OWA 500 error, ECP works fine

Tags: exchange, exchange-2016, outlook-web-app

I'm getting a 500 error after logging in to OWA. I enter the credentials on the sign in form, it redirects to the frowny face with error 500. More details just shows my server name and the UTC date/time (I am -6 Central). However if I modify the URL from my.domain\owa to my.domain\ecp, I am immediately taken to the ECP. That seems to indicate that I am authenticating.

This happens for the 8 or 9 accounts I have tested. I have tested both internally and externally and with a variety of browsers and devices. Outlook still works and Android and iOS devices get email no problem. It is just the viewing of the mail items that is broken.

I have tried this fix from Microsoft: https://docs.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oauth-expired#resolution
I have also looked at Exchange Server 2016 OWA Error 500.

I have also recreated my OWA virtual directories (Remove-OwaVirtualDirectory then New-OwaVirtualDirectory).

This is Exchange 2016 on-prem on a Server 2012 R2 VM. No hybrid environment or other mail servers.

[PS] C:\scripts>Get-ExchangeServer | Format-List Edition, AdminDisplayVersion

Edition             : Standard
AdminDisplayVersion : Version 15.1 (Build 2242.4)

Thanks Ivan,

I am not aware of any accounts that can successfully access OWA. I've gotten a few trouble tickets from users and personally tested 8 or 9 accounts myself. This represents about 10% of my users.

This is the result of Test-ServiceHealth. The only service not running is Unified Messaging.

[PS] C:\Windows\system32>Test-ServiceHealth

Role                    : Mailbox Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeDelivery, MSExchangeIS, MSExchangeMailboxAssistants, MSExchangeRepl, MSExchangeRPC, MSExchangeServiceHost, MSExchangeSubmission, MSExchangeThrottling, MSExchangeTransportLogSearch, W3Svc, WinRM}
ServicesNotRunning      : {}

Role                    : Client Access Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeMailboxReplication, MSExchangeRPC, MSExchangeServiceHost, W3Svc, WinRM}
ServicesNotRunning      : {}

Role                    : Unified Messaging Server Role
RequiredServicesRunning : False
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeServiceHost, W3Svc, WinRM}
ServicesNotRunning      : {MSExchangeUM}

Role                    : Hub Transport Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeEdgeSync, MSExchangeServiceHost, MSExchangeTransport, MSExchangeTransportLogSearch, W3Svc, WinRM}
ServicesNotRunning      : {}

The default web site bindings for 443 and back end bindings for 444 are set to my GoDaddy cert which is valid until 6/22/2022.

I also ran Get-HealthReport, and I have lots of Unhealthiness: HubTransport, ECP, Search, OWA.Protocol, and a couple of UM HealthSets. Looking more deeply at the Search set, HostControllerSer…, SearchQueryFailur…, and SearchQueryStxMon… are Unhealthy.

I think I'm just going to spin up a new mail server and move the database.


I reinstalled the CU22 update, and this fixed my OWA issue. I also applied more patches and ran MSCert. My search services were stopped, so I restarted them and set them to Automatic (Delayed), and search has been working now too. When I mentioned all this to my boss in my weekly activity report, he told me of his thoughts on moving to M365 in 2023, but this convinced him that we should just move early. So now rather than standing up a new on-prem server I am prepping things for the cloud.

Best Answer

However if I modify the URL from my.domain\owa to my.domain\ecp, I am immediately taken to the ECP. That seems to indicate that I am authenticating

Did you encounter the same issue when accessing ECP? Is there any mailbox which can log on and access OWA successfully?

Please perform the below inspections, maybe they help:

  1. Run the following command in EMS (Exchange PowerShell) and see if the required services are running on your Exchange server: Test-ServiceHealth

  2. Navigate to the IIS manager and see the bindings of the default web site and the Exchange back end site (ports 443 and 444). By default, the default and back end sites are bound to the same self-signed certificate (Microsoft Exchange). If you have a commercial certificate, the default web site should be bound to this cert, and the back end site is still bound to the above self-signed cert.

  3. Check if there is any error or warning in the Event Viewer when using the 8 or 9 accounts to access OWA.

  4. Check if there is any HTTP redirect or URL rewrite configured for the OWA virtual directory. If there is, try to temporarily disable it and see if the issue still exists.

According to your output above, the current CU version of your Exchange server is CU20, which isn't the latest. I suggest you upgrade your Exchange to the latest version (but the CU upgrade will overwrite any customized Exchange or Internet Information Server (IIS) settings that you made in Exchange XML application configuration files on the Exchange server: Source).
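
The four inspections listed in this answer, collected into one script. This is an added example, not part of the original answer; it assumes the default IIS site names `Default Web Site` and `Exchange Back End`, the default `owa` path under each, and a one-hour event window chosen for illustration.

```powershell
# Added example; run in an elevated Exchange Management Shell on the server.
# Assumed: default IIS site names and a one-hour event window.
Import-Module WebAdministration
$sites = 'Default Web Site', 'Exchange Back End'

# 1. Roles whose required services are not all running
Test-ServiceHealth | Where-Object { -not $_.RequiredServicesRunning } |
    Format-List Role, ServicesNotRunning

# 2. Certificate behind each HTTPS listener: 443 (front end), 444 (back end)
$store = Get-ChildItem Cert:\LocalMachine\My
Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -in 443, 444 } | ForEach-Object {
    $tp = $_.Thumbprint
    $cert = $store | Where-Object { $_.Thumbprint -eq $tp }
    [pscustomobject]@{
        Port       = $_.Port
        Subject    = $cert.Subject
        # Self-signed means subject and issuer match; False if the cert is missing
        SelfSigned = ($cert -and ($cert.Subject -eq $cert.Issuer))
        NotAfter   = $cert.NotAfter
    }
} | Format-Table -AutoSize

# 3. Errors (level 2) and warnings (level 3) logged while reproducing the OWA sign-in
Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; Level = 2, 3; StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'MSExchange|ASP\.NET' } |
    Select-Object TimeCreated, Id, ProviderName, Message | Format-List

# 4. HTTP redirect and URL rewrite rules on the owa virtual directory of each site
foreach ($site in $sites) {
    $path = "IIS:\Sites\$site\owa"
    $redirect = Get-WebConfigurationProperty -PSPath $path `
        -Filter 'system.webServer/httpRedirect' -Name enabled
    # The rewrite section exists only when the URL Rewrite module is installed
    $rules = @(Get-WebConfiguration -PSPath $path `
        -Filter 'system.webServer/rewrite/rules/rule' -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Path            = $path
        RedirectEnabled = $redirect.Value
        RewriteRules    = $rules.Count
    }
}
```

With the bindings the answer describes, the row for port 444 shows `SelfSigned` as True.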