"No accessible vaults" when manually archiving an item in OWA (Outlook Web Access) 2003, 2007 or 2010.

book

Article ID: 100018140

calendar_today

Updated On:

Description

Error Message

The pop-up window that shows to the user:

 

The specific errors in the logs will vary based on the root cause and are presently separately for each scenario below.

Scenario 1The Default Web Site that hosts the /EVAnon VD is stopped.

 
Logging:
In the OWA diagnostic log, the following appears:
 
10/20/2014 1:11:21 PM [4484,1] [EVServerRequest::CreateRequest] Sending request to: https://EV-EXCH.EV10.local/EVAnon/getarchivesettings.asp?dn=%2fo%3dFirst+Organization%2fou%3dExchange+Administrative+Group+(FYDIBOHF23SPDLT)%2fcn%3dRecipients%2fcn%3dUser+1&sid=1EB78F15DCDFE024D89F5FD7C68FABCC51d10000EV-EXCH.EV10.local
10/20/2014 1:11:21 PM [4484,1] [EVServerRequest::CreateRequest] Request timeout (milliseconds): 30000
10/20/2014 1:11:21 PM [4484,1] [EVServerRequest::AddHeader] Set header: EV-OWA-2010-Extensions-Version=10.0.4.0
10/20/2014 1:11:21 PM [4484,1] [EVServerRequest::CreateRequest] Making request for user: EV10\user1
10/20/2014 1:11:21 PM [4484,1] [EVServerRequest::AddHeader] Set header: X-EVOWA-User-Encoded=45005600310030005C0075007300650072003100
10/20/2014 1:11:21 PM [4484,1] [ArchiveSettingsRequest::Send] Exception sending request for archive settings: System.Net.WebException: The remote server returned an error: (404) Not Found.
   at System.Net.HttpWebRequest.GetResponse()
   at Veritas.EnterpriseVault.Owa.EVServerRequests.ArchiveSettingsRequest.Send()
10/20/2014 1:11:21 PM [4484,1] [FolderArchiveSettings::GetFolderSettings] No default settings available
 
No request is logged in the EV server's IIS log because the Web Site is not running.

Details:
With the Default Web Site stopped, any requests made to the /EVAnon VD will fail. Additionally, requests to /EnterpriseVault  and all other VDs under the site will fail as well, so this issue will likely not go undetected for long.

Solution:
1. On the Enterprise Vault server, open Internet Information Services (IIS) Manager.
2. Expand ServerName and click on Sites. The state of the Default Web Site will be listed in the Status column in the right pane.
3. Right-click the Default Web Site and select Manage Web Site > Start.
 
 
 

Scenario 2
The Internet Protocol (IP) Address of the Exchange Server has been changed, and access to the /EVAnon VD from the new IP Address is denied.

 
Logging:
In the OWA diagnostic log, the following appears:
 
10/21/2014 10:13:53 AM [5092,1] [EVServerRequest::CreateRequest] Sending request to: https://EV-EXCH.EV10.local/EVAnon/restoreo2k.asp?vaultid=17A142DC05D93D54797CCF9FC1E2414D31110000EV-EXCH.EV10.local&savesetid=XXXX~XXXX~Z~XXXX&mbx=User1@ev10.server=EX2010&restorelocation=3&foldername=Deleted Items
10/21/2014 10:13:53 AM [5092,1] [EVServerRequest::CreateRequest] Request timeout (milliseconds): 30000
10/21/2014 10:13:53 AM [5092,1] [EVServerRequest::AddHeader] Set header: EV-OWA-2010-Extensions-Version=10.0.4.0
10/21/2014 10:13:53 AM [5092,1] [EVServerRequest::CreateRequest] Making request for user: EV10\user1
10/21/2014 10:13:53 AM [5092,1] [EVServerRequest::AddHeader] Set header: X-EVOWA-User-Encoded=45005600310030005C0075007300650072003100
10/21/2014 10:13:56 AM [5092,1] [RestoreRequest::Send] Exception sending request to restore item: System.Net.WebException: The remote server returned an error: (403) Forbidden.
   at System.Net.HttpWebRequest.GetResponse()
   at Veritas.EnterpriseVault.Owa.EVServerRequests.RestoreRequest.Send()
10/21/2014 10:13:56 AM [5092,1] [RequestProcessor::RestoreAndActOnItem] Item not restored

