OWA denies access after changing default permissions

Hi, I have a problem. My OWA and company web have always worked fine. I changed the access to the webpage in IIS default web to no anonymous access, and when I clicked apply it asked if I wanted to change the permissions to a bunch of other files in a list. I said yes, as I thought it would need to be applied throughout, and now I get this problem. Please help, thanks.
fessiambreAsked:
 
SembeeCommented:
The Exchange permissions are very complex. You have basically wrecked them. Trying to recreate them by hand is almost impossible. The folder reset works in many cases, but otherwise you are looking at the reinstall of IIS and Exchange because of the close relationship between IIS and Exchange.

Simon.
0
 
SembeeCommented:
Some version information would be nice.

Simon.
0
 
fessiambreAuthor Commented:
Sorry, this is the operating system: SBS 2003 with integrated Exchange.
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
You could just rerun the Configure Email and Internet Connection Wizard (CEICW -- which is linked as Connect to the Internet in the Server Management Console > Internet and Email), but I'm afraid that it wouldn't actually reset EVERYTHING properly.

Therefore, my recommendation is that you reinstall IIS and Exchange per this KB article...  http://support.microsoft.com/kb/320202

Jeff
TechSoEasy
0
 
SembeeCommented:
You might get away with resetting the virtual folders.
http://support.microsoft.com/default.aspx?kbid=883380

Simon.
0
 
fessiambreAuthor Commented:
Do I have to be so drastic? All I did was say apply these permission changes to exadmin, exchange, exchange-oma, exchweb etc. when I changed the default web site permissions under directory security. Everything was fine before that. Any other suggestions?
0
 
fessiambreAuthor Commented:
Simon, do you recall the screen I am talking about, in directory security?
0
 
SembeeCommented:
I know exactly what you have done. By choosing the replace permissions you have wrecked most of the operation of Exchange. It isn't just OWA, but Exchange itself. Public Folder access also goes through IIS.
While you can try and reset it manually, it will be almost impossible to be sure that everything is set correctly.

Simon
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
That's why I recommended the KB article above... it's simple to follow and it works!

Jeff
TechSoEasy
0
 
fessiambreAuthor Commented:
I will try the suggs thanks guys.
0
 
fessiambreAuthor Commented:
I found this recommendation on Experts Exchange in a different area. I followed it and it worked. Just posting it here for you to maybe use at a later date. Thanks guys, I am going to give points to both of you because both your recommendations were very good and would have worked, but it seemed like the long way.

This sounds like a permission setting problem on your Exchange IIS. Make sure all these settings are on their default settings.

Directory security settings:
Exchange :- Integrated and Basic ticked, place your domain name in the field provided
ExchWeb :- Anonymous access
Public :- Same as Exchange folder
ExAdmin :- Integrated only

I got these settings from an Exchange 2003 server as I don't have an Exchange 2000 server, but it should be the same.

If that doesn't work you can go the secure route, https. In my experience it has solved 99% of my OWA login problems. This is something that is very well documented on msexchange.org, you will need to use OWA forms based authentication.

Cheers.
0
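The baseline quoted in the post above can be checked mechanically instead of by clicking through each Directory Security tab. The following is an added example, not part of the original thread: it decodes IIS 6 `AuthFlags` bitmask values and reports which virtual directories drift from that baseline. It assumes the numeric `AuthFlags` values have already been read from the metabase, treats each baseline entry as the exact set of enabled methods, and uses a constructed sample (`AFTER_INHERIT`) in which Integrated-only was pushed to every child.

```python
"""Audit IIS 6 AuthFlags on the Exchange virtual directories (added example)."""

# IIS 6 metabase AuthFlags bits (MD_AUTH_* constants).
AUTH_BITS = {
    "Anonymous": 0x01,
    "Basic": 0x02,
    "Integrated": 0x04,
    "Digest": 0x10,
    "Passport": 0x40,
}

# Baseline taken from the post. Reading each entry as the exact set of
# enabled methods is an assumption of this example.
BASELINE = {
    "Exchange": {"Basic", "Integrated"},
    "ExchWeb": {"Anonymous"},
    "Public": {"Basic", "Integrated"},   # "Same as Exchange folder"
    "ExAdmin": {"Integrated"},
}


def decode(flags):
    """Return the set of authentication methods enabled in a bitmask."""
    return {name for name, bit in AUTH_BITS.items() if flags & bit}


def audit(observed):
    """observed maps virtual directory name -> numeric AuthFlags value."""
    seen = {name.lower(): flags for name, flags in observed.items()}
    findings = {}
    for vdir, expected in BASELINE.items():
        # A directory absent from the input is treated as having no method enabled.
        actual = decode(seen.get(vdir.lower(), 0))
        if actual != expected:
            findings[vdir] = {
                "missing": sorted(expected - actual),
                "unexpected": sorted(actual - expected),
            }
    return findings


# Constructed sample: the parent's Integrated-only setting applied to all children.
AFTER_INHERIT = {"Exchange": 0x04, "Exchweb": 0x04, "Public": 0x04, "Exadmin": 0x04}

if __name__ == "__main__":
    for vdir, diff in audit(AFTER_INHERIT).items():
        print(f"{vdir}: missing={diff['missing']} unexpected={diff['unexpected']}")
```
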
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
fessiambre,

In the future, if you're going to quote another post, it's customary to provide a link so that others can learn from any other discussion within that question.

In this case, the comments came from http:Q_21633485.html

The fact is that running the CEICW as I had recommended above would have changed those permissions.  Did you ever try that?

If you look on your server in C:\Program Files\Microsoft Windows Small Business Server\Networking\ICW\IcwdetailsXX.htm (where XX = the incremental number generated every time you run the CEICW) you'll find a nice description of everything that was modified during that run of the CEICW.  Here's what it would say regarding what the wizard does in IIS:

Internet Information Services (IIS) will be configured as
follows:

      Restrict default Web site of IIS to only respond to
requests from the local network.

      Set the maximum number of incoming Web request
connections allowed to the default Web site to 500. This
improves system availability and reliability by mitigating
denial-of-service attacks against your Web site.

      Allow access to Outlook Web Access to the Internet
by modifying the IP permissions of the Web site for the
following IIS Web site directories to allow clients from any
IP address to connect: /exchange/, /exchweb/, /public/.
Additionally, the Default Web site is configured for Forms
Based Authentication (also called Cookie Authentication).
The Public folder is also configured to accept Windows
Integrated Authentication.

      Allow access to Window Sharepoint Services to the
Internet by modifying the IP permissions for the Intranet
IIS Web site directory to allow clients from any IP address
to connect.

      Allow access to Remote Web Workplace to the Internet
by modifying the IP permissions for the Remote IIS Web site
directory to allow clients from any IP address to connect.

      Allow access to Server performance and usage reports
to the Internet by modifying the IP permissions for the
Monitoring IIS Web site directory to allow clients from any
IP address to connect.

      Allow access to Outlook Mobile Access to the
Internet by modifying the IP permissions for the OMA and
Microsoft-Server-ActiveSync IIS Web site directories to
allow clients from any IP address to connect. The
Exchange-oma IIS Web site directory is set to never require
SSL and to deny access to all computers except the computer
running Windows Small Business Server.

      Allow access to Outlook via the Internet to the
Internet by modifying the IP permissions for the Rpc IIS Web
site directory to allow clients from any IP address to
connect.
      

This is why you should always use the wizards in SBS!

Jeff
TechSoEasy




0
 
fessiambreAuthor Commented:
Hi Jeff, sorry about not posting the link to the previous comment. I will remember that in the future. As for your advice, I did run the wizard first as you suggested and it did not work for me. I did not want to get into restoring IIS and Exchange; it seemed too complicated for a live machine that was working fairly well. But as always I respect your advice and try to follow it to the letter. Thanks again.
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
No problem... I should state that the info that I posted above comes from the output of what the CEICW is "SUPPOSED" to do, not what it actually does.  That would be contained in the icwlog.txt file which is in C:\Program Files\Microsoft Windows Small Business Server\Support

Jeff
TechSoEasy
0