OWA works for admins and not users

I have Exchange 2003 installed on a Windows 2003 server. Both are updated to the latest service pack and have all updates installed. Everything works fine when I access my Exchange account over the web via Internet Explorer, as I am a domain administrator. However, when a domain user tries to log on over the web via OWA, they are not authorised and after 3 attempts get a permission denied error. What settings do I need to check to allow domain users access to OWA? I would like to know directory security settings, IIS settings and anything else that would help. Thank you!

- Oh please bear in mind the windows 2003 box is a domain controller as well as exchange server!!
tim_ellertAsked:
 
LeeDerbyshireCommented:
Do all your users have an SMTP address in the same domain as the Administrator?  OWA can only handle mailboxes having email addresses in the primary Default Recipient Policy domain.
0
 
Jay_Jay70Commented:
Are you using form-based authentication?

Is OWA enabled on the actual accounts - in the Exchange properties of the account?
0
 
tim_ellertAuthor Commented:
- I am not using forms authentication
- OWA is enabled on the accounts along with activesync, imap etc

Perhaps it has something to do with domain servers being more locked down than a normal server, and is a permissions thing...
0
 
Jay_Jay70Commented:
my guess is IIS permissions are not correct for one....Form based is a lot more fun for OWA....https://technet.microsoft.com/en-us/library/bb123832.aspx
0
 
LeeDerbyshireCommented:
Does the error message say Permission Denied Due To ACL ?
0
 
tim_ellertAuthor Commented:
After 3 attempts it goes to a white page which says the following:

Error: Access is Denied.

0
 
LeeDerbyshireCommented:
You will need to show the IIS log file entries generated by a failed attempt to use OWA.  Double-click the most recent file in C:\Windows\System32\LogFiles\W3SVC1, and it will open in Notepad.  Scroll to the bottom, and use the times on the left (they are in GMT) to locate your request for /Exchange .  There should be a 401 near the end of the line.  If there is a group of lines created all around the same time, can you paste all of them?
0
 
tim_ellertAuthor Commented:
Yep.. will do..

Also, just out of interest, I have now enabled forms authentication so I get the pretty logon screen and I still have the same issue. Admins can log on, users can't!

Will go check the logs now....
0
 
LeeDerbyshireCommented:
Could be because your users don't have the required Read And Execute rights on ASP.DLL .
0
 
tim_ellertAuthor Commented:
2007-10-10 14:36:54 W3SVC1 217.174.250.223 GET /exchange/ - 443 stuart.fuller 81.137.251.198 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+Media+Center+PC+5.0;+.NET+CLR+3.0.04506;+.NET+CLR+1.1.4322) ASPSESSIONIDQCSBTDAQ=LEBHKBHCMPOAKAMEAJLLMKLG;+sessionid=ca54f3b8-30eb-49ee-baf9-65350ddffb41;+cadata="0Q2bmOaTKsLXmA8KOGYobU4E6a3VEZ8D5EArTm87N4PrMMGkGwzjXhIiG3MTnQxiqTNOyM9IFq1U=" https://mail.e-homeautomation.com/exchweb/bin/auth/owalogon.asp?url=https://mail.e-homeautomation.com/exchange/&reason=0 401 5 343 959 0


2007-10-10 14:36:54 W3SVC1 217.174.250.223 GET /exchweb/bin/auth/owalogon.asp url=https://mail.e-homeautomation.com/exchange/&reason=2 443 - 81.137.251.198 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+Media+Center+PC+5.0;+.NET+CLR+3.0.04506;+.NET+CLR+1.1.4322) ASPSESSIONIDQCSBTDAQ=LEBHKBHCMPOAKAMEAJLLMKLG https://mail.e-homeautomation.com/exchweb/bin/auth/owalogon.asp?url=https://mail.e-homeautomation.com/exchange/&reason=0 200 0 14312 900 15


2007-10-10 14:37:07 W3SVC1 217.174.250.223 POST /exchweb/bin/auth/owaauth.dll - 443 - 81.137.251.198 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+Media+Center+PC+5.0;+.NET+CLR+3.0.04506;+.NET+CLR+1.1.4322) ASPSESSIONIDQCSBTDAQ=LEBHKBHCMPOAKAMEAJLLMKLG https://mail.e-homeautomation.com/exchweb/bin/auth/owalogon.asp?url=https://mail.e-homeautomation.com/exchange/&reason=2 302 0 401 1081 0


2007-10-10 14:37:07 W3SVC1 217.174.250.223 GET /exchange/ - 443 ehome/stuart.fuller 81.137.251.198 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+Media+Center+PC+5.0;+.NET+CLR+3.0.04506;+.NET+CLR+1.1.4322) ASPSESSIONIDQCSBTDAQ=LEBHKBHCMPOAKAMEAJLLMKLG;+sessionid=1f911c9c-abb6-4708-8a19-26ca602bb37d;+cadata="0QvfVb2T32ovPQWEI+3yR/w6u5H6zWDST1ymfrPkAJsdcq7dJchiwEUhPEQaFqCIylcCBHbeANSasOLbDmK0LZg==" https://mail.e-homeautomation.com/exchweb/bin/auth/owalogon.asp?url=https://mail.e-homeautomation.com/exchange/&reason=2 401 5 343 971 0


2007-10-10 14:37:07 W3SVC1 217.174.250.223 GET /exchweb/bin/auth/owalogon.asp url=https://mail.e-homeautomation.com/exchange/&reason=2 443 - 81.137.251.198 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+Media+Center+PC+5.0;+.NET+CLR+3.0.04506;+.NET+CLR+1.1.4322) ASPSESSIONIDQCSBTDAQ=LEBHKBHCMPOAKAMEAJLLMKLG https://mail.e-homeautomation.com/exchweb/bin/auth/owalogon.asp?url=https://mail.e-homeautomation.com/exchange/&reason=2 200 0 14312 900 15
0
 
tim_ellertAuthor Commented:
How would I check the asp.dll permissions?
0
 
LeeDerbyshireCommented:
The problem seems to be that every time you send a GET request to /Exchange, the server sends a 401;5 response, even when you're logged in (I assume that ehome is the correct domain name).

If you look at the properties of your Default Web Site (Custom Errors tab) 401;5 is described as 'Authorisation failed by ISAPI/CGI app'.  Which I think means that something else is interfering with the logon.  You don't have SharePoint installed, or anything else that interacts deeply with IIS.
0
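Added example, not part of the original thread: a small Python triage of IIS W3C log text that reports requests under /exchange refused with a 401 even though a user name was logged, which is the pattern discussed above. The `#Fields:` header, IP addresses, user names and every log row are constructed for illustration; the sub-status descriptions are the standard IIS 6 ones.

```python
# Added example: find OWA requests that IIS refused (401) after a user name was presented.
# IIS 6 descriptions of the 401 sub-status codes (shown as 401;N on the Custom Errors tab).
SUBSTATUS_401 = {
    "1": "logon failed",
    "2": "logon failed due to server configuration",
    "3": "unauthorized due to ACL on resource",
    "4": "authorization failed by filter",
    "5": "authorization failed by ISAPI/CGI application",
}

# Constructed sample log: documentation IPs and made-up accounts, not data from the thread.
SAMPLE_LOG = """\
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) sc-status sc-substatus sc-bytes cs-bytes time-taken
2000-01-01 14:36:50 W3SVC1 192.0.2.10 GET /exchange/ - 443 - 198.51.100.7 HTTP/1.1 Mozilla/4.0 - - 401 2 1539 300 0
2000-01-01 14:37:07 W3SVC1 192.0.2.10 POST /exchweb/bin/auth/owaauth.dll - 443 - 198.51.100.7 HTTP/1.1 Mozilla/4.0 - - 302 0 401 1081 0
2000-01-01 14:37:07 W3SVC1 192.0.2.10 GET /exchange/ - 443 EXAMPLE/jdoe 198.51.100.7 HTTP/1.1 Mozilla/4.0 - - 401 5 343 971 0
2000-01-01 14:37:07 W3SVC1 192.0.2.10 GET /exchweb/bin/auth/owalogon.asp reason=2 443 - 198.51.100.7 HTTP/1.1 Mozilla/4.0 - - 200 0 14312 900 15
2000-01-01 14:40:12 W3SVC1 192.0.2.10 GET /exchange/ - 443 EXAMPLE/admin 198.51.100.9 HTTP/1.1 Mozilla/4.0 - - 200 0 5120 880 31
2000-01-01 14:40:13 W3SVC1 192.0.2.10 GET /exchange/
"""

def parse_w3c(text):
    """Yield one dict per log row, keyed by the most recent #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # IIS rewrites the header on restart
        elif line and not line.startswith("#") and fields:
            values = line.split()              # IIS encodes spaces inside values as '+'
            if len(values) == len(fields):     # skip truncated or malformed rows
                yield dict(zip(fields, values))

def denied_after_logon(text, prefix="/exchange"):
    """Return (time, user, status, meaning) for 401s where a user name was logged."""
    hits = []
    for row in parse_w3c(text):
        if (row.get("sc-status") == "401"
                and row.get("cs-username", "-") != "-"
                and row.get("cs-uri-stem", "").lower().startswith(prefix)):
            sub = row.get("sc-substatus", "?")
            hits.append((row["time"], row["cs-username"], "401." + sub,
                         SUBSTATUS_401.get(sub, "unknown sub-status")))
    return hits

if __name__ == "__main__":
    for hit in denied_after_logon(SAMPLE_LOG):
        print(*hit)
```

A 401 with no user name is the normal authentication challenge and is ignored; only rows where a name was logged and access was still refused are reported.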
 
LeeDerbyshireCommented:
Search for the file named asp.dll in Explorer, right-click it, and check the NTFS permissions.
0
 
tim_ellertAuthor Commented:
I am assuming that "ehome" must be the correct domain or else the admin account would not be able to log in.

What permissions should be set for asp.dll?
0
 
tim_ellertAuthor Commented:
I have nothing else on the box except Exchange 2003 and Windows 2003 (as domain controller).
0
 
LeeDerbyshireCommented:
The FBA page and the Logoff pages are both .asp files, which are interpreted by ASP.DLL .  This means that your users need to have at least Read And Execute rights on it.
0
 
tim_ellertAuthor Commented:
Tried giving Everyone permission to read and read & execute on asp.dll and still no change.
0
 
tim_ellertAuthor Commented:
Authenticated Users have read and read & execute permissions on it.
0
 
tim_ellertAuthor Commented:
Yes, everyone has an SMTP address of name@e-homeautomation.com
0
 
LeeDerbyshireCommented:
Does it make any difference if you temporarily make one of the users an Administrator?
0
 
tim_ellertAuthor Commented:
Fixed it!

The issue was that the SMTP address of the user did not match the one in the primary Default Recipient Policy domain.

This support article also helped:
http://support.microsoft.com/kb/293386

Cheers all! :)
0
 
LeeDerbyshireCommented:
Ah, right.  I expect the Administrator had one more email address that other users did not, in addition to @e-homeautomation.com .
0
Question has a verified solution.