Exchange 2016 OWA and ActiveSync 503 error

Question

We are getting intermittent 503 errors for OWA and ActiveSync with Exchange 2016. The errors only seem to affect accounts in databases which are not active on the front end server so there appears to be an issue proxying the users to their mailboxes. These problems started after applying a Hyper-V checkpoint which I will explain more below. I don't understand why this has happened as everything was working when I made the checkpoint.

Configuration

We have two Exchange 2016 servers running CU18. The servers are in a DAG and both have all roles installed. All of our databases are replicated on both servers and half of them are active on each server. We don't have any DNS load balancing set up, so instead each server has its own permanent IP and we point the DNS for mail.domain.com to a third IP which we manually move between the servers if we need to perform maintenance on one etc, but otherwise it stays on one server. Our DNS is split I.e. our internal and external DNS point to the internal and external IPs respectively. Both servers use the same SSL SAN certificate which is signed by a trusted public CA and the certificate is valid and assigned to services.

What Happened

Everything was working fine as far as Exchange is concerned. I noticed a problem with the management agent of our AV/Antispam etc not connecting back to the AV server on one of the exchange servers. Re-installing the agent didn't solve the problem so the AV tech support asked if they could re-install the entire security package on one server (lets just call the server exch1). I then put exch1 into maintenance mode by running C:\Program Files\Microsoft\Exchange\V15\Scripts\StartDagMaintenance.ps1 and moving the third IP mentioned earlier to exch2. After confirming that all of the database copies had been activated on exch2 I took a Hyper-V checkpoint of exch1. The security package was then removed and re-installed which solved the problem with the agent. However, we then realised that the shared quarantine was actually stored on exch1 meaning we lost everything in there. As we are a school we quarantine many file types which would be permitted by most others and release items regularly. For this reason we chose to apply/restore the checkpoint to save the quarantine. The AV tech support managed to get the agent connected again and I ran the StopDagServerMaintenance.ps1 script and moved the third IP back to exch1.

The Problem

After bringing exch1 back out of maintenance mode, I started getting 503 errors when logging in to certain accounts through OWA. The problematic accounts were any residing in a database which is active on exch2 and therefore being proxied via exch1. The mail app on my iPhone (which is configured as an Exchange account) was also unable to connect. At this point the HTTPERR logs from exch1 (C:\Windows\system32\LogFiles\HTTPERR) were showing repeated errors for the MSExchangeRpcProxyAppPool:

2021-03-03 17:42:19 {3RD_EXCH_IP} 20228 {3RD_EXCH_IP} 444 - - - - - - Timer_ConnectionIdle -
2021-03-03 17:42:20 {3RD_EXCH_IP} 19752 {3RD_EXCH_IP} 444 HTTP/1.1 RPC_IN_DATA /rpc/rpcproxy.dll?{EXCH1_FQDN}:6001 - 400 2 BadRequest MSExchangeRpcProxyAppPool
2021-03-03 17:42:24 {Visitor_IP} 44932 {3RD_EXCH_IP} 443 - - - - - - Timer_ConnectionIdle -
2021-03-03 17:42:28 {Visitor_IP} 44206 {3RD_EXCH_IP} 443 - - - - - - Timer_ConnectionIdle -
2021-03-03 17:42:30 {EXCH2_IP} 33910 {EXCH1_IP} 444 HTTP/1.1 RPC_IN_DATA /rpc/rpcproxy.dll?{EXCH1_FQDN}:6001 - 400 2 BadRequest MSExchangeRpcProxyAppPool
2021-03-03 17:42:39 {Visitor_IP} 56932 {3RD_EXCH_IP} 443 - - - - - - Timer_ConnectionIdle -
2021-03-03 17:42:40 {3RD_EXCH_IP} 20508 {3RD_EXCH_IP} 444 HTTP/1.1 RPC_IN_DATA /rpc/rpcproxy.dll?{EXCH1_FQDN}:6001 - 400 2 Connection_Dropped MSExchangeRpcProxyAppPool
2021-03-03 17:42:40 {IPV6_ADDR} 18889 {IPV6_ADDR} 444 HTTP/1.1 GET /owa/ev.owa2?ns=PendingRequest&ev=PendingNotificationRequest&UA=0&cid=90952fb3-d596-4c2e-b4ae-4a19ecba2204&brwnm=chrome&X-OWA-CANARY=r6JrtadBzESnFj23L7T5ZdDs3zxr3tgIFNaGCIXOAFiqEzPIoSRDIZmhFbuZnhVVsyQp5sqSYgQ.&n=rf - - 2 Connection_Dropped MSExchangeOWAAppPool
2021-03-03 17:42:40 {EXCH2_IP} 33906 {EXCH1_IP} 444 HTTP/1.1 RPC_IN_DATA /rpc/rpcproxy.dll?{EXCH1_FQDN}:6001 - 400 2 Connection_Dropped MSExchangeRpcProxyAppPool
2021-03-03 17:42:40 {EXCH1_IP} 18912 {EXCH1_IP} 444 HTTP/1.1 GET /owa/ev.owa2?ns=PendingRequest&ev=PendingNotificationRequest&UA=0&cid=cf1049ad-ecca-4ec5-ac46-015e3e0eb32d&brwnm=chrome&X-OWA-CANARY=Gh9oOYHZPkuN4Ou2TTIPPyAoS1tr3tgIzL0cjYwNeE1YpjnAzHdoa7CGiidtl2YWLWqvdgHVFY0.&n=r3 - - 2 Connection_Dropped MSExchangeOWAAppPool
2021-03-03 17:42:44 {Visitor_IP} 8192 {3RD_EXCH_IP} 443 - - - - - - Timer_ConnectionIdle -
2021-03-03 17:42:44 {Visitor_IP} 35328 {3RD_EXCH_IP} 443 - - - - - - Timer_ConnectionIdle -
2021-03-03 17:43:09 {Visitor_IP} 53884 {3RD_EXCH_IP} 443 - - - - - - Timer_ConnectionIdle -
2021-03-03 17:43:09 {Visitor_IP} 53882 {3RD_EXCH_IP} 443 - - - - - - Timer_ConnectionIdle -
2021-03-03 17:43:09 {Visitor_IP} 53883 {3RD_EXCH_IP} 80 - - - - - - Timer_ConnectionIdle -
2021-03-03 17:43:09 {3RD_EXCH_IP} 20810 {3RD_EXCH_IP} 444 - - - - - - Timer_ConnectionIdle -
2021-03-03 17:43:13 {Visitor_IP} 59200 {3RD_EXCH_IP} 443 - - - - - - Timer_ConnectionIdle -
2021-03-03 17:43:13 {3RD_EXCH_IP} 18096 {3RD_EXCH_IP} 444 - - - - - - Timer_ConnectionIdle -
2021-03-03 17:43:13 {Visitor_IP} 61922 {3RD_EXCH_IP} 443 - - - - - - Timer_MinBytesPerSecond -
2021-03-03 17:43:15 {3RD_EXCH_IP} 19752 {3RD_EXCH_IP} 444 HTTP/1.1 RPC_IN_DATA /rpc/rpcproxy.dll?{EXCH1_FQDN}:6001 - 400 2 Connection_Dropped MSExchangeRpcProxyAppPool
2021-03-03 17:43:15 {EXCH2_IP} 33910 {EXCH1_IP} 444 HTTP/1.1 RPC_IN_DATA /rpc/rpcproxy.dll?{EXCH1_FQDN}:6001 - 400 2 Connection_Dropped MSExchangeRpcProxyAppPool
2021-03-03 17:43:19 {Visitor_IP} 60452 {3RD_EXCH_IP} 443 - - - - - - Timer_ConnectionIdle -

The problems appeared to have fixed themselves after a little while but now seem to be intermittent. For example right now my phone is working and Outlook on my PC at home is not but was earlier. OWA also started giving 503 errors again earlier but then randomly stopped (at least for me). I could still see some of the MSExchangeRpcProxyAppPool errors this morning despite being able to use OWA and my phone.

