exchange all virtual directory error: An IIS directory entry couldn't be created. The error message is Access is denied.

Andry Haretonuyk 0

Здравствуйте,

при попытке изменить свойство "проверка подлинности" в ECP возникает ошибка:

Не удалось создать запись каталога служб IIS. Сообщение об ошибке - Access is denied. . HResult = -2147024891

при попытке сбросить виртуальный каталог в ECP ошибка: Exception has been thrown by the target of an invocation.

при этом в PowerShell виртуальные директории пересоздаются и никаких ошибок не возникает

2 answers

Jake Zhang-MSFT 6,850 Reputation points Microsoft Vendor

2024-10-15T02:18:26.0033333+00:00
Hi @Andry Haretonuyk，

Welcome to the Microsoft Q&A platform!

Based on your description, you are experiencing a permissions issue when trying to change the "Authentication" properties in the Exchange Control Panel (ECP). The error message "Access is denied. HResult = -2147024891" usually means that the required permissions for the action you are trying to perform are not in place.

Here are several things you can check and try:

Make sure the Exchange Trusted Subsystem group has the appropriate permissions. This group should have Full Control permissions to the Default Web Site in IIS:

Open IIS Manager.

Navigate to Sites > Default Web Site.

Right-click the Default Web Site and select Permissions.

Add the Exchange Trusted Subsystem and grant Full Control permissions.

Restart IIS and the Exchange server.

Check the identity of the application pool used by the Exchange virtual directory. It should run under "MSExchangeECPAppPooL".

Make sure the directory permissions are set correctly:

Navigate to C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess.

Right-click "ecp" and select "Properties".

Go to the Security tab and make sure the Exchange Trusted Subsystems group has full control over this directory.

Since you mentioned that recreating the virtual directory in PowerShell fixes the issue without errors, you might consider this as a workaround if the above steps don't resolve the issue.

Check Event Viewer for any related events that might provide more insight into the issue.

Make sure there are no DNS misconfigurations that could be causing the issue.

These steps should help you diagnose and potentially resolve the permissions issue you're facing. If the issue persists, it might be worth considering a deeper investigation into the migration path and the state of the Active Directory schema, especially if this is a new Exchange server coexisting with an older version.

Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.

Best,

Jake Zhang
Please sign in to rate this answer.
Amit Singh 4,986 Reputation points

2024-10-15T05:06:48.6266667+00:00

You can refer the same thread- https://learn.microsoft.com/en-us/answers/questions/1002393/an-iis-directory-entry-couldnt-be-created-the-erro

Andry Haretonuyk 0 Reputation points

2024-10-15T06:29:21.6733333+00:00

Здравствуйте, дополню все что удалось выяснить на сегодня:

Сам ECP работает, я могу зайти на него, как и все остальные виртуальные каталоги

не работает вкладка "authentication" выскакивает ошибка как в упомянутой Amit Singh статье, эта ошибка проявляется на всех виртуальных каталогах

при пытке пересоздать любой каталог из интерфейса ECP также выскакивает ошибка "Exception has been thrown by the target of an invocation."

в интерфейсе "Exchange Manager Shell" при использовании соответствующих командлетов виртуальные каталоги пересоздаются - были пересозданы все виртуальные каталоги, но ошибки в ECP так и не пропали, так же никаких ошибок в "Exchange Manager Shell" не появляется

отвечая на пост Jake Zhang-MSFT все это было проверено:

"Exchange Trusted Subsystem" - входит в группу "Administrators", в IIS были предоставлены соответствующие права - не помогло

Права проверены добавил "Exchange Trusted Subsystem" и выдал полные права - не помогло

Права выставлены корректно

виртуальные каталоги пересоздаются в "Exchange Manager Shell" без ошибок, но ошибки в ECP так и остались

"Event Viewer" - постоянно просматриваю пока ничего вразумительного не нахожу

с "DNS" все в порядке по прямой ссылке попадаю на ECP и другие виртуальные каталоги, они работают

проблема именно в управлении виртуальными каталогами в ECP - я не могу настраивать их в ECP, при этом в "Exchange Manager Shell" - все доступно и можно настраивать любые виртуальные каталоги

Andry Haretonuyk 0 Reputation points

2024-10-15T06:30:27.1866667+00:00

Здравствуйте

Jake Zhang-MSFT 6,850 Reputation points Microsoft Vendor

2024-10-17T08:36:40.7766667+00:00

Hi @Andry Haretonuyk ,

Thank you for the detailed information. You've clearly investigated the issue thoroughly. Given the additional background information, it appears that the issue is with the ECP interface rather than the underlying functionality of the virtual directory itself. Here are a few other things you might consider checking or trying:

Even if the "Exchange Trusted Subsystem" has the necessary permissions, the account you are using to access the ECP may not have the necessary permissions to modify the virtual directory. Make sure that the appropriate roles have been assigned to that account.

