Client Access server %1 attempted to proxy Outlook Web Access traffic to Client Access server %2. This failed because the authentication for the connection between the two Client Access servers failed. This may be due to one of these configuration problems: 1. The host name in %2 may not be registered as a Service Principal Name (SPN) with Kerberos on the target Client Access server. This usually happens because you used the IP address, instead of the host name, of the target Client Access server in the “internalURL” configuration for the Outlook Web Access virtual directory on the target Client Access server. You can change the “internalURL” configuration for the target Client Access server using the “set-owavirtualdirectory” Exchange admin task. If you don’t want to change the “internalURL” configuration for the Outlook Web Access virtual directory on the target Client Access server, you can also use the tool “setspn.exe” on the target Client Access server to register additional SPNs for which that Client Access server will accept Kerberos authentication. 2.The server hosting %2 may be configured not to allow Kerberos authentication. It might be set to use Windows Integrated authentication for the Outlook Web Access virtual directory, but be configured to only use NTLM (not Kerberos) authentication for Windows Integrated authentication. See the IIS documentation for additional troubleshooting steps if you suspect this may be the cause of the failure.

Details
Product: Exchange
Event ID: 71
Source: MSExchange OWA
Version: 8.0
Symbolic Name: ProxyErrorAuthenticationToCas2Failure
Message: Client Access server %1 attempted to proxy Outlook Web Access traffic to Client Access server %2. This failed because the authentication for the connection between the two Client Access servers failed. This may be due to one of these configuration problems: 1. The host name in %2 may not be registered as a Service Principal Name (SPN) with Kerberos on the target Client Access server. This usually happens because you used the IP address, instead of the host name, of the target Client Access server in the “internalURL” configuration for the Outlook Web Access virtual directory on the target Client Access server. You can change the “internalURL” configuration for the target Client Access server using the “set-owavirtualdirectory” Exchange admin task. If you don’t want to change the “internalURL” configuration for the Outlook Web Access virtual directory on the target Client Access server, you can also use the tool “setspn.exe” on the target Client Access server to register additional SPNs for which that Client Access server will accept Kerberos authentication. 2.The server hosting %2 may be configured not to allow Kerberos authentication. It might be set to use Windows Integrated authentication for the Outlook Web Access virtual directory, but be configured to only use NTLM (not Kerberos) authentication for Windows Integrated authentication. See the IIS documentation for additional troubleshooting steps if you suspect this may be the cause of the failure.
   
Explanation

This error indicates that either Kerberos authentication has been misconfigured on the target Client Access Server or that the target Client Access server has not been configured to allow Kerberos authentication.

   
User Action

To resolve this error, do one or more of the following:

  • See the error text for possible causes and resolutions.

  • If you have difficulty resolving the issue, contact Microsoft Customer Support. For information about how to contact support, visit Microsoft Help and Support.

If you are not already doing so, consider running the tools that Microsoft Exchange offers to help administrators analyze and troubleshoot their Exchange environment. These tools can help you make sure that your configuration is in line with Microsoft best practices. They can also help you identify and resolve performance issues, improve mail flow, and better manage disaster recovery scenarios. Go to the Toolbox node of the Exchange Management Console to run these tools now. For more information about these tools, see Toolbox in the Exchange Server 2007 Help.

Related:

Leave a Reply