"No accessible vaults" when manually archiving an item in OWA (Outlook Web Access) 2003, 2007 or 2010.
Problem
When attempting to manually archive an item through OWA 2003, 2007, or 2010, users may receive a pop-up screen with an empty vault list and the status No accessible vaults.
Error Message
The pop-up window that shows to the user:
The specific errors in the logs will vary based on the root cause and are presently separately for each scenario below.
Cause
In general, the cause of this issue is an inability to contact the /EVAnon Virtual Directory (VD) configured on the Enterprise Vault server. The /EVAnon VD facilitates anonymous access for users to Archive and Retrieve messages via OWA. When a user attempts to archive an item, the extensions contact the EV server to request the page \EVAnon\Getarchivesettings.asp. This page determines the archives that are accessible to the user making the request. When this request fails, or if the account does not have permission to any archive, the user's pop-up window will display "No accessible vaults." Below are common scenarios that can stop the Exchange Server's OWA session from accessing either the Enterprise Vault Server or the /EVAnon Virtual Directory.
Note: Ordinarily, if a user receives "No accessible vaults" when attempting to archive, the same user will also fail to retrieve an archived item through OWA, since both operations make use of the /EVAnon VD.
Solution
Scenario 1
The Default Web Site that hosts the /EVAnon VD is stopped.
Details:
With the Default Web Site stopped, any requests made to the /EVAnon VD will fail. Additionally, requests to /EnterpriseVault and all other VDs under the site will fail as well, so this issue will likely not go undetected for long.
Solution:
1. On the Enterprise Vault server open Internet Information Services (IIS) Manager.
2. Expand ServerName and click on Sites. The state of the Default Web Site will be listed in the Status column in the right pane.
3. Right-click the Default Web Site and select Manage Web Site > Start.
Scenario 2
The Internet Protocol (IP) Address of the Exchange Server has been changed, and access to the /EVAnon VD from the new IP Address is denied.
Details:
During the initial setup and configuration of the Enterprise Vault OWA components, it is necessary to create a file named ExchangeServers.txt on the Enterprise Vault (EV) Server. This file contains a list of all the IP Addresses assigned to the Exchange servers that will be making the EV requests, a list that includes all Exchange 2003 Back End servers and all Exchange 2007/2010 CAS servers. In clustered environments, the IP Addresses of both the physical nodes and the virtual nodes should be included. When the owauser.wsf script runs on the EV server, it creates the /EVAnon VD and restricts access to it to only the IP Addresses listed in ExchangeServers.txt. This is a security measure that ensures only the proper Exchange servers are able to issue anonymous requests to EV. If the IP Address of an Exchange server changes, or if it was never included in ExchangeServers.txt in the first place, then EV requests will fail with the IIS error 403.6.
Solution:
Scenario 3
The EV Data Access account is locked, disabled, or has invalid credentials. (This account is colloquially known as the OWA account, anonymous account, EVAnon account, or the EV OWA user.)
Details:
When the owauser.wsf script runs on the EV server to build the /EVAnon VD, it requires that the administrator specify the logon credentials of a domain account which will serve as the Data Access account, to be used for anonymous connections from Exchange servers to the EV server. If the account details become invalid for some reason (e.g., the account is disabled in Active Directory, the password is changed, the account is been moved to another domain, etc.), the /EVAnon VD will not be able to facilitate requests to archive or restore items from OWA.
Solution:
1. Ensure that the Data Access account is not disabled or locked in Active Directory.
2. Ensure that the only Active Directory group to which the Data Access account belongs is the Domain Users group. The account must not be a member of the Domain Administrators group.
3. Ensure that the Data Access account is not part of the Local Administrators group on the EV server.
4. If the password has changed or if you are otherwise unsure that it is correct, rerun the owauser.wsf script with the proper credentials specified. This will reregister the Data Access account as the identity for anonymous authentication to the /EVAnon VD.
Scenario 4
The EV Data Access account has been set to an invalid account. (This account is colloquially known as the OWA account, anonymous account, EVAnon account, or the EV OWA user.)
Logging:
In the OWA diagnostic log, the following appears:
[EVServerRequest::CreateRequest] Sending request to: https://evserver.domain.local/EVAnon/restoreo2k.asp?vaultid=....
