Solved

RWW and OWA Problem

Posted on 2004-08-20
Last Modified: 2011-10-03
I am using Small Biz Server 2003 Standard. I set all users the exact same way on the server (as plain users). By default all users have access to OWA and Remote Web Workplace. For security reasons I removed these groups from the user (Mobile Users and Remote Web Workplace Users); they were not using these features at that time. Well, later on when the users wanted to use these services I added these groups back to the users, and OWA and Remote Web Workplace would not allow login from these users. I deleted the users and recreated the users and it worked fine for a few days. I deleted and replaced the user again and it lasted about 12 hours, both times using the same username and email alias. The last time I did this I made sure that I deleted the users' mailboxes from Exchange. I am thinking it has something to do with IIS security, but I don't know how to go about removing all old user entries from IIS for these two services (OWA and RWW).
Question by:cgaengineer
11 Comments
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 500 total points
It's difficult to give you an exact answer because of all the deleting and readding that you've done.  Ideally (and I know this is after the fact) you don't want to delete users or mailboxes, but instead modify what you have.

A couple of things you should know about these items:

1.  Mailboxes created in Exchange do not instantly update.
2.  You should ALWAYS use the wizards on SBS2003.

In the case of mailbox updates... if you want changes to be implemented immediately, you need to force the Recipient Update.  To do this, open the Server Management Console and navigate to: Advanced Management > First Organization (Exchange) > Recipients > Recipient Update Services.  Right click on each service and select "UPDATE NOW."

However, that being said, the best way to have done this would have been to rerun the Email/Internet Connection Wizard after you restored the groups (In Server Management Console, navigate to Internet & Email, then CONNECT TO THE INTERNET).  This will allow you to reconfigure the internal firewall settings and designate which services will be available.  Following that, run the Remote Access Wizard (Internet & Email > CONFIGURE REMOTE ACCESS).

BUT... before you do any of that be sure that you have installed ALL SBS updates and patches, including Service Pack 1 for Exchange.

http://www.microsoft.com/windowsserver2003/sbs/downloads/default.mspx

Try all that and then let me know if you need further assistance.

Good Luck!

Jeff
TechSoEasy

Author Comment

by:cgaengineer
OK, I ran Windows Update on my server, ran the internet/email connection setup wizard again, but I am not using the firewall, and haven't been. We use an external firewall (Fortigate), so I have the firewall disabled for simplicity. Then I updated through Recipient Update Services. Tried to login... nothing!! This has to be an IIS problem. Somewhere there are dribbys and tidbits of this user in IIS that are not allowing this user to login. Is there any simple way to remove old users from IIS or does it not work like that? I am thinking it's all set to anonymous access and Exchange handles the authentication, same with Remote Web Workplace. But somewhere there has to be a way to make this same username and email alias work again. The weird thing is, when this first occurred, I simply added the user back to the RWW group thinking this would fix the problem; after all, all I did was remove him from the group!!
 

Author Comment

by:cgaengineer
Logon Failure:
  Reason: User not allowed to logon at this computer
  User Name: Rxxxxxxxy
  Domain: www.xxxxxxxxxxx.net
  Logon Type: 3
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Workstation Name: WKS008
  Caller User Name: -
  Caller Domain: -
  Caller Logon ID: -
  Caller Process ID: -
  Transited Services: -
  Source Network Address: xx.xxx.196.243
  Source Port: 16606
 

Author Comment

by:cgaengineer
OK!!!!!! Guess what? Just like all other users in the office, I have specified which workstations I wanted to allow login. These were WKS001, WKS002, WKS004 and WKS005. Now I don't know why, but this was not allowing this particular user to gain access to the server. Now what I need to know is how to restrict the user to certain workstations, but allow login to IIS/Server, without local login to the server. If I add allow login to server, will he be able to login locally to the server?
 

Author Comment

by:cgaengineer
OK, I added allow login to server also, tried to login to the server with his username/password, and it said I couldn't login interactively. So I think I answered my last question.
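
A check for the failure the author tracked down in the comments above, added here as an example and not posted by either participant: it parses a logon-failure record in the layout quoted earlier and compares it with the user's "Log On To" workstation list (the Active Directory `userWorkstations` attribute). The sample record, the server name `SBSSERVER` and the function names are assumptions.

```python
import re

# Constructed sample in the same layout as the failure record posted above;
# the user and domain are placeholders, not values from the thread.
SAMPLE_EVENT = """\
Logon Failure:
  Reason: User not allowed to logon at this computer
  User Name: exampleuser
  Domain: EXAMPLE
  Logon Type: 3
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Workstation Name: WKS008
"""

def parse_event(text):
    """Turn the indented 'Key: value' lines of a logon-failure record into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s+([^:]+):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def parse_workstations(attr):
    """userWorkstations is a comma-separated list; empty means unrestricted."""
    return {n.strip().upper() for n in (attr or "").split(",") if n.strip()}

def triage(event_text, user_workstations, web_server):
    """Report which names are absent from the user's allowed-workstation list."""
    ev = parse_event(event_text)
    allowed = parse_workstations(user_workstations)
    result = {"user": ev.get("User Name"), "restricted": bool(allowed),
              "workstation_restriction_failure": False, "missing": []}
    if "not allowed to logon at this computer" not in ev.get("Reason", "").lower():
        return result  # some other failure reason; not this problem
    # Logon Type 3 is a network logon, the kind recorded in the thread.
    result["workstation_restriction_failure"] = ev.get("Logon Type") == "3"
    # Names to check: the workstation recorded in the event and the server
    # hosting OWA/RWW (the thread's fix was adding the server to the list).
    for name in (ev.get("Workstation Name", ""), web_server):
        if allowed and name and name.upper() not in allowed:
            result["missing"].append(name.upper())
    return result

if __name__ == "__main__":
    # SBSSERVER is a hypothetical server name.
    print(triage(SAMPLE_EVENT, "WKS001,WKS002,WKS004,WKS005", "SBSSERVER"))
```
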
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
I must say that I have absolutely no idea what you are trying to do.

First, disabling the internal firewall for simplicity's sake is not making it simpler.  It only makes it more difficult and there is no reason you can't have both a software and hardware firewall.  Using the EICW to configure both the firewall and email settings ensures that you have everything done right.

Secondly, you should really read a short tutorial on Active Directory.  This is what controls user access, either at the workstation level or at the user level, depending on your needs.  Please see this Whitepaper: http://www.microsoft.com/windowsserver2003/techinfo/overview/adam.mspx

Then... about your question:
                 "Is there any simple way to remove old users from IIS or does it not work like that?"

If you messed with the user permissions in IIS, then I'd suggest that you reinstall it to set the permissions back to their original state.  IIS is for serving your web pages, both internally and externally.  Mostly for SharePoint, RWW, OWA, or any other web service you may provide.  You would never want to modify the permissions individually for these services... all of this should be done through Active Directory.  Small Business Server comes pre-configured to give you a few different groups that would probably meet your needs... such as the Mobile Access group.

Beyond these couple of pointers, I really think you should take a step back and do a bit of the planning that should have been done before you launched your server.  Networks cannot just be set up on the fly... you need to think about what the needs are, map it out... and then implement your plan.  I would highly suggest that you buy one of the very useful Small Business Server handbooks (personally, I use Windows Small Business Server 2003 Best Practices by Harry Brelsford).  These guides can help immeasurably.

Best of luck!

Jeff
TechSoEasy
 

Author Comment

by:cgaengineer
No, I fixed it.

I originally removed the user from the OWA group for security, then I added the person back at a later time. When I did this I had restricted the users down to a few workstations. Once I realized that this is what had happened, I added the server to the "Allow login to" and the user had access to OWA and RWW. I never messed with IIS, just simply thought it was an IIS authentication problem; as it turned out it kinda was. Since the user didn't have permission to login to the server under his profile settings, OWA and RWW wouldn't allow login. Problem fixed now. As far as taking a step back, I feel this was an insult. This server has been running without a hitch since deployment last November. I am A+ and MCSE, but unfortunately you can't learn everything in school. I built this server, ran SBS2000 on it (1.5 yrs), and did a clean install of SBS2003 in November when it came out.

First, disabling the internal firewall for simplicity's sake is not making it simpler.  It only makes it more difficult and there is no reason you can't have both a software and hardware firewall. (Running two firewalls with rules DOES make things more difficult, especially when I have to point each machine to the router for internet access, and SBS wants everything pointed at itself.) We do not run ISA; this is the standard version. I specifically didn't get premium because I wanted an easier hardware solution, which also provides Anti Virus and NIDS. I can also deny access to websites, some or all, by time of day, or just a single workstation. All for less money than ISA that comes with the premium version.

Small Business Server comes pre-configured to give you a few different groups that would probably meet your needs... such as the Mobile Access group. (I know this, this is why I removed this user from the group; I didn't want him to have this access at that time.)

I paid for this web bull**** for help, not to be insulted. I simply asked a question that you could not answer. I fixed my own problem, and it was very simple once I figured it out. "Networks can not just be set up on the fly" (What the **** is this?) Setting my network up on the fly? I wired this ****ing building myself, installed the jacks and built the ****ing server. Up until now, we have not had a single problem. And as of right now we have NO problems. My only problem is that I paid for help that I didn't need.
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
No need to get angry... your posts were rather confusing... so I was just trying to be explicit.

Many things you wrote didn't make any sense... so it seemed logical to take a step back.  One thing that many people who have a LOT of experience with NT4.0 and SBS2k don't realize is that SBS2003's wizards can be a great help... especially for things like a double firewall.  Most FortiGate Firewalls are UPnP compliant... so the SBS will automatically configure the FortiGate during the EICW... I find that to be EASIER, not more difficult.

As we all know.... email and forum postings leave a lot to be interpreted.  Your response and use of language in a public forum was uncalled for.  I spent my own good time responding to your request... thanks so much for your appreciation of that.

Sincerely,

Jeff
TechSoEasy
 

Author Comment

by:cgaengineer
I'm sorry if you were offended and sorry for the use of language. I took it as an insult and maybe it wasn't. I just don't like to ask questions and have people tell me I need to do things a different way when the way I have been doing it has been working for almost a year. Not to mention I started with this company when it was two computers, no network, no nothing. I built this company's network from nothing to what it is now. When we started we used sneaker net; now we are a domain running our own email server, all of which I set up myself, no help from anyone. This network was never set up on the fly, and nor was our business that depends on computers to function.

I like to keep things simple, and my thoughts are Router-Firewall-Firewall: that is three sets of ports that need to be forwarded/allowed.

I am sorry for being an asshole, and maybe I was out of line. Please accept my sincere apology.

 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
accepted... and it sounds like you've accomplished a lot...

take care...

Jeff
 

Author Comment

by:cgaengineer
Thanks again for all your help, and again sorry for being an ass.