Solved

OWA on Exchange 2003 SP2 - client access errors

Posted on 2006-06-20
22
988 Views
Last Modified: 2008-02-01
Hi Everyone,

I have a problem with OWA which is causing problems with client access.

Firstly the software running this is:

Windows 2003 Server std. (this was a 2000 server but has recently been upgraded)
Exchange 2003 SP2

I haven't yet installed windows 2003 server SP1 yet or any updates as I need some advice on the best course of action to solve this problem.

The problem in detail;

From a client browser (I.E v6)  https://server/exchange displays the OWA screen. The box where emails should be just displays "Loading..."

The W3SVC1 log file shows the connection and includes the following;

2006-06-20 13:58:04 10.0.0.200 POLL /exchange/domains/Inbox - 443 - 10.0.0.25 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 401
2006-06-20 13:58:04 10.0.0.200 POLL /exchange/domains/Inbox - 443 - 10.0.0.25 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 401
2006-06-20 13:58:04 10.0.0.200 POLL /exchange/domains/Inbox - 443 MYDOMAIN\metheuser 10.0.0.25 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 207
2006-06-20 13:58:04 10.0.0.200 PROPFIND /exchange/domains/Inbox/ - 443 - 10.0.0.25 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 401
2006-06-20 13:58:04 10.0.0.200 PROPFIND /exchange/domains/Inbox/ - 443 MYDOMAIN\metheuser 10.0.0.25 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 405

I also have MAC Entourage users and they have a similar problem and the W3SVC1 log shows the following;


2006-06-20 08:38:36 10.0.0.200 PROPFIND /exchange/user2/ - 443 - 10.1.0.20 Entourage/11.0+(compatible;+MSIE+6.0;+PPC+Mac+OS+X+10.4.6;+Tasman+1.0) 401
2006-06-20 08:38:36 10.0.0.200 PROPFIND /exchange/user2/ - 443 - 10.1.0.20 Entourage/11.0+(compatible;+MSIE+6.0;+PPC+Mac+OS+X+10.4.6;+Tasman+1.0) 401
2006-06-20 08:38:36 10.0.0.200 PROPFIND /exchange/user2/ - 443 MYDOMAIN\user2 10.1.0.20 Entourage/11.0+(compatible;+MSIE+6.0;+PPC+Mac+OS+X+10.4.6;+Tasman+1.0) 405
2006-06-20 08:38:37 10.0.0.200 GET /exchange/ - 443 - 10.1.0.20 Entourage/11.0+(compatible;+MSIE+6.0;+PPC+Mac+OS+X+10.4.6;+Tasman+1.0) 401
2006-06-20 08:38:37 10.0.0.200 GET /exchange/ - 443 - 10.1.0.20 Entourage/11.0+(compatible;+MSIE+6.0;+PPC+Mac+OS+X+10.4.6;+Tasman+1.0) 401
2006-06-20 08:38:37 10.0.0.200 GET /exchange/ - 443 MYDOMAIN\user2 10.1.0.20 Entourage/11.0+(compatible;+MSIE+6.0;+PPC+Mac+OS+X+10.4.6;+Tasman+1.0) 200


If I try and connect on the exchange 2003 server itself I get different behaviour. I get promtped for a user name and password for the server. However the administrator password which I used to log in to the server doesn't work and after 3 tries it disappears and I'm left with a message that says: "Error: Access is Denied"

The log file shows:

2006-06-20 14:09:36 10.0.0.200 GET /exchange - 443 - 10.0.0.200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 401
2006-06-20 14:09:49 10.0.0.200 GET /exchange - 443 - 10.0.0.200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 401
2006-06-20 14:09:49 10.0.0.200 GET /exchange - 443 - 10.0.0.200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 401
2006-06-20 14:09:49 10.0.0.200 GET /exchange - 443 - 10.0.0.200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 401
2006-06-20 14:09:49 10.0.0.200 GET /exchange - 443 - 10.0.0.200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 401
2006-06-20 14:09:50 10.0.0.200 GET /exchange - 443 - 10.0.0.200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 401
2006-06-20 14:09:50 10.0.0.200 GET /exchange - 443 - 10.0.0.200


As far as I can see it's a problem with authorisation for both Windows clients and Macs. The IIS folders for OWA appear to be fine. I have seen some websites pointing to changing authentication methods and also log on locally rights but nothing is overly clear on how OWA should be in a normal working state.

Thanks in advance for any help that can solve this.

HT
0
Comment
Question by:Hightower_8
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 12
  • 9
22 Comments
 
LVL 18

Expert Comment

by:amaheshwari
ID: 16943166
Have you checked port 443 is it open on your Firewall if it is there.
0
 

Author Comment

by:Hightower_8
ID: 16943248
Hi amaheshwari,

I forgot to mention above that this is purely LAN access at the moment, no firewalls or proxys in the way.

Just directly client to server access.

Thanks,

HT
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 16943302
It doesn't seem to like the PROPFIND requests (it returns a 405 - Method Not Allowed status).  See if you can find a URLScan.ini file on the server with PROPFIND listed in DenyVerbs.  Or see if the server is running AntiVirus that blocks WebDAV verbs.
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:Hightower_8
ID: 16943416
Hi LeeDerbyshire,

No URLScan.ini file to check and no Antivirus installed on the server.

Thanks,

HT

0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 16943460
The only other thing I can suggest is to look at the Web Service Extensions in IIS Manager, and make sure that MS Exchange is allowed.  WebDAV is normally Disallowed, but I know of one guy that had to enable it to get OWA working.
0
 

Author Comment

by:Hightower_8
ID: 16943573
Hi LeeDerbyshire,

Have allowed WebDAV but still no joy, the logs are still showing 401 errors.

