• Status: Solved

Forms based authentication does not work

I have an Exchange 2003/W2k3 FE/BE solution with SSL enabled on the FE server. I have enabled Forms Based Authentication on the FE server but the old logon box still pops up. The FE server has been rebooted after the changes. I use https://owa.domain.com/exchange to log on and OWA works fine, just not the new authentication page.
Any ideas anyone?
Asked by: Allianse
 
flyguybob Commented:
It sounds like the anonymous authentication to the server for the exchange/bin directory in IIS is denied.
 
flyguybob Commented:
Is this what is happening:
1) Connect to the FBA page
2) Enter authentication info
3) Log onto server using FBA
4) User is now in OWA
 
Sembee Commented:
First thing to check with any OWA issues is authentication in the IIS manager for the Exchange virtual directories:
/exchange
/exchweb
/public
/exadmin

All should be basic and integrated ONLY.
In addition, /exchweb should also have anonymous access. No others should have anonymous.

Simon.
 
Allianse (Author) Commented:
I have the following security on the Exchange virtual directories:
/exadmin - Integrated
/exchange - Basic
/exchweb - Anonymous and Integrated
/exchweb/bin - Anonymous and Integrated
/public - Basic

When I change the settings to Basic AND Integrated on all directories in addition to Anonymous on the Exchweb and bin directories, the popup login-box still shows when I try to logon to OWA, but now with the Domain field in addition to the Username and Password fields (not wanted).
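Sembee's baseline checked against the settings listed in the post above, as an added example that is not part of the thread. It assumes each directory's setting has been read as the integer AuthFlags metabase property; the bit names, `BASELINE`, `REPORTED`, `decode` and `audit` are introduced here for illustration.

```python
# Added example, not from the thread: audit IIS 6 AuthFlags values for the
# Exchange virtual directories against the baseline Sembee describes.

# IIS metabase AuthFlags bits (assumption: the thread never names them).
AUTH_BITS = {"Anonymous": 0x01, "Basic": 0x02, "Integrated": 0x04,
             "Digest": 0x10, "Passport": 0x40}

BASIC_AND_INTEGRATED = AUTH_BITS["Basic"] | AUTH_BITS["Integrated"]

# Baseline from the thread: Basic + Integrated only on every directory,
# plus Anonymous on /exchweb and nowhere else.
BASELINE = {
    "/exchange": BASIC_AND_INTEGRATED,
    "/exchweb": BASIC_AND_INTEGRATED | AUTH_BITS["Anonymous"],
    "/public": BASIC_AND_INTEGRATED,
    "/exadmin": BASIC_AND_INTEGRATED,
}

# Constructed input: the settings listed in the post above, as AuthFlags.
REPORTED = {
    "/exadmin": 0x04,       # Integrated
    "/exchange": 0x02,      # Basic
    "/exchweb": 0x05,       # Anonymous and Integrated
    "/exchweb/bin": 0x05,   # not in the baseline, so not audited
    "/public": 0x02,        # Basic
}

def decode(flags):
    """Names of the authentication methods enabled in an AuthFlags value."""
    return sorted(name for name, bit in AUTH_BITS.items() if flags & bit)

def audit(observed):
    """Return {vdir: finding} for each baseline directory that deviates."""
    findings = {}
    for vdir, expected in BASELINE.items():
        actual = observed.get(vdir)
        if actual is None:
            findings[vdir] = {"error": "virtual directory not found"}
            continue
        missing = decode(expected & ~actual)
        extra = decode(actual & ~expected)
        if missing or extra:
            findings[vdir] = {"missing": missing, "extra": extra}
    return findings

if __name__ == "__main__":
    for vdir, finding in audit(REPORTED).items():
        print(vdir, finding)
```

An `extra` entry of `Anonymous` on any directory other than /exchweb is the deviation to treat as an exposure rather than a usability problem.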
 
Sembee Commented:
The settings that I have given you above are the correct settings from a working front-end / back-end scenario. Therefore that is what you need to set them to. The fact that the login prompt keeps coming indicates that the problem is elsewhere.

Have you tried to do anything with the anonymous user account within IIS? This should be left under the control of Windows.
If you disable FBA, does it login correctly to the mailbox?
With FBA enabled do you ever see the forms page?

My instinct is that something is wrong with IIS, but it is tracking down what.

Simon.
 
Allianse (Author) Commented:
We do not want the users to have to enter the domain when logging on, therefore we use only Basic on /exchange and /public (and avoid the Domain field in the popup box).
We only see the popup box (and not the FBA page) whether FBA is enabled or not. We use the default IUSR_... for anonymous logon.
 
Sembee Commented:
When you are using FBA you will need to use the domain when completing the form.
That can be changed via an unsupported process. It is outlined in the articles below.

http://www.msexchange.org/tutorials/OWA2003Forms-based-Authentication-default-domain.html
http://www.msexchange.org/tutorials/OWA2003Forms-based-Authentication-default-domain-Part2.html

However you aren't even seeing the forms based login page, so something is wrong there. When it is enabled you shouldn't see any popup box - the form does everything for you.

What happens if you browse to the FBA page directly?

http://servername/exchweb/bin/auth/owalogon.asp

Note that it is in http, but also try it in https as well.
Do you get any prompts for username and password?

Simon.
 
Allianse (Author) Commented:
I still get the logon popup when I use https://servername/exchweb/bin/auth/owalogon.asp (and no FBA page).
 
Sembee Commented:
If you have anonymous enabled for exchweb (which you should) then you shouldn't get a prompt. The /exchweb directory contains public information that should be accessible by anyone.
Have you got anything on this server that can be browsed by an anonymous user? Or does everything prompt for a username and password?

Therefore this means that either the authentication on the anonymous internet account isn't working correctly, or there is a more core problem with IIS.

A couple of articles I would like you to look at.

This article tells you how to reset the anonymous account password. Ignore the symptoms and version - it is the same for IIS4, 5 and 6.
http://support.microsoft.com/?kbid=184730

This second one is how to reset the virtual folders for Exchange. This may resolve the problems if the above doesn't.
http://support.microsoft.com/?kbid=883380

Simon.
 
Allianse (Author) Commented:
Regarding the first article - I can't find the same things in IIS6 Manager as referenced in the IIS4 article. Could you please tell me how to do this with IIS6? Thanks :)
 
Sembee Commented:
My bad - I only scan read it during a break at a client's.

This is a better article to follow.

http://support.microsoft.com/default.aspx?kbid=332167

Simon.
 
Allianse (Author) Commented:
Resetting the Exchange virtual folders did the trick. Thank you!