Solved

Exchange 2003 email access requires extended logon credentials (domain\user) for POP and HTTP access

Posted on 2006-11-11
Last Modified: 2012-08-13
On a new domain with Exchange 2003 SP2 I am having the problem that every time a user needs to access email via POP or HTTP they must type the username in the form of:  domain\user or user@domain.  In every other setup I've ever done I've never seen this.  We would much rather prefer to just type the username as everyone is used to.  Why could it be requiring the extended logon credentials and how do we stop it?

I have also just recently realized that this is true for POP and HTTP via IE 6 & 7 on dozens of machines, however oddly enough this problem does not affect Firefox browsers which access webmail with username alone?????

Question by:caperionllc
18 Comments
 
LVL 39

Expert Comment

by:redseatechnologies
Hi caperionllc,

If the mailbox alias does not match the username, you will experience problems like this - particularly with POP3 (not so sure about OWA, but it would make sense as OWA does use the alias as well)

If you create a brand new user called test123 with a mailbox alias of test123 - do you have the same problems?

For OWA, that is quite odd, and while this may seem like a daft question, are you certain this server is on Exchange SP2?

-red
0
 
LVL 2

Author Comment

by:caperionllc
red, I'm not quite sure what you are talking about.  Every single user was created new with Exchange accounts at the same time.

please advise

- jon
0
 
LVL 104

Expert Comment

by:Sembee
By default, Exchange requires domain\username for login to OWA. For POP3 it required domain\username\alias.

You can make some changes to OWA to remove the domain\ requirement of the username. If you are using forms based authentication for OWA (which requires SSL) and you have Service Pack 2 installed, then you don't need to make any changes as there was an undocumented change that removed the requirement on that page.

To the best of my knowledge though, the requirement for POP3 authentication to be in the format I have outlined above has not changed.

Simon.
0
 
LVL 2

Author Comment

by:caperionllc

Thank you for the info, I currently manage about 5 other Exchange servers all for small companies, none of which have upgraded to Exchange SP2 yet, none of which have forms based auth enabled, and none of which require more than a username for checking their POP or OWA.  

One very noticeable difference is that the other companies, all being small organizations and wanting to save $, are all running either SBE or Exchange on a Domain Controller.  If this is the big difference that makes Exchange not require the "domain\" then it seems like a good advantage against Microsoft's "don't install Exchange on a DC" policy.

Still looking for answers . . . .
0
 
LVL 104

Expert Comment

by:Sembee
SBS is different. You cannot compare what happens on SBS to the full product. Microsoft make changes to the configuration of SBS as an SBS server will not be part of a multi-domain site. If you have Exchange in multiple domains, and you have a single frontend server, then Exchange needs to know which domain is being used to authenticate against.

Furthermore, did you set up those other sites? If not, then you cannot compare how they are set up now, to an out of the box experience. The change to the configuration of Exchange to not require the domain\ is a very common one and it wouldn't surprise me in the slightest if that change had been made on other servers. That change is fine while you are using a single domain model, but as soon as you switch to multiple domains, you have to change your behaviour.

Simon.
0
 
LVL 2

Author Comment

by:caperionllc
Simon,

Yes, I also did the installs for the other sites.  Each varies slightly and a couple of them are Standard Edition and the others SBS.  In fact this domain was previously set up in the exact same manner with the difference that they have grown to 4 servers since the original 1 that was running both Exchange and a DC.  And prior to the erase and re-install we never had this issue, so it is indeed very new.

Not to get too much off the subject, the computer had to be erased because several months back the WMI services became seriously corrupted due to a motherboard failure and replace.  After a great deal of troubleshooting and long past the acceptable restore from backup period, we resorted to the Microsoft supported solution of "Re-install Windows".

Now here we are with the same network and almost identical setup with the difference that now another server is acting as  the DC and only Exchange is being placed back on this server, also this server now has Exchange SP2 which could not be applied previously with the WMI errors.

Answering above questions, yes this is definitely SP2, all email accounts are identical to domain user names and were created at the same time as the user account through the add new user option in AD.  This setup only manages a single domain.
0
 
LVL 2

Author Comment

by:caperionllc

VERRRRY INTERESTING!  This was the only domain controller previously, and it was completely erased and rebuilt, no import/export of Active Directory or Exchange.  The domain was recreated using a slightly different domain name (was ___inc.local and is now ___.local) to make certain there would be no question as to which domain every computer and user was logging into.  Now when I go into AD and open the properties of any user account, then under the Account tab, and in the username section, the domain drop down list now has the old and new domains listed.  

How is this so if the entire domain was created fresh????  
Where is this populated from?  
If I remove the old domain from this list, will this fix my problem as there will only be one to log onto???
And the real bugger . . . . why does OWA on Firefox always work with just the username (no forms based auth being used)?
0
 
LVL 104

Expert Comment

by:Sembee
The Firefox question is very easy. It uses basic authentication. Internet Explorer uses integrated authentication. Integrated authentication requires the use of the domain part somewhere. Even when you make changes to the authentication settings, all you are doing is telling Exchange to presume that the domain is domain\, nothing more.

Did you restore anything from backups? System state for example?

Simon.
0
 
LVL 2

Author Comment

by:caperionllc

Ok, so is it possible to tell the server that all POP authentication should be basic auth???  Does that even make sense?

And is it correct that I can easily change the authentication method for OWA to basic for all browsers?
0
 
LVL 2

Author Comment

by:caperionllc

Sorry, the answer to your question: no, no backups were restored, including system state etc.
0
 
LVL 104

Expert Comment

by:Sembee
POP3 is basic authentication. It cannot be anything else.
The only time I have seen the format changed from the format that I have posted above (domain\username\alias) is when the username and the alias are identical.
Even then it requires domain\username or username@domain type format. I don't know of a location where you can change that.  

Simon.
0
 
LVL 2

Author Comment

by:caperionllc

That may be correct in most cases, but out of all of the servers I manage this is the ONLY one that is requiring what you say.  And it didn't use to require it.  Like I say, the only thing I can think of is that now the server is not also a DC?

What are the downsides to installing AD on an Exchange server?  I know when you shut down, AD stops before Exchange, causing a very slow and incorrect shutdown; however, that is easily fixed with a simple batch file that stops services in the proper order and shuts down.

0
 
LVL 104

Expert Comment

by:Sembee
The downside to installing AD on Exchange is that it isn't supported. You should not change the role of the server once Exchange is installed. If it was a member server then it must stay a member server. Changing the role usually breaks most of the web functionality, including OWA, RPC over HTTPS etc.

The only reason I can think that it works differently on a domain controller is because there is nothing else for it to use. That would be one of those features that works despite what you have done, not because.

If you hit a web site that is on a member server which requires integrated authentication, then enter just username and password, if the authentication fails you will find that the username comes back machine-name\username. That is because Integrated Authentication without the domain\ will try the local user account database, not the domain account database. Entering domain\username forces the web server to use the domain database.
On a domain controller there is no local user account database, just the domain, so it can only pass it through to the domain.

I don't install standard Exchange on to domain controllers. Most of my deployments are either SBS or high end Enterprise deployments. If the client is purchasing Exchange then it is either SBS or Exchange on a dedicated box. I don't do the middle option of full Exchange on a domain controller because there is very little point and it complicates the deployment. If the client has outgrown SBS then they should have a dedicated machine.

Simon.
0
 
LVL 2

Author Comment

by:caperionllc

I agree with your policies and procedures.  And you have helped very much in understanding why I am in the situation.

Now I am back to the initial question of how to stop this machine from requiring domain\ when logging on via POP or OWA.

It did not previously require it (probably because it was a DC) and being an office full of construction workers and very NON-SAVVY users, they simply won't accept the change.  In addition, it is too much to ask that they use the convention "user@___.local" when their email address is "user@___.com"; they can hardly remember a password of abc123.

If CEO says it must be fixed then I am stuck finding a solution.  Any more suggestions from here?
0
 
LVL 104

Expert Comment

by:Sembee
As far as I am aware the requirement for the domain cannot be changed for POP3. Microsoft might be able to tell you different, but if that is possible I haven't seen it documented anywhere.

For OWA there are a number of solutions.

On Exchange 2003 with an SSL secured site, simply enable Forms Based Authentication.
If you aren't using SSL then you have bigger problems to worry about than the users not putting in domain\ as without SSL all of your usernames and passwords are going across in the clear - which they will with POP3 (which is why I don't deploy POP3 to clients any longer).

On other versions, setting the default domain and default realm (where applicable) on the /exchange virtual directory in IIS Manager will also remove the domain\ requirement.

Simon.
0
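The logon-name forms and the cleartext point discussed above, as an added example that is not part of the original thread. It is a Python model, not Exchange's or IIS's own logic: `EXAMPLE`, `jsmith` and the sample traffic are constructed, and `default_domain` is a hypothetical parameter standing in for the default domain setting.

```python
import base64

def parse_logon(name, default_domain=None):
    """Split a submitted logon name into (domain, user, alias).

    Handles the forms mentioned in the thread: user, domain\\user,
    user@domain and domain\\user\\alias. default_domain (hypothetical
    parameter) is applied only when the name carries no domain part.
    """
    domain, alias = default_domain, None
    if "\\" in name:
        parts = name.split("\\")
        if len(parts) not in (2, 3):
            raise ValueError("unrecognised logon form: %r" % name)
        domain, user = parts[0], parts[1]
        alias = parts[2] if len(parts) == 3 else None
    elif "@" in name:
        user, domain = name.rsplit("@", 1)
    else:
        user = name
    if not user:
        raise ValueError("empty username")
    return domain, user, alias

def basic_credentials(header_value):
    """Decode an HTTP 'Authorization: Basic ...' value into (logon, password).

    Basic is only base64, not encryption, so without SSL anyone who can
    see the request can do exactly this.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    logon, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return logon, password

def pop3_credentials(lines):
    """Read the logon and password from plain POP3 USER/PASS command lines."""
    creds = {}
    for line in lines:
        verb, _, arg = line.strip().partition(" ")
        if verb.upper() in ("USER", "PASS"):
            creds[verb.upper()] = arg
    return creds.get("USER"), creds.get("PASS")

# Constructed sample traffic (not captured from any real server).
SAMPLE_HEADER = "Basic " + base64.b64encode(b"jsmith:abc123").decode("ascii")
SAMPLE_POP3 = ["USER EXAMPLE\\jsmith\\jsmith", "PASS abc123"]
```

Running `basic_credentials(SAMPLE_HEADER)` and `pop3_credentials(SAMPLE_POP3)` returns the password unchanged in both cases, which is the exposure SSL removes.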
 
LVL 39

Accepted Solution

by:redseatechnologies (earned 500 total points)
I have only seen POP3 from Exchange want the full Domain\user\alias if the username and alias are different - otherwise just username works for me.

-red
0
 
LVL 39

Expert Comment

by:redseatechnologies
Hi caperionllc,

Is there any reason why you selected my answer instead of splitting the points with Sembee?

I really only answered half the question :)

If you wanted, Sembee would be able to re-open the question for you and you could click the "Split Points" button down the bottom (just above the comment box).

-red
0
