Ultramarathonman
asked on
OWA and iPhone not working on Exchange 2007
I just completed my transition to Exchange 2007 this morning and decommissioned Exchange 2003. Everything seems to be working fine except I can't get iPhone users to connect and OWA doesn't work. They both worked on Exchange 2003.
ASKER
Here are some additional details. From an outside computer trying to reach http://mail.domainname.com/exchange I get 403-Forbidden: Access is denied. I am never prompted for credentials. Same thing when I try http://mail.domainname.com/owa. Same thing when I try https with both owa and exchange.
Internally I try 172.25.X.X/exchange and I get the same 403 error. If I use https I get "There is a problem with this website's security certificate". If I click continue to this website (not recommended) I am prompted for credentials. When I put in my credentials it takes me back to the certificate error. If I again choose continue I get a 404-File or directory not found with the certificate error still showing on the status bar.
I do not have a certificate server or one purchased from any authority. I hope you have enough information here to start with. Thanks.
You need to change the certificate to start with.
The self generated certificate that is supplied with Exchange is not supported for Exchange ActiveSync, which is how the iPhone will connect.
My blog posting here goes into what is required to change the certificate.
http://www.sembee.co.uk/archive/2008/05/30/78.aspx
The access denied would tend to indicate that restrictions are on the IIS server in some way, or you are pointing the firewall at the wrong server. Check both of those.
You did install the CAS role on the server? In IIS manager you can see the Exchange virtual directories?
-M
Do you have an ISA server? The external 403 could come from there. It would help if you could find the relevant IIS log entries - in IIS there are 20 subcodes (i.e. different reasons) for 403.
ASKER
I do not have an ISA server. I use a Sonicwall firewall.
Okay. Can you find the IIS log entries (from your OWA server) generated when you try to use OWA?
ASKER
Where are those log entries? I don't find anything related with a time stamp of when I attempt to make the connection.
Usually in C:\Windows\System32\LogFiles\W3SVC1. Note that the times are in GMT.
ASKER
Oh, this is on Windows Server 2008 by the way.
I think you'll find them in C:\Inetpub\logs\logfiles.
ASKER
I don't see anything in the files related
Can you see lines containing GET and /owa? If not, look at the properties of the Default Web Site, and make sure that logging is enabled. Then look at the properties of owa, and make sure that Log Visits is checked. Note that the times in these files are in GMT.
ASKER
Those log file entries show a 403.4 response, which just means that SSL is required, and you should be using https://. No mystery there. Can you see any entries where the port number is 443 (i.e. https), not 80? If not, then maybe your Default Web Site is not actually configured to listen on port 443?
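Added example, not part of the original thread: a small parser that does the log check described above, counting OWA requests by port and status.substatus and reporting whether any request reached port 443. The log lines, IP addresses and host name are constructed sample data, and the hints cover only the two substatus readings given in this thread.

```python
from collections import Counter

# Constructed sample in IIS W3C extended format (times are GMT, as noted in the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-06-01 14:02:11 172.25.0.10 GET /owa - 80 - 203.0.113.7 Mozilla/4.0 403 4 5
2008-06-01 14:02:30 172.25.0.10 GET /exchange - 80 - 203.0.113.7 Mozilla/4.0 403 4 5
2008-06-01 14:05:02 172.25.0.10 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/ 443 - 172.25.0.55 Mozilla/4.0 404 3 50
2008-06-01 14:06:40 172.25.0.10 GET /iisstart.htm - 80 - 172.25.0.55 Mozilla/4.0 200 0 0
"""

# Only the readings given in this thread; other codes are reported without a hint.
HINTS = {
    "403.4": "SSL required: use https://",
    "404.3": "check that the ASP.NET extension is set to Allowed in IIS",
}

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order varies per site
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):      # skip truncated lines
                yield dict(zip(fields, parts))

def summarize(text, prefixes=("/owa", "/exchange")):
    """Return ([(port, 'status.substatus', count, hint)], https_seen)."""
    counts = Counter()
    for row in parse_w3c(text):
        if row["cs-uri-stem"].lower().startswith(prefixes):
            code = f'{row["sc-status"]}.{row["sc-substatus"]}'
            counts[(int(row["s-port"]), code)] += 1
    report = [(port, code, n, HINTS.get(code, ""))
              for (port, code), n in sorted(counts.items())]
    https_seen = any(port == 443 for port, _ in counts)
    return report, https_seen

if __name__ == "__main__":
    report, https_seen = summarize(SAMPLE_LOG)
    for port, code, n, hint in report:
        print(f"port {port}  {code}  x{n}  {hint}")
    if not https_seen:
        print("No OWA requests on port 443: check the site binding and the firewall rule.")
```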
ASKER
I do see that owa is set to both 80 and 443. From the server, if I click on the 443 application for owa it tries to open it locally. I have added the errors that I get from that to the attached log plus the 443 errors from the log file.
log.txt
When you try to open the FBA logon page, you are getting a 404.3 error, which makes me think that the server is not configured to handle ASP.Net (the FBA logon page is an .aspx page). You can either turn FBA off for a quick fix, or make sure that the ASP.Net extension is set to Allowed in IIS.
ASKER
Turning off FBA didn't fix it. Another bit of info. When I first tried to get this working, it told me ASP.net wasn't installed on the server. I added ASP.net and its accompanying components. Maybe I need to start from scratch. Would that be easier? Not the server but just OWA and iPhone support. What would be the best way to accomplish that?
ASKER CERTIFIED SOLUTION
ASKER
I have attached a screenshot of the get-owavirtualdirectory output. It references 2000/2003 stuff which doesn't exist anymore. Could that be the problem? OWA does say 2007 though.
getowa.doc
The 2000/2003 VDirs are normal. They are there for legacy applications.
ASKER
Ok, so I will just try the remove and then new?
Yes, it might help. Read the get-help carefully - some parameters require a colon, while others don't.
ASKER
Ok, I did that successfully. When I (internally) go to servername.domainname/owa I get a 4.03 Forbidden. Access is denied. I am not prompted for credentials.
Are you using https:// in your URL?
ASKER
Have another look at your IIS log file, and see if the external https requests are reaching the server.
ASKER
Ok, once I cleared the cache on the external machine and tried it again, it is prompting me and working now externally using HTTPS://. It is also still working inside. I will try an iPhone now. Not sure if they are related at all but maybe something we did will have it working now as well.
ASKER
iPhones are working too. Thanks for the help.
However you have provided very little information to work with. No indication in what way they don't work, whether it works internally, whether it has worked at all.
You need to provide more information on the configuration and what is actually happening.
-M