I'm running a win2kAS (SP4) with Exchange 2k (SP2).
I've just noticed (after running OWA over HTTPS for many months) that if I log into our server as me, i.e.:
and then authenticate with the server, once in I can then change /me to /anyone else and I have access to all users' mailboxes!!
I thought it might just be because I'm admin, so I asked a user for their password, logged in as them from a separate machine to ensure there was no cache at work, authenticated, then tried to access my own mailbox - it worked (!!!!) without asking for my pw.
Needless to say, I've now disabled OWA until I can sort this, and I'm likely overlooking something obvious.
Any help is appreciated.