Solved

Exchange2003 OWA & User Account Workstation "Login to" Restrictions

Posted on 2004-10-28
Last Modified: 2010-05-18
Hello everyone,

In advance, I appreciate everyone's time and attention to our issue:

We are in the process of migrating to Exchange 2003 and are testing this amazing new system, and obviously have come across an issue.  To set the environment, I'd like to explain that we have two domains in two separate forests: two completely separate Windows networks that traverse our interconnected LANs and WANs.  These domains have trusts that enable some collaboration, but are uniquely separate.  For obvious security reasons we have enabled "Logon To" restrictions on the user accounts in the less trusted domain, to limit those users' logons to only their assigned workstations.  Mind you, this domain is also a different domain from the one the Exchange server belongs to.

As an example: domain.com has the exchange server & sub.domain.com has the accounts with the restrictions.

I have followed the instructions at http://support.microsoft.com/?id=278888 on how to associate users from another domain with a mailbox, and it works great.  My users on sub.domain.com can log on to accounts on domain.com with no issues via Outlook or OWA if they log in from their "Logon To" workstations.  The problem is, if I give them OWA via an SSL VPN, they will not be able to access their mailbox via OWA because Windows 2003/Exchange 2003 will deny them because of the logon-to restriction.

To reiterate, we cannot access OWA from any machines other than the ones they have permission to log on to.  (In testing, my account worked from my PC but the untrusted accounts wouldn't work from my PC; IE gives a 500 error.)  (I have also attempted to insert the Exchange server itself into the "Login To" box, to no avail; the Security log on the Windows 2003 server that runs Exchange 2003 displays the "User not allowed to logon at this computer" error.)  If I add my workstation to the list, then I am able to log in to their OWA.

This issue is urgent for us as we would like to complete the roll-out this coming weekend, and this was just discovered in final OWA testing...  It's not the end of the world if the "untrusted" users don't get OWA, but it would be nice to be able to extend to them the same services as we do for the rest of the company (not to mention this would save a lot of explaining...).  Therefore, I am rating this for 500 points...

Thanks for reading!

Rich
Question by: RichardCorbett
9 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 12443552
An OWA user needs log on locally rights to the Exchange server. That is because OWA is running on the Exchange server. Therefore you need to adjust the settings slightly.

I think if you add the Exchange server to the logon to list it should work. There may be some other settings that are required as well, which I know are documented somewhere, but I cannot find them. (I am pretty sure it is in the white papers on MS web site, but there are a pile of them to get through).

Simon.
 
LVL 2

Author Comment

by:RichardCorbett
ID: 12445838
I am not so sure that the OWA user needs log-on-locally rights on Exchange 2003.  I have not set this for any account and many of them work without any issues.  Furthermore, I did add the Exchange server to the logon-to list with no success.  The errors in the Security logs still reflect that the logon is from whatever workstation they are connecting from - see below:

Logon Failure:
       Reason:            User not allowed to logon at this computer
       User Name:      XXXTESTUSER04XXX  
       Domain:            sub
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      XXXLABTEST04XXX
       Caller User Name:      -
       Caller Domain:      -
 
LVL 104

Expert Comment

by:Sembee
ID: 12446173
I may be thinking of Exchange 5.5. In my job I have so many things running around inside my head that I forget which applies to which version.
It is on my things to test this weekend as this question has come up a couple of times here and elsewhere. I would like to get to the bottom of it, so will play around on my VMWARE test network while I do a mailbox move tomorrow.

Simon.
 
LVL 2

Author Comment

by:RichardCorbett
ID: 12486380
Has anyone experienced this issue and/or have a workaround?  

Thank you,

Rich
 
LVL 104

Expert Comment

by:Sembee
ID: 12677727
I have now had time to replicate this... to some extent.  And I don't see the error message.

I restricted an account to one machine.  I then attempted to use OWA from a number of other machines, including a machine that was outside of the network.  All of them worked correctly.
There are two things I can see that are different, which may be why it works for me and not for you:
I am using Forms Based Authentication on SSL.  I am not using a trusted domain.  I strongly suspect that it is the trusted domain setup that is causing the problem.

Simon.
 
LVL 2

Author Comment

by:RichardCorbett
ID: 14344446
I found on my own that if you add the mail server name to the user account, the restriction will be lifted.  The premise is that the mail server's OS is logging in to that mailbox and performing some kind of impersonation, but the restrictions still take hold.  Once you add the mail server's machine name, the mail server / OS allows you to log in to OWA.
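The workaround described in the comment above (adding the Exchange server's computer name to the account's "Log On To" list) can be applied and checked from PowerShell.  The script below is an added example for this thread, not code posted by the author or by Microsoft.  It assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later, so it would not run on the 2003-era servers in the thread), placeholder names (user testuser04 in sub.domain.com, Exchange/OWA server NetBIOS name MAIL01), and the documented storage of the "Log On To" list in the userWorkstations attribute (exposed as LogonWorkstations) as one comma-separated string.  The Security-log query at the end uses the modern event 4625 with SubStatus 0xC0000070 (STATUS_INVALID_WORKSTATION); the Windows 2003 log quoted in this thread records the same condition as event 533.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory module and
# placeholder names: user 'testuser04' in sub.domain.com, Exchange server 'MAIL01'.
# -Server must point at the account's own domain (sub.domain.com), because that is
# where the Log On To restriction lives, not the domain the Exchange server is in.
Import-Module ActiveDirectory

$User     = 'testuser04'        # placeholder account in the less trusted domain
$UserDC   = 'sub.domain.com'    # DC / domain of the account
$MailHost = 'MAIL01'            # placeholder Exchange/OWA server NetBIOS name

function Get-LogonToList {
    param([string]$Identity, [string]$Server)
    # LogonWorkstations is the userWorkstations attribute: a single string of
    # comma-separated NetBIOS names. An empty value means "log on to all computers".
    $u = Get-ADUser -Identity $Identity -Server $Server -Properties LogonWorkstations
    if ([string]::IsNullOrWhiteSpace($u.LogonWorkstations)) { return @() }
    return @($u.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Add-LogonToHost {
    param([string]$Identity, [string]$Server, [string]$HostName)
    $current = @(Get-LogonToList -Identity $Identity -Server $Server)
    if ($current.Count -eq 0) {
        # An empty list is "unrestricted"; writing a single name here would RESTRICT
        # the account to that one machine, so refuse rather than silently lock it down.
        Write-Warning "$Identity has no Log On To restriction; not adding $HostName."
        return
    }
    if ($current -contains $HostName) {          # -contains is case-insensitive
        Write-Host "$HostName is already in the Log On To list for $Identity."
        return
    }
    # The ADUC dialog caps the list at 64 names; stay within that limit.
    if ($current.Count -ge 64) { throw "Log On To list for $Identity already has 64 entries." }
    $new = ($current + $HostName) -join ','
    Set-ADUser -Identity $Identity -Server $Server -LogonWorkstations $new
    Write-Host "Log On To for $Identity is now: $new"
}

Add-LogonToHost -Identity $User -Server $UserDC -HostName $MailHost

# Verify on the server that rejected the logon: list recent 4625 failures whose
# SubStatus is 0xC0000070 (STATUS_INVALID_WORKSTATION) and show which workstation
# name the DC actually compared against the Log On To list.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0x[cC]0000070' } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Workstation = $d.WorkstationName   # the name checked against Log On To
            LogonType   = $d.LogonType         # 3 = network, as in the thread's log
            IpAddress   = $d.IpAddress
        }
    } | Format-Table -AutoSize
```

Note that the Log On To check is made against the Workstation Name carried in the logon request, which for a network (type 3) logon through a trust is whatever the client or the relaying server supplied.  That is why the Workstation column above is worth inspecting before deciding which name to add: if it shows the OWA server, adding that server is the fix; if it shows the remote client, no server-side entry will help.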
 
LVL 1

Accepted Solution

by: DarthMod (earned 0 total points)
ID: 14588136
PAQed with points (500) refunded

DarthMod
Community Support Moderator
