Solved

Domain required before username on OWA w/ integrated security enabled

Posted on 2006-04-12
Last Modified: 2010-05-18
I am stuck between two problems, I don't know the in-between to resolve both at the same time.

I don't want my users to enter a domain name while authenticating into Outlook Web Access via Exchange 2003. The simple way to eliminate this is to only enable basic authentication and disable integrated authentication on the /exchange IIS folder. The problem is, when integrated security is disabled on the /exchange folder, wireless ActiveSync fails to work, with an 85010014 error thrown on the PDA device and an event 3031 in the event log explaining that the mail server is not allowing "Negotiate" authentication to the exchange virtual directory.

So it seems that OWA/ActiveSync requires integrated security to talk with the /exchange virtual directory.

I need to get both to work, ActiveSync and not require a domain via OWA login (we are not using form authentication).

Thanks!

Phil Ciccone
Question by:philciccone
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 16437118
Try locating the Exchange Virtual Directory in Exchange System Manager (servers/protocols/http).  Look at its authentication properties, and set the Default Auth Domain for Basic Authentication.

Author Comment

by:philciccone
ID: 16437225
That is already set correctly via systems manager. Seems that basic authentication is "over-ruled" when integrated security is enabled from what I have read.

LVL 31

Expert Comment

by:LeeDerbyshire
ID: 16437321
It may help to try different values in that domain input box, like:

NTDOMAIN
dns.domain.name
\

What auth methods are enabled on your Microsoft-Server-ActiveSync VDir in IIS Manager?  I assume that it's set to Basic only.
Author Comment

by:philciccone
ID: 16437344
I tried all three variations already (glad you asked) :)

You are correct - "basic only" w/ the default domain name filled in as well.
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 16437445
Actually, it might be preferring to use Integrated Auth like you say.  You can try this out by disabling Integrated Auth in your IE options (Advanced), and seeing if Basic then works (for that PC) and behaves differently.

Author Comment

by:philciccone
ID: 16437819
Interestingly enough, it still did not work with IA disabled via IE (and after a restart).
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 16437938
So, you are pretty sure that IE on that computer is using Basic Auth, but you still needed to type in a domain?

Author Comment

by:philciccone
ID: 16437957
I think so, I am not sure if you can disable IA via the client browser? I thought that setting only prevented IE from grabbing the local machine's account info, not stopping the server from attempting to grab it.

I don't know if stopping the client is an accurate test of that.

I do know if I turn off IA on the server's /exchange directory it will start to work (but of course break ActiveSync).
LVL 2

Expert Comment

by:acpress
ID: 16437963
Try to log on as follows:
%USERNAME%@DOMAIN.com
Substitute %USERNAME% with the actual username.
Substitute DOMAIN with the actual domain name.
The setting for %USERNAME%@DOMAIN.com is configured in the Account tab for each user in ADUC.  Even if you have multiple domains, you can elect to have everyone use the same @DOMAIN.com to standardize logons. They do not need to remember which domain they belong to.

Author Comment

by:philciccone
ID: 16438194
Yeah, that works -- but I am back to my same problem.

I want the username to default to just the username, no DOMAIN\username or username@domain.com entry.

I know this is possible because I have done it without IA enabled, but now that ActiveSync has to continue to work I am stuck. I wonder if I can combat it somehow with turning IA off and still getting ActiveSync to connect somehow....
LVL 104

Expert Comment

by:Sembee
ID: 16438258
It can't be done without forms based authentication.
Trust me - I have tried.

Any reason you aren't using FBA? Does that mean you aren't using SSL? I wouldn't dream of deploying OWA, OMA or EAS without SSL - I don't want the usernames and passwords going across in the clear.

Simon.

Author Comment

by:philciccone
ID: 16438281
Testing now, 1 activesync device and 1 OWA user :)

SSL will be a requirement before allowing production use, we have over a hundred employees who will access.

I will switch on FBA and see what happens.... Will update
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 16438364
Sembee, do you mean that AS doesn't work without IA, not FBA?  Surely, FBA breaks AS badly if it's on the mailbox server?  As far as I can tell, you definitely need Integrated Auth on the Exchange VDir for ActiveSync.
LVL 104

Accepted Solution

by:Sembee (earned 700 total points)
ID: 16438397
I haven't been able to get Integrated Authentication, the default domain and EAS to work without FBA.

Despite what Microsoft say, if you are using SSL, I can get FBA, EAS, OMA and OWA all working on the same site. No additional virtual directories or servers required.

You have to have Integrated enabled on /exchange, but if you are using SSL/FBA you also need to have Basic. Enabling FBA disables integrated authentication. All I do is enable FBA, then do an IISRESET, which commits the metabase changes. Then turn Integrated back on. If you don't do the IISRESET then the metabase changes don't commit, and when the machine is rebooted or the services restarted, EAS is broken.

The other thing that breaks EAS is having require SSL enabled on the /exchange virtual directory.

Simon.
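An added verification check, not from the thread or from either poster: after the enable-FBA / IISRESET / re-enable-Integrated sequence above, an unauthenticated request to the /exchange virtual directory should still be answered with a 401 that offers both an integrated scheme (Negotiate or NTLM, which EAS needs) and Basic (which FBA over SSL needs), and not a 403 (what a Require SSL setting produces). The host name, the OPTIONS method and the sample headers are assumptions constructed for the example.

```python
"""Inspect the WWW-Authenticate challenges an IIS virtual directory returns."""
import http.client
import ssl

# Constructed sample of the headers an IIS 6 401 response might carry
# when both Integrated and Basic are enabled on /exchange (assumed values).
SAMPLE_401_HEADERS = [
    ("WWW-Authenticate", "Negotiate"),
    ("WWW-Authenticate", "NTLM"),
    ("WWW-Authenticate", 'Basic realm="mail.example.com"'),
]


def offered_schemes(headers):
    """Return the lower-cased auth scheme names found in WWW-Authenticate headers."""
    schemes = set()
    for name, value in headers:
        if name.lower() != "www-authenticate":
            continue
        # One header may carry several comma-separated challenges ("Negotiate, NTLM").
        for challenge in value.split(","):
            token = challenge.strip().split(" ", 1)[0]
            if token:
                schemes.add(token.lower())
    return schemes


def assess(status, headers):
    """Classify a response against what the thread says EAS and FBA/OWA need."""
    schemes = offered_schemes(headers)
    integrated = bool(schemes & {"negotiate", "ntlm"})
    basic = "basic" in schemes
    if status == 403:
        return "forbidden (Require SSL or similar; breaks EAS per the thread)"
    if status != 401:
        return "no-challenge"
    if integrated and basic:
        return "integrated+basic"
    if integrated:
        return "integrated-only"
    return "basic-only" if basic else "unknown"


def probe(host, path="/exchange/", use_tls=True):
    """Live check: send an unauthenticated request and assess the challenge."""
    conn = (http.client.HTTPSConnection(host, context=ssl.create_default_context())
            if use_tls else http.client.HTTPConnection(host))
    conn.request("OPTIONS", path)
    resp = conn.getresponse()
    result = assess(resp.status, resp.getheaders())  # duplicate headers preserved
    conn.close()
    return result
```

Run `probe("mail.example.com")` against your own server (or `use_tls=False` on port 80 if Require SSL is off) and repeat after a reboot, since the thread notes the re-enabled Integrated setting is what tends to get lost.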
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 16438448
Right, so you have to kind of trick it?  I will have to try this.  Doesn't DS2MB keep removing the IA setting, though?  It sounds like you have done this often enough to be sure that it doesn't.
LVL 104

Expert Comment

by:Sembee
ID: 16438553
The setting hasn't been reset on the servers I have done it with.
I expect that it will get reset as part of any service pack for Exchange, and maybe on hotfixes etc. However it certainly survives regular reboots and I simply check it after rebooting from a patch or hotfix.

I have a page in prep for my web site, so I am prepared to stick my neck out that it works. I haven't seen any downsides yet either.

Simon.

Author Comment

by:philciccone
ID: 16440368
OK - made some progress but still have a new problem.

FBA is working. SSL is working. ActiveSync will work only if not using SSL.

We are signing our own certs; ActiveSync is complaining that the cert is not signed and won't sync. Following the advice of others on the net I have exported the public cert and installed it as a root cert on my mobile device. Still, even after a restart, the error remains.

The new problem is off topic to that of the original question, so at the request of my helpers I will close this and award points -- unless you have some ideas before I do so :)

Overall - the objective has been achieved in that FBA does not require a domain name and activesync still works (without using SSL).

Phil
LVL 31

Assisted Solution

by:LeeDerbyshire
LeeDerbyshire earned 300 total points
ID: 16440519
Personally, I have no problem continuing here (I've taken part in threads much, much longer than this), but you are less likely to get other people involved.  It's not always about getting points quickly - it's a great way to learn things, too, when you're trying to help someone.

You can possibly remove the requirement for SSL on /Exchange, but only open port 443 to the outside world, so it can only be reached when using SSL.
LVL 104

Expert Comment

by:Sembee
ID: 16440955
I am working on another question that is using a Sprint device that has run into the exact same problem with self-signed certificates. I have deployed it successfully with purchased certificates, because I don't use home-grown certificates in any deployments.

Does it look like Windows Mobile 5.0 has an issue with self signed certificates? I haven't got an emulator with MSFP, so can't test that for myself, and I don't want to wreck my deployed environment.

There is another alternative. I wouldn't recommend it for deployment, but I think I may have found how to disable certificate checking on Windows Mobile 5.0. There was a utility for Windows Mobile 2003, but nothing similar for Windows Mobile 5.0. This is untested.

You will need a registry editor - I use PHM myself but there are others.
When you get the registry editor open, go to the following location:
Hkey_Current_User\Software\Microsoft\ActiveSync\Partners

There will be two keys below that. One of them will have your EAS settings in it.
Create a new key of type DWORD, with the name of SECURE and value of 0.
That should allow connection over https but without the certificate checking.
I stress that it is untested - it is one of the things I am yet to test.

Simon.

Author Comment

by:philciccone
ID: 16441052
OK great guys! I will test both of your suggestions to see what works. I won't be able to get to this till tomorrow as I am in the middle of a BES migration at the moment and then time for dinner. I will write back mid-morning. - Phil