Issue: You need to deploy Exchange 2013 CU21.
Solution: The following step by step instructions will guide you through the Exchange 2013 installation process. This will be a new installation of Exchange 2013 using the CU21 media.
0) If you haven’t already done so, you first need to install the Exchange 2013 pre-requisites and prepare the AD Schema for Exchange 2013 CU21.
1) Download Exchange CU21, here is a convenience link to download the latest version of Exchange 2013.
2) Execute the downloaded CU21 file to extract the installer, choose the path you would like the installation files extracted to, make sure you choose a drive with plenty of free space
The installation files will be extracted:
3) open the folder you extracted the installation files, right click setup.exe and click ‘Run as administrator’.
4) click ‘next’ on the introduction (and review the license agreement).
5) Decide whether you want recommended settings or not for error reporting and usage data gathering:
6) Select the server roles that you desire. Whether you are setting up a single server or multi-server environment, Microsoft Preferred Architecture recommends all roles on each Exchange Server.
7) Choose the installation path for Exchange 2013 CU21 (I generally accept the defaults)
8) Next the readiness checks will commence. On all my CU21 installs I have been getting the error “Setup can’t contact the primary DNS server using TCP port 53”. I subsequently verify DNS functionality and have proceeded with ignoring the error and have not had any problems.
If any errors are encountered during the readiness checks / pre-requisite check then you will need to resolve the issues before continuing. You can use the ‘retry’ button to re-run the readiness checks.
9) Once the readiness checks are complete, proceed with setup. Exchange 2013 CU21 setup will copy files and other setup processes.10) Once setup completes it is recommended that you reboot the Exchange Server.
Next: proceed with Installing an SSL Certificate on Exchange 2013 and then configuring the Exchange 2013 External URL’s.
Chris, thank you for this article pretty helpful.
What brought me here was my attempt to sort out audiiscovery nightmare – where outlook clients just won’t connect in this case outlook 2013. OWA works well.
i am still being asked to log in..
i have attempted to remove the digital thirdparty cert and installed self-signed … configured etc.. IIS, IMAP & SMTP still..
i tried https://www.expta.com/2012/10/rpc-client-encryption-in-exchange-2013.html still won’t work — at first it worked — but had to sort of click cancel when username and password is asked for — strangely it works can send and receive mails.. but cannot give that to users .. so i reverted back and am back to prompts!
Outlook authentication prompts can be a tough one to solve and outside the scope of applying cumulative updates. Did you begin having that issue after applying a CU? I’d suggest you make sure all the exchange virtual directory URL’s match your certificate hostname: https://enterpriseit.co/microsoft-exchange/2013/configure-virtual-directories-eac/
Also make sure your SSL certificate is good to go and any intermediate certificates are installed. Make sure Outlook has the latest cumulative updates as well.
Hi All,
You might find it strange, I am struggling for the above issue for the past 3 days.
I am unable to login to ecp and owa via administrator account.
However when i tried to login with administrator@domain.com it works. Still when I try only administrator it give me below errors:
“You don’t have permission to open this page. If you’re a new user or were recently assigned credentials, please wait 15 minutes and try again.
or something went wrong :(”
Since its fix now i can say — ;-)
Hi Ajay, thanks for your comment. Were you able to find a permanent fix, or is your solution still logging in specifying the domain (user@domain.com)?
If this is still an issue I would recommend confirming that the OWA authentication settings are set to require username only:
1) Servers > Virtual Directories > select server that hosts OWA > click OWA and then click the ‘Wrench’ icon.
2) Click the Authentication tab.
3) Confirm forms-based authentication is selected.
4) Select the sign-in format that you want to use, in this case “Username Only” and click save.
Other ideas:
– If you have legacy Exchange servers in the environment, confirm your admin mailbox was moved to a 2013 server. I’ve seen where administrator mailbox being on the legacy server causes issues logging into OWA and Exchange Admin Center.
– Check the Checkbox of Doom on the administrator account in question
Can You please clarify first step. Server configuration from where?
