Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1007
  • Last Modified:

OWA on Exchange 2003 SP2 - client access errors

Hi Everyone,

I have a problem with OWA which is causing problems with client access.

Firstly the software running this is:

Windows 2003 Server std. (this was a 2000 server but has recently been upgraded)
Exchange 2003 SP2

I haven't yet installed windows 2003 server SP1 yet or any updates as I need some advice on the best course of action to solve this problem.

The problem in detail;

From a client browser (I.E v6)  https://server/exchange displays the OWA screen. The box where emails should be just displays "Loading..."

The W3SVC1 log file shows the connection and includes the following;

2006-06-20 13:58:04 10.0.0.200 POLL /exchange/domains/Inbox - 443 - 10.0.0.25 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 401
2006-06-20 13:58:04 10.0.0.200 POLL /exchange/domains/Inbox - 443 - 10.0.0.25 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 401
2006-06-20 13:58:04 10.0.0.200 POLL /exchange/domains/Inbox - 443 MYDOMAIN\metheuser 10.0.0.25 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 207
2006-06-20 13:58:04 10.0.0.200 PROPFIND /exchange/domains/Inbox/ - 443 - 10.0.0.25 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 401
2006-06-20 13:58:04 10.0.0.200 PROPFIND /exchange/domains/Inbox/ - 443 MYDOMAIN\metheuser 10.0.0.25 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 405

I also have MAC Entourage users and they have a similar problem and the W3SVC1 log shows the following;


2006-06-20 08:38:36 10.0.0.200 PROPFIND /exchange/user2/ - 443 - 10.1.0.20 Entourage/11.0+(compatible;+MSIE+6.0;+PPC+Mac+OS+X+10.4.6;+Tasman+1.0) 401
2006-06-20 08:38:36 10.0.0.200 PROPFIND /exchange/user2/ - 443 - 10.1.0.20 Entourage/11.0+(compatible;+MSIE+6.0;+PPC+Mac+OS+X+10.4.6;+Tasman+1.0) 401
2006-06-20 08:38:36 10.0.0.200 PROPFIND /exchange/user2/ - 443 MYDOMAIN\user2 10.1.0.20 Entourage/11.0+(compatible;+MSIE+6.0;+PPC+Mac+OS+X+10.4.6;+Tasman+1.0) 405
2006-06-20 08:38:37 10.0.0.200 GET /exchange/ - 443 - 10.1.0.20 Entourage/11.0+(compatible;+MSIE+6.0;+PPC+Mac+OS+X+10.4.6;+Tasman+1.0) 401
2006-06-20 08:38:37 10.0.0.200 GET /exchange/ - 443 - 10.1.0.20 Entourage/11.0+(compatible;+MSIE+6.0;+PPC+Mac+OS+X+10.4.6;+Tasman+1.0) 401
2006-06-20 08:38:37 10.0.0.200 GET /exchange/ - 443 MYDOMAIN\user2 10.1.0.20 Entourage/11.0+(compatible;+MSIE+6.0;+PPC+Mac+OS+X+10.4.6;+Tasman+1.0) 200


If I try and connect on the exchange 2003 server itself I get different behaviour. I get promtped for a user name and password for the server. However the administrator password which I used to log in to the server doesn't work and after 3 tries it disappears and I'm left with a message that says: "Error: Access is Denied"

The log file shows:

2006-06-20 14:09:36 10.0.0.200 GET /exchange - 443 - 10.0.0.200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 401
2006-06-20 14:09:49 10.0.0.200 GET /exchange - 443 - 10.0.0.200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 401
2006-06-20 14:09:49 10.0.0.200 GET /exchange - 443 - 10.0.0.200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 401
2006-06-20 14:09:49 10.0.0.200 GET /exchange - 443 - 10.0.0.200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 401
2006-06-20 14:09:49 10.0.0.200 GET /exchange - 443 - 10.0.0.200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 401
2006-06-20 14:09:50 10.0.0.200 GET /exchange - 443 - 10.0.0.200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 401
2006-06-20 14:09:50 10.0.0.200 GET /exchange - 443 - 10.0.0.200


As far as I can see it's a problem with authorisation for both Windows clients and Macs. The IIS folders for OWA appear to be fine. I have seen some websites pointing to changing authentication methods and also log on locally rights but nothing is overly clear on how OWA should be in a normal working state.

Thanks in advance for any help that can solve this.

HT
0
Hightower_8
Asked:
Hightower_8
  • 12
  • 9
1 Solution
 
amaheshwariCommented:
Have you checked port 443 is it open on your Firewall if it is there.
0
 
Hightower_8Author Commented:
Hi amaheshwari,

I forgot to mention above that this is purely LAN access at the moment, no firewalls or proxys in the way.

Just directly client to server access.

Thanks,

HT
0
 
LeeDerbyshireCommented:
It doesn't seem to like the PROPFIND requests (it returns a 405 - Method Not Allowed status).  See if you can find a URLScan.ini file on the server with PROPFIND listed in DenyVerbs.  Or see if the server is running AntiVirus that blocks WebDAV verbs.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
Hightower_8Author Commented:
Hi LeeDerbyshire,

No URLScan.ini file to check and no Antivirus installed on the server.

