nui-nl
OWA login problems, only administrator can do this
Hi all,
At one of our customers, we have a problem with OWA login on a newly installed Windows 2003 Small Business Server. It is an SBS2003 with Windows 2003 SP2, Small Business SP1 and Exchange SP2. All other updates are also installed.
We have configured OWA with an SSL certificate like we do at all our customers, but with this one it won't work (OWA 2003 Forms-Based Authentication is also enabled). The administrator can log in, inside/outside with SSL, but the users can't. If they try to log in with their username and password it says: wrong domain\username or password. Username and password are correct. We already tried to log in with domain\username, but it won't work. With Outlook 2003 on an XP SP2 client it works perfectly. In the event viewer on the server you don't see a thing during login. Only when starting the server do we get "The Kerberos Key Distribution Center service hung on starting". But it starts after that. In the security tab, we get a success audit, and if we try with a wrong username or password we get a failure audit.
What we're thinking is that something is missing between the IIS login and Exchange, or that it is a rights problem.
Also tried Method 1 from http://support.microsoft.com/kb/883380.
Can somebody help us out?
Make sure users are allowed to log in to the IIS server you have OWA on as a user. Also, have you tried domain.local/username for the username? This has helped me before.
ASKER
Hi Dave,
Thanks for your comment, but I've tried and it says the same. Username and password are incorrect. OWA is enabled in the user's properties.
Try a UPN login instead of NT login: joe.smith@company.com. Sounds like there's an IIS/Exchange to AD security or communications problem.
ASKER
Hi Paka,
I've tried to login with username@domain.com but it won't work. I've tried the .local and the .com extension. And we guess also that there is an IIS/Exchange to AD issue. But what?
Thanks!
It's odd that the admin can login but users can't. This means it is likely a permissions issue. Try this article to reset the IIS permissions:
http://www.msexchange.org/tutorials/Resetting-OWA-Folder-IIS-security-permissions-Exchange-2003.html
There could be multiple reasons behind this issue; however, it can also occur if "Bypass traverse checking" has been set to Administrators under a Group Policy object.
To check if that is the case, follow the steps below:
1. Open AD Users and Computers
2. Right-click the domain_name, and click Properties
3. Click the Group Policy tab
4. Open the "Default Domain Policy", or the appropriate policy
5. Expand Computer Configuration, Windows Settings, Security Settings, Local Policies, and click "User Rights Assignment"
6. In the detail pane, double-click "Bypass traverse checking"
7. Remove any accounts that are listed, or add permissions for all domain users
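The same check can be run against an export of the server's effective user rights (for example from `secedit /export /cfg rights.inf /areas USER_RIGHTS`, typically a UTF-16 file). This is an added example, not part of the original answer; it assumes the exported INF layout shown in the constructed sample, and `SeChangeNotifyPrivilege` is the internal name of "Bypass traverse checking". A result of "restricted" means no well-known broad principal holds the right, so any remaining domain groups still need to be reviewed by hand.

```python
import re

# Well-known SIDs that normally cover ordinary users for this right.
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
}
RIGHT = "SeChangeNotifyPrivilege"  # "Bypass traverse checking"


def parse_privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # Principals are comma-separated; SIDs carry a leading '*'.
            rights[name.strip()] = [
                p.strip().lstrip("*") for p in value.split(",") if p.strip()
            ]
    return rights


def check_traverse_right(inf_text):
    """Classify the setting as 'not-defined', 'ok' or 'restricted'."""
    rights = parse_privilege_rights(inf_text)
    if RIGHT not in rights:
        return "not-defined", []
    holders = rights[RIGHT]
    if any(h in BROAD_SIDS for h in holders):
        return "ok", holders
    return "restricted", holders


# Constructed sample export: the right is limited to BUILTIN\Administrators.
SAMPLE_RESTRICTED = """[Privilege Rights]
SeChangeNotifyPrivilege = *S-1-5-32-544
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
"""
# Constructed sample with Everyone and Authenticated Users added back.
SAMPLE_DEFAULT = SAMPLE_RESTRICTED.replace(
    "= *S-1-5-32-544\n", "= *S-1-1-0,*S-1-5-11,*S-1-5-32-544\n", 1)

print(check_traverse_right(SAMPLE_RESTRICTED))
```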
ASKER
Hi Paka,
Tried and it won't work. I already tried recreating things, and the rights are also okay. I just checked.
ASKER
Hi Dev-prakash,
It wasn't configured, so I have assigned the Company Users Group. Restarted IIS and ran gpupdate, but it won't work.
ASKER
Has anyone else any ideas?
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
Brilliant! This was it! Everything works perfectly, thanks for your great help.