Solved

OWA denies access after changing default permissions

Posted on 2006-11-24
Last Modified: 2008-02-01
Hi, I have a problem: my OWA and company web have always worked fine. I changed the access to the webpage in IIS default web to no anonymous access, and when I clicked Apply it asked if I wanted to change the permissions to a bunch of other files in a list. I said yes, as I thought it would need to be applied throughout, and now I get this problem. Please help, thanks.
Question by:fessiambre
14 Comments
 
LVL 104

Expert Comment

by:Sembee
Some version information would be nice.

Simon.
 

Author Comment

by:fessiambre
Sorry, this is the operating system: SBS 2003 with integrated Exchange.
 
LVL 74

Assisted Solution

by:Jeffrey Kane - TechSoEasy
Jeffrey Kane - TechSoEasy earned 250 total points
You could just rerun the Configure Email and Internet Connection Wizard (CEICW -- which is linked as Connect to the Internet in the Server Management Console > Internet and Email), but I'm afraid that it wouldn't actually reset EVERYTHING properly.

Therefore, my recommendation is that you reinstall IIS and Exchange per this KB article: http://support.microsoft.com/kb/320202

Jeff
TechSoEasy
 
LVL 104

Expert Comment

by:Sembee
You might get away with resetting the virtual folders.
http://support.microsoft.com/default.aspx?kbid=883380

Simon.
 

Author Comment

by:fessiambre
Do I have to be so drastic? All I did was say apply these permission changes to exadmin, exchange, exchange-oma, exchweb etc. when I changed the default web site permissions under directory security. Everything was fine before that. Any other suggestions?
 
LVL 104

Accepted Solution

by:
Sembee earned 250 total points
The Exchange permissions are very complex. You have basically wrecked them. Trying to recreate them by hand is almost impossible. The folder reset works in many cases, but otherwise you are looking at the reinstall of IIS and Exchange because of the close relationship between IIS and Exchange.

Simon.
 

Author Comment

by:fessiambre
Simon, do you recall the screen I am talking about, in directory security?

 
LVL 104

Expert Comment

by:Sembee
I know exactly what you have done. By choosing the replace permissions you have wrecked most of the operation of Exchange. It isn't just OWA, but Exchange itself. Public Folder access also goes through IIS.
While you can try and reset it manually, it will be almost impossible to be sure that everything is set correctly.

Simon
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
That's why I recommended the KB article above... it's simple to follow and it works!

Jeff
TechSoEasy
 

Author Comment

by:fessiambre
I will try the suggestions, thanks guys.
 

Author Comment

by:fessiambre
I found this recommendation on Experts Exchange in a different area. I followed it and it worked; just posting it here for you to maybe use at a later date. Thanks guys. I am going to give points to both of you because both your recommendations were very good and would have worked, but it seemed like the long way.

This sounds like a permission setting problem on your Exchange IIS. Make sure all these settings are on their default settings.

Directory security settings:
Exchange :- Integrated and Basic ticked, place your domain name in the field provided
ExchWeb :- Anonymous access
Public :- Same as Exchange folder
ExAdmin :- Integrated only

I got these settings from an Exchange 2003 server as I don't have an Exchange 2000 server, but it should be the same.

If that doesn't work you can go the secure route, https. In my experience it has solved 99% of my OWA login problems. This is something that is very well documented on msexchange.org, you will need to use OWA forms based authentication.

Cheers.
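Added example (not part of the original thread): a small audit that compares each Exchange virtual directory's authentication methods with the defaults listed in the post above and reports drift. It assumes the values come from the IIS 6 metabase `AuthFlags` property (bit values 1 = Anonymous, 2 = Basic, 4 = Integrated); the sample state is constructed, and the function names are hypothetical.

```python
# Added example, not from the thread: audit IIS 6 virtual-directory
# authentication against the defaults quoted in the post above.

# IIS metabase AuthFlags bit values (an IIS property, not stated on the page).
AUTH_BITS = {"Anonymous": 0x1, "Basic": 0x2, "Integrated": 0x4}

# Baseline taken from the post: Exchange = Integrated + Basic,
# ExchWeb = Anonymous, Public = same as Exchange, ExAdmin = Integrated only.
BASELINE = {
    "Exchange": {"Integrated", "Basic"},
    "ExchWeb": {"Anonymous"},
    "Public": {"Integrated", "Basic"},
    "ExAdmin": {"Integrated"},
}


def decode_auth_flags(value):
    """Return the set of authentication methods enabled in an AuthFlags value."""
    return {name for name, bit in AUTH_BITS.items() if value & bit}


def audit(observed):
    """Compare observed AuthFlags per virtual directory with BASELINE.

    Returns {vdir: (unexpected_methods, missing_methods)} for each directory
    that deviates. A directory absent from `observed` is reported with all
    of its expected methods missing.
    """
    findings = {}
    for vdir, expected in BASELINE.items():
        # Match case-insensitively: IIS paths are not case-sensitive.
        match = [v for k, v in observed.items() if k.lower() == vdir.lower()]
        enabled = decode_auth_flags(match[0]) if match else set()
        extra, missing = enabled - expected, expected - enabled
        if extra or missing:
            findings[vdir] = (sorted(extra), sorted(missing))
    return findings


# Constructed sample (an assumption, not data from the thread): Integrated
# only (AuthFlags = 4) pushed down from the default web site to every child.
SAMPLE_AFTER_CHANGE = {"exchange": 4, "exchweb": 4, "public": 4, "exadmin": 4}

if __name__ == "__main__":
    for vdir, (extra, missing) in audit(SAMPLE_AFTER_CHANGE).items():
        print(f"{vdir}: unexpected={extra} missing={missing}")
```

Keeping a record of these values before changing directory security on the default web site gives a known-good state to compare against after an inherited-permission prompt has been accepted.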
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
fessiambre,

In the future, if you're going to quote another post, it's customary to provide a link so that others can learn from any other discussion within that question.

In this case, the comments came from http:Q_21633485.html

The fact is that running the CEICW as I had recommended above would have changed those permissions.  Did you ever try that?

If you look on your server in C:\Program Files\Microsoft Windows Small Business Server\Networking\ICW\IcwdetailsXX.htm (where XX = the incremental number generated every time you run the CEICW) you'll find a nice description of everything that was modified during that run of the CEICW.  Here's what it would say regarding what the wizard does in IIS:

Internet Information Services (IIS) will be configured as
follows:

      Restrict default Web site of IIS to only respond to
requests from the local network.

      Set the maximum number of incoming Web request
connections allowed to the default Web site to 500. This
improves system availability and reliability by mitigating
denial-of-service attacks against your Web site.

      Allow access to Outlook Web Access to the Internet
by modifying the IP permissions of the Web site for the
following IIS Web site directories to allow clients from any
IP address to connect: /exchange/, /exchweb/, /public/.
Additionally, the Default Web site is configured for Forms
Based Authentication (also called Cookie Authentication).
The Public folder is also configured to accept Windows
Integrated Authentication.

      Allow access to Window Sharepoint Services to the
Internet by modifying the IP permissions for the Intranet
IIS Web site directory to allow clients from any IP address
to connect.

      Allow access to Remote Web Workplace to the Internet
by modifying the IP permissions for the Remote IIS Web site
directory to allow clients from any IP address to connect.

      Allow access to Server performance and usage reports
to the Internet by modifying the IP permissions for the
Monitoring IIS Web site directory to allow clients from any
IP address to connect.

      Allow access to Outlook Mobile Access to the
Internet by modifying the IP permissions for the OMA and
Microsoft-Server-ActiveSync IIS Web site directories to
allow clients from any IP address to connect. The
Exchange-oma IIS Web site directory is set to never require
SSL and to deny access to all computers except the computer
running Windows Small Business Server.

      Allow access to Outlook via the Internet to the
Internet by modifying the IP permissions for the Rpc IIS Web
site directory to allow clients from any IP address to
connect.
      

This is why you should always use the wizards in SBS!

Jeff
TechSoEasy




 

Author Comment

by:fessiambre
Hi Jeff, sorry about not posting the link to the previous comment. I will remember that in the future. As for your advice, I did run the wizard first as you suggested and it did not work for me. I did not want to get into restoring IIS and Exchange; it seemed too complicated for a live machine that was working fairly well. But as always I respect your advice and try to follow it to the letter. Thanks again.
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
No problem... I should state that the info that I posted above comes from the output of what the CEICW is "SUPPOSED" to do, not what it actually does.  That would be contained in the icwlog.txt file which is in C:\Program Files\Microsoft Windows Small Business Server\Support

Jeff
TechSoEasy