About Me

This is a blog for John Weber. One of my joys in life is helping others get ahead in life. Content here will be focused on that from this date forward. John was a Skype for Business MVP (2015-2018) - before that, a Lync Server MVP (2010-2014). I used to write a variety of articles (https://tsoorad.blogspot.com) on technical issues with a smattering of other interests. I have a variety of certifications dating back to Novell CNE and working up through the Microsoft MCP stack to MCITP multiple times. FWIW, I am on my third career - ex-USMC, retired US Army. I have a fancy MBA. The opinions expressed on this blog are mine and mine alone.

2013/06/06

Exchange 2010 EMC & EMS winrm “access is denied”

Four hours of my life gone. 

I had a customer call and say that on ONE of their Exchange 2010 servers the EMC would not open. 

The Situation

The EMS would give this error:  “Connecting to remote server failed with the following error message : Access is denied.” PowerShell would then happily connect to another server in the site. 

The EMC would simply go nowhere with a message that “kerberos authentication failed.”  How nice.

My user was in the Organization Management group, domain admins, and almost everything else needed to install, configure, and be a super-admin in Exchange 2010.  The server was a member of the Exchange Servers group.  The server, a multi-role server, was still hosting active mailboxes and delivering mail.  OWA worked just fine.  There were no user complaints of Exchange services not being rendered in any way, shape, or form.  Just that the EMC would balk at the failed Kerberos and then be useless, and the EMS would not connect locally, but would connect to another server.

We checked: IIS, PowerShell vdir, perms, auth, bindings, winrm quickconfig, net time, SPNs, user accounts, Exchange component group membership, IIS web.config files.  We removed registry entries, files and folders in the user profile, and spattered chicken blood on the walls.  I must have read about 100 different websites, blogs, and forums.  They all had the same information, and none of it worked.  Some of the advice was inane, recommending removing Exchange, or just slapping in the next SP.  Take a gander at this forum thread; it contains a pretty good approximation of the issue and the failed resolution.

The Fix

I then found this article. Down at the bottom, there was a suggestion that this could be a certificate problem, but the solution was to put the self-signed Exchange server cert into the Trusted Root store – see below.  This just had to be wrong, right?  WTF?

image

Figuring that I had already failed for the last 225 minutes, I had nothing to lose.  Well, what do you know!  15 seconds of copy and paste, and the EMC and the EMS are functioning normally again. I then removed the self-signed cert from that store, and the EMC and EMS still work.  Having trepidations over that action of removing the cert that appears to have resolved the issue, I put the cert back into the Trusted Root store just to be safe and retested.  Still works.
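To see the state this fix changes before touching anything, here is an added example (not from the original post or the article it cites). It lists the self-signed certificates in the local computer Personal store, reports whether each is also in Trusted Root and how its chain validates, and provides the copy step as a separate function. The function names `Get-SelfSignedTrustReport` and `Add-CertToTrustedRoot` are hypothetical; run it from an elevated PowerShell session on the affected server.

```powershell
# Added example. Uses only the Cert: drive and .NET X509 classes.
function Get-SelfSignedTrustReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    # Thumbprints already present in the machine Trusted Root store
    $rootThumbs = @(Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { $_.Thumbprint })

    Get-ChildItem $StorePath |
        Where-Object { $_.Subject -eq $_.Issuer } |   # self-signed: subject equals issuer
        ForEach-Object {
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            # Self-signed certs publish no CRL; skip revocation to isolate the trust result
            $chain.ChainPolicy.RevocationMode =
                [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
            $builds = $chain.Build($_)
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            New-Object PSObject -Property @{
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                InTrustedRoot = ($rootThumbs -contains $_.Thumbprint)
                ChainBuilds   = $builds     # False with UntrustedRoot when not in Root
                ChainStatus   = $status
            }
        }
}

function Add-CertToTrustedRoot {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

    # Copy only the public certificate; the private key stays in the Personal store
    $public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList (,$cert.RawData)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $store.Open('ReadWrite')
    try { $store.Add($public) } finally { $store.Close() }
}

# Read-only report; review it before calling Add-CertToTrustedRoot with a thumbprint
Get-SelfSignedTrustReport |
    Format-Table Subject, Thumbprint, NotAfter, InTrustedRoot, ChainBuilds, ChainStatus -AutoSize
```

Running the report before and after the change records which thumbprint was trusted, which makes the change easy to audit or reverse later.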

I sit here, pondering on how and why this fix worked.  And I cannot come up with a good answer.  Maybe someone, someday, can explain it to me.

YMMV

2 comments:

Argahlji said...

Where did you remove the cert from? Local User Computer or Exchange Server?

tsoorad said...

Argahlji, the cert is removed from the local computer personal container.
