Solved

OWA denies access after changing default permissions

Posted on 2006-11-24
14
314 Views
Last Modified: 2008-02-01
Hi I have a problem that my OWA and company web have always worked fine,I changed the access to the webpage in iis default web to no anonymous access and when I clicked apply it asks if I wanted to change the permissions to a bunch of other files in list I said yes as I thought it would need to be applied thoughout and now I get this problem please help thanks
0
Comment
Question by:fessiambre
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 4
  • 4
14 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 18009124
Some version information would be nice.

Simon.
0
 

Author Comment

by:fessiambre
ID: 18009331
Sorry, this is the operating system  SBS 2003 with intergrated exchange
0
 
LVL 74

Assisted Solution

by:Jeffrey Kane - TechSoEasy
Jeffrey Kane - TechSoEasy earned 250 total points
ID: 18009441
You could just rerun the Configure Email and Internet Connection Wizard (CEICW -- which is linked as Connect to the Internet in the Server Management Console > Internet and Email), but I'm afraid that it wouldn't actually reset EVERYTHING properly.

Therefore, my recomendation is that you reinstall IIS and Exchange per this KB article...  http://support.microsoft.com/kb/320202

Jeff
TechSoEasy
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 104

Expert Comment

by:Sembee
ID: 18009447
You might get away with resetting the virtual folders.
http://support.microsoft.com/default.aspx?kbid=883380

Simon.
0
 

Author Comment

by:fessiambre
ID: 18009494
Do I have to be so drastic, All I did was say apply these permission changes to exadmin,exchange,exchange-oma,exchweb etc when I changed the default web site permissions under directory security. everything was fine before that. any other suggestions
0
 
LVL 104

Accepted Solution

by:
Sembee earned 250 total points
ID: 18009501
The Exchange permissions are very complex. You have basically wrecked them. Trying to recreate them by hand is almost impossible. The folder reset works in many cases, but otherwise you are looking at the reinstall of IIS and Exchange because of the close relationship between IIS and Exchange.

Simon.
0
 

Author Comment

by:fessiambre
ID: 18009510
Simon do you recall the screen I am talking about? in directory security?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18009516
I know exactly what you have done. By choosing the replace permissions you have wrecked most of the operation of Exchange. It isn't just OWA, but Exchange itself. Public Folder access also goes through IIS.
While you can try and reset it manually, it will be almost impossible to be sure that everything is set correctly.

Simon
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18009518
That's why I recommended the KB article above... it's simple to follow and it works!

Jef
TechSoEasy
0
 

Author Comment

by:fessiambre
ID: 18009533
I will try the suggs thanks guys.
0
 

Author Comment

by:fessiambre
ID: 18033810
I found this recommendation on experts exchange in a differnt area, I followed it and it worked just posting it here for you to maybe use at a later date thanks guys I am going to give points to both of you because both your recommendations were very good and would have works but it seemed like the long way.

This sounds like a permission setting problem on your Exchange IIS. Make sure all these settings are on their default settings.

Directory security settings:
Exchange :- Integrated and Basic ticked, place your domain name in the field provided
ExchWeb :- Anonymous access
Public :- Same as Exchange folder
ExAdmin :- Integrated only

I got these settings from an Exchange 2003 server as I don't have an Exchange 2000 server, but it should be the same.

If that doesn't work you can go the secure route, https. In my experience it has solved 99% of my OWA login problems. This is something that is very well documented on msexchange.org, you will need to use OWA forms based authentication.

Cheers.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18037349
fessiambre,

In the future, if you're going to quote another post, it's customary to provide a link so that others can learn from any other discussion within that question.

In this case, the comments came from http:Q_21633485.html

The fact is that running the CEICW as I had recommended above would have changed those permissions.  Did you ever try that?

If you look on your server in C:\Program Files\Microsoft Windows Small Business Server\Networking\ICW\IcwdetailsXX.htm (where XX = the incremental number generated every time you run the CEICW) you'll find a nice description of everything that was modified during that run of the CEICW.  Here's what it would say regarding what the wizard does in IIS:

Internet Information Services (IIS) will be configured as
follows:

      Restrict default Web site of IIS to only respond to
requests from the local network.

      Set the maximum number of incoming Web request
connections allowed to the default Web site to 500. This
improves system availability and reliability by mitigating
denial-of-service attacks against your Web site.

      Allow access to Outlook Web Access to the Internet
by modifying the IP permissions of the Web site for the
following IIS Web site directories to allow clients from any
IP address to connect: /exchange/, /exchweb/, /public/.
Additionally, the Default Web site is configured for Forms
Based Authentication (also called Cookie Authentication).
The Public folder is also configured to accept Windows
Integrated Authentication.

      Allow access to Window Sharepoint Services to the
Internet by modifying the IP permissions for the Intranet
IIS Web site directory to allow clients from any IP address
to connect.

      Allow access to Remote Web Workplace to the Internet
by modifying the IP permissions for the Remote IIS Web site
directory to allow clients from any IP address to connect.

      Allow access to Server performance and usage reports
to the Internet by modifying the IP permissions for the
Monitoring IIS Web site directory to allow clients from any
IP address to connect.

      Allow access to Outlook Mobile Access to the
Internet by modifying the IP permissions for the OMA and
Microsoft-Server-ActiveSync IIS Web site directories to
allow clients from any IP address to connect. The
Exchange-oma IIS Web site directory is set to never require
SSL and to deny access to all computers except the computer
running Windows Small Business Server.

      Allow access to Outlook via the Internet to the
Internet by modifying the IP permissions for the Rpc IIS Web
site directory to allow clients from any IP address to
connect.
      

This is why you should always use the wizards in SBS!

Jeff
TechSoEasy




0
 

Author Comment

by:fessiambre
ID: 18037881
Hi Jeff, Sorry about not posting the link to the previous comment. I will remember that in the future. As for your advice,  I did run the wizard first as you suggested and it did not work for me. I did not want to get into restoring the iis and the exchange it seemed to complicated for a live machine that was working fairly well. But as always I respect your advice and try to follow it to the letter. Thanks again.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18039073
No problem... I should state that the info that I posted above comes from the output of what the CEICW is "SUPPOSED" to do, not what it actually does.  That would be contained in the icwlog.txt file which is in C:\Program Files\Microsoft Windows Small Business Server\Support

Jeff
TechSoEasy
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Read this checklist to learn more about the 15 things you should never include in an email signature.
In-place Upgrading Dirsync to Azure AD Connect
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question