Sometimes, browser cache can cause issues with the ECP interface. Try clearing your browser cache or using a different browser to see if the issue persists.

Since the issue appears to be with the ECP interface, you may want to try recreating the ECP virtual directory itself. This can be done using the following PowerShell cmdlets:

Remove-EcpVirtualDirectory -Identity "ServerName\ecp (Default Web Site)" New-EcpVirtualDirectory -Server "ServerName" -InternalUrl "https://yourdomain.com/ecp" -ExternalUrl "https://yourdomain.com/ecp"

Check the IIS logs for any additional information. The logs are typically located at C:\inetpub\logs\LogFiles\W3SVC1. Look for any access denied entries or other errors to get more insight into the issue.

Review the Exchange setup logs to see if there were any issues during the installation or configuration of the virtual directory. The logs are located at C:\ExchangeSetupLogs.

Ensure your Exchange server is updated to the latest cumulative updates and patches. There may be a known issue that has been resolved in a subsequent update.

If you have another Exchange environment with ECP functioning properly, compare the configurations of the two environments to see if there are any differences.

Run System File Checker (SFC) and Deployment Image Servicing and Management Tool (DISM) to check and repair any corrupted system files:

sfc /scannow

DISM /Online /Cleanup-Image /RestoreHealth

These additional steps should help you narrow down the cause of the problem.

Jake Zhang-MSFT 6,850 Reputation points Microsoft Vendor

2024-10-21T05:40:21.1666667+00:00

Hi @Andry Haretonuyk ,

Please kindly consider this comment as a warm follow up, I want to know if your problem has been solved. If you still have any other questions, please feel free to comment here and I'm glad to provide further support.If the above info is helpful to this question, you can click "Accept Answer". Have a nice day!

Best,

Jake Zhang

Andry Haretonuyk 0 Reputation points

2024-11-02T09:00:18.8166667+00:00

отвечаю на пост Jake Zhang-MSFT по пунктам:1. у пользователя права Organization Management

кеш браузера чистили, отрывали в другом браузере на других компьютерах - не помогает

уже писал пересоздание каталога ни к чему не приводит - ошибка остается

в логах IIS нет ошибок "access denied"

exchange установлен давно, не вижу смысла смотреть эти логи

если это известная проблема то дайте на нее ссылка, на сайтах miсrosoft я такой не нашел

проверил, не помогло, ошибка осталась

Jake Zhang-MSFT 6,850 Reputation points Microsoft Vendor

2024-11-05T07:23:59.11+00:00

Hi @Andry Haretonuyk ,

Thanks for your detailed follow-up. This seems like a particularly tricky issue given the extensive troubleshooting you've already done. Here are some more advanced steps and notes that may help:

Run System File Checker (SFC) and the Deployment Image Servicing and Management tool (DISM) to check and repair any corrupted system files:

sfc /scannow DISM /Online /Cleanup-Image /RestoreHealth

Reinstalling IIS components can sometimes resolve underlying issues:

Uninstall IIS and all related components.

Reboot the server.

Reinstall IIS and the necessary components for Exchange.

Make sure your Exchange server is updated to the latest cumulative updates and patches. Sometimes known issues are resolved in subsequent updates. Unfortunately, I couldn't find a specific known issue that matches your exact problem, but it's always good practice to keep your server updated.

Since recreating the other virtual directories did not help, try recreating the ECP virtual directory specifically:

Remove-EcpVirtualDirectory -Identity "ServerName\ecp (Default Web Site)" New-EcpVirtualDirectory -Server "ServerName" -InternalUrl "https://yourdomain.com/ecp" -ExternalUrl "https://yourdomain.com/ecp"

5.Make sure the Application Pool Identity for the ECP virtual directory is correct:

Open IIS Manager.

Navigate to Application Pools.

Make sure the Application Pool for ECP is running under "MSExchangeECPAppPooL".

Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.

Best,

Jake Zhang
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Andry Haretonuyk 0 Reputation points

2024-11-15T07:00:03.1966667+00:00
Привет Jake Zhang-MSFT

Запускал обе команды, ошибок не выявлено

После переустановки IIS - перестал работать, пришлось восстанавливать из бекапа

Информационная безопасность не позволяет обновляться до последних актуальных обновлений

пересоздавал ВСЕ виртуальные директории таким способом в том числе и ECP - ошибки остались

Проверил все "MSExchangeECPAppPooL" работает под ECP

какие еще могут быть решения данной проблемы, может нужны какие логи ?
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

exchange all virtual directory error: An IIS directory entry couldn't be created. The error message is Access is denied.

2 answers

Your answer