lramos5 asked:
Cannot access OWA from an outside location (e.g., internet) unless it's removed from IE's "Trusted Sites"

Hello -

We're currently running Exchange 2003 Ent. under a Windows 2003 Server environment. I setup the 'Exchange' virtual web to allow for Integrated Windows Authentication, and setup each client's IE configuration (XP Pro SP2) with the OWA public address as a "Trusted Site" (in an effort to allow for pass-through authentication if they use their corporate laptop at the office or home).

Unfortunately, the passthrough authentication only works if they're physically located within the domain. Each time they try to access OWA from the outside they receive, "Page Cannot be Displayed", and the following events shows up on their local machines:

--------------------------------------------

Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40960
Date:            4/9/2006
Time:            5:38:19 PM
User:            N/A
Computer:      computer1
Description:
The Security System detected an attempted downgrade attack for server HTTP/webmail.domain.com.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
 (0xc000005e)".

Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40961
Date:            4/9/2006
Time:            5:38:19 PM
User:            N/A
Computer:      computer1
Description:
The Security System could not establish a secured connection with the server HTTP/webmail.domain.com.  No authentication protocol was available.

--------------------------------------------

The errors above don't go away, unless we remove the OWA public address from IE's "Trusted Sites" list, in which case they would get prompted.

Any ideas?..
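An added triage example (not part of lramos5's post or of any reply in this thread): a Python script that parses LSASRV/SPNEGO warnings of the kind quoted above, pulls out the target SPN and the NTSTATUS code from the description, and decodes 0xc000005e to STATUS_NO_LOGON_SERVERS, i.e. the client could not reach a domain controller (KDC) and so could not get a Kerberos ticket for HTTP/webmail.domain.com. It goes a little beyond the post by also recognising a few other common codes so that an off-network "no KDC reachable" case can be told apart from rejected credentials or clock skew. The sample log text is constructed to mirror the shape of the two events above; the NTSTATUS table is a deliberately small subset.

```python
"""Parse LSASRV/SPNEGO warnings (event IDs 40960/40961) and explain the Kerberos failure.

Added example: SAMPLE_LOG is constructed to mirror the events quoted in the
question; it is not a capture from the asker's machines.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_LOG = """\
Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40960
Date:            4/9/2006
Time:            5:38:19 PM
User:            N/A
Computer:      computer1
Description:
The Security System detected an attempted downgrade attack for server HTTP/webmail.domain.com.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
 (0xc000005e)".

Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40961
Date:            4/9/2006
Time:            5:38:19 PM
User:            N/A
Computer:      computer1
Description:
The Security System could not establish a secured connection with the server HTTP/webmail.domain.com.  No authentication protocol was available.
"""

# Subset of NTSTATUS values seen in event 40960 (assumption: the handful most
# useful for telling "no KDC reachable" apart from credential or clock problems).
NTSTATUS = {
    0xC000005E: "STATUS_NO_LOGON_SERVERS",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC000018B: "STATUS_NO_TRUST_SAM_ACCOUNT",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
}

FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")
SPN_RE = re.compile(r"\bserver (\S+?)\.?(?:\s|$)")   # "... for server HTTP/host.  The ..."
STATUS_RE = re.compile(r"\(0x([0-9A-Fa-f]{8})\)")


@dataclass
class SpnegoEvent:
    event_id: int
    computer: str
    description: str
    spn: Optional[str]
    status: Optional[int]


def parse_events(text: str) -> List[SpnegoEvent]:
    """Split Event Viewer text export into LSASRV events with SPN and status decoded."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        if not chunk.strip():
            continue
        header, _, desc = chunk.partition("Description:")
        fields = {}
        for line in header.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if fields.get("Event Source") != "LSASRV":
            continue
        desc = " ".join(desc.split())  # undo Event Viewer's line wrapping
        spn = SPN_RE.search(desc)
        status = STATUS_RE.search(desc)
        events.append(SpnegoEvent(
            event_id=int(fields["Event ID"]),
            computer=fields.get("Computer", "?"),
            description=desc,
            spn=spn.group(1) if spn else None,
            status=int(status.group(1), 16) if status else None,
        ))
    return events


def classify(ev: SpnegoEvent) -> Tuple[str, str]:
    """Return (status name, one-line verdict) for a single event."""
    name = NTSTATUS.get(ev.status, "unknown" if ev.status is None else f"0x{ev.status:08X}")
    target = ev.spn or "unknown SPN"
    if ev.event_id == 40960 and ev.status == 0xC000005E:
        verdict = (f"{ev.computer}: no domain controller (KDC) reachable, so no Kerberos "
                   f"ticket for {target} can be obtained from this network; a silent "
                   f"Negotiate logon cannot work here without a VPN or a DC in reach.")
    elif ev.event_id == 40960 and ev.status == 0xC0000133:
        verdict = f"{ev.computer}: clock skew against the DC; fix time sync before anything else."
    elif ev.event_id == 40960 and ev.status in (0xC000006D, 0xC0000234):
        verdict = f"{ev.computer}: a KDC was reached but the credentials were rejected ({name})."
    elif ev.event_id == 40960:
        verdict = f"{ev.computer}: Kerberos to {target} failed with {name}; check the SPN and trust path."
    elif ev.event_id == 40961:
        verdict = f"{ev.computer}: no SPNEGO mechanism completed against {target}; usually follows a 40960."
    else:
        verdict = f"{ev.computer}: unhandled LSASRV event {ev.event_id}."
    return name, verdict


def triage(text: str) -> List[Tuple[int, str, str]]:
    """Parse and classify every LSASRV event in the exported text."""
    return [(ev.event_id, *classify(ev)) for ev in parse_events(text)]


if __name__ == "__main__":
    for event_id, name, verdict in triage(SAMPLE_LOG):
        print(f"[{event_id} {name}] {verdict}")
```

Run it against a text export of the client's System log (Event Viewer, Save As text); for the two events above it reports STATUS_NO_LOGON_SERVERS, which is the expected outcome for a domain-joined laptop that cannot see a DC, and not something an IE zone setting can change.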
LeeDerbyshire:

How about comparing the User Authentication/Logon setting for Trusted Sites (in the IE Tools/Internet Options/Security properties) with the setting for another zone?  I expect you are trying to use the 'Automatic Logon with Current username and Password' feature?  In the Advanced options, do you have 'Enable Integrated Windows Authentication' unchecked?
lramos5 (asker):
Hello Lee -

All the User Authentication settings look good. We're only using the "Trusted Sites" zone at the moment. We've only used the "Intranet Zone" during the time of troubleshooting, resulting in the same thing.

"In the Advanced options, do you have 'Enable Integrated Windows Authentication' unchecked?" - Yep

Is OWA designed to work this way? I'm trying to accomplish this task without having to introduce additional complexity to our environment (e.g., ISA Server, Front-End Exchange Server).
LeeDerbyshire:

See if enabling the 'Enable Integrated Windows Authentication' option helps.  It's unusual to see this not checked (you said it was UNchecked, yes?).  If you are trying to use the existing logon in Trusted Sites, but not allowing IE to use Integrated Auth, then the settings are conflicting.
lramos5 (asker):
Ah! My apologies... Although I read your question all the way through and was answering it correctly in my head, I mistyped the answer. The answer is actually that it is checked.... my apologies :(
Sembee:

Are you using SSL?
If so, why not switch over to Forms Based Authentication? You will lose the pass-through authentication, but the users quickly get used to the login page.
If you want to allow users to get their email when off site then deploy RPC over HTTPS. That gives them access without the complexity of a VPN.

Simon.
lramos5 (asker):
Hello Sembee....

Nope... no SSL.
LeeDerbyshire:

No problem.  I expected you would say that it was checked, after all, because it so rarely is not.  This is a strange issue that you are having, though.  There are very few other discussions of this in the newsgroups.  What ones there are seem to involve some third factor interfering, like a software firewall, or IIS compression.  Do you use either of these?
Sembee:

Better not post the URL anywhere because all of your usernames and passwords are going across in the clear. I don't deploy OWA without SSL - the risks are too great. And as for having port 80 open to the Internet - CodeRed anyone?

Simon.
lramos5 (asker):
Nope... no software firewall or IIS compression being used....

Sembee... I would agree.... yet I'm baffled why this is just not working as it should be.... don't want to move to the next step (e.g., SSL) until I can get a handle on why it's not logging on via this basic setup.
ASKER CERTIFIED SOLUTION (LeeDerbyshire)