Solved

OWA on Exchange 2003 SP2 - client access errors

Posted on 2006-06-20
Last Modified: 2008-02-01
Hi Everyone,

I have a problem with OWA which is causing problems with client access.

Firstly the software running this is:

Windows 2003 Server std. (this was a 2000 server but has recently been upgraded)
Exchange 2003 SP2

I haven't installed Windows 2003 Server SP1 or any updates yet, as I need some advice on the best course of action to solve this problem.

The problem in detail;

From a client browser (I.E v6)  https://server/exchange displays the OWA screen. The box where emails should be just displays "Loading..."

The W3SVC1 log file shows the connection and includes the following;

2006-06-20 13:58:04 10.0.0.200 POLL /exchange/domains/Inbox - 443 - 10.0.0.25 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 401
2006-06-20 13:58:04 10.0.0.200 POLL /exchange/domains/Inbox - 443 - 10.0.0.25 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 401
2006-06-20 13:58:04 10.0.0.200 POLL /exchange/domains/Inbox - 443 MYDOMAIN\metheuser 10.0.0.25 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 207
2006-06-20 13:58:04 10.0.0.200 PROPFIND /exchange/domains/Inbox/ - 443 - 10.0.0.25 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 401
2006-06-20 13:58:04 10.0.0.200 PROPFIND /exchange/domains/Inbox/ - 443 MYDOMAIN\metheuser 10.0.0.25 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 405

I also have MAC Entourage users and they have a similar problem and the W3SVC1 log shows the following;


2006-06-20 08:38:36 10.0.0.200 PROPFIND /exchange/user2/ - 443 - 10.1.0.20 Entourage/11.0+(compatible;+MSIE+6.0;+PPC+Mac+OS+X+10.4.6;+Tasman+1.0) 401
2006-06-20 08:38:36 10.0.0.200 PROPFIND /exchange/user2/ - 443 - 10.1.0.20 Entourage/11.0+(compatible;+MSIE+6.0;+PPC+Mac+OS+X+10.4.6;+Tasman+1.0) 401
2006-06-20 08:38:36 10.0.0.200 PROPFIND /exchange/user2/ - 443 MYDOMAIN\user2 10.1.0.20 Entourage/11.0+(compatible;+MSIE+6.0;+PPC+Mac+OS+X+10.4.6;+Tasman+1.0) 405
2006-06-20 08:38:37 10.0.0.200 GET /exchange/ - 443 - 10.1.0.20 Entourage/11.0+(compatible;+MSIE+6.0;+PPC+Mac+OS+X+10.4.6;+Tasman+1.0) 401
2006-06-20 08:38:37 10.0.0.200 GET /exchange/ - 443 - 10.1.0.20 Entourage/11.0+(compatible;+MSIE+6.0;+PPC+Mac+OS+X+10.4.6;+Tasman+1.0) 401
2006-06-20 08:38:37 10.0.0.200 GET /exchange/ - 443 MYDOMAIN\user2 10.1.0.20 Entourage/11.0+(compatible;+MSIE+6.0;+PPC+Mac+OS+X+10.4.6;+Tasman+1.0) 200


If I try and connect on the Exchange 2003 server itself I get different behaviour. I get prompted for a user name and password for the server. However, the administrator password which I used to log in to the server doesn't work, and after 3 tries it disappears and I'm left with a message that says: "Error: Access is Denied"

The log file shows:

2006-06-20 14:09:36 10.0.0.200 GET /exchange - 443 - 10.0.0.200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 401
2006-06-20 14:09:49 10.0.0.200 GET /exchange - 443 - 10.0.0.200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 401
2006-06-20 14:09:49 10.0.0.200 GET /exchange - 443 - 10.0.0.200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 401
2006-06-20 14:09:49 10.0.0.200 GET /exchange - 443 - 10.0.0.200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 401
2006-06-20 14:09:49 10.0.0.200 GET /exchange - 443 - 10.0.0.200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 401
2006-06-20 14:09:50 10.0.0.200 GET /exchange - 443 - 10.0.0.200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 401
2006-06-20 14:09:50 10.0.0.200 GET /exchange - 443 - 10.0.0.200


As far as I can see it's a problem with authorisation for both Windows clients and Macs. The IIS folders for OWA appear to be fine. I have seen some websites pointing to changing authentication methods and also log on locally rights but nothing is overly clear on how OWA should be in a normal working state.

Thanks in advance for any help that can solve this.

HT
Question by:Hightower_8

LVL 18

Expert Comment

by:amaheshwari
Have you checked whether port 443 is open on your firewall, if there is one?

Author Comment

by:Hightower_8
Hi amaheshwari,

I forgot to mention above that this is purely LAN access at the moment, no firewalls or proxies in the way.

Just directly client to server access.

Thanks,

HT

LVL 31

Expert Comment

by:LeeDerbyshire
It doesn't seem to like the PROPFIND requests (it returns a 405 - Method Not Allowed status).  See if you can find a URLScan.ini file on the server with PROPFIND listed in DenyVerbs.  Or see if the server is running AntiVirus that blocks WebDAV verbs.

Author Comment

by:Hightower_8
Hi LeeDerbyshire,

No URLScan.ini file to check and no Antivirus installed on the server.

Thanks,

HT


LVL 31

Expert Comment

by:LeeDerbyshire
The only other thing I can suggest is to look at the Web Service Extensions in IIS Manager, and make sure that MS Exchange is allowed.  WebDAV is normally Disallowed, but I know of one guy that had to enable it to get OWA working.

Author Comment

by:Hightower_8
Hi LeeDerbyshire,

Have allowed WebDAV but still no joy, the logs are still showing 401 errors.

This isn't something to do with a problem with the Exchweb authentication, is it? It's just that someone mentioned this deals with requests for OWA.

thanks,

HT

LVL 31

Expert Comment

by:LeeDerbyshire
Exchweb contains the supporting files for OWA, like the images, JavaScript files, etc.  It is normally set to allow Anonymous Access, except for the bin subfolder.  The 401s are not a problem - that is just the server challenging the browser for the credentials, but the retried request should result in a 20x, not 405.

Did you read this:
http://support.microsoft.com/?kbid=280823
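
The reading of the log given in this comment (an anonymous 401 is only the challenge; an authenticated WebDAV request answered with 405 is the fault), as an added example that is not part of the original thread. The field order is inferred from the W3SVC1 lines quoted in the question, and the sample lines, addresses and `EXAMPLE\alice` are constructed.

```python
from collections import Counter, namedtuple

# Field order inferred from the W3SVC1 lines quoted in the question (assumption):
# date time s-ip method uri-stem uri-query port username c-ip user-agent status
Entry = namedtuple("Entry", "date time s_ip method uri query port user c_ip agent status")
WEBDAV_VERBS = {"PROPFIND", "PROPPATCH", "SEARCH", "POLL", "SUBSCRIBE",
                "MKCOL", "MOVE", "COPY", "LOCK", "UNLOCK"}

# Constructed sample in the same layout; addresses and EXAMPLE\alice are made up.
# The last line is cut short on purpose, like the final line of the server-local log.
SAMPLE = r"""
2006-06-20 13:58:04 192.0.2.10 POLL /exchange/alice/Inbox - 443 - 192.0.2.25 MSIE+6.0 401
2006-06-20 13:58:04 192.0.2.10 POLL /exchange/alice/Inbox - 443 EXAMPLE\alice 192.0.2.25 MSIE+6.0 207
2006-06-20 13:58:04 192.0.2.10 PROPFIND /exchange/alice/Inbox/ - 443 - 192.0.2.25 MSIE+6.0 401
2006-06-20 13:58:04 192.0.2.10 PROPFIND /exchange/alice/Inbox/ - 443 EXAMPLE\alice 192.0.2.25 MSIE+6.0 405
2006-06-20 14:09:36 192.0.2.10 GET /exchange - 443 - 192.0.2.10 MSIE+6.0 401
2006-06-20 14:09:49 192.0.2.10 GET /exchange - 443 - 192.0.2.10 MSIE+6.0 401
2006-06-20 14:09:50 192.0.2.10 GET /exchange - 443 - 192.0.2.10
""".strip().splitlines()

def parse(line):
    """Return an Entry, or None for directives, blanks and truncated lines."""
    parts = line.split()
    if len(parts) != 11 or parts[0].startswith("#") or not parts[10].isdigit():
        return None
    return Entry(*parts[:10], int(parts[10]))

def classify(e):
    """Label one request the way the thread reads the log."""
    if e.status == 401:  # no username logged: the normal challenge round trip
        return "challenge" if e.user == "-" else "auth-failed"
    if e.status == 405 and e.user != "-" and e.method in WEBDAV_VERBS:
        return "webdav-blocked"  # authenticated, but the verb itself was refused
    return "ok" if 200 <= e.status < 300 else "other"

def summarize(lines):
    """Return (label counts, blocked WebDAV requests, clients never authenticated)."""
    counts, blocked, seen, authed = Counter(), [], set(), set()
    for e in filter(None, map(parse, lines)):
        label = classify(e)
        counts[label] += 1
        seen.add(e.c_ip)
        if e.user != "-":
            authed.add(e.c_ip)
        if label == "webdav-blocked":
            blocked.append((e.method, e.uri, e.user))
    return dict(counts), blocked, sorted(seen - authed)
```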

Author Comment

by:Hightower_8
I did read that KB and did recreate all the OWA folders to begin trouble shooting.

Anonymous access is selected, though the user name displays "IUSR_SERVERNAME" and no password stars are showing. Slightly odd: when I click browse for username to double-check that account is ok, the system resolves it as..

"SERVERNAME\IUSR_SERVERNAME"

What should this be? "IUSR_SERVERNAME" or "SERVERNAME\IUSR_SERVERNAME"

and should there be at least a starred-out password?

Thanks,

HT

LVL 31

Expert Comment

by:LeeDerbyshire
The IUSR_SERVERNAME (in either form) should be okay.  It's a local account, not a domain account, and you would have other very significant problems if the server couldn't log on with it.  It might be worth checking in ADUC that it's not locked out, or disabled.

There should be a hidden password in there.  You will never know what it is, because IIS maintains it automatically.  One thing you could try is to specify another account (with admin rights), for a temporary test.  Now that the password is gone, though, I don't know how you re-establish the SAM/IIS synchronization.

Author Comment

by:Hightower_8
The IUSR_SERVERNAME account as you point out is local so it wouldn't be in ADUC?

Before I try the account change, there have been some developments in accessing the actual emails in the mailboxes.

If I use Firefox I get a "Prompt" and I'm asked for a username and password. Once this is in, the OWA screen opens and my emails are there. Also one of the MAC users said he could get to emails via a MAC internet browser (not sure what it is yet). So does this give out any more clues?




LVL 31

Expert Comment

by:LeeDerbyshire
No, it would be in Computer Management/Local Users And Groups.

It works in non-MS browsers because OWA sends them the 'Basic' OWA GUI, instead of the 'Premium' one (if you had FBA enabled, you would see the choice on the logon screen).  The Premium version uses client-side WebDAV requests - like the PROPFIND that your server is blocking.  If you look at your IIS logs when a non-MS browser is using OWA, then the entries will be different.

Author Comment

by:Hightower_8
yep, the account is ok, not disabled etc.

ok, so that explains why it works with firefox.

The annoying thing is that it used to work fine with both I.E. and Entourage. I think the problem must have started after Exchange SP2 went on and subsequent reboot.

Currently reading http://support.microsoft.com/default.aspx?scid=kb;en-us;327843&Product=exch2003 to see if the folder permissions are ok..

Thanks,

HT

LVL 31

Expert Comment

by:LeeDerbyshire
Did you try resetting them with this:
http://support.microsoft.com/?kbid=883380

Author Comment

by:Hightower_8
yep did that yesterday before posting this question.

LVL 31

Expert Comment

by:LeeDerbyshire
It might be worth checking your davex.dll file, to make sure that your Authenticated Users have Read and Execute permissions on it.

Also, if you look at the properties of the Web Sites container in IIS manager, is the ASP.NET ISAPI filter enabled with a green up arrow showing?

Author Comment

by:Hightower_8
can confirm davex.dll has read and execute permissions and ASP.NET ISAPI filter is green.

LVL 31

Accepted Solution

by:
LeeDerbyshire earned 500 total points
The only thing I can think now, is that something in the OS service pack might help.  I can't find anything relevant to PROPFIND and that 405 status.  As a quick fix, you could use 'segmentation' to disable the Premium or 'Rich' interface completely:
http://support.microsoft.com/?id=833340

Author Comment

by:Hightower_8
yep, this really has me stumped at the moment, I've been reading Microsoft KBs for days now and still nowhere closer :(

I'll make sure my backups ran ok for Exchange and then I'll schedule some downtime for the SP1 and updates install. Probably do this Friday night in case I run into problems and plus can reboot and kick the server around as now users will be in.

Will update after the SP and updates are on... fingers crossed this solves it, otherwise I'm going to have to clone myself in order to get on with the other work I need to do  :\

thanks,

HT

Author Comment

by:Hightower_8
Slight delay on installing the SP and updates, should take place tonight.

thanks,

HT

Author Comment

by:Hightower_8
Right some good news, after installing windows 2003 SP1 and all the latest updates from windows update last night, OWA now works with I.E 6. I'm yet to try the MAC users but I'm a lot more hopeful now.

Will update.

thanks,

HT

LVL 31

Expert Comment

by:LeeDerbyshire
Good luck.  I hope it all works well.

Author Comment

by:Hightower_8
The MACs work! I have some tweaking to do with the certificates for the MACs but I'm just glad they both work again.

Thanks to LeeDerbyshire.

Will assign points now.

Cheers,

HT