Exchange 2013 OWA Mailbox policy issue cause of OWA error?
Within Exchange 2013 you can have OWA (Outlook Web App) Mailbox policies, in which an Exchange Admin can determine which features within OWA are available to users. By default, there’s a default policy with all options enabled, but you can have more policies and configure them at will and assign them to Mailbox-enabled users according to the organization’s needs.
In this case we wanted to completely disable the Text Messaging option, as it offers no additional functionality for this organization. Disabling it prohibits unnecessary confusion with end users. The same is for the OWA IM integration option; it is very possible you don’t want every user Lync-enabled but still Mailbox-enabled. When IM integration is configured, the IM Login option is visible for everybody but only works for those who are Lync-enabled. This could potentially be confusing and therefore OWA Mailbox policies, in this case, are a great way to limit user confusion.
However, we ran into an issue within this environment. Disabling Text Messaging (in the default OWA Mailbox Policy) caused some issues within the OWA options screen. I haven’t checked the other options whether they also cause issues, but for now I’ll assume it’s only the case with the Text Messaging option.
Even though I should have access to Call Answering rules (via Options > Phone > Voice Mail) because my mailbox is UM enabled within Exchange, I can’t manage them. A http 500 server error is presented in the frame where the rules should be as you can see in the screenshot below. Luckily, it’s just this screen and I can still navigate to other options without any problem.
This looks like a bug, I’ve seen more during the RTM build in OWA (setting Calendar permissions also generated similar errors). A bit annoying, but I decided to create a second policy with everything enabled again because I gathered the errors will be fixed in the future. The servers were already on CU1, so currently no new update exists that could potentially fix it.
Unfortunately that didn’t fix the issue! I changed the OWA Policy several times, but the error remained. I’ve moved the mailbox to another database, disable the UM features of the mailbox (and re-enabled them shortly thereafter) but all to no avail…
Some further investigation in the event log of the corresponding Client Access Server I was load balanced to, showed a little more insight in what is going wrong:
Log Name: Application
Source: MSExchange Control Panel
Date: 27-5-2013 22:14:02
Event ID: 4
Task Category: General
Current user: ‘contoso.local/Contoso/Users/Test/Test Kees’
Request for URL ‘https://ex02.contoso.local:444/ecp/Customize/Voicemail.aspx?showhelp=false(https://mail.contoso.com/ecp/Customize/Voicemail.aspx?showhelp=false)’ failed with the following error:
System.Web.HttpUnhandledException (0x80004005): Exception of type ‘System.Web.HttpUnhandledException’ was thrown. —> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. —> Microsoft.Exchange.Configuration.Authorization.CmdletAccessDeniedException: You don’t have permission to open this page. If you’re a new user or were recently assigned credentials, please wait 15 minutes and try again.
If you notice the bold emphasis (added by me) the underlying cause is apparently a permission issue. Which makes sense, as what that is what OWA Mailbox policies do (next to changes in UI).
It made me think whether there is another option to change permissions in what user can and can’t do. Within Exchange 2013 you can have RBAC (Rights Based Access Control) User Roles of which an example is shown here (partly, within EAC > Permissions > User Roles).
Two options were interesting: MyTextMessaging and MyVoiceMail. I’ve enabled them in a new policy (with all other enabled options in the default policy), although MyVoiceMail is already enabled in the Default Role Assignment Policy.
First I’ve changed the mailbox policy to one that doesn’t disable Text Messaging. You can do that in the EAC via Recipients >DoubleClick Mailbox enabled User > Mailbox Features and scroll down to Email Connectivity and press View Details (highlighted below in screenshot).
Now select the OWA Mailbox Policy that does not have the Text Messaging option disabled.
I’ve then assigned this Role Assignment Policy to this specific mailbox, to the policy that I created earlier (see previous screenshot). This is key, even if they are the same, changing the assigned Role Assignment Policy somehow corrects the permissions within OWA for this user.
It can take a while (probably no longer than 15 minutes) for permissions to be active, but after that you can happily manage Call Answering rules again within OWA (which is the only place for users).
It looks like disabling the Text Messaging option within an OWA Mailbox policy has some unexpected side-effects on UM enabled mailboxes within Exchange 2013 with CU1.
The side-effects are two-fold: First issue is that Call Answering rule management isn’t possible. The second issue is that changing the OWA Mailbox policy back again didn’t resolve the issue. Only by changing and applying another Role Assignment Policy (with correctly enabled options) resolves this latter issue.
If memory serves me right, this bug wasn’t present within the RTM build.