I recently migrated from an Exchange 2007 environment to Exchange 2013. This is a 100% on-site deployment. Everything was working great, and then I introduced a secondary Exchange server with both the CAS and Mailbox roles installed, which is now participating in a DAG with the primary server. The primary server continues to work as expected. However, the secondary server is giving me problems. I'm not able to log into the secondary /ecp website. However, /owa works fine. Another sign of a problem is that launching the Exchange Shell on the secondary server gives me this error:
New-PSSession : [exchange02.domain.com] Connecting to remote server exchange02.domain.com failed with the
following error message : The WinRM client cannot process the request. The WinRM client tried to use Kerberos
authentication mechanism, but the destination computer (EXCHANGE02.domain.com:80) returned an 'access denied' error.
I've tried deleting and recreating the PowerShell virtual directory, and uninstalling and reinstalling the WinRM IIS extensions, along with various other suggestions found on the interwebs.
My suspicion is that it is something related to either Kerberos, or Windows Authentication. I've verified user rights, and they all appear to be correct.
What can I do to troubleshoot problems with WinRM and/or ECP? The server is not publicly accessible, so the Exchange connectivity analyzer doesn't work (I think?).