This isn't something to do with a problem with the Exchweb authentication is it, just someone mentioned this deals with requests for OWA.

thanks,

HT
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 16943652
Exchweb contains the supporting files for OWA, like the images, javascript files, etc.  It is normally set to allow Anonymous Access, except for the bin subfolder.  The 401s are not a problem - that is just the server challenging the browser for the credentials, but the retried request should result in a 20x, not 405 .

Did you read this:
http://support.microsoft.com/?kbid=280823
0
 

Author Comment

by:Hightower_8
ID: 16943797
I did read that KB and did recreate all the OWA folders to begin trouble shooting.

Anonymous access is selected though the user name displays "IUSR_SERVERNAME" and no password stars are showing. Slightly odd when I click browse for username to doublecheck that account is ok, the system resolves it as..

"SERVERNAME\IUSR_SERVERNAME"

What should this be? "IUSR_SERVERNAME" or "SERVERNAME\IUSR_SERVERNAME"

and should there be at least a stared out password?

Thanks,

HT
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 16944707
The IUSR_SERVERNAME (in either form) should be okay.  It's a local account, not a domain account, and you would have other very significant problems if the server couldn't log on with it.  It might be worth checking in ADUC that it's not locked out, or disabled.

There should be a hidden password in there.  You will never know what it is, because IIS maintains it automatically.  One thing you could try is to specify another account (with admin rights), for a temporary test.  Now that the password is gone, though, I don't know how you re-establish the SAM/IIS synchronization.
0
 

Author Comment

by:Hightower_8
ID: 16949635
The IUSR_SERVERNAME account as you point out is local so it wouldn't be in ADUC?

Before I try I the account change there have been some developments in access the actual emails in the mailboxes.

If I use firefox I get a "Prompt" and I'm asked for a username and password. Once this is in the OWA screen opens and my emails are there. Also one of the MAC users said he could get to emails via a MAC internet browser (not sure what it is yet). So does this give out anymore clues?



0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 16949743
No, it would be in Computer Management/Local Users And Groups .

It works in non-MS browsers because OWA sends them the 'Basic' OWA GUI, instead of the 'Premium' one (if you had FBA enabled, you would see the choice on the logon screen).  The Premium version uses client-side WebDAV requests - like the PROPFIND that your server is blocking.  If you look at your IIS logs when a non-MS browser is using OWA, then the entries will be different.
0
 

Author Comment

by:Hightower_8
ID: 16949834
yep, the account is ok, not disabled etc.

ok, so that explains why it works with firefox.

The annoying thing is that used to work fine with both i.e. and entourage. I think the problem must have started after exchange SP2 went on and subsequent reboot.

Currently reading http://support.microsoft.com/default.aspx?scid=kb;en-us;327843&Product=exch2003 to see if the folder permissions are ok..

Thanks,

HT
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 16949887
Did you try resetting them with this:
http://support.microsoft.com/?kbid=883380
0
 

Author Comment

by:Hightower_8
ID: 16949896
yep did that yesterday before posting this question.
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 16950022
It might be worth checking your davex.dll file, to make sure that your Authenticated Users have Read and Execute permissions on it.

Also, if you look at the properties of the Web Sites container in IIS manager, is the ASP.NET ISAPI filter enabled with a green up arrow showing?
0
 

Author Comment

by:Hightower_8
ID: 16950058
can confirm davex.dll has read and execute permissions and ASP.NET ISAPI filter is green.
0
 
LVL 31

Accepted Solution

by:
LeeDerbyshire earned 500 total points
ID: 16950111
The only thing I can think now, is that something in the OS service pack might help.  I can't find anything relevant to PROPFIND and that 405 status.  As a quick fix, you could use 'segmentation' to disable the Premium or 'Rich' interface completely:
http://support.microsoft.com/?id=833340
0
 

Author Comment

by:Hightower_8
ID: 16950176
yep, this really has me stumped at the moment, I've been reading Microsoft KBs for days now and still nowhere closer :(

I'll make sure my backups ran ok for exchange and then I'll schedule some downtime for the SP1 and updates install. Probably do this Friday night incase I run into problems and plus can reboot and kick the server around as now users will be in.

Will update after the SP and updates are on... fingers crossed this solves it anotherwise I'm going to have to clone myself in order to get on with the other wrok I need to do  :\

thanks,

HT
0
 

Author Comment

by:Hightower_8
ID: 17029589
Slight delay on installing the SP and updates, should take place tonight.

thanks,

HT
0
 

Author Comment

by:Hightower_8
ID: 17057027
Right some good news, after installing windows 2003 SP1 and all the latest updates from windows update last night, OWA now works with I.E 6. I'm yet to try the MAC users but I'm a lot more hopeful now.

Will update.

thanks,

HT
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 17057068
Good luck.  I hope it all works well.
0
 

Author Comment

by:Hightower_8
ID: 17074735
The MACs work! I have some tweaking do with the certificates for the MACs but I'm just glad they both work again.

Thanks to LeeDerbyshire.

Will assign points now.

Cheers,

HT
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

MS Outlook is a world-class email client application that is mainly used for e-communication globally.  In this article, we will discuss the basic idea about MS Outlook, its advanced features, and types of MS Outlook File formats.
This article explains how to install and use the NTBackup utility that comes with Windows Server.
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…
This video discusses moving either the default database or any database to a new volume.

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question