Domain required before username on OWA w/ integrated security enabled

I am stuck between two problems, I don't know the in-between to resolve both at the same time.

I don't want my users to enter a domain name while authenticating into Outlook Web Access via Exchange 2003. The simple way to eliminate this is to only enable basic authentication and disable integrated authentication on the /exchange IIS folder. Problem is, when integrated security is disabled on the /exchange folder, wireless ActiveSync fails to work, with an 85010014 error thrown on the PDA device and an event 3031 in the event log explaining that the mail server is not allowing "Negotiate" authentication to the exchange virtual directory.

So it seems that OWA/ActiveSync requires integrated security to talk with the /exchange virtual directory.

I need to get both to work, ActiveSync and not require a domain via OWA login (we are not using form authentication).


Phil Ciccone

Try locating the Exchange Virtual Directory in Exchange System Manager (servers/protocols/http).  Look at its authentication properties, and set the Default Auth Domain for Basic Authentication.
philcicconeAuthor Commented:
That is already set correctly via systems manager. Seems that basic authentication is "over-ruled" when integrated security is enabled from what I have read.

It may help to try different values in that domain input box, like:


What auth methods are enabled on your Microsoft-Server-ActiveSync VDir in IIS Manager?  I assume that it's set to Basic only.

philcicconeAuthor Commented:
I tried all three variations already (glad you asked) :)

You are correct - "basic only" w/ the default domain name filled in as well.
Actually, it might be preferring to use Integrated Auth like you say.  You can try this out by disabling Integrated Auth in your IE options (Advanced), and seeing if Basic then works (for that PC) and behaves differently.
philcicconeAuthor Commented:
Interestingly enough, it still did not work with IA disabled via IE (and after a restart).
So, you are pretty sure that IE on that computer is using Basic Auth, but you still needed to type in a domain?
philcicconeAuthor Commented:
I think so, I am not sure if you can disable IA via the client browser? I thought that setting only prevented IE from grabbing the local machine's account info, not stopping the server from attempting to grab it.

I don't know if stopping the client is an accurate test of that.

I do know if I turn off IA on the server's /exchange directory it will start to work (but of course break ActiveSync).
Try to log on as follows:
Substitute %USERNAME% with the actual username.
Substitute DOMAIN with the actual domain name.
The setting for is configured in the Account tab for each user in ADUC.  Even if you have multiple domains, you can elect to have everyone use the same to standardize logons. They do not need to remember which domain they belong to.
philcicconeAuthor Commented:
Yeah, that works -- but I am back to my same problem.

I want the username to default to just the username, no DOMAIN\username or entry.

I know this is possible because I have done it without IA enabled, but now that ActiveSync has to continue to work I am stuck. I wonder if I can combat it somehow with turning IA off and still getting ActiveSync to connect somehow....
It can't be done without forms based authentication.
Trust me - I have tried.

Any reason you aren't using FBA? Does that mean you aren't using SSL? I wouldn't dream of deploying OWA, OMA or EAS without SSL - I don't want the usernames and passwords going across in the clear.

philcicconeAuthor Commented:
Testing now, 1 activesync device and 1 OWA user :)

SSL will be a requirement before allowing production use; we have over a hundred employees who will access.

I will switch on FBA and see what happens.... Will update
Sembee, do you mean that AS doesn't work without IA, not FBA?  Surely, FBA breaks AS badly if it's on the mailbox server?  As far as I can tell, you definitely need Integrated Auth on the Exchange VDir for ActiveSync.
I haven't been able to get Integrated Authentication, the default domain and EAS to work without FBA.

Despite what Microsoft say, if you are using SSL, I can get FBA, EAS, OMA and OWA all working on the same site. No additional virtual directories or servers required.

You have to have Integrated enabled on /exchange, but if you are using SSL/FBA you also need to have Basic. Enabling FBA disables integrated authentication. All I do is enable FBA, then do an IISRESET, which commits the metabase changes. Then turn Integrated back on. If you don't do the IISRESET then the metabase changes don't commit, and when the machine is rebooted or the services restarted, EAS is broken.

The other thing that breaks EAS is having require SSL enabled on the /exchange virtual directory.
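An added check script (not from this thread or from Sembee) that decodes the IIS 6 AuthFlags bitmask and reports the /exchange and /Microsoft-Server-ActiveSync conditions the thread identifies as breaking EAS: Integrated missing on /exchange, Basic missing when FBA/SSL is on, or Require SSL set on /exchange. It assumes the Default Web Site is site ID 1 in the IIsWebVirtualDirSetting WMI class; the sample values at the bottom are constructed.

```powershell
# Added example, not the thread's or Sembee's code. Property names follow the
# IIS 6 IIsWebVirtualDirSetting WMI class (root\MicrosoftIISv2).
$AUTH_ANONYMOUS = 1; $AUTH_BASIC = 2; $AUTH_NTLM = 4   # MD_AUTH_* bit values

function Decode-AuthFlags([int]$Flags) {
    $names = @()
    if ($Flags -band $AUTH_ANONYMOUS) { $names += 'Anonymous' }
    if ($Flags -band $AUTH_BASIC)     { $names += 'Basic' }
    if ($Flags -band $AUTH_NTLM)      { $names += 'Integrated' }
    if ($names.Count -eq 0) { 'None' } else { $names -join '+' }
}

function Test-EasVdirConfig {
    param(
        [int]$ExchangeAuthFlags,       # AuthFlags on /exchange
        [bool]$ExchangeRequireSsl,     # AccessSSL on /exchange
        [int]$ActiveSyncAuthFlags      # AuthFlags on /Microsoft-Server-ActiveSync
    )
    $problems = @()
    if (-not ($ExchangeAuthFlags -band $AUTH_NTLM)) {
        $problems += '/exchange lacks Integrated auth: EAS fails with 85010014 / event 3031'
    }
    if (-not ($ExchangeAuthFlags -band $AUTH_BASIC)) {
        $problems += '/exchange lacks Basic auth: needed alongside Integrated when FBA/SSL is on'
    }
    if ($ExchangeRequireSsl) {
        $problems += '/exchange has Require SSL set: this breaks EAS; expose only port 443 at the firewall instead'
    }
    if (-not ($ActiveSyncAuthFlags -band $AUTH_BASIC)) {
        $problems += '/Microsoft-Server-ActiveSync should allow Basic auth'
    }
    $problems
}

# Live values (run on the Exchange 2003 server; assumes site ID 1 = Default Web Site):
# $all = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsWebVirtualDirSetting
# $ex  = $all | Where-Object { $_.Name -eq 'W3SVC/1/ROOT/exchange' }
# $eas = $all | Where-Object { $_.Name -eq 'W3SVC/1/ROOT/Microsoft-Server-ActiveSync' }
# Test-EasVdirConfig $ex.AuthFlags $ex.AccessSSL $eas.AuthFlags

# Constructed sample: the state right after enabling FBA, before Integrated is turned back on.
'Constructed /exchange auth: ' + (Decode-AuthFlags 2)
Test-EasVdirConfig -ExchangeAuthFlags 2 -ExchangeRequireSsl $false -ActiveSyncAuthFlags 2
```

Run it after each reboot or hotfix, as the thread suggests, to confirm the Integrated flag on /exchange survived.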


Right, so you have to kind of trick it?  I will have to try this.  Doesn't DS2MB keep removing the IA setting, though?  It sounds like you have done this often enough to be sure that it doesn't.
The setting hasn't been reset on the servers I have done it with.
I expect that it will get reset as part of any service pack for Exchange, and maybe on hotfixes etc. However it certainly survives regular reboots and I simply check it after rebooting from a patch or hotfix.

I have a page in prep for my web site, so I am prepared to stick my neck out that it works. I haven't seen any downsides yet either.

philcicconeAuthor Commented:
OK - made some progress but still yet a new problem.

FBA is working. SSL is working. ActiveSync will work only if not using SSL.

We are signing our own certs; ActiveSync is complaining that the cert is not signed and won't sync. Following the advice of others on the net, I have exported the public cert and installed it as a root cert on my mobile device. Still, even after a restart, the error remains.

The new problem is off topic to that of the original question, so at the request of my helpers I will close this and award points -- unless you have some ideas before I do so :)

Overall - the objective has been achieved in that FBA does not require a domain name and activesync still works (without using SSL).

Personally, I have no problem continuing here (I've taken part in threads much, much longer than this), but you are less likely to get other people involved.  It's not always about getting points quickly - it's a great way to learn things, too, when you're trying to help someone.

You can possibly remove the requirement for SSL on /Exchange, but only open port 443 to the outside world, so it can only be reached when using SSL.
I am working on another question that is using a Sprint device that has run into the exact same problem with self-signed certificates. I have deployed it successfully with purchased certificates, because I don't use home-grown certificates in any deployments.

Does it look like Windows Mobile 5.0 has an issue with self signed certificates? I haven't got an emulator with MSFP, so can't test that for myself, and I don't want to wreck my deployed environment.

There is another alternative. I wouldn't recommend it for deployment, but I think I may have found how to disable certificate checking on Windows Mobile 5.0. There was a utility for Windows Mobile 2003, but nothing similar for Windows Mobile 5.0. This is untested.

You will need a registry editor - I use PHM myself but there are others.
When you get the registry editor open, go to the following location:

There will be two keys below that. One of them will have your EAS settings in it.
Create a new key of type DWORD, with the name of SECURE and value of 0.
That should allow connection over https but without the certificate checking.
I stress that it is untested - it is one of the things I am yet to test.

philcicconeAuthor Commented:
OK great guys! I will test both of your suggestions to see what works. I won't be able to get to this till tomorrow as I am in the middle of a BES migration at the moment and then time for dinner. I will write back mid-morning. - Phil