  • Status: Solved
  • Priority: Medium
  • Security: Public

Cannot access OWA from an outside location (e.g., internet) unless it's removed from IE's "Trusted Sites"

Hello -

We're currently running Exchange 2003 Ent. under a Windows 2003 Server environment. I set up the 'Exchange' virtual web to allow for Integrated Windows Authentication, and set up each client's IE configuration (XP Pro SP2) with the OWA public address as a "Trusted Site" (in an effort to allow for pass-through authentication if they use their corporate laptop at the office or home).

Unfortunately, the pass-through authentication only works if they're physically located within the domain. Each time they try to access OWA from the outside they receive "Page Cannot be Displayed", and the following events show up on their local machines:

--------------------------------------------

Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40960
Date:            4/9/2006
Time:            5:38:19 PM
User:            N/A
Computer:      computer1
Description:
The Security System detected an attempted downgrade attack for server HTTP/webmail.domain.com.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".

Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40961
Date:            4/9/2006
Time:            5:38:19 PM
User:            N/A
Computer:      computer1
Description:
The Security System could not establish a secured connection with the server HTTP/webmail.domain.com.  No authentication protocol was available.

--------------------------------------------

The errors above don't go away, unless we remove the OWA public address from IE's "Trusted Sites" list, in which case they would get prompted.

Any ideas?
Asked by: lramos5
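As an added example, not part of lramos5's post: the two LSASRV/SPNEGO warnings quoted above are a recognisable pair, and a small parser can turn an exported Event Viewer dump into a one-line verdict. The event text is a constructed copy of the entries in the question; the event IDs 40960/40961, the SPN HTTP/webmail.domain.com and the status code 0xc000005e all come from the post, while the symbolic name STATUS_NO_LOGON_SERVERS for that code is the standard Windows NTSTATUS constant. Any other 40960 failure code is reported by number only.

```python
"""Added example (not from the original post): parse the two LSASRV/SPNEGO
warnings quoted in the question and say what the pair means.

SAMPLE_EVENTS is a constructed copy of the Event Viewer entries in the post.
Only the status code that appears on the page is given a symbolic name.
"""
import re

SAMPLE_EVENTS = """\
Event Type:      Warning
Event Source:    LSASRV
Event Category:  SPNEGO (Negotiator)
Event ID:        40960
Date:            4/9/2006
Time:            5:38:19 PM
User:            N/A
Computer:        computer1
Description:
The Security System detected an attempted downgrade attack for server HTTP/webmail.domain.com.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
 (0xc000005e)".

Event Type:      Warning
Event Source:    LSASRV
Event Category:  SPNEGO (Negotiator)
Event ID:        40961
Date:            4/9/2006
Time:            5:38:19 PM
User:            N/A
Computer:        computer1
Description:
The Security System could not establish a secured connection with the server HTTP/webmail.domain.com.  No authentication protocol was available.
"""

# One Event Viewer entry: its ID and the free-text Description that follows it.
EVENT_RE = re.compile(
    r"Event ID:\s+(?P<id>\d+).*?Description:\s*(?P<desc>.*?)(?=\n\s*Event Type:|\Z)",
    re.S,
)
SPN_RE = re.compile(r"\bserver (?P<spn>\S+)")
STATUS_RE = re.compile(r"\((?P<code>0x[0-9A-Fa-f]{8})\)")

# Standard Windows NTSTATUS constant for the code quoted in the question.
NTSTATUS_NAMES = {0xC000005E: "STATUS_NO_LOGON_SERVERS"}


def parse_events(text):
    """Return [{'id', 'spn', 'status'}] for each entry in an Event Viewer dump."""
    events = []
    for m in EVENT_RE.finditer(text):
        desc = " ".join(m.group("desc").split())      # unwrap the copied lines
        spn = SPN_RE.search(desc)
        status = STATUS_RE.search(desc)
        events.append({
            "id": int(m.group("id")),
            "spn": spn.group("spn").rstrip(".") if spn else None,
            "status": int(status.group("code"), 16) if status else None,
        })
    return events


def diagnose(events):
    """Verdict for a 40960 + 40961 pair against the same SPN, else None."""
    by_id = {e["id"]: e for e in events}
    downgrade, no_protocol = by_id.get(40960), by_id.get(40961)
    if not (downgrade and no_protocol) or downgrade["spn"] != no_protocol["spn"]:
        return None
    code = downgrade["status"]
    if code is None:
        return f"Kerberos for {downgrade['spn']} failed; no status code in the event text."
    name = NTSTATUS_NAMES.get(code, "unrecognised status")
    verdict = f"Kerberos for {downgrade['spn']} failed with {name} ({code:#010x})"
    if code == 0xC000005E:
        # Exactly the pair in the question: no DC reachable for a ticket, then
        # SPNEGO reports that no authentication protocol was available.
        verdict += (": the client found no domain controller to issue a ticket, "
                    "so SPNEGO reported no available authentication protocol (40961)")
    return verdict + "."


if __name__ == "__main__":
    print(diagnose(parse_events(SAMPLE_EVENTS)))
```

Paste a client's exported warnings into SAMPLE_EVENTS (or read them from a file) to confirm whether the pair is the no-logon-servers case or some other Kerberos failure code.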
1 Solution
 
LeeDerbyshire commented:
How about comparing the User Authentication/Logon setting for Trusted Sites (in the IE Tools/Internet Options/Security properties) with the setting for another zone?  I expect you are trying to use the 'Automatic Logon with Current username and Password' feature?  In the Advanced options, do you have 'Enable Integrated Windows Authentication' unchecked?
lramos5 (Author) commented:
Hello Lee -

All the User Authentication settings look good. We're only using the "Trusted Sites" zone at the moment. We've only used the "Intranet Zone" during the time of troubleshooting, resulting in the same thing.

"In the Advanced options, do you have 'Enable Integrated Windows Authentication' unchecked?" - Yep

Is OWA designed to work this way? I'm trying to accomplish this task without having to introduce additional complexity to our environment (e.g., ISA Server, Front-End Exchange Server).
LeeDerbyshire commented:
See if enabling the 'Enable Integrated Windows Authentication' option helps.  It's unusual to see this not checked (you said it was UNchecked, yes?).  If you are trying to use the existing logon in Trusted Sites, but not allowing IE to use Integrated Auth, then the settings are conflicting.
lramos5 (Author) commented:
Ah! My apologies... Although I read your question all the way through and was answering it correctly in my head, I mistyped the answer. The answer is actually that it is checked... My apologies :(
Sembee commented:
Are you using SSL?
If so, why not switch over to Forms Based Authentication? You will lose the pass-through authentication, but the users quickly get used to the login page.
If you want to allow users to get their email when off site then deploy RPC over HTTPS. That gives them access without the complexity of a VPN.

Simon.
lramos5 (Author) commented:
Hello Sembee...

Nope... no SSL.
LeeDerbyshire commented:
No problem.  I expected you would say that it was checked, after all, because it so rarely is not.  This is a strange issue that you are having, though.  There are very few other discussions of this in the newsgroups.  What ones there are seem to involve some third factor interfering, like a software firewall, or IIS compression.  Do you use either of these?
Sembee commented:
Better not post the URL anywhere because all of your usernames and passwords are going across in the clear. I don't deploy OWA without SSL - the risks are too great. And as for having port 80 open to the Internet - CodeRed anyone?

Simon.
lramos5 (Author) commented:
Nope... no software firewall or IIS compression being used....

Sembee... I would agree.... yet I'm baffled why this is just not working as it should be.... don't want to move to the next step (e.g., SSL) until I can get a handle on why it's not logging on via this basic setup.
LeeDerbyshire commented:
You can use FBA without SSL if you are just testing, but don't put this into production because your password will not even be Base64 encoded in transmission:

http://hellomate.typepad.com/exchange/2003/11/formsbased_auth.html
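Sembee's warning that usernames and passwords cross the wire in the clear without SSL, and Lee's note that FBA over plain HTTP does not even Base64-encode the password, can be made concrete by looking at what each OWA logon method actually puts into an HTTP request. The following is an added example, not code from the thread or from Exchange: four constructed requests stand in for a port-80 capture (Basic, Negotiate carrying NTLM, Negotiate carrying a Kerberos/SPNEGO token, and a forms-based logon POST), and classify() names the scheme and recovers the credential where a passive observer can read it. The host name is the one from the question, the credentials are made up, the FBA path is assumed, and the NTLM/SPNEGO blobs are minimal stubs rather than real tokens.

```python
"""Added example (not from the thread): what each OWA logon method puts on the
wire when the site is plain HTTP, as in this setup.

Four constructed requests stand in for a port-80 capture: Basic auth, Negotiate
carrying NTLM, Negotiate carrying a Kerberos/SPNEGO token, and a forms-based
logon POST. classify() names the scheme and, for the two cases a passive
observer can read outright (Basic, FBA without SSL), recovers the credential.
Assumptions: host name from the question, made-up credentials, assumed FBA
path, and stub NTLM/SPNEGO blobs rather than real tokens.
"""
import base64
from urllib.parse import parse_qs, urlencode

HOST = "webmail.domain.com"                      # name used in the question
USER, PASSWORD = "DOMAIN\\jdoe", "Summer2006!"   # made-up test credential

# Minimal NTLMSSP Type 1 (negotiate) message: signature, type, flags, padding.
NTLM_TYPE1 = b"NTLMSSP\x00" + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 16
# Stub GSS-API InitialContextToken: APPLICATION 0 tag (0x60), length, the SPNEGO
# OID 1.3.6.1.5.5.2, then zeroed bytes. Enough to classify; not a usable ticket.
SPNEGO_STUB = b"\x60\x20" + b"\x06\x06\x2b\x06\x01\x05\x05\x02" + b"\x00" * 24


def _request(method, path, extra_headers, body=""):
    """Build one raw HTTP/1.1 request string (constructed capture)."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {HOST}", *extra_headers]
    if body:
        lines.append(f"Content-Length: {len(body.encode())}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


def _b64(data):
    return base64.b64encode(data).decode()


CAPTURES = {
    "basic": _request("GET", "/exchange/",
                      ["Authorization: Basic " + _b64(f"{USER}:{PASSWORD}".encode())]),
    "ntlm": _request("GET", "/exchange/",
                     ["Authorization: Negotiate " + _b64(NTLM_TYPE1)]),
    "kerberos": _request("GET", "/exchange/",
                         ["Authorization: Negotiate " + _b64(SPNEGO_STUB)]),
    # FBA endpoint path is assumed here for illustration.
    "fba": _request("POST", "/exchweb/bin/auth/owaauth.dll",
                    ["Content-Type: application/x-www-form-urlencoded"],
                    urlencode({"destination": f"http://{HOST}/exchange", "flags": "0",
                               "username": USER, "password": PASSWORD})),
}


def classify(raw):
    """Name the logon scheme in one request and whether the credential is readable
    by anyone who can see the unencrypted HTTP traffic."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method = request_line.split(" ", 1)[0]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    auth = headers.get("authorization")
    if auth:
        scheme, _, token = auth.partition(" ")
        blob = base64.b64decode(token)
        if scheme.lower() == "basic":
            # Base64 is encoding, not encryption: one decode yields user:password.
            user, _, password = blob.decode().partition(":")
            return {"scheme": "Basic", "plaintext": True, "user": user, "password": password}
        if blob.startswith(b"NTLMSSP\x00"):
            # Windows puts a raw NTLMSSP blob under the Negotiate scheme when it
            # falls back from Kerberos to NTLM; the password itself is not sent.
            return {"scheme": f"NTLM (via {scheme})", "plaintext": False}
        if blob[:1] == b"\x60":
            # DER APPLICATION 0 tag: a GSS-API InitialContextToken (SPNEGO/Kerberos).
            return {"scheme": "Kerberos/SPNEGO", "plaintext": False}
        return {"scheme": scheme, "plaintext": False}

    if method == "POST" and headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        form = parse_qs(body)
        if "username" in form and "password" in form:
            # FBA over HTTP: the password is merely URL-encoded in the POST body.
            return {"scheme": "Forms-based", "plaintext": True,
                    "user": form["username"][0], "password": form["password"][0]}
    return {"scheme": "none", "plaintext": False}


def report():
    """{capture name: verdict} for every constructed request."""
    return {name: classify(raw) for name, raw in CAPTURES.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:>8}: {verdict}")
```

Running it shows the two schemes that hand a plain-HTTP observer the password verbatim (Basic and FBA) against the two that do not (NTLM and Kerberos), which is why both experts insist on SSL before exposing OWA, whichever logon method ends up being used.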