Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Logon issues with OWA since I raised the functional level of the Domain to 2003 native.

Posted on 2008-10-29
14
612 Views
Last Modified: 2012-05-05
Prior to raising the functional level OWA worked with users logging in using domain\username. Now the login box prompts the user repeatedly. Users can send and receive messages but are prompted to enter username and password every few seconds. The functional level was at 2000 mixed. I raised it to 2003 native two weeks ago. other items to note: window updates were also applied that day. I also have a reciently installed Go Daddy certificate on the OWA site. What do I have to change to allow owa to authenticate with one prompt?
0
Comment
Question by:DawnMcCreary
  • 6
  • 5
  • 2
  • +1
14 Comments
 
LVL 7

Expert Comment

by:manu4u
ID: 22831012
You should remove "INTEGRATED AUTHENTICATION " 

IIS --> Default website --> Exchange , right click properties , go to directory security and authentication .. there

Then restart the IIS Service or restart the server..

Hope this helps
0
 

Author Comment

by:DawnMcCreary
ID: 22831271
manu4u,
Thanks for your suggestion, however, on the Exchange item Integrated Windows Authentication is not checked. Only Basic authentication is checked. On the Exadmin item only Integrated Windows Authentication is checked. On the Exchange-OMA item both integrated and basic are checked.
I restarted the IIS Service (just in case) and tested OWA. It's still prompting.
0
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 22831286
Rather than simply removing - please inform us about the authentication that the particular directory holds.

FYI

Anonymous - This means that any one can log on without providing any credentials.
Basic - This means that you are supposed to provide credentials (within those pop-ups)
Windows Integrated - This means that Exchange / IIS would pull up the information logged on to windows profile and allow you to log in to "your own mailbox" using windows profile credentials.

That is why it is so important to understand what you do - where you do in IIS.
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 

Author Comment

by:DawnMcCreary
ID: 22831387
We'd like our users to be able to login with their AD credentials and open their own mail box. At times they are logging into OWA from a home or hotel computer and would not be using their company AD credentials to login to the OS. They would have to be prompted for their AD credentials as they browse to OWA then. Exchange Geek, does this answer your question?
0
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 22831645
The reason is simple - you have Windows integrated authentication enabled - this would explain why users who are logged into the domain DO NOT have problems - however when those same users log in from hotels / cafes they are repeatedly being prompted for permission since, they no longer are part of the domain.

To resolve this - please uncheck windows integrated and select only basic for /Exchange virtual directory.

Run iisreset from command prompt and verify the result.

Awaiting your response.

Oh by the way hope i did answer your query.
0
 
LVL 7

Expert Comment

by:manu4u
ID: 22831687
Go addy certificate, is it configured correctly?
0
 

Author Comment

by:DawnMcCreary
ID: 22831798
Exchange Geek,
All users are having trouble logging into OWA. I am testing from inside the network on my regular pc and I am getting these prompts. I assume my go daddy certificate is correctly configured. I followed the directions that go daddy offered and had help from another network admin. I'm not a certificate expert by any means so any information on checking on it's configuration would also be appriciated.  
As I mentioned above, "on the Exchange item Integrated Windows Authentication is not checked. Only Basic authentication is checked."
Thanks for hanging in with me on this. Do you think the issue was created when I raised the functional level of my domain?
0
 
LVL 9

Accepted Solution

by:
BDoellefeld earned 500 total points
ID: 22836253
It is most certainly IIS permissions. I would look a little deeper into the IIS permissions versus just which auth mode. Check this article specifically the section titled "Checking the security permissions in Internet Information Services (IIS)".
http://www.msexchange.org/tutorials/Resetting-OWA-Folder-IIS-security-permissions-Exchange-2003.html  
0
 

Author Closing Comment

by:DawnMcCreary
ID: 31511160
This solution was perfect. Resetting the OWA folders was simple. The link had great instructions and resolved the issue in short order. Thanks BDoellefeld for your very expert help.
0
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 22841775
It seems the issue has been resolved - however do you mind posting what exactly was the resolution and how did you go about fixing it.

It does help EE forum when some one documents the exact steps taken, troubleshooting done and resolved.

thanks.
0
 

Author Comment

by:DawnMcCreary
ID: 22842027
I followed the directions to reset the OWA folders in IIS as described in this link:  http://www.msexchange.org/tutorials/Resetting-OWA-Folder-IIS-security-permissions-Exchange-2003.html.  Here are the exact steps I used. Refer to the link for more details and images:
1.Start IIS on the Exchange server.
2.Backup the metabase just in case. Right-click Default Web Site, click All Tasks, and then click Save Configuration to a File. Type a filename for the file and click OK.
3.Expand Default Web Site, and then delete the following virtual directories:
4.Microsoft-Server-ActiveSync
OMA
Exadmin
Exchange
Public
ExchWeb
5.Close IIS
Start Metabase Explorer. Click Start, All Programs, IIS Resources, and then click Metabase Explorer.
6.Expand the LM key, right-click the DS2MB key, and then click Delete.
7.Close Metabase Explorer.
8.Restart the Microsoft Exchange System Attendant service. This will re-create the virtual directories in IIS.
9.Check the security permissions in Internet Information Services (IIS)
10.Open IIS. Expand the default website. Right Click the Exchange Virtual Directory. Ensure there is a Check next to Basic Authentication, Click OK twice.
11.Right click the ExchWeb Virtual Directory. Ensure there is a Check next to Anonymous access.
12.Check the folder security permissions using windows explorer
13.Right-click the Exchweb folder, and then click Properties. Click the Security tab.
14.Verify that the Authenticated Users group has the following permissions:
Read and execute
List folder contents
Read
15.If the Authenticated Users group is not listed in the Access Control List, click Add to add the Authenticated Users group. Add the correct permissions as listed in step 14.
0
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 22842241
I know that article - since i do recommend that to many people. Question in that is - you still have no clue - which permission got reset - since you never got time to check permissions.

This was exactly what many administrators would like to know. Break-fix is easy and simple however when you perform root-cause-analysis - it gets too tough to simple walk in and remove reinstall stuff.

I am glad that this delete and recreate stuff helped you out.

Congrats.
0
 

Author Comment

by:DawnMcCreary
ID: 22842348
My permissions were set exactly the same before and after the reset. I assume something was corrupted in the virtual directories and therefore needed a reset. OWA was working well before we raised the functional level of the domain so that may have caused a security mismatch, I guess. Who knows, it's microsoft!
0
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 22842490
Hahaha yea thats the best line - who knows what its Microsoft.

0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

MS Outlook is a world-class email client application that is mainly used for e-communication globally.  In this article, we will discuss the basic idea about MS Outlook, its advanced features, and types of MS Outlook File formats.
This article runs through the process of deploying a single EXE application selectively to a group of user.
how to add IIS SMTP to handle application/Scanner relays into office 365.
This video discusses moving either the default database or any database to a new volume.

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question