Test-OutlookWebServices shows that Autodiscover is failing, but I've tested this internally and externally using Outlook and using testconnectivity.microsoft.com and it works fine. The latency on the OAB isn't right though.

Test-OutlookWebServices -Identity me@domain.com -MailboxCredential (Get-Credential) -ClientAccessServer EXCH2

Source               ServiceEndpoint       Scenario                       Result  Latency(MS)
------               ---------------       --------                       ------  -------
{EXCH1_FQDN}         {EXCH2_FQDN}          Autodiscover: Outlook Provider Failure     242
{EXCH1_FQDN}         {EXCH2_FQDN}          Exchange Web Services          Success     124
{EXCH1_FQDN}         {EXCH2_FQDN}          Availability Service           Success     116
{EXCH1_FQDN}         {EXCH2_FQDN}          Offline Address Book           Success   17921


Test-OutlookWebServices -Identity me@domain.com -MailboxCredential (Get-Credential) -ClientAccessServer EXCH1

Source               ServiceEndpoint       Scenario                       Result  Latency(MS)
------               ---------------       --------                       ------  -------
{EXCH1_FQDN}         {EXCH1_FQDN}          Autodiscover: Outlook Provider Failure     128
{EXCH1_FQDN}         {EXCH1_FQDN}          Exchange Web Services          Success      58
{EXCH1_FQDN}         {EXCH1_FQDN}          Availability Service           Success     110
{EXCH1_FQDN}         {EXCH1_FQDN}          Offline Address Book           Success   18053

Test-ActiveSyncConnectivity is failing due to a certificate problem, but our assigned certificates are showing as valid. How can I check which certificate is used here?

Test-ActiveSyncConnectivity -ClientAccessServer EXCH2 -MailboxCredential (Get-Credential)

CasServer  LocalSite     Scenario        Result  Latency(MS) Error
---------  ---------     --------        ------  ----------- -----
exch2      SiteName      Options         Failure             [System.Net.WebException
                                                            ]: The underlying
                                                             connection was closed:
                                                             Could not establish
                                                             trust relationship for
                                                             the SSL/TLS secure
                                                             channel. Inner error [Sy
                                                             stem.Security.Authentica
                                                             tion.AuthenticationExcep
                                                             tion]: The remote
                                                             certificate is invalid
                                                             according to the
                                                             validation procedure.

Our certificates. There's some old ones in here but they're not assigned to any services.

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {65******-****-****-****-************, {EXCH1}, {EXCH1_IP}, {3RD_EXCH_IP}, 169.254.1.63}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=MS-Organization-P2P-Access [2020]
NotAfter           : 05/03/2021 15:36:39
NotBefore          : 04/03/2021 15:31:39
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 21******************************
Services           : None
Status             : Invalid
Subject            : CN=65******-****-****-****-************, DC=46******-****-****-****-************
Thumbprint         : 7B*************************************

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {{EXCH1}}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=Exchange_{Company} Comm Group Root CA, OU=Exchange_{Company} Comm Group, O=ESET
NotAfter           : 03/03/2051 15:34:04
NotBefore          : 03/03/2021 15:34:04
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 02
Services           : None
Status             : RevocationCheckFailure
Subject            : CN={EXCH1}, OU=Exchange_{Company} Comm Group, O=ESET
Thumbprint         : EC*************************************

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {65******-****-****-****-************, {EXCH1}, {EXCH1_IP}, {3RD_EXCH_IP}, 169.254.1.19, {EXCH1_FQDN}}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=MS-Organization-P2P-Access [2019]
NotAfter           : 05/06/2020 21:59:17
NotBefore          : 04/06/2020 21:54:17
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 42******************************
Services           : None
Status             : Invalid
Subject            : CN=65******-****-****-****-************, DC=46******-****-****-****-************
Thumbprint         : 9A*************************************

