OWA can't access mailbox on new Exchange 2019 server

Question

OWA can't access mailbox on new Exchange 2019 server

Wang Lee (Admin) 20

Deployed new 2019 exchange mailbox server. But Exchange OWA can't access the mailboxes.

We currently running a mix 2016 and 2019 on-perm exchange environment and just deployed a new 2019 mailbox server. New mailbox database was created along with new mailboxes. The Outlook desktop client can access the mailbox on the new server. However, when using Oulook web OWA, it keep looping back to the login screen. It took the credential but just go back to the OWA login without any error.

This behavior is the same when trying to login to OWA from internal netowrk or from the internet.

I checked the AutoDiscoverService URLs and all servers are different but using the same format: "serverhostname".domain.com/owa

The Exchange Server Auth Certificate is present on the server and valid.

Accepted answer

2 additional answers

Your answer

Answer 1

Hi @Wang Lee (Admin) ,

Glad to hear this issue has been resolved, and much appreciation for your sharing!

However, due to the forum policy update, the author of the question is now unable to accept his/her own answer. Therefore, I have written a short summary of how to solve this problem. Please accept it as an answer so that others who are going through the same thing can more easily refer to this.

Issue:

Deployed new 2019 exchange mailbox server. But Exchange OWA can't access the mailboxes. The Outlook desktop client can access the mailbox on the new server. However, when using Oulook web OWA, it keeps looping back to the login screen. It took the credential but just go back to the OWA login without any error.

After some testing with the https://locahost/owa URL, here are the results.

4 mailbox servers, mail2019_01 and mail2019_02 are exchange 2019. mail2016_01 and mail2016_02 are exchange 2016.

Everything works fine except https://mail2016_01/owa and https://mail2016_02/owa can't open the mailbox on server mail2019_02. The Exchange 2016 OWAs can open mailbox on all other mail servers, but mail2019_02.

Cause:

Extended Protection was enabled on the 2019_02 server.

Solution:

Once I disabled it, both the 2016 OWA can access the 2019_02 mailbox.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

Hien-L 1,910 Microsoft External Staff

Hi @Wang Lee (Admin) ,

Thank you for posting your question in the Microsoft Q&A forum.

Based on your description, here are some suggestions for you:

When we login OWA, Autodiscover will not be used. So, we have to check OWA virtual directory configuration: Get-OwaVirtualDirectory | Format-List Identity,InternalUrl, ExternalUrl Also, the AutoDiscoverServiceInternalUri should be set to use the format https://autodiscover.domain.com/Autodiscover/Autodiscover.xml instead of “/owa”
Does the issue only occur with mailboxes on Exchange 2019? Do mailboxes on Exchange 2016 login OWA successfully? If so, please login OWA with the following url on Exchange 2019 to see if the issue persists: https://localhost/owa https://server_ip/owa
When you reproduce the issue on specific Exchange server, please check application logs from event viewer. We can check if any error events generated at that time. Those error information may be helpful for further investigation.
There could be several suth certificates on Exchange server. Please use the following command on each Exchange server, we need to double-confirm if the specific auth certificate that set for AuthConfig exists on each Exchange server: (Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate | Format-List

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Wang Lee (Admin) 20 Reputation points

2025-04-29T18:38:02.9266667+00:00

Hi Hien,

After some testings with the https://locahost/owa URL, here are the results.

4 mailbox servers, mail2019_01 and mail2019_02 are exchange 2019. mail2016_01 and mail2016_02 are exchange 2016.

Everything works fine except https://mail2016_01/owa and https://mail2016_02/owa can't open the mailbox on server mail2019_02. The Exchange 2016 OWAs can open mailbox on all other mail servers, but mail2019_02.

I verified the Auth Cert on all 4 servers and they are identifical and using the same certificate.

No application log was generated when authenticating the mail2019_02 mailbox from the 2016's OWA.

Wang Lee (Admin) 20

Ran Healthchecker on both the 2019 server. On the 2019_02 server this section is missing from the Healthchecker result

Not sure if this has anything to do with my issue.

Default Web SiteValue SupportedValue ConfigSupportedConfigSecure RequireSSL ClientCertificateIPFilterEnabled

    ---------------------  -------------- ---------------------------  ----------     --------------------------------

    API            None   Require        True           False         True           Ignore         False

                                                                      (128-bit)

    Autodiscover   None   None           True           True          True           Ignore         False

                                                                      (128-bit)

    ECP            None   Require        True           False         True           Ignore         False

                                                                      (128-bit)

    EWS            None   Allow          True           False         True           Ignore         False

                                                                      (128-bit)

    Microsoft-Ser  None   Allow          True           False         True           Ignore         False

    ver-ActiveSyn                                                     (128-bit)

    c

    Microsoft-Ser  None   Allow          True           False         True           Ignore         False

    ver-ActiveSyn                                                     (128-bit)

    c/Proxy

    OAB            None   Allow          True           False         True           Ignore         False

                                                                      (128-bit)

    Powershell     None   None           True           True          False          Accept         False

    OWA            None   Require        True           False         True           Ignore         False

                                                                      (128-bit)

    RPC            None   Require        True           False         True           Ignore         False

                                                                      (128-bit)

    MAPI           None   Require        True           False         True           Ignore         False

                                                                      (128-bit)

    Exchange Back EndValue  SupportedValue ConfigSupportedConfigSecure  RequireSSL     ClientCertificateIPFilterEnabled

    ----------------------  -------------- ---------------------------  ----------     --------------------------------

    API            None   Require        True           False         True           Ignore         False

                                                                      (128-bit)

    Autodiscover   None   None           True           True          True           Ignore         False

                                                                      (128-bit)

    ECP            None   Require        True           False         True           Ignore         False

                                                                      (128-bit)

    EWS            None   Require        True           False         True           Ignore         False

                                                                      (128-bit)

Hien-L 1,910 Reputation points Microsoft External Staff

2025-04-30T08:19:49.08+00:00

Hi @Wang Lee (Admin) ,

Thanks for your reply.

Do you mean some IIS VD settings cannot be found with Healthchecker script?

Please open IIS manager on mail2019_02, check if any virtual directories are missing the Default Web Site and the Exchange Back End.

Please also try to use the following command to recreate OWA virtual directory for mail2019_02. Then check if issue persists:

Get-OwaVirtualDirectory -Server "mail2019_02" -ShowMailboxVirtualDirectories

Get-OwaVirtualDirectory -Server "mail2019_02" -ShowMailboxVirtualDirectories | Remove-OwaVirtualDirectory

New-OwaVirtualDirectory -Server "mail2019_02" -InternalUrl "https://mail.contoso.com/owa" -ExternalUrl "https://mail.contoso.com/owa"

New-OwaVirtualDirectory -server "mail2019_02" -WebSiteName 'Exchange Back End'

Answer 3

Wang Lee (Admin) 20

I figured out the issue. Extended Protection was enabled on the 2019_02 server. Once I disabled it, both the 2016 OWA can access the 2019_02 mailbox.

Share via

OWA can't access mailbox on new Exchange 2019 server

2 additional answers

Your answer