happened before, and I was told that IIS authenticates through the server it is hosted on and that a failed and suspended database prevents it from authenticating the users on that DB even if it is an inactive copy. Is there an article that can prove or disprove this hypothesis?
Please refer to this link: Load Balancing in Exchange 2016
3. The Client Access services located on the MBX server authenticates the request and performs a service discovery by accessing Active Directory to retrieve the following information:
Mailbox version (for this discussion, we will assume an Exchange 2016 mailbox)
Mailbox location information (e.g., database information, ExternalURL values, etc.)
4. The Client Access services located on the MBX server makes a decision on whether to proxy the request or redirect the request to another MBX infrastructure (within the same forest).
If the IIS authentication of the virtual directories (in this case ECP and OWA) isn't set correctly on the server which the requests are sent to (not necessarily the server which is currently hosting the active copy of the database), it would also cause the authentication to fail.
By "The other removed a duplicate cert", did the admin also change the certificate binding in IIS?
To me I suppose the possible cause of the 403 error may be an invalid certificate binding.
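The two checks suggested in the answer above (authentication settings on the OWA/ECP virtual directories, and the certificate bound in IIS) can be done in one pass with the following added example, which is not part of the original thread. It assumes it is run in the Exchange Management Shell, elevated, on the Mailbox server that receives the requests, and that the default Exchange ports 443 (Default Web Site) and 444 (Exchange Back End) are in use.

```powershell
# Added example (not from the thread). Run locally on the server receiving the requests.
Import-Module WebAdministration
$server = $env:COMPUTERNAME

# 1. Authentication methods configured on the OWA and ECP virtual directories.
$authProps = 'Name', 'BasicAuthentication', 'FormsAuthentication',
             'WindowsAuthentication', 'DigestAuthentication'
Get-OwaVirtualDirectory -Server $server | Select-Object $authProps | Format-Table -AutoSize
Get-EcpVirtualDirectory -Server $server | Select-Object $authProps | Format-Table -AutoSize

# 2. Compare each IIS SSL binding with the certificates Exchange knows about.
#    A binding whose thumbprint no longer resolves to a certificate (for
#    example after a "duplicate" was removed) is reported as MISSING.
$exchangeCerts = Get-ExchangeCertificate -Server $server
$now = Get-Date

Get-ChildItem IIS:\SslBindings |
    Where-Object { $_.Port -in 443, 444 } |
    ForEach-Object {
        $binding = $_
        $cert = $exchangeCerts | Where-Object { $_.Thumbprint -eq $binding.Thumbprint }

        if (-not $cert) {
            $status = 'MISSING: bound thumbprint not found among Exchange certificates'
        }
        elseif ($cert.NotAfter -lt $now) {
            $status = 'EXPIRED'
        }
        elseif ($binding.Port -eq 443 -and "$($cert.Services)" -notmatch 'IIS') {
            $status = 'NOT ENABLED FOR IIS in Exchange'
        }
        else {
            $status = 'OK'
        }

        [pscustomobject]@{
            Binding    = '{0}:{1}' -f $binding.IPAddress, $binding.Port
            Thumbprint = $binding.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Services   = $cert.Services
            Status     = $status
        }
    } | Format-Table -AutoSize
```

Any row whose status is not OK points at the binding to repair in IIS Manager before looking further at the database copies.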