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.domain.com, www.mail.domain.com, domain.com, autodiscover.domain.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 22/10/2021 12:25:35
NotBefore          : 22/10/2019 12:25:35
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 1A******************************
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=mail.domain.com, OU=Domain Control Validated
Thumbprint         : 72*************************************

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {65******-****-****-****-************, {EXCH1}, {EXCH1_IP}, {3RD_EXCH_IP}, 169.254.1.5, {EXCH1_FQDN}}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=MS-Organization-P2P-Access [2018]
NotAfter           : 06/07/2019 00:53:49
NotBefore          : 05/07/2019 00:48:49
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 50******************************
Services           : None
Status             : Invalid
Subject            : CN=65******-****-****-****-************, DC=46******-****-****-****-************
Thumbprint         : 37*************************************

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {65******-****-****-****-************, {EXCH1}, {EXCH1_IP}, {3RD_EXCH_IP}, 169.254.1.252, {EXCH1_FQDN}}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=MS-Organization-P2P-Access [2017]
NotAfter           : 05/08/2018 00:05:25
NotBefore          : 04/08/2018 00:00:25
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 3F******************************
Services           : None
Status             : Invalid
Subject            : CN=65******-****-****-****-************, DC=46******-****-****-****-************
Thumbprint         : 66*************************************

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {65******-****-****-****-************, {EXCH1}, {EXCH1_IP}, {3RD_EXCH_IP}, 169.254.1.80, {EXCH1_FQDN}}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=MS-Organization-P2P-Access [2016]
NotAfter           : 03/09/2017 20:59:10
NotBefore          : 02/09/2017 20:54:10
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 43******************************
Services           : None
Status             : Invalid
Subject            : CN=65******-****-****-****-************, DC=46******-****-****-****-************
Thumbprint         : 5B*************************************

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Microsoft Exchange Server Auth Certificate
NotAfter           : 08/06/2022 09:39:03
NotBefore          : 04/07/2017 09:39:03
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 4E******************************
Services           : SMTP
Status             : Valid
Subject            : CN=Microsoft Exchange Server Auth Certificate
Thumbprint         : 2B*************************************

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {{EXCH1}, {EXCH1_FQDN}}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN={EXCH1}
NotAfter           : 04/07/2022 09:37:32
NotBefore          : 04/07/2017 09:37:32
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 18******************************
Services           : IIS, SMTP
Status             : Valid
Subject            : CN={EXCH1}
Thumbprint         : 65*************************************

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-SHA2-{EXCH1}}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-SHA2-{EXCH1}
NotAfter           : 28/06/2027 14:27:42
NotBefore          : 30/06/2017 14:27:42
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 18******************************
Services           : None
Status             : Valid
Subject            : CN=WMSvc-SHA2-{EXCH1}
Thumbprint         : 68*************************************

RPCPing from exch1 to exch2:

rpcping /t ncacn_http /s {EXCH2_FQDN} /o RpcProxy=mail.domain.com /P username,domain,* /H Basic /u NTLM /a connect /F 3
Enter password for RPC/HTTP proxy:

Exception 1722 (0x000006BA)
Number of records is: 3
ProcessID is 9396
System Time is: 3/4/2021 16:11:18:616
Generating component is 14
Status is 0x6C0, 1728
Detection location is 1398
Flags is 0
NumberOfParameters is 2
Long val: 0x4
Long val: 0x6c0
ProcessID is 9396
System Time is: 3/4/2021 16:11:18:603
Generating component is 13
Status is 0x6C0, 1728
Detection location is 1428
Flags is 0
NumberOfParameters is 1
Long val: 0x190
ProcessID is 9396
System Time is: 3/4/2021 16:11:18:603
Generating component is 13
Status is 0x190, 400
Detection location is 1417
Flags is 0
NumberOfParameters is 1
Unicode string: Invalid RPC Port: 593

testconnectivity.microsoft.com results with an account residing in a database on exch1:

Testing Outlook connectivity.
The Outlook connectivity test failed.
Test Steps

The Microsoft Connectivity Analyzer is attempting to test Autodiscover for email@domain.com.
Autodiscover was tested successfully.
Test Steps

Autodiscover settings for Outlook connectivity are being validated.
The Microsoft Connectivity Analyzer validated the Outlook Autodiscover settings.

