OWA requires client authentication twice
Posted on 2005-04-05
I'm running OWA in IIS 5.1 w/ Exchange 2000 on Win2k Server. Yesterday I ran the IIS Lockdown Tool and messed up my OWA (not a single mention in the interface about SSL, but it destroyed my SSL settings nevertheless).
I have seen both of the following KB articles:
Neither applies AFAIK, so please read on:
Prior to the Lockdown Tool mishap my SSL redirection was working perfectly. I have since re-implemented SSL, and followed Article 839357 to the last detail to re-create the redirection using the custom error and asp page combination recommended in that article.
Before it was undone by the Lockdown Tool, my redirection would send all of the following requests directly to SSL with one authentication:
- it authenticates "https://mail.domain.com" once (directly to SSL)
- it authenticates both "mail.domain.com" and "http://mail.domain.com" to "http://mail.domain.com", then requires a second authentication to "https://mail.domain.com"
AFAIK, no settings in Exchange have been changed. From what I'm reading here, it sounds as if maybe I should be allowing anonymous access someplace where I'm not, but I have tried various possibilities, and none have made a difference. (I have been restarting the IIS Admin service with every change, which stops & restarts everything.)
Here's what I have for directory security settings in IIS:
Default Web Site: Anonymous: YES / Basic: YES / Integrated: NO / SSL required: NO
Exchweb: Anonymous: YES / Basic: NO / Integrated: NO / SSL required: NO
Public: Anonymous: YES / Basic: YES / Integrated: NO / SSL required: YES
Exchange: Anonymous: YES / Basic: YES / Integrated: NO / SSL required: YES
Exadmin: Anonymous: YES / Basic: NO / Integrated: NO / SSL required: NO
OWA_Redirect: Anonymous: YES / Basic: YES / Integrated: NO / SSL required: NO
Owaasp: Anonymous: YES / Basic: NO / Integrated: NO / SSL required: NO
Through trial & error I've determined that without Basic authentication on Default Web Site, no password is accepted, and users can't log in.
Furthermore, without Basic authentication on Default Web Site + Exchange + OWA_Redirect, the login attempt always results in either a 401 (unauthorized) or 403 (forbidden) error. But as long as Basic authentication is set on those 3 directories, a user can log in, but will always be presented first with a login for http, then with a login for https. Furthermore, the 2 logins persist regardless of how many directories have Basic authentication set, as long as at least Default + Exchange + OWA_Redirect are set. The only way to log in is to log in twice, first to http, then to https.
Right now I'm pretty stuck. This is my first time having to get under the hood of OWA so deep, and I have to admit I'm pretty clueless. Any suggestions?
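A small audit of the directory-security settings listed in the post, added here as an example and not part of the original post: it parses those seven lines and flags every directory that accepts Basic authentication without requiring SSL. That combination is the security-relevant side of the double login described above, because Basic credentials are only base64-encoded, so the first (http) prompt sends the password across the wire in clear text before the https redirect ever happens. The directory names and settings are copied from the post; the parser, the check and its output format are my own.

```python
"""Audit of the IIS directory-security settings listed in the post.

Added example, not code from the original post. Parses the poster's
settings lines and flags directories where Basic authentication is
enabled but SSL is not required (credentials exposed over plain HTTP).
"""
import re
from typing import Dict, List

# Constructed input: the settings exactly as the poster listed them.
SETTINGS_TEXT = """\
Default Web Site: Anonymous:YES / Basic:YES / Integrated: NO / SSL required:NO
Exchweb: Anonymous:YES / Basic:NO / Integrated: NO / SSL required: NO
Public: Anonymous:YES / Basic:YES / Integrated: NO / SSL required: YES
Exchange: Anonymous:YES / Basic:YES / Integrated: NO / SSL required: YES
Exadmin: Anonymous:YES / Basic:NO / Integrated: NO / SSL required: NO
OWA_Redirect Anonymous:YES / Basic:YES / Integrated: NO / SSL required: NO
Owaasp Anonymous:YES / Basic:NO / Integrated: NO / SSL required: NO
"""

# Tolerates the inconsistent spacing and the missing colon after some names.
LINE_RE = re.compile(
    r"^(?P<name>.+?):?\s+Anonymous:\s*(?P<anon>YES|NO)\s*/\s*"
    r"Basic:\s*(?P<basic>YES|NO)\s*/\s*Integrated:\s*(?P<integ>YES|NO)\s*/\s*"
    r"SSL required:\s*(?P<ssl>YES|NO)\s*$",
    re.IGNORECASE,
)


def parse_settings(text: str) -> Dict[str, Dict[str, bool]]:
    """Map each directory name to its four boolean settings."""
    dirs: Dict[str, Dict[str, bool]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised settings line: {line!r}")
        dirs[m.group("name")] = {
            "anonymous": m.group("anon").upper() == "YES",
            "basic": m.group("basic").upper() == "YES",
            "integrated": m.group("integ").upper() == "YES",
            "ssl_required": m.group("ssl").upper() == "YES",
        }
    return dirs


def basic_without_ssl(dirs: Dict[str, Dict[str, bool]]) -> List[str]:
    """Directories that accept Basic auth but do not require SSL.

    On these, a Basic challenge (such as the first, http, login prompt in
    the post) carries the password base64-encoded, i.e. in clear text.
    """
    return sorted(name for name, s in dirs.items()
                  if s["basic"] and not s["ssl_required"])


def report(text: str) -> List[str]:
    """Parse, flag, and return the flagged directory names."""
    dirs = parse_settings(text)
    flagged = basic_without_ssl(dirs)
    for name in dirs:
        mark = "CLEARTEXT BASIC" if name in flagged else "ok"
        print(f"{name:18s} {mark}")
    return flagged


if __name__ == "__main__":
    report(SETTINGS_TEXT)
```

With the poster's settings the check flags Default Web Site and OWA_Redirect, which are exactly the two directories involved in the http prompt that precedes the https one; any Basic-enabled directory reachable over plain http is worth either putting behind "SSL required" or stripping of Basic authentication, so the only credential prompt a user sees is the one on the SSL side.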