403.4 error IIS6 and Exchange 2003
I have an Exchange 2003 front end server, OS Windows 2003, IIS6 at a remote location. I was attempting to enable SSL and http to https redirect. Somewhere in the process I messed up, so I removed everything, uninstalled Exchange and IIS, and rebooted. I reinstalled IIS, then Exchange. Now when I go to http://localhost behavior is as expected, but when I go to http://localhost/exchange, I get the 403.4 SSL required error. There is no cert installed and SSL is not enabled. Is there something in the registry that I missed? An OS reinstall is not an option. If I right click the Exchange virtual directory and select browse in IIS Manager, the same thing happens.
Add an SSL certificate to it, then disable "require SSL" in the directory security tab.
ASKER
Thanks, I'll give it a try when I get home, but require ssl is currently not selected in the directory security tab.
If that doesn't do it, then I would be resetting the virtual directories - but I would have expected an uninstall/reinstall to do that just as well...
ASKER
Installed cert, enabled SSL on Exchange directory and public. Result: http://localhost/exchange 403.4 error.
https://localhost/exchange you get the FBA login that I enabled. Enter username and password and then I get a 403.4 error again. I remove require SSL, now http://localhost/exchange gives the pre-FBA login box, I log in and get the 403.4 error again.
Can you paste the IIS Log File entries generated when you try to use OWA? Double-click the latest file in C:\Windows\System32\LogFiles\W3SVC1, and it will open in Notepad. Scroll down until you can see your latest GET request for /Exchange, and show us the lines created (you will see the numbers 403 4 near the end of the line/s). Note that the times in the log file are in GMT.
ASKER
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-10-12 05:57:25
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2007-10-12 05:57:25 W3SVC1 127.0.0.1 GET /Exchange - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 403 4 5
2007-10-12 05:58:27 W3SVC1 127.0.0.1 GET /Exchange - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 401 2 2148074254
2007-10-12 05:58:41 W3SVC1 127.0.0.1 GET /Exchange - 80 elau 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 403 0 0
2007-10-12 06:00:17 W3SVC1 127.0.0.1 GET /Exchange - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 403 4 5
2007-10-12 06:00:46 W3SVC1 127.0.0.1 GET /exchange - 443 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 401 2 2148074254
2007-10-12 06:00:46 W3SVC1 127.0.0.1 GET /exchweb/bin/auth/owalogon.asp url=https://localhost/exchange&reason=0 443 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 200 0 0
2007-10-12 06:00:54 W3SVC1 127.0.0.1 POST /exchweb/bin/auth/owaauth.dll - 443 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 200 0 0
2007-10-12 06:00:54 W3SVC1 127.0.0.1 GET /exchange - 443 elau 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 403 0 0
2007-10-12 06:01:12 W3SVC1 127.0.0.1 GET /exchweb/bin/auth/owalogon.asp url=https://localhost/exchange&reason=0 443 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 200 0 0
2007-10-12 06:02:24 W3SVC1 127.0.0.1 GET /Exchange - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 403 4 5
2007-10-12 06:04:30 W3SVC1 127.0.0.1 GET /Exchange - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 401 2 2148074254
2007-10-12 06:05:26 W3SVC1 127.0.0.1 GET /Exchange - 80 elau 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 403 0 0
Thanks. When you ask for /Exchange on port 80 (http) it returns a 403;4. We have established that this means that SSL is required. If you are 100% certain that the 'Require SSL' checkbox is not enabled on your 'Exchange' Virtual Directory in IIS Manager, then something really strange is happening. I've certainly not heard of it before.
When you go to https://server/exchange, you are seeing the FBA logon page, but the error you get after that is slightly different - 403;0. The problem with that is, if you look at the Custom Errors tab in IIS Manager, it isn't even listed, so we can't find out what causes it.
You might try deleting the Exchange VDir altogether, and use this to re-create it (I think method 3 is easiest):
http://support.microsoft.com/kb/883380
ASKER
Followed step 3, this gets the same result. Disabled FBA, still getting 403.4.
I've been supporting Exchange for years and have never seen anything like this either. They don't have an OS disk at the remote site, I may have to VPN it to them and just do a reinstall.
I don't think you're getting a 403;4. If you look at the last few lines you pasted earlier (without FBA enabled):
2007-10-12 06:04:30 W3SVC1 127.0.0.1 GET /Exchange - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 401 2 2148074254
2007-10-12 06:05:26 W3SVC1 127.0.0.1 GET /Exchange - 80 elau 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 403 0 0
It looks like you get a 403;0. This isn't supposed to exist, which makes it very hard to troubleshoot. This is so puzzling that I've emailed the Exchange MVP mailing list about it. Hopefully someone from MS will chip in with an answer.
ASKER
That is very interesting. http://localhost/Exchange gives you this:
Please try the following:
Type https:// at the beginning of the address you are attempting to reach and press ENTER.
HTTP Error 403.4 - Forbidden: SSL is required to view this resource.
Logs show this:
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-10-13 02:21:57
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2007-10-13 02:21:57 W3SVC1 127.0.0.1 GET /Exchange - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 401 2 2148074254
2007-10-13 02:22:04 W3SVC1 127.0.0.1 GET /Exchange - 80 elau 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 403 0 0
2007-10-13 02:22:23 W3SVC1 127.0.0.1 GET /Exchange - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 401 2 2148074254
2007-10-13 02:22:31 W3SVC1 127.0.0.1 GET /Exchange - 80 elau 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 403 0 0
What happens if you do type https://localhost/exchange ?
One suggestion I have received is that you make sure in your AD account details that OWA is enabled. I think that you would probably receive a more helpful message if it was not, but it may be worth checking.
ASKER
Typing https://localhost/exchange gives this page cannot be displayed\page unavailable; this is with the cert uninstalled. With the cert installed we get: Type https:// at the beginning of the address you are attempting to reach and press ENTER.
HTTP Error 403.4 - Forbidden: SSL is required to view this resource.
Internet Information Services (IIS)
Version: 1.0
#Date: 2007-10-13 03:25:24
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2007-10-13 03:25:24 W3SVC1 127.0.0.1 GET /exchange - 443 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 401 2 2148074254
2007-10-13 03:27:53 W3SVC1 127.0.0.1 GET /exchange - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 401 2 2148074254
2007-10-13 03:28:00 W3SVC1 127.0.0.1 GET /exchange - 80 elau 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 403 0 0
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-10-13 03:29:44
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2007-10-13 03:29:44 W3SVC1 127.0.0.1 GET /exchange - 443 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 401 2 2148074254
2007-10-13 03:29:53 W3SVC1 127.0.0.1 GET /exchange - 443 elau 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 403 0 0
ASKER
Yes, Outlook Web Access is enabled on my account.
I thought it would be, but since somebody suggested it, I thought I'd pass it on. I've had some contact with the Exchange dev team, and even they think the 403;0 log entries look strange. We'll have to hope that they come back with something.
ASKER
I guess we have no choice, will reinstall the OS.
ASKER
Well, I did a reinstall of the OS, installed Exchange 2003, set as a front end server. When going to http://newmachine/exchange, it still says https is required. This leads me to believe that there may never have been an issue with this server. Issue must be with the original backend server, which is currently housing Exchange and serving as an OWA server.
What if you go to http://backend/exchange?
You don't have SSL required on the backend server, do you?
ASKER
SSL is required on the back end. The customer did not have a front end server before now.
http://backend/exchange gives the 403.4 error.
ASKER CERTIFIED SOLUTION
ASKER
Thanks Lee, I must have enabled it when I did my initial security audit.