jfsheaco

How to prevent Integrated Windows Authentication on Exchange virtual directory from getting unchecked after reboot

I am using Forms Based Authentication and Thawte SSL on a front-end Exchange server that is in domain1. We have other backend Exchange servers in different domains. When we use Exchange ActiveSync from our smartphones, it works with users whose accounts exist in domain1, but not for users in other domains, who get a 0x85010014 error.

After going through the information in the other threads regarding the error, the best solution that worked was enabling 'Integrated Windows Authentication' on the /Exchange virtual directory for the front-end and backend servers. However, we saw that IWA gets unchecked every time any of the Exchange servers gets rebooted - I believe this is a function of the DS2MB process.

What can be done so that IWA gets permanently checked even after an Exchange server reboot?
ASKER CERTIFIED SOLUTION
LeeDerbyshire
This solution is only available to members.
jfsheaco

ASKER

Okay, I will proceed with trying KB817379 again. What's unclear is do I perform this on the front-end only, front-end and back-end, or back-end only?
Hmm.  In theory, if you have a FE/BE setup, you should never need to do this, since FBA and SSL only usually get enabled on the FE.  Is there any chance you enabled FBA, or required SSL on one of your BE servers?
No, I have definitely confirmed that we do not have FBA or SSL enabled on any of our backend servers.
So, you should be able to select both Integrated and Basic Authentication on the BE without it being changed by the DS2MB process.  Is that not the case for your BE servers?  Remember that you must do this in Exchange System Manager, not IIS manager.
Yes, I can definitely check this on the BE servers, but not the front-end.
So, when you have checked both Basic and Integrated for the problem BE in Exchange System Manager, does it get properly propagated to IIS Manager on the same BE server?
I set up a secondary front-end server just to compare a new clean install with my current setup. I confirmed that with the FE-BE setup, all you definitely need to do is set up the IA on the BE server and it doesn't really need to be checked on the FE server. What threw me off was that the 'Exchange-Activesync' virtual directory had 'Require SSL' checked and I believe only the Exchange virtual directory should have SSL checked. It is working now for all users in the different domains.
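
The drift discussed in this thread (Integrated Windows Authentication dropping off /Exchange after a reboot, 'Require SSL' set on the ActiveSync directory) can be caught by decoding the IIS metabase `AuthFlags` and `AccessSSLFlags` values after each restart. The following is an added example, not code from the thread or from Microsoft; the expected state and the sample values are assumptions constructed from the settings the thread describes for a back-end server.

```python
# Bit values of the IIS 6 metabase properties AuthFlags and AccessSSLFlags.
AUTH_BITS = {0x1: "Anonymous", 0x2: "Basic", 0x4: "Integrated", 0x10: "Digest"}
SSL_REQUIRE = 0x8  # AccessSSL bit: the "Require SSL" checkbox

def decode_auth(flags):
    """Return the authentication methods enabled in an AuthFlags value."""
    return {name for bit, name in AUTH_BITS.items() if flags & bit}

def audit(observed, expected):
    """Compare observed {vdir: (AuthFlags, AccessSSLFlags)} with the expected state."""
    findings = []
    for vdir, want in expected.items():
        if vdir not in observed:
            findings.append(f"{vdir}: virtual directory not found")
            continue
        auth_flags, ssl_flags = observed[vdir]
        missing = want["auth"] - decode_auth(auth_flags)
        if missing:
            findings.append(f"{vdir}: missing {', '.join(sorted(missing))}")
        require_ssl = bool(ssl_flags & SSL_REQUIRE)
        if require_ssl != want["require_ssl"]:
            state = "on" if require_ssl else "off"
            wanted = "on" if want["require_ssl"] else "off"
            findings.append(f"{vdir}: Require SSL is {state}, expected {wanted}")
    return findings

# Assumed expected state for a back-end server, taken from the thread:
# Basic + Integrated on /Exchange, no Require SSL on the back end.
# Directory names are the ones used in the thread.
EXPECTED_BE = {
    "Exchange": {"auth": {"Basic", "Integrated"}, "require_ssl": False},
    "Exchange-Activesync": {"auth": set(), "require_ssl": False},
}

# Constructed sample values, as they might be read from the metabase after a reboot.
SAMPLE_AFTER_REBOOT = {
    "Exchange": (0x2, 0x0),               # Basic only: Integrated was cleared
    "Exchange-Activesync": (0x6, 0x108),  # Require SSL (+128-bit) is set
}

if __name__ == "__main__":
    for line in audit(SAMPLE_AFTER_REBOOT, EXPECTED_BE):
        print(line)
```

The flag values themselves can be read on the server with the IIS 6 `adsutil.vbs` admin script and fed into `audit()`.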