Testing MAPI over HTTP connectivity to server mail.domain.com
MAPI over HTTP connectivity was verified successfully.
Test Steps

Testing RPC over HTTP connectivity to server mail.domain.com
RPC over HTTP connectivity failed.
Test Steps

Attempting to resolve the host name mail.domain.com in DNS.
The host name resolved successfully.
Additional Details

Testing TCP port 443 on host mail.domain.com to ensure it's listening and open.
The port was opened successfully.

Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Test Steps

Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details

Testing HTTP Authentication Methods for URL https://mail.domain.com/rpc/rpcproxy.dll?28eeaf00-7521-49c4-96cb-17f8068514de@domain.com:6002.
The HTTP authentication methods are correct.
Additional Details

Attempting to ping RPC proxy mail.domain.com.
RPC Proxy was pinged successfully.

Attempting to ping the MAPI Mail Store endpoint with identity: 28eeaf00-7521-49c4-96cb-17f8068514de@domain.com:6001.
The endpoint was pinged successfully.
Additional Details

Testing the MAPI Address Book endpoint on the Exchange server.
The address book endpoint was tested successfully.
Test Steps

Testing the MAPI Referral service on the Exchange Server.
An error occurred while the Referral service was being tested.
Test Steps

Attempting to ping the MAPI Referral Service endpoint with identity: 28eeaf00-7521-49c4-96cb-17f8068514de@domain.com:6002.
The endpoint was pinged successfully.
Additional Details

Attempting to perform referral for user on server 28eeaf00-7521-49c4-96cb-17f8068514de@domain.com.
An error occurred while trying to get the address book server.
Additional Details
An RPC error was thrown by the RPC Runtime process. Error -532462766 -532462766
RPC Status: -532462766 -532462766

testconnectivity.microsoft.com results with an account residing in a database on exch2:

Testing Outlook connectivity.
The Outlook connectivity test failed.
Test Steps

The Microsoft Connectivity Analyzer is attempting to test Autodiscover for exch2_email@domain.com.
Autodiscover was tested successfully.
Test Steps

Autodiscover settings for Outlook connectivity are being validated.
The Microsoft Connectivity Analyzer validated the Outlook Autodiscover settings.

Testing MAPI over HTTP connectivity to server mail.domain.com
MAPI over HTTP connectivity failed.
Test Steps

Attempting to resolve the host name mail.domain.com in DNS.
The host name resolved successfully.
Additional Details

Testing TCP port 443 on host mail.domain.com to ensure it's listening and open.
The port was opened successfully.

Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Test Steps

Testing HTTP Authentication Methods for URL https://mail.domain.com/mapi/emsmdb/?MailboxId=3b7a0102-7dfd-43c2-835b-502c7718a50c@domain.com.
The HTTP authentication methods are correct.
Additional Details

Testing the MAPI Address Book endpoint on the Exchange server.
An error occurred while testing the address book endpoint.
Test Steps

Testing the address book "Check Name" operation for user exch2_email@domain.com against server mail.domain.com.
An error occurred while attempting to resolve the name.
Additional Details
A protocol layer error occured. HttpStatusCode: 503
Failure LID: 47372
Failure Information:

