OWA gets HTTP Error 403 - Forbidden <Help>

Hi, i have a weird situation: i had to shut down my server (2003 R2 Standard) over the weekend to change a faulty APC.  Now my OWA is spitting out HTTP/1.1 403 Forbidden errors.

i checked the website for any solutions, i saw some...but it's not helping much??

i was following a post : http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Microsoft_IIS/Q_22869027.html?sfQueryTermInfo=1+owa

asked me to: LeeDerbyshire:
Can you have a look at your IIS logs to get the subcode for that 403?  There are several different types of 403 error.  The simplest being that you should have typed https instead of http to access the content.  If you can paste the IIS log lines containing the 403 error, it might shed some light on the problem.

If you want to rebuild the OWA VDirs, delete them first, then try this:
http://support.microsoft.com/kb/883380
Method 3 is easiest, I think.

i was looking in the metabase.xml -- looking for this part:
<IIsConfigObject Location="/LM/DS2MB/HighWaterMarks/{79F81D41-A652-4375-85F0-41A16037CC85}">
<Custom
Name="UnknownName_61472"
ID="61472"
Value="207778"
Type="STRING"
UserType="IIS_MD_UT_SERVER"
Attributes="NO_ATTRIBUTES"
/>

i don't see it in my metabase.xml file.  There are "61472" entries, but in the <IIsConfigObject Location="/LM/DS2MB/HighWaterMarks/{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}"> the numbers are different, and i don't want to change the value to "0" if it wasn't the same.

I've checked other forums, and their solutions didn't help much.  

I tried restarting IIS, exchange services....no answers there.....

please help.......
tehmoleAsked:
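
The advice quoted in the question (read the 403 subcode out of the IIS logs) can be scripted. The following is an added example, not part of the original thread: it reads a W3C extended log, follows the `#Fields:` header to locate `sc-status` and `sc-substatus`, and tallies the 403 rows per subcode. The log lines are constructed, and the subcode table is a subset of the IIS 6 list.

```python
from collections import Counter

# Subset of the IIS 6 403 substatus codes and their meanings.
SUBSTATUS_403 = {
    1: "Execute access forbidden", 2: "Read access forbidden",
    3: "Write access forbidden", 4: "SSL required",
    6: "IP address rejected", 7: "Client certificate required",
    8: "Site access denied", 12: "Mapper denied access",
    14: "Directory listing denied", 16: "Client certificate untrusted or invalid",
}

# Constructed sample log (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2008-01-14 09:12:01 GET /exchange - 192.0.2.10 401 2 0
2008-01-14 09:12:05 GET /exchange EXAMPLE\\user1 192.0.2.10 403 4 0
2008-01-14 09:12:09 GET /exchweb/img/logo.gif - 192.0.2.10 403 12 0
2008-01-14 09:13:40 GET /exchange/user1/ EXAMPLE\\user1 192.0.2.10 403 4 0
"""

def find_403s(log_text):
    """Return (uri, substatus) for every 403 row, honouring #Fields headers."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the header can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("sc-status") == "403":
            raw = row.get("sc-substatus", "")  # column is optional in the log setup
            hits.append((row.get("cs-uri-stem", "?"), int(raw) if raw.isdigit() else None))
    return hits

def summarize(hits):
    """Map '403.N' to (count, meaning) for the rows found."""
    counts = Counter(sub for _, sub in hits)
    return {(f"403.{s}" if s is not None else "403.?"):
            (n, SUBSTATUS_403.get(s, "unknown or not logged"))
            for s, n in counts.items()}

if __name__ == "__main__":
    for code, (n, meaning) in sorted(summarize(find_403s(SAMPLE_LOG)).items()):
        print(f"{code:8} x{n}  {meaning}")
```

If `sc-substatus` is not among the logged fields, every row is reported as `403.?`; enable that field in the site's logging properties first.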

cmarandiCommented:
Looks like your securities got messed up...

Match your OWA to this:


IIS / Server / Web Sites
Right click the virtual's and go to properties
Directory Security tab
Authentication & Access Control
Edit

These should be the ONLY things marked...

Default Permissions:

Default Web Site  -  Anonymous
Exadmin           -  Integrated
Exchange          -  Basic/integrated
Exchweb           -  Anonymous
Bin               -  Basic/integrated
Auth              -  Basic/integrated
Usa               -  Basic/integrated
Active Sync       -  Basic
Oma               -  Basic
Public            -  Basic/integrated

-      Uncheck the Enable client certificate mapping from all Exchange virtual directories
Steps:
IIS manager => expand Web Sites => Rt. Click on Default Web Site => go to Properties => go to Directory security tab => go to the Edit option in Secure communication => and uncheck Enable client certificate mapping  

-      Uncheck the Enable the Windows directory service mapper from the Web Site properties
Steps:
IIS manager => rt. Click on Web Sites & go to Properties => go to Directory security tab => uncheck the option for Enable the Windows directory service mapper

-      Restarted the IISAdmin service
0
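
The comparison described in the answer above (each Exchange virtual directory against a known-good authentication list) can also be run offline against a copy of metabase.xml. This is an added example, not part of the original thread: it assumes the IIS 6 layout in which each `IIsWebVirtualDir` element carries an `AuthFlags` attribute such as `AuthBasic | AuthNTLM`, covers only five rows of the table, and uses a constructed fragment as input.

```python
import xml.etree.ElementTree as ET

# Baseline from the answer's table, in metabase flag spellings (assumed mapping:
# Anonymous -> AuthAnonymous, Basic -> AuthBasic, Integrated -> AuthNTLM).
BASELINE = {
    "exadmin":  {"AuthNTLM"},
    "exchange": {"AuthBasic", "AuthNTLM"},
    "exchweb":  {"AuthAnonymous"},
    "public":   {"AuthBasic", "AuthNTLM"},
    "oma":      {"AuthBasic"},
}

# Constructed metabase.xml fragment (not taken from the thread).
SAMPLE = """<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/Exchange" AuthFlags="AuthBasic | AuthNTLM"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/Exchweb" AuthFlags="AuthNTLM"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/Exadmin" AuthFlags="AuthAnonymous | AuthNTLM"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/Public"/>
</MBProperty>
</configuration>"""

def audit(metabase_xml, baseline=BASELINE):
    """Return {vdir: (expected, actual)} for every vdir that deviates."""
    findings, seen = {}, set()
    for el in ET.fromstring(metabase_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "IIsWebVirtualDir":   # ignore the namespace
            continue
        name = el.get("Location", "").rsplit("/", 1)[-1].lower()
        if name not in baseline:
            continue
        seen.add(name)
        raw = el.get("AuthFlags")
        # None: no attribute on this key, so the setting is inherited from the parent
        actual = {f.strip() for f in raw.split("|") if f.strip()} if raw is not None else None
        if actual != baseline[name]:
            findings[name] = (baseline[name], actual)
    for name in baseline.keys() - seen:
        findings[name] = (baseline[name], "missing")
    return findings

if __name__ == "__main__":
    for vdir, (want, got) in sorted(audit(SAMPLE).items()):
        print(f"{vdir:10} expected {sorted(want)}  found {got}")
```

A result of `None` means the directory sets no `AuthFlags` of its own, so the effective value has to be read from the parent key.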
tehmoleAuthor Commented:
thank you for the fast reply cmarandi, i checked everything you just wrote...and still have the  http/1.1 403 forbidden error.
0
tehmoleAuthor Commented:
if someone changed the password for IUSR_DC2 account...would that affect it???
0

cmarandiCommented:
wow.
Yeah I think it would.
Why would someone change the password on a system account?
How would you know what the default password was?

Anyway, on the server itself, can you access owa?  
maybe using https://localhost/exchange
If that's what your url is... but use localhost instead of the domain

0
cmarandiCommented:
The other thing is to check your DNS... it may be possible that your system's entry in the DNS got purged over the weekend because you were offline for 3 days.
0
tehmoleAuthor Commented:
the person that set this up...i don't know what's the default password for that account.  But i remember him saying that it was changed to something??????? can i reset it?  this exchange server isn't on SSL.....will have to implement that in the near future....

but when i type http://localhost/exchange - gives me the username/password...once i type that in....goes to HTTP/1.1 403 Forbidden page......
0
tehmoleAuthor Commented:
checked the DNS server, it's working .. no errors....
0
cmarandiCommented:
in the dns, do you see the server listed?

let's try http://ip/exchange

meaning instead of domain name try to use the ip address.
0
tehmoleAuthor Commented:
yes the server is listed....i tried both ip and domain name...

can't access OWA from the outside also....
0
tehmoleAuthor Commented:
i tried restarting the IIS server to put back IUSR_XX account into AD....

and place anonymous access for default web site and exchweb....

still no luck...

only thing i didn't try is rebooting the system...will have to wait till tonight to do so
0
cmarandiCommented:
have you installed owa admin?

0
tehmoleAuthor Commented:
how would i check that???
0
cmarandiCommented:
<START> button
<ALL PROGRAMS>
<MICROSOFT EXCHANGE>

You should see Outlook Web Access Administration.

Just by installing it, it fixes a bunch of issues.

you can get it at

http://www.microsoft.com/downloads/details.aspx?familyid=4BBE7065-A04E-43CA-8220-859212411E10&displaylang=en
0
cmarandiCommented:
Also,
instead of rebooting, try this... from the command line, on the server
type

iisreset
0
tehmoleAuthor Commented:
i installed the owa web admin...restarted iis through iisreset...

when i go into https://servername/owaadmin

i get you are not authorized to view this page.....

am i doing something wrong???
0
cmarandiCommented:
are you logged in as admin on the server?
0
cmarandiCommented:
man.. i really think there are security issues.

check your owa security settings like the first response I sent you... I know you mentioned that they are the same, but I'm thinking there are parts that aren't.

on the security stuff, check something and then un-check it to force it to re-apply....
such as give the default website basic authentication and then uncheck it and then apply it.
on some of the virtuals it's gonna ask you to apply to the child also, and pick all the child and let it apply.

then iisreset again
0

tehmoleAuthor Commented:
i triple checked the security settings......

i unchecked...checked...apply the settings.......iisreset.....still 403
0
cmarandiCommented:
what about the owa admin on the server as domain administrator?
0
tehmoleAuthor Commented:
yes sir...
0
cmarandiCommented:
didn't want to have to lead you to this, but let's reset OWA:

http://support.microsoft.com/default.aspx?kbid=883380

0
cmarandiCommented:
&*^#

you already did that

see if your numbers now match what the article wants.
0
tehmoleAuthor Commented:
i am pulling out my hair with this situation....i was trying this method...but got stuck on this:
In the Find what box, type 61472, and then click Find Next to locate the following area in this file: <IIsConfigObject Location="/LM/DS2MB/HighWaterMarks/{79F81D41-A652-4375-85F0-41A16037CC85}">
<Custom
Name="UnknownName_61472"
ID="61472"
Value="207778"
Type="STRING"
UserType="IIS_MD_UT_SERVER"
Attributes="NO_ATTRIBUTES"
/>
there are multiple "61472" entries...but they don't have the same <IIsConfigObject Location="/LM/DS2MB/HighWaterMarks/{79F81D41-A652-4375-85F0-41A16037CC85}">

should i still change the values to "0" for those that have Name="UnknownName_61472"?
 
that's where i'm stuck....
0
tehmoleAuthor Commented:
good morning to all,

i tried to reboot the server last night, hopefully it will kick back to the normal shape, nope, didn't work.. still spit out the http 1.1 403 forbidden error......

i've looked through a lot of forums and tech sheets, none seem to work....can someone please help.......urgent....thank you
0
tehmoleAuthor Commented:
update:  i got OWAAdmin to start up, i changed ASP.net to version 2.0 on the OWAAdmin/bin

i was looking through the tabs, can't really see anything i can tweak to resolve my situation....
0
tehmoleAuthor Commented:
update: i think i got it to work again: here's what i did: i took out the IUSER account, restarted IIS to generate that account again....unchecked all the default security permissions, double checked with another server running OWA, to see if it matches up.....restarted IIS and BAM it's working...but then there's a problem...always a problem....all the icons are messed up...see the attached file....

Snap1.jpg
0
tehmoleAuthor Commented:
we're shaking and moving now....i got the icons back by changing the security on exchweb from IUSER_xx with Integrated windows authentication......

now when i logoff...it says access denied.... did i mess something up????
0
tehmoleAuthor Commented:
seems to be resolved in some way...still have some weird problems....i'll give cmarandi the points for helping out....
0
tehmoleAuthor Commented:
thank you for your help.....learned some good stuff.....thanks again
0
cmarandiCommented:
sorry I didn't respond... I was out of the office yesterday... I'm glad you got it to work.  I learned something too about the IUSER Id's..
Thanks for the points.
0