In advance, I appreciate everyone's time and attention to our issue:
We are in the process of migrating to Exchange 2003 and are testing this amazing new system, and obviously have come across an issue. To set the environment, I'd like to explain that we have two domains on two separate forests: two completely separate Windows networks that traverse our interconnected LANs and WANs. These domains have trusts that enable some collaboration, but are uniquely separate. For obvious security reasons we have enabled "Logon To" restrictions to force user accounts on the less trusted domain to log on only to their assigned workstations - mind you, this domain is also a different domain from the one the Exchange server is associated with.
As an example: domain.com has the Exchange server & sub.domain.com has the accounts with the restrictions.
I have followed the instructions on http://support.microsoft.com/?id=278888
on how to associate users from another domain with a mailbox, and it works great. My users on sub.domain.com can log on to accounts on domain.com with no issues via Outlook or OWA if they log in from their "Logon To" workstations. The problem is, if I give them OWA via an SSL VPN, they will not be able to access their mailbox via OWA because Windows 2003/Exchange 2003 will deny them because of the "Logon To" restriction.
To reiterate, we cannot access OWA from any machine other than the one they have permission to log on to. (In testing, my account worked from my PC but the untrusted accounts wouldn't work from my PC - IE gives a 500 error.) (I have also attempted to insert the Exchange server itself into the "Logon To" box, to no avail - the Security Logs on the Windows 2003 Server (that runs Exchange 2003) display the "User not allowed to logon at this computer" error.) If I add my workstation to the list, then I am able to log in to their OWA.
This issue is urgent for us as we would like to complete the roll-out this coming weekend, and this was just discovered in final OWA testing... It's not the end of the world if the "untrusted" users don't get OWA, but it would be nice to be able to extend to them the same services as we do for the rest of the company (not to mention this would save a lot of explaining...). Therefore, I am rating this for 500 points...
Thanks for reading!
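As an added example, not part of the original post: the Security Log entries mentioned above ("User not allowed to logon at this computer") record the workstation name the logon check was evaluated against, so collecting those names per account shows which computers are actually performing the logon for OWA sessions before anyone widens a "Logon To" list. The log text below is constructed to approximate the Windows 2003 Event Viewer layout; the user, domain and machine names are invented.

```python
import re
from collections import defaultdict, Counter

# Constructed sample of Windows 2003 security-log "Logon Failure" audit entries in
# Event Viewer layout. User, domain and machine names are invented for this example.
SAMPLE_LOG = """\
Logon Failure:
    Reason:            User not allowed to logon at this computer
    User Name:         jdoe
    Domain:            SUB
    Workstation Name:  EXCH01
Logon Failure:
    Reason:            Unknown user name or bad password
    User Name:         jdoe
    Domain:            SUB
    Workstation Name:  EXCH01
Logon Failure:
    Reason:            User not allowed to logon at this computer
    User Name:         asmith
    Domain:            SUB
    Workstation Name:  WS-FINANCE-07
"""

NOT_ALLOWED = "User not allowed to logon at this computer"
FIELD_RE = re.compile(r"^\s*(Reason|User Name|Domain|Workstation Name):\s*(.*?)\s*$", re.M)

def parse_logon_failures(text):
    """Return one dict of fields per 'Logon Failure:' block in the log text."""
    blocks = re.split(r"^Logon Failure:\s*$", text, flags=re.M)
    return [dict(FIELD_RE.findall(b)) for b in blocks if FIELD_RE.search(b)]

def workstation_denials(records):
    """DOMAIN\\user -> Counter of machine names that refused the logon due to 'Logon To'."""
    denials = defaultdict(Counter)
    for r in records:
        if r.get("Reason") == NOT_ALLOWED:  # other failure reasons are ignored
            user = f"{r.get('Domain', '?')}\\{r.get('User Name', '?')}"
            denials[user][r.get("Workstation Name", "?")] += 1
    return denials

def missing_from_logon_to(records, logon_to):
    """Per user, machine names seen in denials that are absent from that user's current
    Logon To list (logon_to: DOMAIN\\user -> set of names); review these before changing it."""
    gaps = {}
    for user, seen in workstation_denials(records).items():
        allowed = {n.upper() for n in logon_to.get(user, ())}
        gap = sorted(n for n in seen if n.upper() not in allowed)
        if gap:
            gaps[user] = gap
    return gaps
```

Feeding the exported Security Log text and each account's current "Logon To" entries into `missing_from_logon_to` lists exactly which machine name the failed OWA logon was checked against, which is the fact to confirm before adding any computer to the list.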