Solved

OWA 403 Forbidden (12202) after logon screen.

Posted on 2009-04-07
20
3,240 Views
Last Modified: 2012-05-06
I have been trying to publish OWA. We have a single Exchange 2007 server, running on Server2003, behind an ISA firewall, also on a 2003 server, which is behind a Cisco 857 ADSL router.
The OWA site works perfectly if I browse to it from the ISA server using the internal address. If I try to use the external site though, I get the logon page, but when I enter my username and password I get a "Page cannot be displayed" message with the following technical information: "Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)"
If I try to log on using incorrect credentials though, I get the proper message telling me that the credentials were incorrect, which suggests that somewhere along the line the credentials are being properly verified, but why can't I get to the actual application?
I've tried different authentication methods and fiddled with the internal and external URLs, but everything I do gets the same problem.
I've also tried to publish Outlook Anywhere but that isn't working either. It asks me for credentials when I open Outlook, and again, if I type incorrect ones it doesn't accept them, but if I type correct ones it just sits there for a while saying 'trying to connect to exchange', before going back to 'Disconnected'.
I've been searching the web, wracking my brain, and running round in circles for days on this, please can someone help!
0
Question by:silent_waters
20 Comments
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24092473
Can you give some detail on your OWA publishing rule please? Describe all the tabs etc, and also tell me what happens when you use the test rule button?
0
 

Author Comment

by:silent_waters
ID: 24092674
Firewall Rule:
"To" tab: Published site name contains the URL I use to access the site internally: https://<server>.<domain>.local/owa. Requests come from client is selected.
"Public Name" tab: name is the external URL: webmail.<domain>.co.uk
"Authentication Delegation" tab: Set to Basic Authentication
"Application Settings" tab: Using customized HTML forms, form set directory is 'Exchange'
"Users" tab: Requests allowed from All Users
Web Listener:
"Networks" tab: External selected, with the specific IP address assigned for this selected.
"Certificates" tab: Our UCC Certificate is selected which has the internal and external domain names on.
"Authentication" tab: Set to HTML Form authentication, with Windows (Active directory). Under advanced: Require all users to authenticate is selected, and our local domain is entered at the bottom.
Let me know if there is anything else you want, I've tried to include all the important bits but I might have missed something.
Where is the test rule button? I can't find it.
0
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24095306
Did you create this rule using the Publish Exchange Web access wizard?

OK, here's what to do.

From: Anywhere
To: Change the published site name to just the hostname of the OWA Server
Traffic: HTTPS selected and no other options checked
Listener: You have to uncheck Require all users to authenticate, and you can also remove the domain name from the field
Public Name: no change
Paths: <same as internal> and /public/*, /exchweb/*, /Exchange/*
Bridging: Redirect to SSL port 443
Users: All Authenticated Users
Auth delegation: fine
Application: fine

Apply changes and test.

As for Test rule button, you will see it at the bottom of the rule properties dialogue.
0
 

Author Comment

by:silent_waters
ID: 24095791
That's even worse, now it doesn't even get as far as the logon page, it just goes straight to the 403 error without ever asking for credentials.
0
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24095920
Did you re-configure your Exchange IIS Virtual folders for ISA? Did you use the ISA wizard or follow any guides from technet?

http://www.msexchange.org/tutorials/Publishing-Exchange-2007-OWA-ISA-Server-2006.html
http://technet.microsoft.com/en-us/library/bb794751.aspx

Error 403 usually means access/permission issues, make sure you don't have IP restrictions in place on the OWA HTTP virtual folders and follow the guides above for help.

Good luck!
0
 

Author Comment

by:silent_waters
ID: 24096054
I have already been through those two sites! I found them through google. The first one is the one that I used to set everything up initially, although I've obviously been changing things since because it didn't work.
There are no IP or domain restrictions on the properties of the OWA folder, and it is configured properly, and with the correct certificate.
0
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24096219
When you access OWA internally, do you see a password pop-up, FBA page or does it take you directly to the OWA folder?
0
 

Author Comment

by:silent_waters
ID: 24096246
Password prompt pops up in a little dialog box. (I'm not using forms based auth on the exchange server, if that is what you are wondering!)
0
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24096328
I assume you are using https internally as well. Anyway did you test the rule from ISA?

Also, in the "To" tab, can you disable the option to "forward the original host header" and select the option that the request appears to come from ISA?
0
 

Author Comment

by:silent_waters
ID: 24096430
Yes, using HTTPS everywhere.
I still can't find that test rule button. Maybe I'm being incredibly stupid, but I can't find it on any of the tabs on the properties page.
Made those changes, same error message.
0
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24097089
That can only mean one thing then. You don't have the service packs installed in your ISA. Delete the OWA rules and listener, install Windows updates and ALL ISA updates and follow the technet guide to set up your OWA.
0
 

Author Comment

by:silent_waters
ID: 24108508
Ok, pretty stupid of me to not fully patch the server, but anyhow, it is done now, and I've deleted and recreated the rules and listeners and I get exactly the same problem. I do have a test rule button now though, and the rule passes the tests.
0
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24111811
OK, now you can use the logging tab under Monitoring to help with the troubleshooting :-)

Can you try publishing the OWA site using a standard web publishing rule? This will rule out any errors in ISA's FBA. Can you also give some details on your publishing rules and listeners?
0
 

Author Comment

by:silent_waters
ID: 24192311
Sorry for the delay, I've been off for a few days.
How do I use monitoring? I've had a look under the tabs, but there are no errors logged.
I published the site using a standard web publishing rule, with all the same settings as the exchange publishing rule, except I used basic auth everywhere. I did exactly the same thing.
I don't know if this will help, but I also tried removing the ISA server completely temporarily, and connecting the Exchange server directly to the Cisco. I was able to get the password prompt, but after typing in my details I got a long delay and then a 408 timeout error. If I type incorrect credentials it returns to the prompt though, so again it is obviously able to verify the credentials, just not to serve up the pages.
Argh!
0
 

Author Comment

by:silent_waters
ID: 24192320
End of third paragraph should read 'IT did exactly the same thing.'
0
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24192387
Perhaps it's time to reset your Exchange virtual directories - http://support.microsoft.com/kb/883380
0
 

Author Comment

by:silent_waters
ID: 24192616
Will this work ok with Exchange 2k7? The article is for 2k3
0
 
LVL 14

Assisted Solution

by:Raj-GT
Raj-GT earned 500 total points
ID: 24192772
D'oh! Please use the following guide to remove/recreate Virtual Directories in Exchange 2007 - http://technet.microsoft.com/en-us/library/bb124811.aspx
0
 

Author Comment

by:silent_waters
ID: 24196206
Created a new virtual directory, same problem. Works perfectly internally, but I only get a password prompt externally.
I think I'm going to have to bite the bullet and shell out for a support incident from MS.
0
 

Accepted Solution

by:silent_waters
silent_waters earned 0 total points
ID: 24430462
Logged this with MS, and they sorted it out with a patch of some description.
0
