mcminc


440 Login Timeout, Exchange 2007 OWA Forms Authentication

I am trying to implement OWA on Windows Server 2003 with Exchange 2007, accessible from the web. In order to do this I was informed I needed to enable forms authentication. Whether or not this is entirely true, I would still rather enable forms authentication.

I have purchased a Commercial Certificate and used the common name mail.mbnlaw.com. I enabled Outlook Anywhere and used the external host name of mail.mbnlaw.com. Under OWA properties the internal address is set to https://exchange.mbnlaw.mbnlaw.com/owa . The external address is set to https://mail.mbnlaw.com .

Authentication under OWA properties is set to Integrated Windows Authentication in both IIS and Exchange Management Console.

The firewall (WatchGuard) has port 443 opened for this server.

The domain mail.mbnlaw.com resolves to the correct public IP address when doing an nslookup. (The public IP address of the Exchange server.)

Now, when I try to open https://exchange.mbnlaw.mbnlaw.com/owa it immediately gives the error: 440 Login Timeout.

I have reset the passwords, to match, for the IUSR_EXCHANGE and IWAM_EXCHANGE accounts and ran a script to sync these accounts on the Active Directory with IIS. I did an iisreset afterwards as well.

I am still getting the 440 Login Timeout error.

My question is, what steps do I need to take to publish OWA 2007 to the web using a third-party firewall? If it is easier and if I am close to completing the above task, what else could I try to resolve the 440 Login Timeout error? I don't mean to pose two questions, but they are both related and I am giving you experts the option of picking the easiest route to getting OWA working on the web.
coolsport00

In the EMC, you need to check Forms-based auth; in IIS, you need to check Basic Authentication only (if Anonymous is checked in IIS, uncheck it). This article will give you detailed info on configuring forms-based auth for your OWA:
http://technet.microsoft.com/en-us/library/bb123719(EXCHG.80).aspx

Regards.
~coolsport00
Also... according to a couple of other articles, it may be an IUSR pwd/permission issue. See this other EE post, specifically what you may potentially (but hopefully not) have to do:
https://www.experts-exchange.com/questions/22571511/owa-not-working-in-exchange-2007-440-Login-Timeout.html
mcminc

ASKER

Thanks for the reply.

I had run across the MS KB article earlier, but since you posted, I have reset the authentication for IIS back to Basic Authentication. It is still giving the 440 Login Timeout error.

I had already tried resetting the passwords for the IUSR_EXCHANGE and IWAM_EXCHANGE AD accounts and went through the procedure of resetting it in IIS after which I ran iisreset. This did not work the first time so I tried it one more time just to make sure I performed all the steps correctly. This has not corrected the issue.

I have also tried disabling FBA and doing another iisreset, then re-enabling FBA and performing another iisreset. The 440 Login Timeout error still occurs.

I am afraid that I may need to perform the removal of IIS and reinstallation.
If you've performed everything documented in those posts, unfortunately that is the next step....
mcminc

ASKER

I went ahead and manually created the registry values for the cookie timeouts as the MS KB suggests. Just so you know, the only thing the first MS KB you posted goes over is setting the cookie timeouts and the three different types of forms-based authentication. It doesn't mention anything about enabling FBA or any of the IIS settings for this to work. However, enabling FBA in OWA 2007 isn't a complicated task provided everything works as it should.

FYI, the original guy that set up the PDC and Exchange no longer works for the company and I have a feeling this is something he has been stumped on for a while. There is no telling what I am going to have to do to correct this. Luckily you guys can lead me in the right direction.

I will remove and reinstall IIS this afternoon and reply back with the results.

Thanks again for the help.
You are correct...my apologies...here is the article for that: http://technet.microsoft.com/en-us/library/aa998867(EXCHG.80).aspx

Ahh...so, you got the left-overs, did you? Nice. I've been at my org for 2+ yrs and still dealing with those kinds of things. :)
mcminc

ASKER

Well I removed IIS and reinstalled it. During the EMS commands I needed to run to restore OWA Virtual Directories, I ran into the following error:

"Domain Controller 'mbn1.mbnlaw.mbnlaw.com' Operating System Version is 5.0 (2195) Service Pack 4. The minimum version required is 5.2 (3790) Service Pack 1."

Yes, the PDC is Server 2000 and so is the BDC! I may have to install another Server 2003 box just to repair the Virtual Directories. Do you have any suggestions for this besides installing another Server 2003 box? The PDC running 2K may be the root to the whole problem here.
Oh my!!! Well, from what I've seen, you can install it, but there are some caveats. Here are a few articles that describe exactly what the prereq's are:
http://www.msexchange.org/tutorials/Installing-Exchange-2007-Part1.html
http://msexchangeteam.com/archive/2007/07/30/446579.aspx
http://technet.microsoft.com/en-us/library/aa996719.aspx

If this is your GC, then no, you can't do it. Reconcile what you have in your environment with the articles listed here and let me know...
mcminc

ASKER

Ok, the 2K server has been demoted and now the PDC and BDC are both Win2k3 boxes. I was able to run the last commands on the KB article that had me remove IIS and the Exchange Client Access role. The first command has you remove the virtual directories. The last four commands had me recreate the virtual directories minus one, the OWA (Default Web Site) directory.

When I opened the EMC afterwards, the OWA virtual directory came up with an inconsistency error and it told me to remove it. Now for the life of me I can't figure out the syntax to add it back. I need it to be Exchange 2007 compatible only so I can set the internal and external URLs different.

Plus now every time I open the EMC I get a warning:

"OAB Virtual Directory "oab (Default Web Site)" exists in the Active Directory, but not the IIS metabase. Please recreate the oab virtual directory."

I am about to recreate the oab Virtual Directory in Active Sync.
mcminc

ASKER

The last sentence is wrong. I actually need to know how to recreate the OAB virtual directory in the OAB Distribution.
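
The syntax asked about above for recreating the Exchange 2007 OWA virtual directory, combined with the forms-based authentication setting from coolsport00's first reply, as Exchange Management Shell commands. This is an added example, not part of the thread; the `/owa` suffix on the external URL is an assumption, since the thread gives only the host.

```powershell
# Added example: run in the Exchange Management Shell on the Client Access server.
# Names and URLs are the ones quoted in this thread unless marked otherwise.
$vdirName = 'owa'
$webSite  = 'Default Web Site'
$identity = "$vdirName ($webSite)"
$internal = 'https://exchange.mbnlaw.mbnlaw.com/owa'
$external = 'https://mail.mbnlaw.com/owa'   # assumption: thread lists the host only

# 1. Recreate the Exchange 2007 OWA virtual directory only if it is missing.
$vdir = Get-OwaVirtualDirectory | Where-Object { $_.Name -eq $identity }
if (-not $vdir) {
    New-OwaVirtualDirectory -OwaVersion Exchange2007 -Name $vdirName -WebSiteName $webSite
}

# 2. Set distinct internal/external URLs and turn on forms-based authentication.
Set-OwaVirtualDirectory -Identity $identity `
    -InternalUrl $internal -ExternalUrl $external -FormsAuthentication $true

# 3. Read the settings back and flag the combinations discussed in the thread.
$vdir = Get-OwaVirtualDirectory -Identity $identity
$problems = @()
if (-not $vdir.FormsAuthentication) { $problems += 'Forms-based authentication is off' }
if ($vdir.WindowsAuthentication)    { $problems += 'Integrated Windows Authentication is still on' }
if (-not $vdir.BasicAuthentication) { $problems += 'Basic authentication is off' }
foreach ($url in $vdir.InternalUrl, $vdir.ExternalUrl) {
    # Basic/forms credentials must only travel over TLS.
    if ($url -and $url.Scheme -ne 'https') { $problems += "URL is not HTTPS: $url" }
}

$vdir | Format-List Name, OwaVersion, InternalUrl, ExternalUrl, *Authentication
if ($problems.Count -eq 0) {
    'OWA virtual directory matches the forms-based configuration.'
} else {
    $problems | ForEach-Object { "CHECK: $_" }
}

# 4. Restart IIS so the authentication change takes effect.
iisreset /noforce
```

The Anonymous access checkbox mentioned in the first reply is not covered by this check and still has to be verified in IIS Manager.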
mcminc

ASKER

Ok, I just removed the Exchange Client Access role again and re-added it and bam, everything is working now!
AWESOME!!! Great to hear that. :)
geez... I'm stuck in this problem as well...
440 Login Timeout
as can be seen from https://www.experts-exchange.com/questions/24261543/OWA-2007-Failed-440-Login-Timeout.html?anchorAnswerId=23975418#a23975418

any idea would be greatly appreciated.