Exchange2003 OWA & User Account Workstation "Login to" Restrictions

Hello everyone,

In advance, I appreciate everyones time and attention to our issue:

We are in the process of migrating to Exchange 2003 and am testing this amazing new system and obviously have come across an issue.  To set the environment - I'd like to explain that we have two domains on two seperate forests.  Two completely seperate windows networks that traverse our interconnected Lans and Wans.  These domains have trusts that enable some collaboration, but are uniquely seperate.  For obvious security reasons we have enabled "Logon To" restictions to enforce user accounts on the less trusted domain to enforce user logons to only their assigned workstations - mind you, this domain is also a different domain from which the exchange server is associated to.

As an example: has the exchange server & has the accounts with the restrictions.

I have followed the instructions on on how to associate users from another domain to a mailbox and it works great.  My users on can logon to accounts on with no issues via Outlook or OWA if they login from their "Logon To" workstations.  The problem is, if I give them OWA via a SSL VPN, they will not be able to access their mailbox via OWA b/c Windows 2003/Exchange 2003 will deny them b/c of the logon to restriction.

To reiterate, we cannot access the OWA from any other machines outside of the machine that they have permission to logon to.  (In testing, my account worked from my PC but the untrusted accounts wouldn't work from my PC - IE gives a 500 error.)  (I have also attempted to insert the exchange server itself into the "Login To" box to no avail - the Security Logs on the Windows 2003 Server (that runs Exchange 2003) displays the "User not allowed to logon at this computer" Error.)  If I add my workstation to the list, then I am able to login to their OWA.

This issue is urgent for us as we would like to complete the roll-out this coming weekend and this was just discovered in final OWA testing...  Its not the end of the world if the "untrusted" users don't get OWA, but it would be nice to be able to extend to them the same services as we do for the rest of the company (and not to mention this would save a lot of explaining...)  Therefore, I am rating this for 500 points...

Thanks for reading!

Who is Participating?
PAQed with points (500) refunded

Community Support Moderator
An OWA user needs log on locally rights to the Exchange server. That is because OWA is running on the Exchange server. Therefore you need to adjust the settings slightly.

I think if you add the Exchange server to the logon to list it should work. There may be some other settings that are required as well, which I know are documented somewhere, but I cannot find them. (I am pretty sure it is in the white papers on MS web site, but there are a pile of them to get through).

RichardCorbettAuthor Commented:
I am not so sure that the OWA user needs logon local rights to Exchange 2003.  I have not set this for any account and many of them work without any issues.  Furthermore, I did add the Exchange server to the logon to list with no success.  The errors in the Security logs still reflects that the logon is from what ever workstation they are connecting from - see below:

Logon Failure:
       Reason:            User not allowed to logon at this computer
       User Name:      XXXTESTUSER04XXX  
       Domain:            sub
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      XXXLABTEST04XXX
       Caller User Name:      -
       Caller Domain:      -
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

I may be thinking of Exchange 5.5. In my job I have so many things running around inside my head that I forget which applies to which version.
It is on my things to test this weekend as this question has come up a couple of times here and elsewhere. I would like to get to the bottom of it, so will play around on my VMWARE test network while I do a mailbox move tomorrow.

RichardCorbettAuthor Commented:
Has anyone experienced this issue and/or have a workaround?  

Thank you,

I have now had time to replicate this... to some extent. And I don't see the error message.

I restricted an account to one machine. I then attempted to use OWA from a number of other machines including a machine that was outside of the network. All of them worked correctly.
The two things that I can see different which may be the difference why it works for me and not for you.
I am using Forms Based Authentication on SSL. I am not using a trusted domain. I strongly suspect that it is the trusted domain setup that is causing the problem.

RichardCorbettAuthor Commented:
I found on my own that if you add the mail server name to the user account that they restriction will be lifted.  The premise is that the mail server's OS is logging in to that mailbox and performing some kind of impersonation but the restrictions still take hold.  Once you add the mail servers machine name, the mail server / OS allows you to login to OWA.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.