Thanks
Thanks, I corrected the steps in my comment above for modifying the OWA virtual directory settings.
Hello
I install an AD on win2k8R2SP1 enterprise on a server.
then I install all exchange2013 prerequisite on another win2k8R2SP1 joined to AD and reboot.
Next I install exchange2013 cu5 successfully and reboot.
Now when I try to connect to OWA using administrator user, any thing is right.
But when I create a new user by ECP and tty yo connect to OWA, I see error message: “:-( something went wrong”. Please help me what should i do to correct this problem.
remember that all windows are clear initially.
Hi Gholam,
Do you have a previous version of Exchange in the environment? You will get the “:-( something went wrong” error if you are connecting to Exchange 2013 OWA but the mailbox of the user you created is on Exchange 2007 and you haven’t setup ‘legacy redirection’ yet. Make certain the new mailbox you created is actually on 2013. Just as a test, I would also check if Outlook works for the new user mailbox.
Chris
In fact, i install an AD and Exchange Server 2013 CU5 on Test Environment, without any other version of Exchange or other applications.
But, I found that if i promote the Exchange Server to AD Additiona Server, the problem solve. but i don’t like to do this in real environment.
Hi Chris
I installed no other version of exchange previous.
if it is possible to you, i suggest run a lab using win2k3r2sp1. add an add. join a mail server and install exchange 2013 cu5 on it. then create a new user (that in fact never created previous). then try to login OWA using this new user. it is important to install exchange on a server other that AD. You will See the ERROR that i discuss to you
Hi Gholam, I deployed CU5 at two clients last week and did not have the issue you describe. Are you creating the new mailboxes using Exchange Admin Center (found from the start menu)? You mentioned ECP but I would try EAC instead.
I read your last post where you mentioned promoting Exchange 2013 to a DC in your lab fixed the issue, this makes me think your issue is DNS/AD or Security related. Here are some things to check:
-Can you verify the TCP/IP stack on the Exchange Server, check the DNS settings make sure it points to valid DC’s for primary and secondary DNS.
-Make sure the account you are using to create users is member of Organization Administrators.
-Open the mailbox you created and verify OWA is enabled under ‘features’.
-Verify AD Health, if you are having AD replication issues then that could cause the issue in OWA, maybe the mailbox attribute did not replicate yet. See step 2 of this post: https://enterpriseit.co/microsoft-exchange/2013/prepare-ad-prepare-schema/
-This would be good to check as well “permission inheritance”: https://enterpriseit.co/microsoft-exchange/checkbox-of-doom/
Please let me know if one of the above resolves the issue?
Hi Chris,As you attend, i create new user by Exchange Admin Center (found from the start menu). but if you think of different way please tell me the URL of that one.
I create the new user by Administrator that is member of “Organization Management” group.
OWA is enabled for the new user.
I also think of an Access violation but colud not find its place. So for detail:
when i connect to OWA using a user other than Administrator i see the following Error Message On Web Screen:
——————————————————————
:-(
something went wrong
An unexpected error occurred and your request couldn’t be handled.
X-OWA-Error: System.ArgumentException
X-OWA-Version: 15.0.913.21
X-FEServer: MAILBOX
X-BEServer: MAILBOX
Date: 6/15/2014 5:39:55 AM
Fewer details…
refresh the page
——————————————————————-
and also i see the following Event logs added to Event viewer logs:
——————————————————————-
Log Name: Application
Source: MSExchange RBAC
Date: 6/15/2014 10:10:18 AM
Event ID: 258
Task Category: RBAC
Level: Error
Computer: MailBox.demo.local
Description:
(Process 10220, PID w3wp.exe)”RemotePS Public API Func GetApplicationPrivateData throws Exception Microsoft.Exchange.Configuration.Authorization.CmdletAccessDeniedException: The operation couldn’t be performed because ‘S-1-5-21-2900208030-1228596238-308441794-1131’ couldn’t be found.