Details:
During the initial setup and configuration of the Enterprise Vault OWA components, it is necessary to create a file named ExchangeServers.txt on the Enterprise Vault (EV) Server. This file contains a list of all the IP Addresses assigned to the Exchange servers that will be making the EV requests, a list that includes all Exchange 2003 Back End servers and all Exchange 2007/2010 CAS servers. In clustered environments, the IP Addresses of both the physical nodes and the virtual nodes should be included. When the owauser.wsf script runs on the EV server, it creates the /EVAnon VD and restricts access to it to only the IP Addresses listed in ExchangeServers.txt. This is a security measure that ensures only the proper Exchange servers are able to issue anonymous requests to EV. If the IP Address of an Exchange server changes, or if it was never included in ExchangeServers.txt in the first place, then EV requests will fail with the IIS error 403.6.

Solution:
There are two methods to fix this issue.
 
Method 1: Add the new IP Addresses to ExchangeServers.txt and run the owauser.wsf script again. It will update the relevant /EVAnon VD configuration.
 
Method 2: Modify the /EVAnon VD configuration directly.
 
On IIS 6 (Windows 2003)
a. In IIS Manager, open the Properties of the /EVAnon VD
b. On the Directory Security tab, click Edit under the IP Address and domain name restrictions section.
c. Add an entry for each Exchange IP Address that should be allowed.
d. Click OK to save the changes.
 
On IIS 7 and greater (Windows 2008 and greater)
a. Open the web.config file for the Default Web Site. The default location for this file is C:\inetpub\wwwroot\web.config.
b. In the section of the file, add a line like the following for each Exchange IP Address that should be allowed:
c. Save the web.config file.
 
Note: For IIS 7 and greater, it is important not to modify the IP Address restrictions directly on the /EVAnon VD using IIS Manager. Doing so will cause the issue described in this KB article.
 
Addendum: If it is not clear which IP Addresses should be added to the allowed list, follow these steps to determine them:
1. Make a request to EV by double-clicking on an archived item in OWA. This should fail with a 403.6 error as in the log above.
2. Check the IIS log on the EV server and locate the failed request.
3. The IIS log will also show the IP Address of the machine making the request. This is the IP Address that should be in the allowed list.
4. Repeat steps 1-3 for each Exchange server running the EV OWA Extensions.
 
 

Scenario 3
The EV Data Access account is locked, disabled, or has invalid credentials. (This account is colloquially known as the OWA account, anonymous account, EVAnon account, or the EV OWA user.)

 
Logging:
In the OWA diagnostic log, the following appears:
 
10/22/2014 11:07:15 AM [6524,15] [EVServerRequest::CreateRequest] Sending request to: https://EV-EXCH.EV10.local/EVAnon/getarchivesettings.asp?dn=%2fo%3dFirst+Organization%2fou%3dExchange+Administrative+Group+(FYDIBOHF23SPDLT)%2fcn%3dRecipients%2fcn%3dUser+1&sid=1EB78F15DCDFE024D89F5FD7C68FABCC51d10000EV-EXCH.EV10.local
10/22/2014 11:07:15 AM [6524,15] [EVServerRequest::CreateRequest] Request timeout (milliseconds): 30000
10/22/2014 11:07:15 AM [6524,15] [EVServerRequest::AddHeader] Set header: EV-OWA-2010-Extensions-Version=10.0.4.0
10/22/2014 11:07:15 AM [6524,15] [EVServerRequest::CreateRequest] Making request for user: EV10\user1
10/22/2014 11:07:15 AM [6524,15] [EVServerRequest::AddHeader] Set header: X-EVOWA-User-Encoded=45005600310030005C0075007300650072003100
10/22/2014 11:07:15 AM [6524,15] [ArchiveSettingsRequest::Send] Exception sending request for archive settings: System.Net.WebException: The remote server returned an error: (401) Unauthorized.
   at System.Net.HttpWebRequest.GetResponse()
   at Veritas.EnterpriseVault.Owa.EVServerRequests.ArchiveSettingsRequest.Send()
10/22/2014 11:07:15 AM [6524,15] [FolderArchiveSettings::GetFolderSettings] No default settings available


