
OWA doesn't authenticate against the DCs in child domains correctly

  • OWA doesn't authenticate against the DCs in child domains correctly

    I've got an AD forest set up with one parent domain and 2 child domains, all three of which are configured for 2000 Native mode. The forest schema master is on the parent domain. There is at least one 2003 SP1 domain controller on each of the three domains set up as a Global Catalog server as well. The Exchange 2007 server is on the parent domain because it must reside on the same domain as the schema master; however, all the users are on the child domains.

    When connecting to the Exchange server with an Outlook client, everything works as expected. When trying to connect via OWA, however, I get an error message right after the language and time zone selection screen.

    This only happens with users on the child domains; if I set up a user on the parent domain, it works fine.

    It seems as though the error always references one of the remaining Windows 2000 domain controllers. I've tried it multiple times now and the server referenced in the error will change, however it is always one of the 2000 servers.

    I've attached the error below. Can anyone tell me how to either work around this issue or resolve it altogether? Thanks!



    Request
    Url: https://webmail.domain.com:443/owa/lang.owa
    User host address: 123.123.123.123

    Exception
    Exception type: Microsoft.Exchange.Data.Directory.ADInvalidHandleCookieException
    Exception message: Active Directory operation failed on Win2K.childdomain.domain.com. Additional information: Active Directory rejected paged search cookie because a cookie handle was discarded by a domain controller or a different LDAP connection was used on subsequent page retrieval. Restart paged search. Additional information: The parameter is incorrect. Active directory response: 00000057: LdapErr: DSID-0C090591, comment: Error processing control, data 0, v893.

    Call stack
    Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
    Microsoft.Exchange.Data.Directory.ADSession.Find(ADObjectId rootId, String optionalBaseDN, ADObjectId readId, QueryScope scope, QueryFilter filter, SortBy sortBy, Int32 maxResults, IEnumerable`1 properties, CreateObjectDelegate objectCreator, CreateObjectsDelegate arrayCreator)
    Microsoft.Exchange.Data.Directory.ADSession.Read(ADObjectId entryId, IEnumerable`1 properties, CreateObjectDelegate objectCtor)
    Microsoft.Exchange.Data.Directory.Recipient.ADRecipientSession.Read(ADObjectId entryId)
    Microsoft.Exchange.Data.Storage.ExchangePrincipal.Save()
    Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostLocally(OwaContext owaContext, OwaIdentity logonIdentity, CultureInfo culture, String timeZoneKeyName, Boolean isOptimized)
    Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostRequest(OwaContext owaContext)
    Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.PrepareRequestWithoutSession(OwaContext owaContext, UserContextCookie userContextCookie)
    Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.InternalDispatchRequest(OwaContext owaContext)
    Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchRequest(OwaContext owaContext)
    System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
    System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

    Inner Exception
    Exception type: System.DirectoryServices.Protocols.DirectoryOperationException
    Exception message: The server does not support the control. The control is critical.

    Call stack
    System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
    System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
    Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation)
    Microsoft.Exchange.Data.Directory.ADSession.Find(ADObjectId rootId, String optionalBaseDN, ADObjectId readId, QueryScope scope, QueryFilter filter, SortBy sortBy, Int32 maxResults, IEnumerable`1 properties, CreateObjectDelegate objectCreator, CreateObjectsDelegate arrayCreator)

  • #2
    Re: OWA doesn't authenticate against the DCs in child domains correctly

    I would be looking at your domain structure here.
    Do the Windows 2000 machines hold any roles? Global Catalogs?
    For some reason Exchange is referencing those instead of Windows 2003 machines and the authentication is failing. I have actually been recommending the total removal of Windows 2000 domain controllers from a forest with Exchange 2007.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.
