LBMcLeod

Cannot login to OWA using any version of IE.

Hello!

I recently got my Exchange Server up and running with the great help of redseatechnologies.  Whenever a user (including myself) attempts to login to OWA using IE, you are prompted 3 times for username and password and then a message saying, "Error: Access is Denied."

This happens with all users as long as they attempt to login with IE.

Any thoughts?
AdamRobinson

This happens when the authentication is set improperly.  Two questions:

1) Are they able to log in from outside of your domain with IE?
2) If you connect with http://servername/exchange versus http://externaldomainname/exchange do you see any difference?

You're probably going to have to end up re-doing the permissions on your virtual server.

ASKER CERTIFIED SOLUTION
NJComputerNetworks
I'm fairly certain on the most updated Exchange that is no longer necessary.

LBMcLeod

ASKER

I'm not sure if they cannot login with IE outside the domain or not.  I know we can with Firefox just fine.  I tried logging in using http://servername/exchange and it worked just fine using IE, however, I noticed I am unable to log out after clicking on logout and closing the browser.  When I reopen IE and go back to http://servername/exchange it lets me right in without asking for login credentials.
Right.  

You definitely have an authentication problem, as I said in the first post.  I would suggest going through the first link NJComputer posted, and if that doesn't resolve it, message back.  

This message should probably be moved to the Exchange Server Area, btw.
I did as you suggested using the first link NJComputer posted and now I can't get into OWA at all.  Actually, I didn't do everything outlined in the article, I only did the following, "In order to do so start the IIS Manager then right-click the ExchWeb virtual directory and select Properties. Now select the Directory Security tab and click Edit under Authentication and access control. Make sure the Anonymous access and Integrated Authentication check boxes are enabled then click OK and Apply. If an Inheritance Overrides dialog box pops up make sure you click Select All then OK. Under Authentication and access control, click Edit then clear the Integrated Windows authentication check box again. Click OK twice and you’re done."

Now when I try to access OWA it just hangs.  

Thoughts?
It's been a very, very long time since I had to do all of that, but I recall needing to restart the Exchange Services and/or reboot.  Nevertheless, why not do the whole thing?  There are a lot of settings that need to be correct for OWA to work properly.

By the way, which Exchange version is this, and what domain operating system?

I would once again request that this be moved to Exchange Server.  You'll get a lot prompter and possibly better help there than in here, as this isn't actually an Outlook issue.
I did do the whole thing as I was a little worried about losing data by deleting virtual directories.  I was hoping by just doing the second part that would cover it.  I am running Exchange 2003 on Windows 2003 Server.

How do I go about moving this to Exchange Server?  I'm fairly new to Experts-Exchange and don't quite have down all its capabilities.

Thanks!
You can:

1) Put in a request in the Community Support Area
2) Create a topic in Exchange worth 50 points as a Pointer to this thread
3) Delete this question and re-open another one in the Exchange Server Topic Area.

As a sidenote, until such time that you feel comfortable with the directions there (I understand why you don't want to delete those virtual directories if you're not comfortable), you should revert back to your old settings, whatever they were, assuming you wrote them down/documented them before you made a change.

When you restarted the services, did anything change?  And what message are you getting now when you try to connect to OWA?  

When I restarted services I didn't notice any changes.  When I try to connect to OWA I get no messages as it just continues to load, but it never renders anything.  I attempted to undo the changes I made but it doesn't seem to have an effect.  I can access it using http://servername/exchange however.

To make a pointer, do I just copy/paste the url to this thread when I create the new topic in the Exchange area?
Here's the message I get when trying to access OWA, "HTTP/1.1 500 Internal Server Error(USG support)"
Universal Security Group?  Let's see.  

If you're in through servername/exchange, then OWA is still running, but you're still stuck on the permissions issue.

Can you check your services and see if you have groups denied?  

Do authenticated users have access to Exchsrvr\Exchweb?  
And did you restart the Microsoft Exchange System Attendant?

And when you said "hangs" above, do you mean it loads nothing, or do the framebars for OWA load but nothing comes up?
Yes, the next few questions after that may be more relevant, specifically the Exchsrvr question.
Just  checked permissions in IIS and it doesn't appear anyone is denied.  Is that what you were asking?
Sigh, it appears my last comment disappeared into never never land (Thanks New EE site!).

http://support.microsoft.com/kb/883380

Do authenticated users have access to Exchsrvr\Exchweb?  <--It appears so
And did you restart the Microsoft Exchange System Attendant? <--Yes

I can get the login window to come up now on IE so everything is back to square one.  When I put in my username and password, the login screen reappears and instead of just my username in the username field, it is filled in as follows:  Username: www.domain.edu\username 

I'm reading the support article now.
Have you applied the most recent Exchange Service Packs yet, out of curiosity?

Actually, I'm not sure about the service pack thing.  I thought I did, but it's possible I have not.  If I went to Microsoft Update, would it apply it automatically?  Because that's what I did.
How do I check my current service pack?  I know it's different than a Windows 2003 Server service pack.
Service Packs will not normally apply automatically, since you very often have to follow detailed instructions.  I believe to check the service pack version on Exchange 2003 you can open Windows Explorer, go to Program Files\Exchsrvr\bin and then look at the properties on Store.exe.  
redseatechnologies
This is a permissions issue.

Open up IIS, check the following virtual directories, and ensure that the permissions are exactly the same;

Exadmin -> Basic + Integrated
Exchange -> Basic + Integrated
Exchweb -> Anonymous ONLY
Public -> Basic + Integrated

The problem is, one of those is going to be set to integrated when it shouldn't be (my bet is Exchweb).  Firefox can't do Integrated Authentication, so that is why it works.

Finally, as a Premium Services member, you have access to add area to your favourites -> *please* add exchange ;)  http://www-new.experts-exchange.com/editFavorites.jsp

-red
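
An added example (not part of the original thread, and not code from any poster): a Python check of the per-directory settings listed in the post above against what a server actually reports. It assumes each virtual directory's IIS 6 metabase `AuthFlags` integer has already been read from the server; the function names and the sample values are constructed for illustration.

```python
# IIS 6 metabase AuthFlags bit values.
AUTH_BITS = {
    0x01: "Anonymous",
    0x02: "Basic",
    0x04: "Integrated",
    0x10: "Digest",
    0x40: "Passport",
}

# Expected methods per OWA virtual directory, as listed in the post above.
EXPECTED = {
    "Exadmin": {"Basic", "Integrated"},
    "Exchange": {"Basic", "Integrated"},
    "Exchweb": {"Anonymous"},
    "Public": {"Basic", "Integrated"},
}

def decode_auth_flags(value):
    """Turn an AuthFlags integer into the set of enabled method names."""
    return {name for bit, name in AUTH_BITS.items() if value & bit}

def audit(observed):
    """Return (vdir, missing, unexpected) for each directory that deviates.

    `observed` maps a virtual directory name to its AuthFlags integer.
    A directory absent from `observed` is reported with every expected
    method missing, so an incomplete collection is not read as a pass.
    """
    findings = []
    for vdir, expected in EXPECTED.items():
        enabled = decode_auth_flags(observed.get(vdir, 0))
        missing = sorted(expected - enabled)
        unexpected = sorted(enabled - expected)
        if missing or unexpected:
            findings.append((vdir, missing, unexpected))
    return findings

# Constructed sample: Exchweb has Integrated enabled on top of Anonymous,
# and Public has lost Integrated.
SAMPLE = {"Exadmin": 6, "Exchange": 6, "Exchweb": 5, "Public": 2}

if __name__ == "__main__":
    for vdir, missing, unexpected in audit(SAMPLE):
        print(f"{vdir}: missing={missing} unexpected={unexpected}")
```
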
Red:

Assuming you don't use the new website and your favorites randomly disappear at random, depending on the day :)
Okay.  I assume I should install them in order, i.e., install Service Pack 1 first, then Service Pack 2.  I just finished installing the first one.  I'm getting ready to download the second now.
Okay, when you say: Basic + Integrated, do you mean that under Authenticated Methods, there should be a checkmark for Integrated Windows authentication and Basic authentication, and no checkmark for Enable anonymous access?
That is correct
I did as you suggested and I'm still having the same problem.  I put in my username and password in IE, and the login window reappears with the username: www.domain/username

Any other thoughts?
SOLUTION
Okay, so I did as you suggested and entered username as username@domain.local and it worked fine on IE.

Is that the way it will have to be on when logging in on IE, or does that indicate how we can get it to work by just entering the username?
There is a work around on OWA wherein you can have it automatically enter the domain portion for you, but I'm not sure if you want to do that.  

Security is my main concern.  Of course I would like to make it as easy as possible for my users, but not at the expense of security.  What does this work around entail?  It's not a big deal for me to have them just use their email address as their login name if need be.
Essentially you'd just add a default domain to the authenticated access portion of your authentication method underneath the virtual site.  IIRC, this pre-populates the front page with the domain.

I preferred making my users type it in, though.  

On the other hand, I was pretty darn sure the most recent Exchange Service Pack REMOVED the necessity of having to enter the domain (which was default before that).
Okay, so I know for sure that I have installed Exchange 2003 Service Pack 1, but not SP2.  Do you think installing SP2 would do the job?
Just do this:

Go to Exchange System Manager -> Servers -> <servername> -> Protocols -> HTTP -> Exchange Virtual Server -> Exchange

Check the properties on the Exchange directory.  

Put a "\" on the Default Domain.  

I believe that will do it.  If not, let me know and I'll try to dig up how it worked.  

Could also try the same under IIS, under Default Website -> Exchange

Properties here, then directory security, and make sure it has yourdomain.local as the default domain (\ would likely work here too -- don't have a non-production server to test it on at the moment for you, though, so I'm not entirely certain).

When you say, "yourdomain.local", am I supposed to actually put ".local" at the end, or are you referring to the .com, .edu, .org, etc...?
Just put a slash.  It should default to your domain.  

Did as you suggested at both places, still no go.

I noticed that when the login window reappears it displays:  Username: www.mydomain.edu\username

If I take out "www." and click okay it works.  It also works if I use: username@mydomain.edu

Is there any way to keep it from wanting to insert, "www."?
That has to be set as the default domain somewhere in your virtual directories.  Take a look at the various places online regarding this issue (it's one of the most oft-asked questions in regards to OWA).  You can also try installing SP2 and see if it helps -- especially considering SP2 contains some improvements you'll want anyway.

Yeah, I just installed SP2 a few hours ago.  I'll do some googling to see what I come up with.
Honestly, now that you are logging in and it is working (but is just ugly) I wouldn't waste any more time trying to make it simple.

Install an SSL certificate (if you haven't already) and enable FBA;

http://thelazyadmin.com/index.php?/archives/126-Enabling-Forms-Based-Authentication-for-OWA-2003.html

-red