Exchange 2016 ECP and OWA error 403

MichaelFuller-1588 66 Reputation points
2022-04-29T11:41:46.307+00:00

I have an Exchange 2016 DAG with 2 servers. I recently lost access to OWA and ECP on one of the servers. I am trying to pin down an explanation for the cause. That server had a failed and suspended database copy. Two admins were working on the server. One fixed the database. The other removed a duplicate cert. The issue was resolved after both tasks were completed. I want to know if a failed and suspended database can cause an error 403 on OWA and ECP or was it a duplicate cert. I remember vaguely that this happened before and was told that IIS authenticates on through the server it is hosted on and a failed and suspended database prevents it from authenticating the users on that DB even if it is an inactive copy. Is there an article that can prove or disprove this hypothesis?

My theory is that the server cannot find where the active DB for the user is in order to proxy the request to that server because it cannot find the user on it's own DB because it is failed and suspended with a failed content index state. This is a guess based on architecture diagrams.

Microsoft Exchange Online Management
Microsoft Exchange Online Management
Microsoft Exchange Online: A Microsoft email and calendaring hosted service.Management: The act or process of organizing, handling, directing or controlling something.
4,635 questions
Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,709 questions
Microsoft Exchange Hybrid Management
Microsoft Exchange Hybrid Management
Microsoft Exchange: Microsoft messaging and collaboration software.Hybrid Management: Organizing, handling, directing or controlling hybrid deployments.
2,167 questions
0 comments No comments
{count} votes

Accepted answer
  1. Kael Yao-MSFT 37,661 Reputation points Microsoft Vendor
    2022-05-02T08:05:06.533+00:00

    Hi @MichaelFuller-1588

    I remember vaguely that this happened before and was told that IIS authenticates on through the server it is hosted on and a failed and suspended database prevents it from authenticating the users on that DB even if it is an inactive copy. Is there an article that can prove or disprove this hypothesis?

    Please refer to this link: Load Balancing in Exchange 2016

    3.The Client Access services located on the MBX server authenticates the request and performs a service discovery by accessing Active Directory to retrieve the following information:

    Mailbox version (for this discussion, we will assume an Exchange 2016 mailbox)
    Mailbox location information (e.g., database information, ExternalURL values, etc.)

    4.The Client Access services located on the MBX server makes a decision on whether to proxy the request or redirect the request to another MBX infrastructure (within the same forest).

    If the IIS authentication of the virtual directories (in this case ECP and OWA) isn't set correctly on the server which the requests are sent to (not necessarily the server which is currently hosting the active copy of database), It would also cause the authentication to fail.


    By "The other removed a duplicate cert", did the admin also change the certificate binding in IIS?
    To me I suppose the possible cause of the 403 error may be an invalid certificate binding.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.