Solved

OWA works for admins and not users

Posted on 2007-10-10
Last Modified: 2012-05-05
I have Exchange 2003 installed on a Windows 2003 server. Both are updated to the latest service pack and have all updates installed. Everything works fine when I access my Exchange account over the web via Internet Explorer, as I am a domain administrator. However, when a domain user tries to log on over the web via OWA, they are not authorised and after 3 attempts get a permission denied error. What settings do I need to check to allow domain users access to OWA? I would like to know directory security settings, IIS settings and anything else that would help. Thank you!

- Oh please bear in mind the windows 2003 box is a domain controller as well as exchange server!!
0
Comment
Question by:tim_ellert
22 Comments
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20047560
are you using form based authentication?

is OWA enabled on the actual accounts - in exchange properties of the account
0
 

Author Comment

by:tim_ellert
ID: 20048171
- I am not using forms authentication
- OWA is enabled on the accounts along with activesync, imap etc

perhaps it has something to do with domain servers being more locked down than a normal server, and is a permissions thing...
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20048221
my guess is IIS permissions are not correct for one....Form based is a lot more fun for OWA....https://technet.microsoft.com/en-us/library/bb123832.aspx
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 20048278
Does the error message say Permission Denied Due To ACL ?
0
 

Author Comment

by:tim_ellert
ID: 20048695
after 3 attempts it goes to a white page which says the following:

Error: Access is Denied.

0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 20048716
You will need to show the IIS log file entries generated by a failed attempt to use OWA.  Double-click the most recent file in C:\Windows\System32\LogFiles\W3SVC1, and it will open in Notepad.  Scroll to the bottom, and use the times on the left (they are in GMT) to locate your request for /Exchange .  There should be a 401 near the end of the line.  If there is a group of lines created all around the same time, can you paste all of them?
0
 

Author Comment

by:tim_ellert
ID: 20048945
yep.. will do..

also just out of interest I have now enabled forms authentication so I get the pretty logon screen and I still have the same issue. Admins can log on, users can't!

will go check the logs now....
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 20048976
Could be because your users don't have the required Read And Execute rights on ASP.DLL .
0
 

Author Comment

by:tim_ellert
ID: 20049036
2007-10-10 14:36:54 W3SVC1 217.174.250.223 GET /exchange/ - 443 stuart.fuller 81.137.251.198 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+Media+Center+PC+5.0;+.NET+CLR+3.0.04506;+.NET+CLR+1.1.4322) ASPSESSIONIDQCSBTDAQ=LEBHKBHCMPOAKAMEAJLLMKLG;+sessionid=ca54f3b8-30eb-49ee-baf9-65350ddffb41;+cadata="0Q2bmOaTKsLXmA8KOGYobU4E6a3VEZ8D5EArTm87N4PrMMGkGwzjXhIiG3MTnQxiqTNOyM9IFq1U=" https://mail.e-homeautomation.com/exchweb/bin/auth/owalogon.asp?url=https://mail.e-homeautomation.com/exchange/&reason=0 401 5 343 959 0


2007-10-10 14:36:54 W3SVC1 217.174.250.223 GET /exchweb/bin/auth/owalogon.asp url=https://mail.e-homeautomation.com/exchange/&reason=2 443 - 81.137.251.198 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+Media+Center+PC+5.0;+.NET+CLR+3.0.04506;+.NET+CLR+1.1.4322) ASPSESSIONIDQCSBTDAQ=LEBHKBHCMPOAKAMEAJLLMKLG https://mail.e-homeautomation.com/exchweb/bin/auth/owalogon.asp?url=https://mail.e-homeautomation.com/exchange/&reason=0 200 0 14312 900 15


2007-10-10 14:37:07 W3SVC1 217.174.250.223 POST /exchweb/bin/auth/owaauth.dll - 443 - 81.137.251.198 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+Media+Center+PC+5.0;+.NET+CLR+3.0.04506;+.NET+CLR+1.1.4322) ASPSESSIONIDQCSBTDAQ=LEBHKBHCMPOAKAMEAJLLMKLG https://mail.e-homeautomation.com/exchweb/bin/auth/owalogon.asp?url=https://mail.e-homeautomation.com/exchange/&reason=2 302 0 401 1081 0


2007-10-10 14:37:07 W3SVC1 217.174.250.223 GET /exchange/ - 443 ehome/stuart.fuller 81.137.251.198 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+Media+Center+PC+5.0;+.NET+CLR+3.0.04506;+.NET+CLR+1.1.4322) ASPSESSIONIDQCSBTDAQ=LEBHKBHCMPOAKAMEAJLLMKLG;+sessionid=1f911c9c-abb6-4708-8a19-26ca602bb37d;+cadata="0QvfVb2T32ovPQWEI+3yR/w6u5H6zWDST1ymfrPkAJsdcq7dJchiwEUhPEQaFqCIylcCBHbeANSasOLbDmK0LZg==" https://mail.e-homeautomation.com/exchweb/bin/auth/owalogon.asp?url=https://mail.e-homeautomation.com/exchange/&reason=2 401 5 343 971 0


2007-10-10 14:37:07 W3SVC1 217.174.250.223 GET /exchweb/bin/auth/owalogon.asp url=https://mail.e-homeautomation.com/exchange/&reason=2 443 - 81.137.251.198 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+Media+Center+PC+5.0;+.NET+CLR+3.0.04506;+.NET+CLR+1.1.4322) ASPSESSIONIDQCSBTDAQ=LEBHKBHCMPOAKAMEAJLLMKLG https://mail.e-homeautomation.com/exchweb/bin/auth/owalogon.asp?url=https://mail.e-homeautomation.com/exchange/&reason=2 200 0 14312 900 15
0
 

Author Comment

by:tim_ellert
ID: 20049127
how would i check the asp.dll permissions?
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 20049142
The problem seems to be that every time you send a GET request to /Exchange, the server sends a 401;5 response, even when you're logged in (I assume that ehome is the correct domain name).

If you look at the properties of your Default Web Site (Custom Errors tab) 401;5 is described as 'Authorisation failed by ISAPI/CGI app'.  Which I think means that something else is interfering with the logon.  You don't have SharePoint installed, or anything else that interacts deeply with IIS.
0
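The by-eye check described in the comments above (a 401 on /exchange that persists once a username is attached to the request), as an added example that is not part of the original thread. It reads column names from the log's `#Fields:` directive; the sample log, user names and addresses are constructed, and the sub-status descriptions other than 401.5 are the standard IIS meanings rather than text from this page.

```python
from collections import Counter

# IIS 401 sub-status meanings (the 401.5 wording is the one quoted in the thread).
SUBSTATUS = {
    "1": "logon failed",
    "2": "logon failed due to server configuration",
    "3": "unauthorized due to ACL on resource",
    "4": "authorization failed by filter",
    "5": "authorization failed by ISAPI/CGI app",
}

# Constructed sample log (not the lines posted in the thread).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus
2007-10-10 14:36:54 GET /exchange/ - 192.0.2.10 401 2
2007-10-10 14:37:07 POST /exchweb/bin/auth/owaauth.dll - 192.0.2.10 302 0
2007-10-10 14:37:07 GET /exchange/ EXAMPLE\\user1 192.0.2.10 401 5
2007-10-10 14:39:30 GET /exchange/ EXAMPLE\\admin1 192.0.2.11 200 0
2007-10-10 14:41:02 GET /exchange/ EXAMPLE\\user1 192.0.2.10 401 5
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def denied_after_auth(text, prefix="/exchange"):
    """Return 401s under `prefix` where the request already carried a username."""
    hits = []
    for row in parse_w3c(text):
        if (row["sc-status"] == "401" and row["cs-username"] != "-"
                and row["cs-uri-stem"].lower().startswith(prefix)):
            code = row.get("sc-substatus", "?")
            hits.append((row["cs-username"], "401." + code, SUBSTATUS.get(code, "unknown")))
    return hits

def summarize(text):
    """Count post-authentication denials per (user, status) pair."""
    return Counter((user, status) for user, status, _ in denied_after_auth(text))

if __name__ == "__main__":
    for (user, status), n in summarize(SAMPLE_LOG).items():
        print(f"{user}: {n} x {status}")
```

The anonymous 401 at the start of a session is the normal challenge and is ignored; only denials that carry a username are reported.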
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 20049153
Search for the file named asp.dll in Explorer, right-click it, and check the NTFS permissions.
0
 

Author Comment

by:tim_ellert
ID: 20049179
I am assuming that "ehome" must be the correct domain or else the admin account would not be able to log in.

what permissions should be set for asp.dll
0
 

Author Comment

by:tim_ellert
ID: 20049198
i have nothing else on the box except exchange 2003 and windows 2003 (as domain controller)
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 20049205
The FBA page and the Logoff pages are both .asp files, which are interpreted by ASP.DLL .  This means that your users need to have at least Read And Execute rights on it.
0
 

Author Comment

by:tim_ellert
ID: 20049222
tried giving asp.dll everyone permission to read and read & execute and still no change
0
 

Author Comment

by:tim_ellert
ID: 20049226
authenticated users have read and read & execute permissions on it
0
 
LVL 31

Accepted Solution

by:
LeeDerbyshire earned 2000 total points
ID: 20049344
Do all your users have SMTP address in the same domain as the Administrator?  OWA can only handle mailboxes having email addresses in the primary Default Recipient Policy domain.
0
 

Author Comment

by:tim_ellert
ID: 20049368
yes everyone has an SMTP address of  name@e-homeautomation.com
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 20049443
Does it make any difference if you temporarily make one of the users an Administrator?
0
 

Author Comment

by:tim_ellert
ID: 20049454
fixed it!

it was the issue of the SMTP of the user did not match the one in the primary Default Recipient Policy domain.

this support article also helped
http://support.microsoft.com/kb/293386

cheers all! :)
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 20049475
Ah, right.  I expect the Administrator had one more email address that other users did not, in addition to @e-homeautomation.com .
0

Question has a verified solution.
