Solved

OWA gets HTTP Error 403 - Forbidden <Help>

Posted on 2008-11-18
Last Modified: 2012-05-05
Hi, I have a weird situation. I had to shut down my server (2003 R2 Standard) over the weekend to change a faulty APC.  Now my OWA is spitting out HTTP/1.1 403 Forbidden errors.

I checked the website for any solutions. I saw some...but it's not helping much??

I was following a post: http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Microsoft_IIS/Q_22869027.html?sfQueryTermInfo=1+owa

asked me to: LeeDerbyshire:
Can you have a look at your IIS logs to get the subcode for that 403?  There are several different types of 403 error.  The simplest being that you should have typed https instead of http to access the content.  If you can paste the IIS log lines containing the 403 error, it might shed some light on the problem.

If you want to rebuild the OWA VDirs, delete them first, then try this:
http://support.microsoft.com/kb/883380
Method 3 is easiest, I think.

I was looking in the metabase.xml -- looking for this part:
<IIsConfigObject Location="/LM/DS2MB/HighWaterMarks/{79F81D41-A652-4375-85F0-41A16037CC85}">
<Custom
Name="UnknownName_61472"
ID="61472"
Value="207778"
Type="STRING"
UserType="IIS_MD_UT_SERVER"
Attributes="NO_ATTRIBUTES"
/>

I don't see it in my metabase.xml file.  There are "61472" entries, but in the <IIsConfigObject Location="/LM/DS2MB/HighWaterMarks/{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}"> these numbers are different, and I don't want to change the value to "0" if it isn't the same.

I've checked other forums, and their solutions didn't help much.

I tried restarting IIS, Exchange services....no answers there.....

Please help.......
Question by:tehmole
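
The log check that LeeDerbyshire's quoted reply asks for, as an added example that is not part of the original thread: it reads IIS W3C extended log lines and tallies 403 responses by URL and substatus. The log lines are constructed, and the code assumes sc-substatus is among the logged fields.

```python
from collections import Counter

# Subset of the IIS 6.0 substatus codes for HTTP 403.
SUBSTATUS_403 = {
    1: "Execute access forbidden", 2: "Read access forbidden",
    3: "Write access forbidden", 4: "SSL required",
    5: "SSL 128 required", 6: "IP address rejected",
    7: "Client certificate required", 8: "Site access denied",
    12: "Mapper denied access", 14: "Directory listing denied",
    16: "Client certificate untrusted or invalid",
    18: "Cannot execute request from this application pool",
}

def parse_w3c(lines):
    """Yield one dict per request, keyed by the most recent #Fields header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or damaged lines
                yield dict(zip(fields, values))

def summarize_403(lines):
    """Count 403 responses per (lower-cased URI stem, substatus)."""
    hits = Counter()
    for rec in parse_w3c(lines):
        if rec.get("sc-status") == "403":
            hits[(rec.get("cs-uri-stem", "-").lower(), rec.get("sc-substatus", "-"))] += 1
    return hits

def describe(sub):
    """Turn a logged substatus string into a readable reason."""
    if not sub.isdigit():
        return "substatus not logged"
    return SUBSTATUS_403.get(int(sub), "not in this table")

# Constructed sample log, not taken from the poster's server.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-11-17 14:02:11 192.0.2.10 GET /exchange - 80 - 192.0.2.50 Mozilla/4.0 401 2 2148074254
2008-11-17 14:02:15 192.0.2.10 GET /exchange - 80 jdoe 192.0.2.50 Mozilla/4.0 403 4 5
2008-11-17 14:02:20 192.0.2.10 GET /Exchange - 80 jdoe 192.0.2.50 Mozilla/4.0 403 4 5
2008-11-17 14:03:01 192.0.2.10 GET /exchweb/img/logo.gif - 80 - 192.0.2.50 Mozilla/4.0 403 1 5"""

if __name__ == "__main__":
    for (uri, sub), n in sorted(summarize_403(SAMPLE_LOG.splitlines()).items()):
        print(f"{n:3d}  {uri}  403.{sub}  {describe(sub)}")
```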
30 Comments
 
LVL 7

Expert Comment

by:cmarandi
ID: 22988474
Looks like your securities got messed up...

Match your OWA to this:


IIS / Server / Web Sites
Right click the virtuals and go to properties
Directory Security tab
Authentication & Access Control
Edit

These should be the ONLY things marked...

Default Permissions :


Default Web Site  -  Anonymous
Exadmin           -  Integrated
Exchange          -  Basic/integrated
Exchweb           -  Anonymous
Bin               -  Basic/integrated
Auth              -  Basic/integrated
Usa               -  Basic/integrated
Active Sync       -  Basic
Oma               -  Basic
Public            -  Basic/integrated

- Uncheck the Enable client certificate mapping from all Exchange virtual directories
Steps:
IIS manager => expand Web Sites => Rt. Click on Default Web Site => go to Properties => go to Directory security tab => go to the Edit option in Secure communication => and uncheck Enable client certificate mapping

- Uncheck the Enable the Windows directory service mapper from the Web Site properties
Steps:
IIS manager => rt. Click on Web Sites & go to Properties => go to Directory security tab => uncheck the option for Enable the Windows directory service mapper

- Restarted the IISAdmin service
0
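
An added example, not part of cmarandi's comment: it compares the authentication methods recorded in a copy of metabase.xml with the top-level rows of the table above, following inheritance for directories that set no AuthFlags of their own. The AuthFlags token names, the /LM/W3SVC/1/ROOT path and the sample XML are assumptions or constructed values.

```python
import xml.etree.ElementTree as ET

# Assumption: metabase.xml writes AuthFlags as "|"-separated flag names.
NAMES = {"AuthAnonymous": "Anonymous", "AuthBasic": "Basic", "AuthNTLM": "Integrated"}
SITE_ROOT = "/LM/W3SVC/1/ROOT"  # assumption: the Default Web Site is site 1
# Top-level rows of the table above ("" is the Default Web Site root).
BASELINE = {"": {"Anonymous"}, "Exadmin": {"Integrated"}, "Exchweb": {"Anonymous"},
            "Exchange": {"Basic", "Integrated"}, "Public": {"Basic", "Integrated"},
            "OMA": {"Basic"}}

def load_auth_flags(xml_text):
    """Map upper-cased Location -> AuthFlags tokens for every node that sets them."""
    flags = {}
    for el in ET.fromstring(xml_text).iter():
        loc, raw = el.get("Location"), el.get("AuthFlags")
        if loc and raw is not None:
            flags[loc.upper()] = {t.strip() for t in raw.split("|") if t.strip()}
    return flags

def effective(flags, location):
    """A node without its own AuthFlags inherits from the nearest ancestor."""
    path = location.upper()
    while path and path not in flags:
        path = path.rpartition("/")[0]
    return flags.get(path, set())

def audit(xml_text, baseline=BASELINE):
    """Return {vdir: actual methods} for every entry that differs from the baseline."""
    flags = load_auth_flags(xml_text)
    findings = {}
    for vdir, expected in baseline.items():
        loc = SITE_ROOT + ("/" + vdir if vdir else "")
        actual = {NAMES.get(t, t) for t in effective(flags, loc)}
        if actual != expected:
            findings[vdir or "(site root)"] = sorted(actual)
    return findings

# Constructed sample, not taken from the poster's server; OMA sets no AuthFlags.
SAMPLE = """<configuration><MBProperty>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" AuthFlags="AuthAnonymous"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/Exadmin" AuthFlags="AuthNTLM"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/Exchange" AuthFlags="AuthAnonymous | AuthBasic | AuthNTLM"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/Exchweb" AuthFlags="AuthAnonymous"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/Public" AuthFlags="AuthBasic | AuthNTLM"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/OMA"/>
</MBProperty></configuration>"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it against a copy of metabase.xml rather than the live file; it only reads attributes and changes nothing.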
 

Author Comment

by:tehmole
ID: 22988599
Thank you for the fast reply cmarandi, I checked everything you just wrote...and still have the HTTP/1.1 403 Forbidden error.
0
 

Author Comment

by:tehmole
ID: 22988610
If someone changed the password for the IUSR_DC2 account...would that affect it???
0

 
LVL 7

Expert Comment

by:cmarandi
ID: 22988688
wow.
Yeah I think it would.
Why would someone change the password on a system account?
How would you know what the default password was?

Anyway, on the server itself, can you access owa?  
maybe using https://localhost/exchange
If that's what your url is... but use localhost instead of the domain

0
 
LVL 7

Expert Comment

by:cmarandi
ID: 22988696
The other thing is to check your DNS... it may be possible that your system's entry in the DNS got purged over the weekend because you were offline for 3 days.
0
 

Author Comment

by:tehmole
ID: 22988730
The person that set this up...I don't know what the default password for that account is.  But I remember him saying that it was changed to something??????? Can I reset it?  This Exchange server isn't on SSL.....will have to implement that in the near future....

But when I type http://localhost/exchange - it asks me for the username/password...once I type that in....it goes to the HTTP/1.1 403 Forbidden page......
0
 

Author Comment

by:tehmole
ID: 22988825
checked the DNS server, it's working .. no errors....
0
 
LVL 7

Expert Comment

by:cmarandi
ID: 22988880
in the dns, do you see the server listed?

let's try http://ip/exchange

meaning instead of domain name try to use the ip address.
0
 

Author Comment

by:tehmole
ID: 22988960
Yes, the server is listed....I tried both IP and domain name...

Can't access OWA from the outside either....
0
 

Author Comment

by:tehmole
ID: 22988984
I tried restarting the IIS server to put back the IUSR_XX account into AD....

and placed anonymous access for default web site and exchweb....

still no luck...

The only thing I didn't try is rebooting the system...will have to wait till tonight to do so
0
 
LVL 7

Expert Comment

by:cmarandi
ID: 22988989
have you installed owa admin?

0
 

Author Comment

by:tehmole
ID: 22989018
How would I check that???
0
 
LVL 7

Expert Comment

by:cmarandi
ID: 22989063
<START> button
<ALL PROGRAMS>
<MICROSOFT EXCHANGE>

You should see Outlook Web Access Administration.

Just by installing it, it fixes a bunch of issues.

you can get it at

http://www.microsoft.com/downloads/details.aspx?familyid=4BBE7065-A04E-43CA-8220-859212411E10&displaylang=en
0
 
LVL 7

Expert Comment

by:cmarandi
ID: 22989240
Also,
instead of rebooting, try this... from the command line, on the server
type

iisreset
0
 

Author Comment

by:tehmole
ID: 22989607
I installed the OWA web admin...restarted IIS through iisreset...

When I go into https://servername/owaadmin

I get "you are not authorized to view this page".....

Am I doing something wrong???
0
 
LVL 7

Expert Comment

by:cmarandi
ID: 22989619
are you logged in as admin on the server?
0
 
LVL 7

Accepted Solution

by:
cmarandi earned 1500 total points
ID: 22989639
Man.. I really think there are security issues.

Check your OWA security settings like the first response I sent you... I know you mentioned that they are the same, but I'm thinking there are parts that aren't.

On the security stuff, check something and then un-check it to force it to re-apply....
such as give the default website basic authentication and then uncheck it and then apply it.
On some of the virtuals it's gonna ask you to apply to the child also, and pick all the children and let it apply.

Then iisreset again
0
 

Author Comment

by:tehmole
ID: 22989753
I triple checked the security settings......

I unchecked...checked...applied the settings.......iisreset.....still 403
0
 
LVL 7

Expert Comment

by:cmarandi
ID: 22989821
what about the owa admin on the server as domain administrator?
0
 

Author Comment

by:tehmole
ID: 22989962
yes sir...
0
 
LVL 7

Expert Comment

by:cmarandi
ID: 22990074
didn't want to have to lead you to this, but let's reset OWA:

http://support.microsoft.com/default.aspx?kbid=883380

0
 
LVL 7

Expert Comment

by:cmarandi
ID: 22990084
&*^#

you already did that

see if your numbers now match what the article wants.
0
 

Author Comment

by:tehmole
ID: 22990686
I am pulling out my hair with this situation....I was trying this method...but got stuck on this:
In the Find what box, type 61472, and then click Find Next to locate the following area in this file: <IIsConfigObject Location="/LM/DS2MB/HighWaterMarks/{79F81D41-A652-4375-85F0-41A16037CC85}">
<Custom
Name="UnknownName_61472"
ID="61472"
Value="207778"
Type="STRING"
UserType="IIS_MD_UT_SERVER"
Attributes="NO_ATTRIBUTES"
/>
There are multiple "61472" entries...but they don't have the same <IIsConfigObject Location="/LM/DS2MB/HighWaterMarks/{79F81D41-A652-4375-85F0-41A16037CC85}">

Should I still change the values to "0" for those that have Name="UnknownName_61472"?

That's where I'm stuck....
0
 

Author Comment

by:tehmole
ID: 22994534
Good morning to all,

I tried to reboot the server last night, hoping it would kick back to normal shape. Nope, didn't work.. still spits out the HTTP 1.1 403 Forbidden error......

I've looked through a lot of forums and tech sheets, none seem to work....can someone please help.......urgent....thank you
0
 

Author Comment

by:tehmole
ID: 22994809
Update: I got OWAAdmin to start up, I changed ASP.NET to version 2.0 on the OWAAdmin/bin

I was looking through the tabs, can't really see anything I can tweak to resolve my situation....
0
 

Author Comment

by:tehmole
ID: 22994965
Update: I think I got it to work again. Here's what I did: I took out the IUSER account, restarted IIS to generate that account again....unchecked all the default security permissions, double checked with another server running OWA to see if it matches up.....restarted IIS and BAM it's working...but then there's a problem...always a problem....all the icons are messed up...see the attached file....

Snap1.jpg
0
 

Author Comment

by:tehmole
ID: 22995342
We're shaking and moving now....I got the icons back by changing the security on exchweb from IUSER_xx with Integrated Windows authentication......

Now when I log off...it says access denied.... did I mess something up????
0
 

Author Comment

by:tehmole
ID: 23005540
Seems to be resolved in some way...still have some weird problems....I'll give cmarandi the points for helping out....
0
 

Author Closing Comment

by:tehmole
ID: 31517999
Thank you for your help.....learned some good stuff.....thanks again
0
 
LVL 7

Expert Comment

by:cmarandi
ID: 23005868
Sorry I didn't respond... I was out of the office yesterday... I'm glad you got it to work.  I learned something too about the IUSER Id's..
Thanks for the points.
0