at Microsoft.Exchange.Configuration.Authorization.ExchangeRunspaceConfiguration.GetGroupAccountsSIDs(IIdentity logonIdentity)
Log Name: Application
Source: MSExchange RBAC
Date: 6/15/2014 10:10:18 AM
Event ID: 23
Task Category: RBAC
Level: Error
Computer: MailBox.demo.local
Description:
(Process w3wp.exe, PID 10220) “Exchange AuthZPlugin Fails to finish method GetApplicationPrivateData due to application exception Microsoft.Exchange.Configuration.Authorization.CmdletAccessDeniedException: The operation couldn’t be performed because ‘S-1-5-21-2900208030-1228596238-308441794-1131’ couldn’t be found.
Log Name: Application
Source: MSExchange RBAC
Date: 6/15/2014 10:10:18 AM
Event ID: 15
Task Category: RBAC
Level: Error
Computer: MailBox.demo.local
Description:
(Process w3wp.exe, PID 10220) “RBAC authorization returns Access Denied for user S-1-5-21-2900208030-1228596238-308441794-1131. Reason: Call to NativeMethods.AuthzInitializeContextFromSid() failed when initializing the ClientSecurityContext. Exception: Microsoft.Exchange.Security.Authorization.AuthzException: AuthzInitializeContextFromSid failed for User SID: S-1-5-21-2900208030-1228596238-308441794-1131. —> System.ComponentModel.Win32Exception: No mapping between account names and security IDs was done
— End of inner exception stack trace —
———————————————————————-
It is all things that i can found for this error.
I hope that is useful to help me what can i do?
Hi Gholam,
Did you verify the health of AD, replication and check your DNS settings on your Exch server per my last reply? I would also verify you installed all of the Exchange 2013 Pre-Requisites (there are several related to IIS authentication):
Windows 2012 pre-requisites: https://enterpriseit.co/microsoft-exchange/install-exchange-2013-prerequisites-windows-2012/
Windows 2008 pre-requisites: https://enterpriseit.co/microsoft-exchange/exchange-2013-prerequisites-windows-server-2008-r2/
I feel like something is missing from your setup or you are have an AD issue auth issue or Exch can’t find a DC to auth with. That said I haven’t researched your specific event errors yet.
As a test you could try adding your problem test account into domain admins and organization admins to see if it works (just as a test).
I would check in Exchange Admin Center under recipients if this new mailbox shows up, maybe it’s not even getting created, that would explain those errors. I’ve had some issues on Exchange 2013 where a mailbox move shows as complete and it never moves at all, perhaps the same is happening with your new-mailbox command. I would try creating the mailbox using Exchange Management Shell (that’s what I did to work around the move request issue I mentioned). Here are some examples of creating mailboxes using the Management Shell: https://technet.microsoft.com/en-us/magazine/dd541641.aspx
Hi Chris,
All AD Service are health.All Prerequisites of win2k8r2sp1 are installed successfully except “Knowledge Base article KB2533623 (Insecure library loading could allow remote code execution” that i download all versions of this file but it returns “The update is not applicable to your computer”.
Also, I add the new user to “Domain Admin” and “Organization Management” groups, but the error continued.
Also Add a new user by Exchange Management Shell but the problem continued.
Hi Gholam,
I’ve provided just about all the ideas I have short of looking at it directly. If you would like me to look at the issue via join.me send me your best contact info and we can arrange a time:
https://enterpriseit.co/about/
In the meantime, if you do find a solution, please let me know what it was.
Hi Chris,
I try to download an evaluation version of windows 2008 r2 sp1 from microsoft web site and install exchange on it.
Now,ANY THING IS OK.
Thanks for any thing Chris.
Hi Gholam and Chris,
I’m wondering if SIDs mentioned in event log entries you posted are assigned to HealthMailbox* accounts in AD. I’m experiencing almost the same problem (only new users are unable to open OWA, but for those who used it before everything works) after installing CU5.
P.S. Exchange server is also DC, AD replication, DNS etc works OK :)
Regards
Andrzej