Thursday, 19 May 2022

Cannot open ECP via On-Prem Exchange


Situation:

We had migrated all our employees to Exchange Online and decommissioned the on-prem Exchange servers that hosted the user databases. We retained one on-prem Exchange Server 2013 CU22 server purely for SMTP application relay. We also created a new on-prem database with two user mailboxes. However, with those users we were not able to log in to the on-prem ECP.

There were no issues logging in to the Exchange Online admin center.

What errors do you see? 

:-( Something went wrong We can't get that information right now. Please try again later 


What's the environment and are there recent changes? 

Exchange Server 2013 CU22 on Windows Server 2012 R2.

Our mailboxes (...domain) have been migrated to Exchange Online.

We keep the on-prem Exchange server so that application servers hosted in Azure can relay mail through it. We noticed that the on-prem ECP was not accessible. There is a single database and two mailboxes on the on-prem server.

What have you tried to troubleshoot this? 

Verified that the on-prem database and the two user accounts exist on the on-prem Exchange server, but we still cannot log in via https://localhost/ecp.

Resolution:

ECP cannot be opened because requests to https://localhost/ecp are being redirected to Office 365.

We checked the IIS HTTP Redirect setting on the Default Web Site (the front-end site): no redirect configured.

We checked HTTP Redirect on the ecp virtual directory: no redirect configured.

We found HTTP Redirect configured on the owa virtual directory, pointing at the Office 365 portal. This also affects ECP because the ECP sign-in uses the OWA forms-based logon page (/owa/auth/logon.aspx), so a redirect on /owa catches ECP logons as well.

We unchecked that redirect and were able to access ECP successfully.
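The same check and fix from PowerShell, as an added example that is not part of the original post. It assumes an elevated PowerShell session on the Exchange 2013 server with the IIS WebAdministration module available, and that the front-end site is still named "Default Web Site":

```powershell
# Added example (not from the original post): enumerate the IIS HTTP Redirect setting on the
# Exchange front-end site and its owa/ecp virtual directories, clear the one on /owa that is
# sending local ECP logons to Office 365, and verify where https://localhost/ecp now goes.
# Assumes an elevated session on the Exchange 2013 server with the WebAdministration module.
Import-Module WebAdministration

# Paths to inspect. The back-end site (Exchange Back End) normally needs no change.
$paths = @(
    'IIS:\Sites\Default Web Site',
    'IIS:\Sites\Default Web Site\owa',
    'IIS:\Sites\Default Web Site\ecp'
)

function Get-HttpRedirectState {
    param([string[]]$PSPath)
    foreach ($p in $PSPath) {
        $r = Get-WebConfiguration -PSPath $p -Filter 'system.webServer/httpRedirect'
        [pscustomobject]@{
            Path             = $p
            Enabled          = [bool]$r.enabled
            Destination      = $r.destination
            ExactDestination = [bool]$r.exactDestination
            ChildOnly        = [bool]$r.childOnly   # "only this directory, not subdirectories"
        }
    }
}

Get-HttpRedirectState -PSPath $paths | Format-Table -AutoSize

# Clear the redirect on /owa if it is enabled (this is the one that also catches /owa/auth,
# and therefore the ECP logon page).
$owa   = 'IIS:\Sites\Default Web Site\owa'
$state = Get-WebConfiguration -PSPath $owa -Filter 'system.webServer/httpRedirect'
if ($state.enabled) {
    Write-Host "Disabling HTTP redirect on $owa (was -> $($state.destination))"
    Set-WebConfigurationProperty -PSPath $owa -Filter 'system.webServer/httpRedirect' -Name 'enabled' -Value $false
    # Clear the destination too so a later re-enable does not silently reuse the old target.
    Set-WebConfigurationProperty -PSPath $owa -Filter 'system.webServer/httpRedirect' -Name 'destination' -Value ''
}

# Verify: /ecp should now answer locally (normally a 302 to /owa/auth/logon.aspx on this host),
# not a 302 whose Location points at Office 365. Certificate validation is relaxed only for
# this local check because the server certificate may not match "localhost".
[Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
try {
    $resp = Invoke-WebRequest -Uri 'https://localhost/ecp' -MaximumRedirection 0 -UseBasicParsing -ErrorAction Stop
    Write-Host "HTTP $($resp.StatusCode) from /ecp"
} catch {
    $r = $_.Exception.Response
    if ($r) { Write-Host "HTTP $([int]$r.StatusCode) -> Location: $($r.Headers['Location'])" } else { throw }
}
```

If you still want users who type the old OWA URL to land on Office 365, an alternative worth testing instead of removing the redirect outright is to keep it on /owa but enable "Only redirect requests to content in this directory (not subdirectories)" (the childOnly flag above), which leaves /owa/auth, and therefore the ECP logon, untouched.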

Password Policies and Recommendations


As per the Microsoft baseline recommendation, it is good practice to tighten the account lockout threshold from 15 invalid logon attempts to 10.

The minimum password length is 8 characters as per Microsoft guidelines (Password policy recommendations - Microsoft 365 admin | Microsoft Docs).

The Windows security baseline recommends configuring a threshold of 10 invalid sign-in attempts.

Account lockout threshold (Windows 10) - Windows security | Microsoft Docs
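To check the default domain policy against the two values quoted above and correct it, here is an added example (not from the original post). It assumes the ActiveDirectory RSAT module, Domain Admin rights, and that a lockout threshold of 10 and a minimum length of 8 are the targets your organisation has agreed on:

```powershell
# Added example (not from the original post): compare the default domain password and lockout
# policy with the baseline values quoted above and apply only the settings that fall short.
# Assumes the ActiveDirectory module and Domain Admin rights; target values are assumptions.
Import-Module ActiveDirectory

$baseline = @{
    LockoutThreshold  = 10   # Windows security baseline: 10 invalid sign-in attempts
    MinPasswordLength = 8    # Microsoft 365 guidance: 8-character minimum
}

function Test-DomainPasswordBaseline {
    param([hashtable]$Baseline)
    $policy = Get-ADDefaultDomainPasswordPolicy
    foreach ($name in $Baseline.Keys) {
        $actual   = [int]$policy.$name
        $expected = [int]$Baseline[$name]
        if ($name -eq 'LockoutThreshold') {
            # 0 means "never lock out", which is weaker than any threshold, so it is not compliant;
            # otherwise a lower threshold than the baseline is stricter and still compliant.
            $ok = ($actual -ne 0) -and ($actual -le $expected)
        } else {
            $ok = $actual -ge $expected
        }
        [pscustomobject]@{ Setting = $name; Actual = $actual; Expected = $expected; Compliant = $ok }
    }
}

$report = Test-DomainPasswordBaseline -Baseline $baseline
$report | Format-Table -AutoSize

# Build a splat of only the non-compliant settings and apply it (remove -WhatIf to commit).
$fix = @{}
foreach ($row in ($report | Where-Object { -not $_.Compliant })) { $fix[$row.Setting] = $row.Expected }
if ($fix.Count -gt 0) {
    Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName @fix -WhatIf
}

# Fine-grained password policies (PSOs) override the default domain policy for the principals
# they apply to, so a compliant default does not mean every account is covered. List them too.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, LockoutThreshold, MinPasswordLength, AppliesTo
```

Run the first part read-only first; the -WhatIf on Set-ADDefaultDomainPasswordPolicy shows what would change without touching the domain.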

Check Group Policies applied to a User Account and Computer

Resultant Set of Policy

There is a built-in tool called "Resultant Set of Policy" (RSoP) that reports the Group Policy settings actually applied to a computer and user (logging mode) or simulates what would apply (planning mode). It acts as a query engine that polls the existing policies linked at site, domain, domain controller, and organizational unit level, and then reports the result of those queries.

To launch Resultant Set of Policy, press Win + R to fire up the Run dialog box, type rsop.msc, and press Enter.

The tool fires up and scans the active policies and displays them within the tool. You will still need to go through the folders to find out each active policy applied to the account and computer.

GPResult

Alternatively, there is also a command-line tool called GPResult that you can use to collect the active Group Policy settings. Open a Command Prompt and run the following command.

gpresult /scope user /v

This shows all the active policies applied to the current user. To find all policies applied to the PC, run the following instead in an elevated Command Prompt window.

gpresult /scope computer /v

You can also use GPResult to gather the Group Policy settings applied to a particular user account on a remote computer:

gpresult /s computername /u username /p password /user targetusername /scope user /r

Or all Group Policies applied to a remote computer:

gpresult /s computername /u username /p password /scope computer /r

Note that /r displays RSoP summary data, /v displays verbose policy information and /z displays everything; /x <file> or /h <file> writes the same report as XML or HTML. If you omit /p, gpresult prompts for the password, which keeps it out of the command history and the process list; prefer that to typing it on the command line.
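Putting the remote GPResult run together with a parser for its XML output, as an added example that is not part of the original post. The server name SRV01, the admin account CONTOSO\admin and the target user CONTOSO\jsmith are placeholders; the script reads the element names of gpresult's XML report (Rsop/ComputerResults and Rsop/UserResults, each holding GPO entries):

```powershell
# Added example (not from the original post): collect the RSoP for a user on a remote computer
# as XML with gpresult, then list which GPOs were applied and which were filtered out.
# SRV01, CONTOSO\admin and CONTOSO\jsmith are placeholders. /p is deliberately omitted so
# gpresult prompts for the password instead of leaving it in the history or process list.
$computer   = 'SRV01'
$adminUser  = 'CONTOSO\admin'
$targetUser = 'CONTOSO\jsmith'
$report     = Join-Path $env:TEMP "rsop-$computer.xml"

# /x writes the full report (both scopes unless /scope is given); /f overwrites an existing file.
& gpresult /s $computer /u $adminUser /user $targetUser /x $report /f
if ($LASTEXITCODE -ne 0) { throw "gpresult failed with exit code $LASTEXITCODE" }

function Get-AppliedGpo {
    # Parse the gpresult XML report. PowerShell's XML adapter walks the elements by name,
    # so the report's default namespace does not need to be declared.
    param([Parameter(Mandatory)][string]$Path)
    $xml = [xml](Get-Content -LiteralPath $Path -Raw)
    foreach ($scope in 'ComputerResults', 'UserResults') {
        foreach ($gpo in $xml.Rsop.$scope.GPO) {
            [pscustomobject]@{
                Scope    = $scope -replace 'Results$', ''
                Name     = $gpo.Name
                LinkedAt = (@($gpo.Link) | ForEach-Object { $_.SOMPath }) -join '; '
                Status   = $gpo.FilteringStatus     # Applied, or Denied with a reason
                Reason   = $gpo.FilteringReason
            }
        }
    }
}

Get-AppliedGpo -Path $report | Sort-Object Scope, Name | Format-Table -AutoSize

# The same parser works on a local report; the computer scope needs an elevated prompt:
#   gpresult /scope computer /x "$env:TEMP\rsop-local.xml" /f
```

The Status and Reason columns are what a summary (/r) hides: a GPO that is linked but shows as Denied (security filtering, a WMI filter, or a disabled link) explains a setting that "should" be applied but is not.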