question

Tyler-4246 avatar image
0 Votes"
Tyler-4246 asked YukiSun-MSFT commented

Local EWS error: The request failed. The remote server returned an error: (401) Unauthorized.

Hello. I have exhausted all my options and troubleshooting. And I have spent hours reading every article related to this and haven't found a solution. Would be something wonderful if someone could offer some assistance.

I will try to give as much details as possible. . .

One of my responsibilities is a server application administrator. We have this digital signage application in our company that pulls calendar information from a particular mailbox. This application is working fine in our production environment. The current servers are end of life and need to be refreshed, so we are standing up the application on new servers. (Old ones are Server 2012 and new ones Server 2019). We have application vendor support and everything is installed and working except this EWS piece. The vendor has described their API as "dumb" in that it doesnt do anything complex. When trying to fetch the data through EWS it returns the error: "The request failed. The remote server returned an error: (401) Unauthorized." On the current working server it returns "success" and with the data requested. Let me mention that all of our servers are internally facing and none of them have access to the internet by design.

Removing the application variable, I can go to the URL in the API in Internet Explorer: https://mail.OURDOMAIN.com/EWS/exchange.asmx (if this works then the API should work)

When I hit that URL, it prompts me for credentials. I supply a service account's creds that have been granted access to the particular mailbox I am trying to pull data from. From the current (working) prod server, it returns a webpage that says "SERVICE: You have created a service. To test this service, you will need to create a client and use it to call the service. You can do this using the svcutil.exe tool from the command line with the following syntax...." (Success)

When I hit that URL on the new (not working) server, it just keeps prompting me for the credentials. After the 3rd time, it just gives me a white page.

Since it works on the current server, that would rule out any issues with the service account (permissions on the exchange side, locked account, or invalid password). I am copy and pasting the account name and password so it isnt an issue of mistyping.

The real issue is that I have little exchange experience and our exchange servers and service are run by a third party contractor. I have ZERO visibility on that side of the fence. I have a point of contact (admin), but he just says there is nothing to configure on the exchange side. It just "should work". He is adamant it is something on the app server side. The app vendor and I have spent hours troubleshooting and both agree it looks like something on the exchange side. So basically we are at a standstill pointing fingers at each other.

The exchange admin said that it maybe how IE is configured or antivirus but I went down line by line in the IE options and made sure both servers are identical. And the AV is the same on both servers. Also, I have another 2012 server I have access to and tried to hit the URL with the service account creds and it behaves the same as the new (NOT WORKING) server. It just keeps asking for creds and then gives a blank white page after 3 attempts. This would suggest that it is NOT a difference between the new 2019 server and the old 2012 server OS. It would also suggest that something is configured specifically for the current prod server to work with EWS. I just cant figure out where. And I dont know what to tell the exchange admin to check because I havent found anything online to suggest. And I also cant just go poking around myself because I dont have access to that side of the company (exchange servers).

Does anyone have any suggestions on what to do to troubleshoot or configure on either the app server or exchange server? We are dead in the water currently. (production is working, but we cant move forward with the new refreshed servers until this EWS portion is working).

Thanks in advance!


office-exchange-server-administrationoffice-exchange-server-connectivity
· 6
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi @Tyler-4246,

When I hit that URL on the new (not working) server, it just keeps prompting me for the credentials. After the 3rd time, it just gives me a white page.

Have you tested using different web browsers and see how it goes?
What's the version of the Exchange server?
From the description, do you mean the EWS url works fine on all the old Windows server 2012 in the production environment, while the non-working servers(new 2019 server and the "another 2012 server") are in a different test environment, right?

I tried searching a lot about the EWS url white page issue but hardly find any information useful. Given this, if possible, I'd suggest trying to contact your Exchange administrator and check if he can collect the things below to see if more clues can be found ?

  1. Check the Event Viewer on the server and see whether there any potentially relavant events generated when the failed EWS requests occurs.

  2. On one of the problematic servers, go to the IIS log path(%SystemDrive%\inetpub\logs\LogFiles), check if there's any error recorded in the logs when you failed to access the EWS url.


If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

0 Votes 0 ·

Yes, I have tried using both IE and Edge. Both do the same. Act like they are not accepting credentials. And I have confirmed credentials are valid (using copy and paste so no, not mistyping either) because they work on the current prod server.

Our Exchange server is 2016. And yes, the EWS URL works fine on the old windows 2012 server in production. The application API and just hitting the URL from IE work in production. I have another 2012 server in production (different application server) that the URL does NOT work on. This would tell me that it is NOT a difference in the OS (2019 vs 2012). Something is configured either on the local server or on the exchange side to specifically allow the current 2012 production server to work/talk to Exchange.

The Exchange Administrator has looked at the logs on the Exchange side and he says he sees the error when I try to connect but it just says "unauthorized" and no other helpful information. Basically the same we are seeing on the client side.

I appreciate your interest in helping me with this issue. Still need assistance.

0 Votes 0 ·

Hi @Tyler-4246,

Just checking in to follow up with this thread. Feel free to post back if there's any update or there's anything we can do to help with this issue.

1 Vote 1 ·
Show more comments

Hi @Tyler-4246,

From the perspective of Exchange, it's suggested to run the command below on both the working and non-working Exchange environment, verify the EWS url typed in the browser is correct, and the authentication settings for the EWS virtual directory are the same in both environments:

 Get-WebServicesVirtualDirectory | fl name,*iden*,*url*,*auth*

136190-1.png

Besides, based on my research regarding the "(401) Unauthorized", sometimes this could be due to the format of the credentials. Here's a link for reference: Exchange Web Service API and 401 unauthorized exception
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.


If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


0 Votes 0 ·
1.png (24.8 KiB)
Tyler-4246 avatar image
1 Vote"
Tyler-4246 answered

I appreciate everyone's help. I figured out what was wrong. The service account I was using to make the connection needed to be whitelisted on the new servers. This was something I didnt realize needed to be done from an Active Directory standpoint. I thought it had to be associated with servers when trying to LOGIN or run services ON the server. But apparently, it's bidirectional. It also has to be whitelisted to be able to "talk" FROM a server. So when the Exchange server was responding "unauthorized" it was talking about the service account credentials. I had our AD admin add the 3 new servers to the service account whitelist and it immediately started working. This was a lack of knowledge on my part. Hope this helps someone else in the future. Again, thanks for the assistance.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

GlenScales-6756 avatar image
0 Votes"
GlenScales-6756 answered

Have you tried the Microsoft Remote Connectivity Analyzer EWS test eg https://testconnectivity.microsoft.com/tests/O365EwsAccess/input if this fails as well it should give you a better debug output to go back to the Admin about what might be the issue or if it works then you know it something in app code.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.