###### REQUEST [2021-03-04T17:39:53.4083406Z] [ResolvedIPs: {EXCH_EXTERNAL_IP}] ######

POST /mapi/nspi/?mailboxId=3b7a0102-7dfd-43c2-835b-502c7718a50c@domain.com HTTP/1.1
Content-Type: application/octet-stream
User-Agent: MapiHttpClient
X-RequestId: 199148da-e4e8-45cc-9109-8462a54e9449:1
X-ClientInfo: afeca7b0-830f-491d-874b-90e03f295d7c:1
client-request-id: 0917a5aa-f28e-4e11-95c0-460d6cc0b0bf
X-ClientApplication: MapiHttpClient/15.20.3825.0
X-RequestType: Bind
Authorization: Negotiate [truncated]
Host: mail.domain.com
Content-Length: 45

--- REQUEST BODY [+0.041] ---
..[BODY SIZE: 45]

--- REQUEST SENT [+0.041] ---

###### RESPONSE [+0.138] ######

HTTP/1.1 503 Failed authentication on backend server: Unauthorized
request-id: 6b446af9-fe00-403c-b390-038b740f3000
X-CalculatedBETarget: {EXCH2_FQDN}
X-FailureContext: BackEnd;401;NDAx;U3lzdGVtLk5ldC5XZWJFeGNlcHRpb246IFRoZSByZW1vdGUgc2VydmVyIHJldHVybmVkIGFuIGVycm9yOiAoNDAxKSBVbmF1dGhvcml6ZWQuDQogICBhdCBTeXN0ZW0uTmV0Lkh0dHBXZWJSZXF1ZXN0LkVuZEdldFJlc3BvbnNlKElBc3luY1Jlc3VsdCBhc3luY1Jlc3VsdCkNCiAgIGF0IE1pY3Jvc29mdC5FeGNoYW5nZS5IdHRwUHJveHkuUHJveHlSZXF1ZXN0SGFuZGxlci48PmNfX0Rpc3BsYXlDbGFzczE5OV8wLjxPblJlc3BvbnNlUmVhZHk+Yl9fMCgp;;;
Persistent-Auth: true
X-FEServer: {EXCH1}
Content-Length: 0
Cache-Control: private
Date: Thu, 04 Mar 2021 17:39:52 GMT
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET

--- RESPONSE BODY [+0.139] ---

--- RESPONSE DONE [+0.139] ---

###### EXCEPTION THROWN [+0.139] ######


HTTP Response Headers:
request-id: 6b446af9-fe00-403c-b390-038b740f3000
X-CalculatedBETarget: {EXCH2_FQDN}
X-FailureContext: BackEnd;401;NDAx;U3lzdGVtLk5ldC5XZWJFeGNlcHRpb246IFRoZSByZW1vdGUgc2VydmVyIHJldHVybmVkIGFuIGVycm9yOiAoNDAxKSBVbmF1dGhvcml6ZWQuDQogICBhdCBTeXN0ZW0uTmV0Lkh0dHBXZWJSZXF1ZXN0LkVuZEdldFJlc3BvbnNlKElBc3luY1Jlc3VsdCBhc3luY1Jlc3VsdCkNCiAgIGF0IE1pY3Jvc29mdC5FeGNoYW5nZS5IdHRwUHJveHkuUHJveHlSZXF1ZXN0SGFuZGxlci48PmNfX0Rpc3BsYXlDbGFzczE5OV8wLjxPblJlc3BvbnNlUmVhZHk+Yl9fMCgp;;;
Persistent-Auth: true
X-FEServer: {EXCH1}
Content-Length: 0
Cache-Control: private
Date: Thu, 04 Mar 2021 17:39:52 GMT
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET

HTTP Status Code: 503 ServiceUnavailable

Any help would be greatly appreciated.

Answer 1

I have done some research, this issue may be related with certificate.

1. Check from IIS to confirm which certificate that used for IIS service(Make sure the bind certificate is correct):

2. Then run IISReset in CMD with administrator rights.

3. Check if this issue still continues.

In addition, here's a similar thread for your reference: Exchange 2013 ECP/OWA/Outlook all failing - 503 Service Unavailable