Thanks,

HT

0
 
LeeDerbyshireCommented:
The only other thing I can suggest is to look at the Web Service Extensions in IIS Manager, and make sure that MS Exchange is allowed.  WebDAV is normally Disallowed, but I know of one guy that had to enable it to get OWA working.
0
 
Hightower_8Author Commented:
Hi LeeDerbyshire,

Have allowed WebDAV but still no joy, the logs are still showing 401 errors.

This isn't something to do with a problem with the Exchweb authentication is it, just someone mentioned this deals with requests for OWA.

thanks,

HT
0
 
LeeDerbyshireCommented:
Exchweb contains the supporting files for OWA, like the images, javascript files, etc.  It is normally set to allow Anonymous Access, except for the bin subfolder.  The 401s are not a problem - that is just the server challenging the browser for the credentials, but the retried request should result in a 20x, not 405 .

Did you read this:
http://support.microsoft.com/?kbid=280823
0
 
Hightower_8Author Commented:
I did read that KB and did recreate all the OWA folders to begin trouble shooting.

Anonymous access is selected though the user name displays "IUSR_SERVERNAME" and no password stars are showing. Slightly odd when I click browse for username to doublecheck that account is ok, the system resolves it as..

"SERVERNAME\IUSR_SERVERNAME"

What should this be? "IUSR_SERVERNAME" or "SERVERNAME\IUSR_SERVERNAME"

and should there be at least a stared out password?

Thanks,

HT
0
 
LeeDerbyshireCommented:
The IUSR_SERVERNAME (in either form) should be okay.  It's a local account, not a domain account, and you would have other very significant problems if the server couldn't log on with it.  It might be worth checking in ADUC that it's not locked out, or disabled.

There should be a hidden password in there.  You will never know what it is, because IIS maintains it automatically.  One thing you could try is to specify another account (with admin rights), for a temporary test.  Now that the password is gone, though, I don't know how you re-establish the SAM/IIS synchronization.
0
 
Hightower_8Author Commented:
The IUSR_SERVERNAME account as you point out is local so it wouldn't be in ADUC?

Before I try I the account change there have been some developments in access the actual emails in the mailboxes.

If I use firefox I get a "Prompt" and I'm asked for a username and password. Once this is in the OWA screen opens and my emails are there. Also one of the MAC users said he could get to emails via a MAC internet browser (not sure what it is yet). So does this give out anymore clues?



0
 
LeeDerbyshireCommented:
No, it would be in Computer Management/Local Users And Groups .

It works in non-MS browsers because OWA sends them the 'Basic' OWA GUI, instead of the 'Premium' one (if you had FBA enabled, you would see the choice on the logon screen).  The Premium version uses client-side WebDAV requests - like the PROPFIND that your server is blocking.  If you look at your IIS logs when a non-MS browser is using OWA, then the entries will be different.
0
 
Hightower_8Author Commented:
yep, the account is ok, not disabled etc.

ok, so that explains why it works with firefox.

The annoying thing is that used to work fine with both i.e. and entourage. I think the problem must have started after exchange SP2 went on and subsequent reboot.

Currently reading http://support.microsoft.com/default.aspx?scid=kb;en-us;327843&Product=exch2003 to see if the folder permissions are ok..

Thanks,

HT
0
 
LeeDerbyshireCommented:
Did you try resetting them with this:
http://support.microsoft.com/?kbid=883380
0
 
Hightower_8Author Commented:
yep did that yesterday before posting this question.
0
 
LeeDerbyshireCommented:
It might be worth checking your davex.dll file, to make sure that your Authenticated Users have Read and Execute permissions on it.

Also, if you look at the properties of the Web Sites container in IIS manager, is the ASP.NET ISAPI filter enabled with a green up arrow showing?
0
 
Hightower_8Author Commented:
can confirm davex.dll has read and execute permissions and ASP.NET ISAPI filter is green.
0
 
LeeDerbyshireCommented:
The only thing I can think now, is that something in the OS service pack might help.  I can't find anything relevant to PROPFIND and that 405 status.  As a quick fix, you could use 'segmentation' to disable the Premium or 'Rich' interface completely:
http://support.microsoft.com/?id=833340
0
 
Hightower_8Author Commented:
yep, this really has me stumped at the moment, I've been reading Microsoft KBs for days now and still nowhere closer :(

I'll make sure my backups ran ok for exchange and then I'll schedule some downtime for the SP1 and updates install. Probably do this Friday night incase I run into problems and plus can reboot and kick the server around as now users will be in.

Will update after the SP and updates are on... fingers crossed this solves it anotherwise I'm going to have to clone myself in order to get on with the other wrok I need to do  :\

thanks,

HT
0
 
Hightower_8Author Commented:
Slight delay on installing the SP and updates, should take place tonight.

thanks,

HT
0
 
Hightower_8Author Commented:
Right some good news, after installing windows 2003 SP1 and all the latest updates from windows update last night, OWA now works with I.E 6. I'm yet to try the MAC users but I'm a lot more hopeful now.

Will update.

thanks,

HT
0
 
LeeDerbyshireCommented:
Good luck.  I hope it all works well.
0
 
Hightower_8Author Commented:
The MACs work! I have some tweaking do with the certificates for the MACs but I'm just glad they both work again.

Thanks to LeeDerbyshire.

Will assign points now.

Cheers,

HT
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

  • 12
  • 9
Tackle projects and never again get stuck behind a technical roadblock.
Join Now