
OWA works for admins and not users

Last Modified: 2012-05-05
I have Exchange 2003 installed on a Windows 2003 server. Both are updated to the latest service pack and have all updates installed. Everything works fine when I access my Exchange account over the web via Internet Explorer, as I am a domain administrator. However, when a domain user tries to log on over the web via OWA, they are not authorised and after 3 attempts get a permission denied error. What settings do I need to check to allow domain users access to OWA? I would like to know directory security settings, IIS settings and anything else that would help. Thank you!

- Oh please bear in mind the windows 2003 box is a domain controller as well as exchange server!!

CERTIFIED EXPERT
Top Expert 2006

Commented:
are you using form based authentication?

is OWA enabled on the actual accounts - in exchange properties of the account

Author

Commented:
- I am not using forms authentication
- OWA is enabled on the accounts along with activesync, imap etc

perhaps it has something to do with domain servers being more locked down than a normal server, and is a permissions thing...
CERTIFIED EXPERT
Top Expert 2006

Commented:
my guess is IIS permissions are not correct for one....Form based is a lot more fun for OWA....https://technet.microsoft.com/en-us/library/bb123832.aspx
CERTIFIED EXPERT

Commented:
Does the error message say Permission Denied Due To ACL ?

Author

Commented:
After 3 attempts it goes to a white page which says the following:

Error: Access is Denied.

CERTIFIED EXPERT

Commented:
You will need to show the IIS log file entries generated by a failed attempt to use OWA.  Double-click the most recent file in C:\Windows\System32\LogFiles\W3SVC1, and it will open in Notepad.  Scroll to the bottom, and use the times on the left (they are in GMT) to locate your request for /Exchange .  There should be a 401 near the end of the line.  If there is a group of lines created all around the same time, can you paste all of them?

Author

Commented:
yep.. will do..

also just out of interest I have now enabled forms authentication so I get the pretty logon screen and I still have the same issue. Admins can log on, users can't!

will go check the logs now....
CERTIFIED EXPERT

Commented:
Could be because your users don't have the required Read And Execute rights on ASP.DLL .

Author

Commented:
2007-10-10 14:36:54 W3SVC1 217.174.250.223 GET /exchange/ - 443 stuart.fuller 81.137.251.198 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+Media+Center+PC+5.0;+.NET+CLR+3.0.04506;+.NET+CLR+1.1.4322) ASPSESSIONIDQCSBTDAQ=LEBHKBHCMPOAKAMEAJLLMKLG;+sessionid=ca54f3b8-30eb-49ee-baf9-65350ddffb41;+cadata="0Q2bmOaTKsLXmA8KOGYobU4E6a3VEZ8D5EArTm87N4PrMMGkGwzjXhIiG3MTnQxiqTNOyM9IFq1U=" https://mail.e-homeautomation.com/exchweb/bin/auth/owalogon.asp?url=https://mail.e-homeautomation.com/exchange/&reason=0 401 5 343 959 0


2007-10-10 14:36:54 W3SVC1 217.174.250.223 GET /exchweb/bin/auth/owalogon.asp url=https://mail.e-homeautomation.com/exchange/&reason=2 443 - 81.137.251.198 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+Media+Center+PC+5.0;+.NET+CLR+3.0.04506;+.NET+CLR+1.1.4322) ASPSESSIONIDQCSBTDAQ=LEBHKBHCMPOAKAMEAJLLMKLG https://mail.e-homeautomation.com/exchweb/bin/auth/owalogon.asp?url=https://mail.e-homeautomation.com/exchange/&reason=0 200 0 14312 900 15


2007-10-10 14:37:07 W3SVC1 217.174.250.223 POST /exchweb/bin/auth/owaauth.dll - 443 - 81.137.251.198 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+Media+Center+PC+5.0;+.NET+CLR+3.0.04506;+.NET+CLR+1.1.4322) ASPSESSIONIDQCSBTDAQ=LEBHKBHCMPOAKAMEAJLLMKLG https://mail.e-homeautomation.com/exchweb/bin/auth/owalogon.asp?url=https://mail.e-homeautomation.com/exchange/&reason=2 302 0 401 1081 0


2007-10-10 14:37:07 W3SVC1 217.174.250.223 GET /exchange/ - 443 ehome/stuart.fuller 81.137.251.198 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+Media+Center+PC+5.0;+.NET+CLR+3.0.04506;+.NET+CLR+1.1.4322) ASPSESSIONIDQCSBTDAQ=LEBHKBHCMPOAKAMEAJLLMKLG;+sessionid=1f911c9c-abb6-4708-8a19-26ca602bb37d;+cadata="0QvfVb2T32ovPQWEI+3yR/w6u5H6zWDST1ymfrPkAJsdcq7dJchiwEUhPEQaFqCIylcCBHbeANSasOLbDmK0LZg==" https://mail.e-homeautomation.com/exchweb/bin/auth/owalogon.asp?url=https://mail.e-homeautomation.com/exchange/&reason=2 401 5 343 971 0


2007-10-10 14:37:07 W3SVC1 217.174.250.223 GET /exchweb/bin/auth/owalogon.asp url=https://mail.e-homeautomation.com/exchange/&reason=2 443 - 81.137.251.198 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+Media+Center+PC+5.0;+.NET+CLR+3.0.04506;+.NET+CLR+1.1.4322) ASPSESSIONIDQCSBTDAQ=LEBHKBHCMPOAKAMEAJLLMKLG https://mail.e-homeautomation.com/exchweb/bin/auth/owalogon.asp?url=https://mail.e-homeautomation.com/exchange/&reason=2 200 0 14312 900 15

Author

Commented:
how would i check the asp.dll permissions?
CERTIFIED EXPERT

Commented:
The problem seems to be that every time you send a GET request to /Exchange, the server sends a 401;5 response, even when you're logged in (I assume that ehome is the correct domain name).

If you look at the properties of your Default Web Site (Custom Errors tab) 401;5 is described as 'Authorisation failed by ISAPI/CGI app'.  Which I think means that something else is interfering with the logon.  You don't have SharePoint installed, or anything else that interacts deeply with IIS.
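The check described in this thread (find the requests for /Exchange in the IIS log and read the status and sub-status near the end of each line), as an added Python example that is not part of the original thread. The field positions are inferred from the log lines posted above, since no #Fields header appears on the page; the sample log, hosts and user names are constructed.

```python
from collections import Counter

# Meanings of the IIS 401 sub-status codes (401.1 to 401.5).
SUBSTATUS_401 = {
    1: "logon failed",
    2: "logon failed due to server configuration",
    3: "unauthorized due to ACL on resource",
    4: "authorization failed by filter",
    5: "authorization failed by ISAPI/CGI application",
}

# Constructed sample log (hosts, users and cookies are placeholders).
SAMPLE_LOG = """\
2007-10-10 14:36:54 W3SVC1 192.0.2.10 GET /exchange/ - 443 jdoe 198.51.100.7 HTTP/1.1 MSIE+7.0 sessionid=x https://mail.example.test/exchweb/bin/auth/owalogon.asp 401 5 343 959 0
2007-10-10 14:36:54 W3SVC1 192.0.2.10 GET /exchweb/bin/auth/owalogon.asp reason=2 443 - 198.51.100.7 HTTP/1.1 MSIE+7.0 - - 200 0 14312 900 15
2007-10-10 14:37:07 W3SVC1 192.0.2.10 POST /exchweb/bin/auth/owaauth.dll - 443 - 198.51.100.7 HTTP/1.1 MSIE+7.0 - - 302 0 401 1081 0
2007-10-10 14:37:07 W3SVC1 192.0.2.10 GET /exchange/ - 443 corp/jdoe 198.51.100.7 HTTP/1.1 MSIE+7.0 sessionid=y - 401 5 343 971 0
2007-10-10 14:40:12 W3SVC1 192.0.2.10 GET /Exchange/ - 443 asmith 198.51.100.9 HTTP/1.1 MSIE+7.0 - - 401 1 343 960 0
2007-10-10 14:41:30 W3SVC1 192.0.2.10 GET /exchange/ - 443 corp/admin 198.51.100.8 HTTP/1.1 MSIE+7.0 sessionid=z - 200 0 5120 880 31
"""

def parse_line(line):
    """Parse one data line by position; None for headers and malformed lines."""
    tok = line.split()
    if line.startswith("#") or len(tok) < 14:
        return None
    if not (tok[-5].isdigit() and tok[-4].isdigit()):
        return None
    # Assumed layout: status and sub-status are the 5th and 4th fields from
    # the end, so a byte count of 401 (third sample line) is not a status.
    return {"time": f"{tok[0]} {tok[1]}", "uri": tok[5].lower(), "user": tok[8],
            "status": int(tok[-5]), "substatus": int(tok[-4])}

def auth_failures(log_text, prefix="/exchange/"):
    """Return the 401 responses under prefix with the sub-status decoded."""
    hits = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["status"] == 401 and rec["uri"].startswith(prefix):
            rec["meaning"] = SUBSTATUS_401.get(rec["substatus"], "unknown")
            hits.append(rec)
    return hits

def summarize(hits):
    """Count failures per (account name without domain, sub-status)."""
    return Counter((h["user"].replace("\\", "/").split("/")[-1].lower(),
                    h["substatus"]) for h in hits)
```

A repeated 401.5 for one account alongside a 200 for another, as in the sample, separates a per-user authorization failure from a bad password (401.1) or an NTFS ACL problem (401.3).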
CERTIFIED EXPERT

Commented:
Search for the file named asp.dll in Explorer, right-click it, and check the NTFS permissions.

Author

Commented:
I am assuming that "ehome" must be the correct domain or else the admin account would not be able to log in.

What permissions should be set for asp.dll?

Author

Commented:
i have nothing else on the box except exchange 2003 and windows 2003 (as domain controller)
CERTIFIED EXPERT

Commented:
The FBA page and the Logoff pages are both .asp files, which are interpreted by ASP.DLL .  This means that your users need to have at least Read And Execute rights on it.

Author

Commented:
tried giving asp.dll everyone permission to read and read & execute and still no change

Author

Commented:
authenticated users have read and read & execute permissions on it
CERTIFIED EXPERT
Commented:

Author

Commented:
yes everyone has an SMTP address of  name@e-homeautomation.com
CERTIFIED EXPERT

Commented:
Does it make any difference if you temporarily make one of the users an Administrator?

Author

Commented:
fixed it!

it was the issue that the SMTP of the user did not match the one in the primary Default Recipient Policy domain.

this support article also helped
http://support.microsoft.com/kb/293386

cheers all! :)
CERTIFIED EXPERT

Commented:
Ah, right.  I expect the Administrator had one more email address that other users did not, in addition to @e-homeautomation.com .