Details:
When the owauser.wsf script runs on the EV server to build the /EVAnon VD, it requires that the administrator specify the logon credentials of a domain account which will serve as the Data Access account, to be used for anonymous connections from Exchange servers to the EV server.  If the account details become invalid for some reason (e.g., the account is disabled in Active Directory, the password is changed, the account is been moved to another domain, etc.), the /EVAnon VD will not be able to facilitate requests to archive or restore items from OWA.


Solution:
1. Ensure that the Data Access account is not disabled or locked in Active Directory.
2. Ensure that the only Active Directory group to which the Data Access account belongs is the Domain Users group. The account must not be a member of the Domain Administrators group.
3. Ensure that the Data Access account is not part of the Local Administrators group on the EV server.
4. If the password has changed or if you are otherwise unsure that it is correct, rerun the owauser.wsf script with the proper credentials specified. This will reregister the Data Access account as the identity for anonymous authentication to the /EVAnon VD.

 

Scenario 4
The EV Data Access account has been set to an invalid account. (This account is colloquially known as the OWA account, anonymous account, EVAnon account, or the EV OWA user.)

 

Logging:
In the OWA diagnostic log, the following appears:

[EVServerRequest::CreateRequest] Sending request to: https://evserver.domain.local/EVAnon/restoreo2k.asp?vaultid=....
[EVServerRequest::LogResponseHeaders]   Status: 200 OK
[RestoreRequest::Send] Unexpected response: OK OK
[RequestProcessor::RestoreAndActOnItem] Item not restored

Details:
This most often occurs when a different Data Access account is specified in the owauser.wsf script than is specified on the Data Access Account tab in the Vault Admin Console's Directory Properties.


Solution:
Make certain that the Data Access account configured with the owauser.wsf script is the same account as the one specified on the Data Access Account tab in the Vault Admin Console's Directory Properties. Neither of these locations should use the Vault Service Account.

Review this KB article for a more thorough discussion of this scenario.

 

Scenario 5
The physical path configured for the /EVAnon VD is invalid.

 

 
Logging:
In the OWA diagnostic log, the following appears:
 
10/21/2014 11:19:25 AM [4288,1] [EVServerRequest::CreateRequest] Sending request to: https://EV-EXCH.EV10.local/EVAnon/getarchivesettings.asp?dn=%2fo%3dFirst+Organization%2fou%3dExchange+Administrative+Group+(FYDIBOHF23SPDLT)%2fcn%3dRecipients%2fcn%3dUser+1&sid=1EB78F15DCDFE024D89F5FD7C68FABCC51d10000EV-EXCH.EV10.local
10/21/2014 11:19:25 AM [4288,1] [EVServerRequest::CreateRequest] Request timeout (milliseconds): 30000
10/21/2014 11:19:25 AM [4288,1] [EVServerRequest::AddHeader] Set header: EV-OWA-2010-Extensions-Version=10.0.4.0
10/21/2014 11:19:25 AM [4288,1] [EVServerRequest::CreateRequest] Making request for user: EV10\user1
10/21/2014 11:19:25 AM [4288,1] [EVServerRequest::AddHeader] Set header: X-EVOWA-User-Encoded=45005600310030005C0075007300650072003100
10/21/2014 11:19:26 AM [4288,1] [ArchiveSettingsRequest::Send] Exception sending request for archive settings: System.Net.WebException: The remote server returned an error: (500) Internal Server Error.
   at System.Net.HttpWebRequest.GetResponse()
   at Veritas.EnterpriseVault.Owa.EVServerRequests.ArchiveSettingsRequest.Send()
10/21/2014 11:19:26 AM [4288,1] [FolderArchiveSettings::GetFolderSettings] No default settings available
 
Details:
When creating and configuring the /EVAnon VD, the owauser.wsf script checks the EV's InstallPath value in the Registry to get the EV installation location. The script appends \webapp to the existing InstallPath value and assigns the result to the physical path setting on the /EVAnon VD. If the InstallPath value contains a trailing slash (e.g., C:\Program Files (x86)\Enterprise Vault\), then /EVAnon VD's physical path will end up with two slashes (e.g., C:\Program Files (x86)\Enterprise Vault\\webapp). Since this is an invalid path, requests to the /EVAnon VD will fail with IIS error 500, and users will see "No accessible vaults" when attempting to archive items.

