Solved

RWW and OWA Problem

Posted on 2004-08-20
Last Modified: 2011-10-03
I am using Small Biz Server 2003 Standard. I set all users the exact same way on the server (as plain users). By default all users have access to OWA and Remote Web Workplace. For security reasons I removed these groups from the user (Mobile Users, and Remote Web Workplace Users); they were not using these features at that time. Well, later on when the users wanted to use these services I added these groups back to the users and OWA and Remote Web Workplace would not allow login from these users. I deleted the users and recreated the users and it worked fine for a few days. I deleted and replaced the user again and it lasted about 12 hours. Both times using the same username and email alias. The last time I did this I made sure that I deleted the users' mailboxes from Exchange. I am thinking it has something to do with IIS security, but I don't know how to go about removing all old users' entries from IIS for these two services (OWA and RWW).
Question by:cgaengineer
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 500 total points
ID: 11876995
It's difficult to give you an exact answer because of all the deleting and readding that you've done.  Ideally (and I know this is after the fact) you don't want to delete users or mailboxes, but instead modify what you have.

A couple of things you should know about these items:

1.  Mailboxes created in Exchange do not instantly update.
2.  You should ALWAYS use the wizards on SBS2003.

In the case of mailbox updates... if you want changes to be implemented immediately, you need to force the Recipient Update.  To do this, open the Server Management Console and navigate to: Advanced Management > First Organization (Exchange) > Recipients > Recipient Update Services.  Right click on each service and select "UPDATE NOW."

However, that being said, the best way to have done this would have been to rerun the Email/Internet Connection Wizard after you restored the groups (In Server Management Console, navigate to Internet & Email, then CONNECT TO THE INTERNET).  This will allow you to reconfigure the internal firewall settings and designate which services will be available.  Following that, run the Remote Access Wizard (Internet & Email > CONFIGURE REMOTE ACCESS).

BUT... before you do any of that be sure that you have installed ALL SBS updates and patches, including Service Pack 1 for Exchange.

http://www.microsoft.com/windowsserver2003/sbs/downloads/default.mspx

Try all that and then let me know if you need further assistance.

Good Luck!

Jeff
TechSoEasy

Author Comment

by:cgaengineer
ID: 11879884
OK I ran Windows Update on my server, ran the internet/email connection setup wizard again, but I am not using the firewall, and haven't been. We use an external firewall (Fortigate) so I have the firewall disabled for simplicity. Then I updated through recipient update services. Tried to login..........nothing!! This has to be an IIS problem. Somewhere there are dribbys and tidbits of this user in IIS that are not allowing this user to login. Is there any simple way to remove old users from IIS or does it not work like that? I am thinking it's all set to anonymous access and Exchange handles the authentication, same with Remote Web Workplace. But somewhere there has to be a way to make this same username and email alias work again. The weird thing is, when this first occurred, I simply added the user back to the RWW group thinking this would fix the problem, after all, all I did was remove him from the group!!

Author Comment

by:cgaengineer
ID: 11879957
Logon Failure:
  Reason: User not allowed to logon at this computer
  User Name: Rxxxxxxxy
  Domain: www.xxxxxxxxxxx.net 
  Logon Type: 3
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Workstation Name: WKS008
  Caller User Name: -
  Caller Domain: -
  Caller Logon ID: -
  Caller Process ID: -
  Transited Services: -
  Source Network Address: xx.xxx.196.243
  Source Port: 16606

Author Comment

by:cgaengineer
ID: 11880157
OK!!!!!! Guess what? Just like all other users in the office I have specified which workstations I wanted to allow login. These were WKS001, WKS002, WKS004 and WKS005. Now I don't know why, but this was not allowing this particular user to gain access to the server. Now what I need to know is how to restrict the user to certain workstations, but allow login to IIS/Server, without local login to server. If I add allow login to server, will he be able to login locally to the server?

Author Comment

by:cgaengineer
ID: 11880200
OK I added allow login to server also, tried to login to server with his username/password, it said I couldn't login interactively. So I think I answered my last question.
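
As an added example (not part of the original posts): a small Python helper that parses a logon-failure event description like the one posted above and reports whether it is a workstation-restriction denial, what the logon type means, and whether the workstation named in the event is on the user's allow list. The event text and workstation list are the ones given in the thread; the function names are illustrative.

```python
# Added example: triage a Windows logon-failure event description.
# Event text as posted in the thread (values already redacted by the poster).
SAMPLE_EVENT = """\
Logon Failure:
  Reason: User not allowed to logon at this computer
  User Name: Rxxxxxxxy
  Logon Type: 3
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Workstation Name: WKS008
"""

# Workstations the thread says the user was allowed to log on to.
ALLOWED = ["WKS001", "WKS002", "WKS004", "WKS005"]

LOGON_TYPES = {2: "interactive", 3: "network",
               8: "network cleartext", 10: "remote interactive"}
WORKSTATION_DENIED = "user not allowed to logon at this computer"


def parse_event(text):
    """Collect the 'Key: value' lines of an event description into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and value.strip():  # skips the bare "Logon Failure:" header
            fields[key.strip()] = value.strip()
    return fields


def triage(text, allowed_workstations):
    """Summarise the failure and compare it with a workstation allow list."""
    fields = parse_event(text)
    allowed = {name.strip().upper() for name in allowed_workstations}
    workstation = fields.get("Workstation Name", "").upper()
    type_text = fields.get("Logon Type", "")
    logon_type = int(type_text) if type_text.isdigit() else None
    return {
        "user": fields.get("User Name"),
        "logon_type": LOGON_TYPES.get(logon_type, "other"),
        "workstation": workstation,
        "workstation_restriction":
            fields.get("Reason", "").lower() == WORKSTATION_DENIED,
        "workstation_on_list": workstation in allowed,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EVENT, ALLOWED))
```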
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 11884071
I must say that I have absolutely no idea what you are trying to do.

First, disabling the internal firewall for simplicity's sake is not making it simpler.  It only makes it more difficult and there is no reason you can't have both a software and hardware firewall.  Using the EICW to configure both the firewall and email settings ensures that you have everything done right.

Secondly, you should really read a short tutorial on Active Directory.  This is what controls user access, either at the workstation level or at the user level, depending on your needs.  Please see this Whitepaper: http://www.microsoft.com/windowsserver2003/techinfo/overview/adam.mspx

Then... about your question:
                 "Is there any simple way to remove old users from IIS or does it not work like that?"

If you messed with the user permissions in IIS, then I'd suggest that you reinstall it to set the permissions back to their original state.  IIS is for serving your web pages, both internally, and externally.  Mostly for Sharepoint, RWW, OWA, or any other web service you may provide.  You would never want to modify the permissions individually for these services... all of this should be done through active directory.  Small Business Server comes pre-configured to give you a few different groups that would probably meet your needs... such as the Mobile Access group.

Beyond these couple of pointers, I really think you should take a step back and do a bit of the planning that should have been done before you launched your server.  Networks cannot just be set up on the fly... you need to think about what the needs are, map it out... and then implement your plan.  I would highly suggest that you buy one of the very useful Small Business Server handbooks (personally, I use Windows Small Business Server 2003 Best Practices by Harry Brelsford).  These guides can help immeasurably.

Best of luck!

Jeff
TechSoEasy

Author Comment

by:cgaengineer
ID: 11884384
No I fixed it.

I originally removed the user from the OWA group for security, then I added the person back at a later time. When I did this I had restricted the users down to a few workstations. Once I realized that this is what had happened, I added the server to the "Allow login to" and the user had access to OWA and RWW. I never messed with IIS, just simply thought it was an IIS authentication problem, as it turned out it kinda was. Since the user didn't have permission to login to the server under his profile settings, OWA and RWW wouldn't allow login. Problem fixed now. As far as taking a step back, I feel this was an insult, this server has been running without a hitch since deployment last November, I am A+, and MCSE, but unfortunately you can't learn everything in school. I built this server, ran SBS2000 on it (1.5 yrs), did a clean install of SBS2003 in November when it came out.

First, disabling the internal firewall for simplicity sake is not making it simpler.  It only makes it more difficult and there is no reason you can't have both a software and hardware firewall. (Running two firewalls with rules DOES make things more difficult, especially when I have to point each machine to the router for internet access, and SBS wants everything pointed at itself) We do not run ISA, this is the standard version, I specifically didn't get premium because I wanted an easier hardware solution, which also provides Anti Virus and NIDS. I can also deny access to websites, some or all, by time of day, or just a single workstation. All for less money than ISA that comes with premium version.

Small Business Server comes pre-configured to give you a few different groups that would probably meet your needs... such as the Mobile Access group. (I know this, this is why I removed this user from the group, I didn't want him to have this access at that time)

I paid for this web bull**** for help, not to be insulted, I simply asked a question that you could not answer. I fixed my own problem, and it was very simple once I figured it out. "Networks can not just be set up on the fly" (What the **** is this?) Setting my network up on the fly I wired this ****ing building myself, installed the jacks and built the ****ing server. Up until now, we have not had a single problem. And as of right now we have NO problems. My only problem is that I paid for help that I didn't need.
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 11885978
No need to get angry... your posts were rather confusing... so I was just trying to be explicit.

Many things you wrote didn't make any sense... so it seemed logical to take a step back.  One thing that many people who have a LOT of experience with NT4.0 and SBS2k don't realize is that SBS2003's wizards can be a great help... especially for things like a double firewall.  Most FortiGate Firewalls are UPNP compliant... so the SBS will automatically configure the FortiGate during the EICW... I find that to be EASIER, not more difficult.

As we all know.... email and forum postings leave a lot to be interpreted.  Your response and use of language in a public forum was uncalled for.  I spent my own good time responding to your request... thanks so much for your appreciation of that.

Sincerely,

Jeff
TechSoEasy

Author Comment

by:cgaengineer
ID: 11886232
I'm sorry if you were offended and sorry for the use of language. I took it as an insult and maybe it wasn't. I just don't like to ask questions and have people tell me I need to do things a different way when the way I have been doing it has been working for almost a year. Not to mention I started with this company when it was two computers no network no nothing. I built this company's network from nothing to what it is now. When we started we used sneaker net, now we are a domain running our own Email server, all of which I set up myself, no help from anyone. This network was never set up on the fly and nor was our business that depends on computers to function.

I like to keep things simple and my thoughts are Router-Firewall-Firewall that is three sets of ports that need to be forwarded/allowed.

I am sorry for being an asshole, and maybe I was out of line. Please accept my sincere apology.

LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 11886306
accepted... and it sounds like you've accomplished a lot...

take care...

Jeff

Author Comment

by:cgaengineer
ID: 11886393
Thanks again for all your help, and again sorry for being an ass.