  • Status: Solved
  • Priority: Medium
  • Security: Public

403.4 error IIS6 and Exchange 2003

I have an Exchange 2003 front end server, OS Windows 2003, IIS6 at a remote location. I was attempting to enable SSL and http to https redirect. Somewhere in the process I messed up so I removed everything, uninstalled Exchange, IIS and rebooted. I reinstalled IIS, then Exchange. Now when I go to http://localhost behavior is as expected, but when I go to http://localhost/exchange, I get the 403.4 SSL required error. There is no cert installed and SSL is not enabled. Is there something in the registry that I missed? An OS reinstall is not an option. If I right click the Exchange virtual directory and select browse in IIS manager, the same thing happens.
Asked by: xpedia

redseatechnologies Commented:
Add an SSL certificate to it, then disable "require SSL" in the directory security tab

xpedia (Author) Commented:
Thanks, I'll give it a try when I get home, but Require SSL is currently not selected in the directory security tab.

redseatechnologies Commented:
If that doesn't do it, then I would be resetting the virtual directories - but I would have expected an uninstall/reinstall to do that just as well...
 
xpedia (Author) Commented:
Installed cert, enabled SSL on Exchange directory and public. Result: http://localhost/exchange 403.4 error.
https://localhost/exchange: you get the FBA login that I enabled. Enter username and password and then I get a 403.4 error again. I removed Require SSL, now http://localhost/exchange gives the pre-FBA login box, I log in and get a 403.4 error again.

LeeDerbyshire Commented:
Can you paste the IIS Log File entries generated when you try to use OWA?  Double-click the latest file in C:\Windows\System32\LogFiles\W3SVC1 , and it will open in Notepad.  Scroll down until you can see your latest GET request for /Exchange, and show us the lines created (you will see the numbers 403 4 near the end of the line/s).  Note that the times in the log file are in GMT.

xpedia (Author) Commented:
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-10-12 05:57:25
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2007-10-12 05:57:25 W3SVC1 127.0.0.1 GET /Exchange - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 403 4 5
2007-10-12 05:58:27 W3SVC1 127.0.0.1 GET /Exchange - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 401 2 2148074254
2007-10-12 05:58:41 W3SVC1 127.0.0.1 GET /Exchange - 80 elau 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 403 0 0
2007-10-12 06:00:17 W3SVC1 127.0.0.1 GET /Exchange - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 403 4 5
2007-10-12 06:00:46 W3SVC1 127.0.0.1 GET /exchange - 443 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 401 2 2148074254
2007-10-12 06:00:46 W3SVC1 127.0.0.1 GET /exchweb/bin/auth/owalogon.asp url=https://localhost/exchange&reason=0 443 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 200 0 0
2007-10-12 06:00:54 W3SVC1 127.0.0.1 POST /exchweb/bin/auth/owaauth.dll - 443 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 200 0 0
2007-10-12 06:00:54 W3SVC1 127.0.0.1 GET /exchange - 443 elau 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 403 0 0
2007-10-12 06:01:12 W3SVC1 127.0.0.1 GET /exchweb/bin/auth/owalogon.asp url=https://localhost/exchange&reason=0 443 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 200 0 0
2007-10-12 06:02:24 W3SVC1 127.0.0.1 GET /Exchange - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 403 4 5
2007-10-12 06:04:30 W3SVC1 127.0.0.1 GET /Exchange - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 401 2 2148074254
2007-10-12 06:05:26 W3SVC1 127.0.0.1 GET /Exchange - 80 elau 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 403 0 0

LeeDerbyshire Commented:
Thanks.  When you ask for /Exchange on port 80 (http) it returns a 403;4.  We have established that this means that SSL is required.  If you are 100% certain that the 'Require SSL' checkbox is not enabled on your 'Exchange' Virtual Directory in IIS Manager, then something really strange is happening.  I've certainly not heard of it before.

When you go to https://server/exchange , you are seeing the FBA logon page, but the error you get after that is slightly different - 403;0 .  The problem with that is, if you look at the Custom Errors tab in IIS Manager, it isn't even listed, so we can't find out what causes it.

You might try deleting the Exchange VDir altogether, and use this to re-create it (I think method 3 is easiest):
http://support.microsoft.com/kb/883380
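
Reading the log the way the reply above does, as an added example (not part of the thread and not Microsoft tooling): a Python script that honours the #Fields header and tallies /Exchange requests by port, anonymous or authenticated, and status.substatus. The sample lines are constructed in the thread's log format with a made-up user name; the 401.2 wording and the Win32 code names are taken from IIS 6 and Windows SDK documentation, not from the thread.

```python
from collections import Counter

# Constructed sample in the thread's log format (user agent shortened, user name made up).
SAMPLE_LOG = """\
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2007-10-12 05:57:25 W3SVC1 127.0.0.1 GET /Exchange - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0) 403 4 5
2007-10-12 05:58:27 W3SVC1 127.0.0.1 GET /Exchange - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 2148074254
2007-10-12 05:58:41 W3SVC1 127.0.0.1 GET /Exchange - 80 user1 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0) 403 0 0
2007-10-12 06:00:54 W3SVC1 127.0.0.1 POST /exchweb/bin/auth/owaauth.dll - 443 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2007-10-12 06:00:54 W3SVC1 127.0.0.1 GET /exchange - 443 user1 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0) 403 0 0
"""

# 403.4 is explained in the thread; the 401.2 text is from IIS 6 documentation.
STATUS_NOTES = {("403", "4"): "SSL required",
                ("401", "2"): "logon failed due to server configuration"}
# Win32 codes that appear in the thread's log lines (names from the Windows SDK).
WIN32_NOTES = {5: "ERROR_ACCESS_DENIED", 0x8009030E: "SEC_E_NO_CREDENTIALS"}

def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or damaged lines
                yield dict(zip(fields, values))

def summarize(text, prefix="/exchange"):
    """Count requests under prefix by (port, authenticated, status, substatus, win32)."""
    counts = Counter()
    for r in parse_w3c(text):
        if r["cs-uri-stem"].lower().startswith(prefix):
            counts[(r["s-port"], r["cs-username"] != "-", r["sc-status"],
                    r["sc-substatus"], int(r["sc-win32-status"]))] += 1
    return counts

def report(text):
    """Return one readable line per distinct outcome, sorted by key."""
    lines = []
    for (port, authed, st, sub, w32), n in sorted(summarize(text).items()):
        who = "authenticated" if authed else "anonymous"
        notes = f"{STATUS_NOTES.get((st, sub), '')} {WIN32_NOTES.get(w32, '')}"
        lines.append(f"port {port} {who} {st}.{sub} x{n} {notes}".rstrip())
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

On this sample the anonymous port 80 requests and the authenticated requests end with different substatus codes, which is the distinction the replies draw from the pasted log.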
 
xpedia (Author) Commented:
Followed step 3, this gets the same result. Disabled FBA, still getting 403.4.
I've been supporting Exchange for years and have never seen anything like this either. They don't have an OS disk at the remote site, I may have to VPN it to them and just do a reinstall.

LeeDerbyshire Commented:
I don't think you're getting a 403;4.  If you look at the last few lines you pasted earlier (without FBA enabled):

2007-10-12 06:04:30 W3SVC1 127.0.0.1 GET /Exchange - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 401 2 2148074254

2007-10-12 06:05:26 W3SVC1 127.0.0.1 GET /Exchange - 80 elau 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 403 0 0

It looks like you get a 403;0 .  This isn't supposed to exist, which makes it very hard to troubleshoot.  This is so puzzling that I've emailed the Exchange MVP mailing list about it.  Hopefully someone from MS will chip in with an answer.

xpedia (Author) Commented:
That is very interesting. http://localhost/Exchange gives you this:
Please try the following:

Type https:// at the beginning of the address you are attempting to reach and press ENTER.
HTTP Error 403.4 - Forbidden: SSL is required to view this resource.

Logs show this:
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-10-13 02:21:57
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2007-10-13 02:21:57 W3SVC1 127.0.0.1 GET /Exchange - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 401 2 2148074254
2007-10-13 02:22:04 W3SVC1 127.0.0.1 GET /Exchange - 80 elau 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 403 0 0
2007-10-13 02:22:23 W3SVC1 127.0.0.1 GET /Exchange - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 401 2 2148074254
2007-10-13 02:22:31 W3SVC1 127.0.0.1 GET /Exchange - 80 elau 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 403 0 0


LeeDerbyshire Commented:
What happens if you do type https://localhost/exchange ?

One suggestion I have received is that you make sure in your AD account details that OWA is enabled.  I think that you would probably receive a more helpful message if it was not, but it may be worth checking.

xpedia (Author) Commented:
Typing https://localhost/exchange gives "this page cannot be displayed\page unavailable"; this is with the cert uninstalled. With the cert installed we get: Type https:// at the beginning of the address you are attempting to reach and press ENTER.
HTTP Error 403.4 - Forbidden: SSL is required to view this resource.
Internet Information Services (IIS)
Version: 1.0
#Date: 2007-10-13 03:25:24
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2007-10-13 03:25:24 W3SVC1 127.0.0.1 GET /exchange - 443 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 401 2 2148074254
2007-10-13 03:27:53 W3SVC1 127.0.0.1 GET /exchange - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 401 2 2148074254
2007-10-13 03:28:00 W3SVC1 127.0.0.1 GET /exchange - 80 elau 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 403 0 0
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-10-13 03:29:44
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2007-10-13 03:29:44 W3SVC1 127.0.0.1 GET /exchange - 443 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 401 2 2148074254
2007-10-13 03:29:53 W3SVC1 127.0.0.1 GET /exchange - 443 elau 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 403 0 0

xpedia (Author) Commented:
Yes, Outlook Web Access is enabled on my account.

LeeDerbyshire Commented:
I thought it would be, but since somebody suggested it, I thought I'd pass it on.  I've had some contact with the Exchange dev team, and even they think the 403;0 log entries look strange.  We'll have to hope that they come back with something.

xpedia (Author) Commented:
I guess we have no choice, will reinstall the OS

xpedia (Author) Commented:
Well, I did a reinstall of the OS, installed Exchange 2003, set as a front end server. When going to http://newmachine/exchange, it still says https is required. This leads me to believe that there may never have been an issue with this server. The issue must be with the original backend server, which is currently housing Exchange and serving as an OWA server.

kieran_b Commented:
What if you go to http://backend/exchange?

LeeDerbyshire Commented:
You don't have SSL required on the backend server, do you?

xpedia (Author) Commented:
SSL is required on the back end. The customer did not have a front end server before now.

http://backend/exchange gives the 403.4 error

LeeDerbyshire Commented:
Remove it from the BE server.  The FE can only proxy requests to the BE on port 80, which means that SSL can not be required on the /Exchange VDir on the BE.

xpedia (Author) Commented:
Thanks Lee, I must have enabled it when I did my initial security audit.