Solved

Internet clients not able to access OWA

Posted on 2008-06-12
Last Modified: 2010-04-21
The login screen just keeps reposting.  
Question by:jpipkins
 
LVL 6

Expert Comment

by:Nyah247
ID: 21772356
Are you using FBA?  Can people access it externally?  Have you added all your internal IP sets to direct access under Configuration > Networks > Internal > (right click) properties > Web browser > "Directly access these servers or domains"?  You should also have your internal domains added to the domains tab.
 
LVL 6

Expert Comment

by:Nyah247
ID: 21772412
Usually when I have seen this, the problem is either permission related on the IIS directories on the Exchange server or with the authentication setup going through ISA.  Here are some good references:

Publishing OWA with ISA
http://www.microsoft.com/technet/isa/2004/plan/owapublishing.mspx
http://www.isaserver.org/tutorials/2004owafba.html

Fix OWA
http://www.petri.co.il/fixing_a_damaged_or_incorrectly_configured_owa_2003_installation.htm
 
LVL 7

Author Comment

by:jpipkins
ID: 21772421
yes, using FBA.

I can access the OWA login screen, but it now just goes to an Error Code 64: Host not available.  This morning it would just repost the login screen.

Very simple internal network: single domain, single internal IP set.  Everything is as you suggest.
 
LVL 6

Expert Comment

by:Nyah247
ID: 21772509
Any errors on Exchange?  Is IIS started on the Exchange box?  What about your AppPools?  Any failed?  If you cannot get to it internally...you should be bypassing for internal...then your problem is probably with OWA.  Might want to take a peek at the ISA logs as well.
 
LVL 11

Expert Comment

by:EricTViking
ID: 21773650
Make sure FBA is enabled only on the ISA server and not on the Exchange server.

Also check permissions in IIS for your Exchange, OWA and Public virtual directories - make sure their authentication methods are set to only use basic authentication, and anonymous access is not enabled for them.
 
LVL 7

Author Comment

by:jpipkins
ID: 21774010
Exchange error: MTA service not started (wasn't started by default, so I never set it up to start)

I can log on internally (from the server).

Eric: this is an SBS2003 server, where ISA and Exchange are on the same box.  

I get the login screen, but when I enter my credentials, I get Error Code 64: Host not available.
 
LVL 11

Expert Comment

by:EricTViking
ID: 21774048
You can enable FBA in ISA2004 and in Exchange2003 - should be enabled only in ISA2004 - even if both on the same box as in SBS ;-)

It's worth firing up ISA2004 management and starting off a logging query under the monitoring section. Try hitting OWA externally and see what shows up in the logs (if anything).
 
LVL 7

Author Comment

by:jpipkins
ID: 21809711
First, sorry about the delay...I've been out of town.

Ok, I've gotten it to where I can log on externally, except it doesn't use the normal OWA logon screen which I guess is the FBA from within Exchange.  Instead I get a pop-up logon box.   I turned FBA off in the http protocol properties under the server.  Is that right?  How do I turn FBA on in ISA so that I get the OWA logon screen?
 
LVL 11

Expert Comment

by:EricTViking
ID: 21810973
Sounds like you're winning now :-)

You can enable FBA in the properties of the OWA Web Listener in ISA server.  This can be found within the properties of the OWA publishing rule.

Here's a good article for you (scroll down about half way) - http://www.isaserver.org/tutorials/Enabling-ISA-Firewall-Forms-based-Authentication-FBA-OWA-Connections-Internal-External-Clients-Part2.html
 
LVL 7

Author Comment

by:jpipkins
ID: 21812670
That's the article I was using last night.  I used the CEICW wizard to publish the mail server and modified the SBS Web listener to match his settings and did get it to work, but only when I used https in the URL.  It wouldn't forward the http to https, so I kept working on it.  Of course, now it won't work at all.  I get an OWA logon screen, and after I log in, I get a 500 error page.  The real scary part is that when I try to reset and start over using the CEICW, the firewall fails to complete the configuration step.

Internally, if I go to http://servername/exchange, it works fine but no logon.  If I go to http://mail.domain.com/exchange, it forwards to https and I get a popup login screen that won't authenticate when I enter credentials (bounces back to me three times, then I get an Access Denied page).

Now I really don't know what the hell's going on.
 
LVL 11

Expert Comment

by:EricTViking
ID: 21812777
The usual problem with OWA is that you have Exchange Server, Internet Information Services and ISA Server to configure to get it to work. All three have to be correctly setup and it's easy to end up going round in circles making changes.

I would start from Exchange: make sure Exchange is set up correctly, i.e. make sure FBA is disabled in Exchange.

Then go through IIS and make sure you have the virtual directory permissions set correctly. Also make sure the correct cert is installed on the IIS default website (or whichever you have OWA setup in). There's a good chance your system is a bit fubar after running wizards and tweaking - this kb might help to get you back to a solid IIS baseline - http://support.microsoft.com/kb/883380.   Also this one has worked for me in the past - http://support.microsoft.com/kb/320202 - sometimes with OWA the configuration is actually correct but things are just plain buggered and a fresh start is what's required.

Finally work on ISA server making one change at a time and noting what you do. There are so many settings that can be changed it is best to be methodical.
 
LVL 7

Author Comment

by:jpipkins
ID: 21818085
IT WORKS...almost.  I can access the site remotely and everything works great except for one little detail: previously typing mail.domain.com/exchange would bring up http://mail.domain.com/exchange which would forward to https://mail.domain.com/exchange.  Now, http://mail.domain.com/exchange gets a "Website cannot be displayed" error page.  Any ideas?
 
LVL 11

Expert Comment

by:EricTViking
ID: 21820025
Check the settings for the OWA rule in ISA server to make sure you have the correct domain name (FQDN).  

The FQDN mail.domain.com must resolve internally to the IP address of your Exchange server too.

What happens if you try mail.domain.com/OWA BTW?
 
LVL 7

Author Comment

by:jpipkins
ID: 21821950
OWA rule Public Name is correct.  The To in the rule points to the internal FQDN that it created (publishing.domain.local) which resolves to the same ip as mail.domain.com.

Internal mail.domain.com resolves to my internal ip address of server.

I think you're on to something on the OWA site access, something's not right for sure.  Some results:

Internally:
http://servername/exchange - straight into OWA, no logon required.
http://mail.domain.com/exchange - Get the popup logon dialog (no FBA), but won't authenticate, access denied page.
https://mail.domain.com/exchange - Get the popup logon dialog (no FBA), but won't authenticate, access denied page.
http://mail.domain.com/owa - Page cannot be found.
https://mail.domain.com/owa - Get the OWA login form, get 404 page after authentication.

Externally:
http://mail.domain.com/exchange - IE Cannot display the page.
https://mail.domain.com/exchange - Works perfectly, OWA login, authenticates, everything.
http://mail.domain.com/owa - Page cannot be found.
https://mail.domain.com/owa - 403 Page-Server denied the URL.


Eric, thank you so much for your help!
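The URL matrix jpipkins posted above can be reproduced without a browser, which makes the internal and external results directly comparable and shows which kind of logon each URL is actually offering (an HTTP 401 challenge is what produces the popup dialog, a redirect to a logon form is what produces the OWA form). This is an added example written for this page, not something either poster ran. It assumes PowerShell 2.0 or later is available where it runs, that mail.domain.com and servername are placeholders for the real names, and that ISA's forms logon is served through CookieAuth.dll (that last detection is an assumption; the Exchange 2003 logon page owalogon.asp is the stock one). No credentials are sent, so every 401 is the first challenge.

```powershell
# Added example (not from the thread): issue one unauthenticated GET per URL
# and report what a browser would have shown for it.
# Assumptions: PowerShell 2.0+, placeholder host names, CookieAuth.dll = ISA
# forms logon. Run it once from inside and once from outside and compare.

$urls = @(
    'http://servername/exchange',
    'http://mail.domain.com/exchange',
    'https://mail.domain.com/exchange',
    'http://mail.domain.com/owa',
    'https://mail.domain.com/owa'
)

function Get-OwaProbe {
    param([string]$Url)

    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method            = 'GET'
    $req.AllowAutoRedirect = $false   # we want to see the 302 itself, not follow it
    $req.Timeout           = 10000
    $req.UserAgent         = 'owa-probe'

    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx/5xx arrive here with a Response attached; connection failures,
        # timeouts and certificate (TrustFailure) errors arrive without one.
        $resp = $_.Exception.Response
        if ($resp -eq $null) {
            return New-Object PSObject -Property @{
                Url      = $Url
                Status   = $_.Exception.Status
                Location = ''
                Verdict  = 'no HTTP response (browser shows "cannot display the page")'
            }
        }
    }

    $status = [int]$resp.StatusCode
    $www    = $resp.Headers['WWW-Authenticate']
    $loc    = $resp.Headers['Location']
    $resp.Close()

    $isRedirect = ($status -eq 301 -or $status -eq 302)

    if ($status -eq 401 -and $www) {
        $verdict = "popup logon dialog ($www): IIS challenged directly, no forms logon"
    } elseif ($isRedirect -and $loc -match 'owalogon\.asp') {
        $verdict = 'Exchange FBA form: FBA is still enabled on the Exchange HTTP virtual server'
    } elseif ($isRedirect -and $loc -match 'CookieAuth\.dll') {
        # Assumption: ISA serves its forms logon through CookieAuth.dll
        $verdict = 'ISA forms logon: the web listener handled this request'
    } elseif ($isRedirect -and $loc -like 'https://*') {
        $verdict = "HTTP to HTTPS redirect ($loc)"
    } elseif ($status -eq 200) {
        $verdict = 'served with no challenge at all: anonymous access is enabled on that path'
    } else {
        $verdict = "HTTP $status"
    }

    New-Object PSObject -Property @{ Url = $Url; Status = $status; Location = $loc; Verdict = $verdict }
}

$urls | ForEach-Object { Get-OwaProbe $_ } | Format-Table -AutoSize Url, Status, Verdict
```

A TrustFailure on the https URLs is itself a finding (wrong or untrusted certificate on the listener or the IIS site); do not work around it by disabling certificate validation in the probe, fix the certificate instead.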
 
LVL 11

Accepted Solution

by:
EricTViking earned 500 total points
ID: 21822111
This is where it gets confusing ;-)

Internally you are hitting the internal NIC of the ISA server which will bypass the web listener on the external NIC. So you won't get FBA internally.

Externally you are hitting the ISA server external NIC which gets picked up by the web listener - this applies FBA for you.

An added complication can be that Internet Explorer, when used internally, may have the ISA server down as 'local intranet', which will make it authenticate slightly differently than when used externally.

Regarding authentication it would be worth double checking the authentication methods on the Exchange & OWA virtual dirs in IIS. Make sure OWA uses the same authentication settings as Exchange.

Externally everything is working really - https://mail.domain.com/exchange gets you in so I would go with that.

You can then tweak the settings to get the same URL working internally and your users will have continuity of naming convention. Could almost be a whole new question ;-)
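The IIS check EricTViking asks for in two of his comments (Basic only, no Anonymous, on the Exchange, OWA and Public virtual directories, with the same settings on each) can be read straight out of the IIS 6 metabase instead of clicking through each vdir. The script below is an added example written for this page, not code from either poster. It assumes PowerShell 2.0 or later is installed on the SBS 2003 box, that the default web site has metabase ID 1, that the vdir names are the stock Exchange 2003 ones (Exchange, Public, Exchweb), and that it runs as a local administrator so the IIS ADSI provider can be read.

```powershell
# Added example (not from the thread): read AuthFlags and AccessSSLFlags for
# the OWA virtual directories from the IIS 6 metabase via ADSI and flag any
# setting that does not match "Basic only, no Anonymous", which is what ISA
# FBA with credential delegation to IIS expects.
# Assumptions: PowerShell 2.0+, default web site = metabase ID 1, stock
# Exchange 2003 vdir names, run as local administrator.

$siteId = 1
$vdirs  = 'Exchange', 'Public', 'Exchweb'   # add 'OWA' if you created that vdir

# IIS 6 metabase AuthFlags bit values
$AuthAnonymous = 1
$AuthBasic     = 2
$AuthNTLM      = 4
$AuthMD5       = 16
$AuthPassport  = 64
# IIS 6 metabase AccessSSLFlags bit value for "Require secure channel (SSL)"
$AccessSSL     = 8

function Test-OwaVdirAuth {
    param([string]$Name)

    $entry = [ADSI]"IIS://localhost/W3SVC/$siteId/ROOT/$Name"
    try {
        $auth = [int]$entry.Properties['AuthFlags'].Value
        $ssl  = [int]$entry.Properties['AccessSSLFlags'].Value
    } catch {
        return New-Object PSObject -Property @{
            Name = $Name; Exists = $false; Findings = 'virtual directory not found in the metabase'
        }
    }

    $findings = @()
    if ($auth -band $AuthAnonymous) {
        $findings += 'Anonymous enabled: a client that reaches IIS directly never sees a logon'
    }
    if (-not ($auth -band $AuthBasic)) {
        $findings += 'Basic disabled: ISA cannot hand the FBA credentials on to IIS'
    }
    if ($auth -band ($AuthNTLM -bor $AuthMD5 -bor $AuthPassport)) {
        $findings += 'Integrated/Digest/Passport enabled: remove them so only Basic remains'
    }
    if (-not ($ssl -band $AccessSSL)) {
        $findings += 'SSL not required on this vdir: Basic credentials would cross the wire in clear text on any path that does not go through the ISA listener'
    }
    if ($findings.Count -eq 0) { $findings = @('OK') }

    New-Object PSObject -Property @{
        Name       = $Name
        Exists     = $true
        AuthFlags  = $auth
        Anonymous  = [bool]($auth -band $AuthAnonymous)
        Basic      = [bool]($auth -band $AuthBasic)
        Integrated = [bool]($auth -band $AuthNTLM)
        RequireSSL = [bool]($ssl -band $AccessSSL)
        Findings   = ($findings -join '; ')
    }
}

$vdirs | ForEach-Object { Test-OwaVdirAuth $_ } |
    Format-Table -AutoSize Name, Anonymous, Basic, Integrated, RequireSSL, Findings
```

Run it after each change to the IIS side so the three vdirs stay identical; a difference between Exchange and Public is the kind of drift that produces a working /exchange next to a broken /public. The Exchange-side FBA switch lives on the HTTP virtual server in Exchange System Manager, not in the metabase, so that one still has to be checked by hand.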
 
LVL 7

Author Comment

by:jpipkins
ID: 21822203
Thanks, Eric.  I'll get a new question to get the internal OWA sites working properly, but I've got to run and won't be able to do that until tomorrow morning.
 
LVL 7

Author Closing Comment

by:jpipkins
ID: 31466675
Thanks Eric!