Solved

Exchange2003 OWA & User Account Workstation "Login to" Restrictions

Posted on 2004-10-28
1,243 Views
Last Modified: 2010-05-18
Hello everyone,

In advance, I appreciate everyones time and attention to our issue:

We are in the process of migrating to Exchange 2003 and are testing this amazing new system and obviously have come across an issue.  To set the environment - I'd like to explain that we have two domains on two separate forests.  Two completely separate Windows networks that traverse our interconnected LANs and WANs.  These domains have trusts that enable some collaboration, but are uniquely separate.  For obvious security reasons we have enabled "Logon To" restrictions on user accounts on the less trusted domain to enforce user logons to only their assigned workstations - mind you, this domain is also a different domain from the one the Exchange server is associated with.

As an example: domain.com has the exchange server & sub.domain.com has the accounts with the restrictions.

I have followed the instructions on http://support.microsoft.com/?id=278888 on how to associate users from another domain to a mailbox and it works great.  My users on sub.domain.com can logon to accounts on domain.com with no issues via Outlook or OWA if they login from their "Logon To" workstations.  The problem is, if I give them OWA via a SSL VPN, they will not be able to access their mailbox via OWA b/c Windows 2003/Exchange 2003 will deny them b/c of the logon to restriction.

To reiterate, we cannot access the OWA from any other machines outside of the machine that they have permission to logon to.  (In testing, my account worked from my PC but the untrusted accounts wouldn't work from my PC - IE gives a 500 error.)  (I have also attempted to insert the exchange server itself into the "Login To" box to no avail - the Security Logs on the Windows 2003 Server (that runs Exchange 2003) displays the "User not allowed to logon at this computer" Error.)  If I add my workstation to the list, then I am able to login to their OWA.

This issue is urgent for us as we would like to complete the roll-out this coming weekend and this was just discovered in final OWA testing...  It's not the end of the world if the "untrusted" users don't get OWA, but it would be nice to be able to extend to them the same services as we do for the rest of the company (and not to mention this would save a lot of explaining...)  Therefore, I am rating this for 500 points...

Thanks for reading!

Rich
0
Question by:RichardCorbett
    7 Comments
     
    LVL 104

    Expert Comment

    by:Sembee
    An OWA user needs log on locally rights to the Exchange server. That is because OWA is running on the Exchange server. Therefore you need to adjust the settings slightly.

    I think if you add the Exchange server to the logon to list it should work. There may be some other settings that are required as well, which I know are documented somewhere, but I cannot find them. (I am pretty sure it is in the white papers on MS web site, but there are a pile of them to get through).

    Simon.
    0
     
    LVL 2

    Author Comment

    by:RichardCorbett
    I am not so sure that the OWA user needs logon local rights to Exchange 2003.  I have not set this for any account and many of them work without any issues.  Furthermore, I did add the Exchange server to the logon to list with no success.  The errors in the Security logs still reflect that the logon is from whatever workstation they are connecting from - see below:

    Logon Failure:
           Reason:            User not allowed to logon at this computer
           User Name:      XXXTESTUSER04XXX  
           Domain:            sub
           Logon Type:      3
           Logon Process:      NtLmSsp
           Authentication Package:      NTLM
           Workstation Name:      XXXLABTEST04XXX
           Caller User Name:      -
           Caller Domain:      -
    0
     
    LVL 104

    Expert Comment

    by:Sembee
    I may be thinking of Exchange 5.5. In my job I have so many things running around inside my head that I forget which applies to which version.
    It is on my things to test this weekend as this question has come up a couple of times here and elsewhere. I would like to get to the bottom of it, so will play around on my VMWARE test network while I do a mailbox move tomorrow.

    Simon.
    0
     
    LVL 2

    Author Comment

    by:RichardCorbett
    Has anyone experienced this issue and/or have a workaround?  

    Thank you,

    Rich
    0
     
    LVL 104

    Expert Comment

    by:Sembee
    I have now had time to replicate this... to some extent. And I don't see the error message.

    I restricted an account to one machine. I then attempted to use OWA from a number of other machines including a machine that was outside of the network. All of them worked correctly.
    There are two things I can see that are different, which may be why it works for me and not for you.
    I am using Forms Based Authentication on SSL. I am not using a trusted domain. I strongly suspect that it is the trusted domain setup that is causing the problem.

    Simon.
    0
     
    LVL 2

    Author Comment

    by:RichardCorbett
    I found on my own that if you add the mail server name to the user account then the restriction will be lifted.  The premise is that the mail server's OS is logging in to that mailbox and performing some kind of impersonation, but the restrictions still take hold.  Once you add the mail server's machine name, the mail server / OS allows you to login to OWA.
    0
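The diagnostic and the workaround from this thread, as an added example that is not part of the original posts: it parses the security-log failure text quoted above to pull out the account and the client workstation, reads that account's "Logon To" list (the LogonWorkstations attribute) from the restricted domain, and stages adding the mail server's machine name the way the author describes. The ActiveDirectory module, the domain name sub.domain.com, the server name EXCH01 and the user name are assumptions; -WhatIf is set so nothing is changed until you remove it.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# module is available and a DC for sub.domain.com (assumed) is reachable.
Import-Module ActiveDirectory

$dc             = 'sub.domain.com'   # assumed: domain holding the restricted accounts
$exchangeServer = 'EXCH01'           # assumed: NetBIOS name of the Exchange/OWA server

# Constructed copy of the security-log entry quoted in the thread (names changed).
$failureText = @"
Logon Failure:
       Reason:            User not allowed to logon at this computer
       User Name:      TESTUSER04
       Domain:            sub
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      LABTEST04
"@

function ConvertFrom-LogonFailureText {
    param([string]$Text)
    $fields = @{}
    foreach ($line in $Text -split "`r?`n") {
        # "Key:   value" lines only; the bare "Logon Failure:" header has no value
        if ($line -match '^\s*(?<key>[^:]+):\s+(?<value>.+?)\s*$') {
            $fields[$Matches.key.Trim()] = $Matches.value
        }
    }
    [pscustomobject]@{
        Reason      = $fields['Reason']
        User        = $fields['User Name']
        Domain      = $fields['Domain']
        LogonType   = [int]$fields['Logon Type']   # 3 = network logon (the OWA case above)
        Workstation = $fields['Workstation Name']  # the client, not the Exchange server
    }
}

$evt  = ConvertFrom-LogonFailureText $failureText
$user = Get-ADUser -Identity $evt.User -Server $dc -Properties LogonWorkstations
$allowed = @()
if ($user.LogonWorkstations) { $allowed = $user.LogonWorkstations -split ',' }

Write-Host ("{0}\{1}: logon type {2} from '{3}'; Logon To = [{4}]" -f
    $evt.Domain, $evt.User, $evt.LogonType, $evt.Workstation, ($allowed -join ','))

# Workaround reported in the thread: add the mail server's machine name to "Logon To".
# This also permits the account to log on at that server, so keep the list minimal.
if ($allowed -notcontains $exchangeServer) {
    $newList = (@($allowed) + $exchangeServer) -join ','
    Set-ADUser -Identity $user -Server $dc -LogonWorkstations $newList -WhatIf
}
```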
     
    LVL 1

    Accepted Solution

    by:
    PAQed with points (500) refunded

    DarthMod
    Community Support Moderator
    0