[EVServerRequest::LogResponseHeaders] Status: 200 OK
[RestoreRequest::Send] Unexpected response: OK OK
[RequestProcessor::RestoreAndActOnItem] Item not restored
Details:
This most often occurs when a different Data Access account is specified in the owauser.wsf script than is specified on the Data Access Account tab in the Vault Admin Console's Directory Properties.
Solution:
Make certain that the Data Access account configured with the owauser.wsf script is the same account as the one specified on the Data Access Account tab in the Vault Admin Console's Directory Properties. Neither of these locations should use the Vault Service Account.
Review this KB article for a more thorough discussion of this scenario.
Scenario 5
The physical path configured for the /EVAnon VD is invalid.
When creating and configuring the /EVAnon VD, the owauser.wsf script checks the EV's InstallPath value in the Registry to get the EV installation location. The script appends \webapp to the existing InstallPath value and assigns the result to the physical path setting on the /EVAnon VD. If the InstallPath value contains a trailing slash (e.g., C:\Program Files (x86)\Enterprise Vault\), then /EVAnon VD's physical path will end up with two slashes (e.g., C:\Program Files (x86)\Enterprise Vault\\webapp). Since this is an invalid path, requests to the /EVAnon VD will fail with IIS error 500, and users will see "No accessible vaults" when attempting to archive items.
Solution:
1. Correct the physical path of the /EVAnon VD in IIS Manager.
HKEY_LOCAL_MACHINE\SOFTWARE\KVS\Enterprise Vault\Install\InstallPath
Scenario 6
Misconfiguration of the Exchange Desktop Policy's Web Application alias setting
Within the Exchange Desktop Policy, it is possible to override the name of the /EVAnon VD for those users to whom the policy is assigned.
Solution:
It is ordinarily not necessary to modify this setting at all, but if it cannot be left at default, ensure that the value matches both the name of an accessible, properly configured VD and the value of the OwaWebAppAlias in the EV server's Registry.
HKEY_LOCAL_MACHINE\SOFTWARE\KVS\Enterprise Vault\Install\OwaWebAppAlias
64-bit server: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KVS\Enterprise Vault\Install\OwaWebAppAlias
After correcting these values, you must restart the Enterprise Vault Admin Service, synchronize mailboxes, and restart any existing OWA sessions for the new settings to take effect.
Scenario 7
Damaged or incorrectly configured /EVAnon VD
It has been observed that in rare circumstances the configuration of the /EVAnon VD may be damaged or corrupted in IIS. In this circumstance, the VD can be removed and recreated.
Solution:
1. Use IIS Manager to delete the existing /EVAnon VD
a. Open IIS Manager on the EV server b. Expand [ComputerName] > Sites > Default Web Site
c. Right-click the /EVAnon VD and select Remove
Scenario 8
There is no open partition in the Vault Store
Logging:
The OWA diagnostic log shows nothing out of the ordinary. However, a DTrace of StorageArchive on the EV server shows the following:
736 10:52:29.037 [4000] (StorageArchive) <2980> EV:M CVaultStorePartitionCache::ReadEntry - There is no open partition for vaultStoreEntryId = [13B88435A306F71429BA1C280E6A060341210000evsite]
737 10:52:29.037 [4000] (StorageArchive) <2980> EV:M CVaultParameters::GetVSVaultParams (Exit) |The Vault Store does not contain any open partitions. [0xc0041aa2] |
Details:
In order for EV to archive an item, there must be an open Vault Store Partition in the applicable Vault Store. If this is not the case, all attempts to archive will fail. In the case of items manually archived from OWA, this failure manifests as the "No accessible vaults" message detailed above.
Solution:
Reopen an existing closed Vault Store Partition, or create a new Vault Store Partition.
Scenario 9
Incompatibility with Internet Explorer 10 on certain versions of EV and Exchange
Details:
This issue only affects versions of EV lower than 11.0 when used in conjunction with Exchange 2010 SP3 and accessed with Internet Explorer 10 or greater.
Solution:
More details and a workaround are available in a dedicated article for this issue.
Applies To
This issue affects the Enterprise Vault extensions for OWA 2003, 2007, and 2010. Enterprise Vault integration with OWA 2013 does not use the /EVAnon Virtual Directory.