Solution:
1. Correct the physical path of the /EVAnon VD in IIS Manager.
 
On IIS 6 (Windows 2003)
a. In IIS Manager, open the Properties of the /EVAnon VD
b. On the Virtual Directory tab, remove the extra slash character from the Local path field.
Note: Local path in IIS 6 is the same as Physical path in IIS 7.
c. Click OK to save the changes.
 
On IIS 7 and greater (Windows 2008 and greater)
a. In IIS Manager, select the /EVAnon VD and click Basic Settings in the Action Pane.
b. Remove the extra slash character from the Physical path field.
c. Click OK to save the changes.
 
2. To prevent the issue recurring if the owauser.wsf script is run again, correct the InstallPath value in the Registry.
a. Open the Registry Editor (regedit.exe).
b. Navigate to the InstallPath value:
 
32-bit server:
HKEY_LOCAL_MACHINE\SOFTWARE\KVS\Enterprise Vault\Install\InstallPath
 
 
64-bit server:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KVS\Enterprise Vault\Install\InstallPath
 
c. Edit the InstallPath value to remove the trailing slash (\).

 
 

Scenario 4The EV Data Access account has been set to an invalid account. (This account is colloquially known as the OWA account, anonymous account, EVAnon account, or the EV OWA user.)

 

Logging:
In the OWA diagnostic log, the following appears:

[EVServerRequest::CreateRequest] Sending request to: https://evserver.domain.local/EVAnon/restoreo2k.asp?vaultid=....
[EVServerRequest::LogResponseHeaders]   Status: 200 OK
[RestoreRequest::Send] Unexpected response: OK OK
[RequestProcessor::RestoreAndActOnItem] Item not restored

Details:
This most often occurs when a different Data Access account is specified in the owauser.wsf script than is specified on the Data Access Account tab in the Vault Admin Console's Directory Properties.


Solution:
Make certain that the Data Access account configured with the owauser.wsf script is the same account as the one specified on the Data Access Account tab in the Vault Admin Console's Directory Properties. Neither of these locations should use the Vault Service Account.

Review this KB article for a more thorough discussion of this scenario.

 

Scenario 5The physical path configured for the /EVAnon VD is invalid.

 

Scenario 6Misconfiguration of the Exchange Desktop Policy's Web Application alias setting

 
Logging:
In the OWA diagnostic log, the following appears:
 
10/23/2014 12:52:16 PM [6524,20] [EVServerRequest::CreateRequest] Sending request to: https://EV-EXCH.EV10.local/EVAnon2/restoreo2k.asp?vaultid=17A142DC05D93D54797CCF9FC1E2414D31110000EV-EXCH.EV10.local&savesetid=XXX~XXXXX~Z~XXXX&mbx=User1@ev10.local&server=EX2010&restorelocation=3&foldername=Deleted Items
10/23/2014 12:52:16 PM [6524,20] [EVServerRequest::CreateRequest] Request timeout (milliseconds): 30000
10/23/2014 12:52:16 PM [6524,20] [EVServerRequest::AddHeader] Set header: EV-OWA-2010-Extensions-Version=10.0.4.0
10/23/2014 12:52:16 PM [6524,20] [EVServerRequest::CreateRequest] Making request for user: EV10\user1
10/23/2014 12:52:16 PM [6524,20] [EVServerRequest::AddHeader] Set header: X-EVOWA-User-Encoded=45005600310030005C0075007300650072003100
10/23/2014 12:52:16 PM [6524,20] [RestoreRequest::Send] Exception sending request to restore item: System.Net.WebException: The remote server returned an error: (404) Not Found.
   at System.Net.HttpWebRequest.GetResponse()
   at Veritas.EnterpriseVault.Owa.EVServerRequests.RestoreRequest.Send()
10/23/2014 12:52:16 PM [6524,20] [RequestProcessor::RestoreAndActOnItem] Item not restored
 
Details:
Within the Exchange Desktop Policy, it is possible to override the name of the /EVAnon VD for those users to whom the policy is assigned.
 
 
By default this value is empty and uses the /EVAnon VD created with by the owauser.wsf script, but if this value is edited to an invalid value (e.g., a VD that does not exist or is not configured for anonymous authentication), the "No accessible vaults" message will be presented to users who try to archive an item.

Solution:
It is ordinarily not necessary to modify this setting at all, but if it cannot be left at default, ensure that the value matches both the name of an accessible, properly configured VD and the value of the OwaWebAppAlias in the EV server's Registry.
 
32-bit server:
HKEY_LOCAL_MACHINE\SOFTWARE\KVS\Enterprise Vault\Install\OwaWebAppAlias

64-bit server: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KVS\Enterprise Vault\Install\OwaWebAppAlias
After correcting these values, you must restart the Enterprise Vault Admin Service, synchronize mailboxes, and restart any existing OWA sessions for the new settings to take effect.

 

Scenario 7Damaged or incorrectly configured /EVAnon VD

 

 
Logging:
Various inconsistent errors in the OWA diagnostic log, as well as in DTraces of w3wp on the EV server. Often includes an IIS 500 error on the EV server and Event ID 1000 in the Application Event Log on the Exchange server.
 
Details:
It has been observed that in rare circumstances the configuration of the /EVAnon VD may be damaged or corrupted in IIS. In this circumstance, the VD can be removed and recreated.

Solution:
1. Use IIS Manager to delete the existing /EVAnon VD

a. Open IIS Manager on the EV server b. Expand [ComputerName] > Sites > Default Web Site
c. Right-click the /EVAnon VD and select Remove

2. Recreate the /EVAnon VD using the owauser.wsf script 
 
 

Scenario 8There is no open partition in the Vault Store

Logging:
The OWA diagnostic log shows nothing out of the ordinary. However, a DTrace of StorageArchive on the EV server shows the following:

736 10:52:29.037 [4000] (StorageArchive) <2980> EV:M CVaultStorePartitionCache::ReadEntry - There is no open partition for vaultStoreEntryId = [13B88435A306F71429BA1C280E6A060341210000evsite] 
737 10:52:29.037 [4000] (StorageArchive) <2980> EV:M CVaultParameters::GetVSVaultParams (Exit) |The Vault Store does not contain any open partitions. [0xc0041aa2] | 

Details:
In order for EV to archive an item, there must be an open Vault Store Partition in the applicable Vault Store. If this is not the case, all attempts to archive will fail. In the case of items manually archived from OWA, this failure manifests as the "No accessible vaults" message detailed above.

Solution:
Reopen an existing closed Vault Store Partition, or create a new Vault Store Partition.

 

 

Cause

In general, the cause of this issue is an inability to contact the /EVAnon Virtual Directory (VD) configured on the Enterprise Vault server. The /EVAnon VD facilitates anonymous access for users to Archive and Retrieve messages via OWA.  When a user attempts to archive an item, the extensions contact the EV server to request the page \EVAnon\Getarchivesettings.asp. This page determines the archives that are accessible to the user making the request. When this request fails, or if the account does not have permission to any archive, the user's pop-up window will display "No accessible vaults." Below are common scenarios that can stop the Exchange Server's OWA session from accessing either the Enterprise Vault Server or the /EVAnon Virtual Directory.

Note: Ordinarily, if a user receives "No accessible vaults" when attempting to archive, the same user will also fail to retrieve an archived item through OWA, since both operations make use of the /EVAnon VD.

Issue/Introduction

When attempting to manually archive an item through OWA 2003, 2007, or 2010, users may receive a pop-up screen with an empty vault list and the status No accessible vaults.

Additional Information

ETrack: 1154141
Powered by Wolken Software