silent_waters

OWA 403 Forbidden (12202) after logon screen.

I have been trying to publish OWA. We have a single Exchange 2007 server, running on Server 2003, behind an ISA firewall, also on a 2003 server, which is behind a Cisco 857 ADSL router.
The OWA site works perfectly if I browse to it from the ISA server using the internal address. If I try to use the external site though, I get the log on page, but when I enter my username and password I get a Page cannot be displayed message with the following technical information: "Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)"
If I try to log on using incorrect credentials though, I get the proper message telling me that the credentials were incorrect, which suggests that somewhere along the line the credentials are being properly verified, but why can't I get to the actual application?
I've tried different authentication methods and fiddled with the internal and external URLs, but everything I do gets the same problem.
I've also tried to publish Outlook Anywhere but that isn't working either. It asks me for credentials when I open Outlook, and again, if I type incorrect ones it doesn't accept them, but if I type correct ones it just sits there for a while saying 'trying to connect to exchange', before going back to 'Disconnected'.
I've been searching the web, wracking my brain, and running round in circles for days on this, please can someone help!
Raj-GT

Can you give some detail on your OWA publishing rule please? Describe all the tabs etc, and also tell me what happens when you use the test rule button?
silent_waters

ASKER

Firewall Rule:
"To" tab: Published site name contains the URL I use to access the site internally: https://<server>.<domain>.local/owa. Requests come from client is selected.
"Public Name" tab: name is the external URL: webmail.<domain>.co.uk
"Authentication Delegation" tab: Set to Basic Authentication
"Application Settings" tab: Using customized HTML forms, form set directory is 'Exchange'
"Users" tab: Requests allowed from All Users
Web Listener:
"Networks" tab: External selected, with the specific IP address assigned for this selected.
"Certificates" tab: Our UCC Certificate is selected which has the internal and external domain names on.
"Authentication" tab: Set to HTML Form authentication, with Windows (Active Directory). Under advanced: Require all users to authenticate is selected, and our local domain is entered at the bottom.
Let me know if there is anything else you want, I've tried to include all the important bits but I might have missed something.
Where is the test rule button? I can't find it.
Did you create this rule using the Publish Exchange Web access wizard?

OK, here's what to do.

From: Anywhere
To: Change the published site name to just the hostname of the OWA Server
Traffic: HTTPS selected and no other options checked
Listener: You have to uncheck Require all users to authenticate, and you can also remove the domain name from the field
Public Name: no change
Paths: <same as internal> and /public/*, /exchweb/*, /Exchange/*
Bridging: Redirect to SSL port 443
Users: All Authenticated Users
Auth delegation: fine
Application: fine

Apply changes and test.

As for Test rule button, you will see it at the bottom of the rule properties dialogue.
That's even worse, now it doesn't even get as far as the logon page, it just goes straight to the 403 error without ever asking for credentials.
Did you re-configure your Exchange IIS Virtual folders for ISA? Did you use the ISA wizard or follow any guides from technet?

http://www.msexchange.org/tutorials/Publishing-Exchange-2007-OWA-ISA-Server-2006.html
http://technet.microsoft.com/en-us/library/bb794751.aspx

Error 403 usually means access/permission issues, make sure you don't have IP restrictions in place on the OWA HTTP virtual folders and follow the guides above for help.

Good luck!
I have already been through those two sites! I found them through Google. The first one is the one that I used to set everything up initially, although I've obviously been changing things since because it didn't work.
There are no IP or domain restrictions on the properties of the OWA folder, and it is configured properly, and with the correct certificate.
When you access OWA internally, do you see a password pop-up, FBA page or does it take you directly to the OWA folder?
Password prompt pops up in a little dialog box. (I'm not using forms based auth on the exchange server, if that is what you are wondering!)
I assume you are using https internally as well. Anyway did you test the rule from ISA?

Also, in the "To" tab, can you disable the option to "forward the original host header" and select the option that the request appears to come from ISA?
Yes, using HTTPS everywhere.
I still can't find that test rule button. Maybe I'm being incredibly stupid, but I can't find it on any of the tabs on the properties page.
Made those changes, same error message.
That can only mean one thing then. You don't have the service packs installed in your ISA. Delete the OWA rules and listener, install Windows updates and ALL ISA updates and follow the technet guide to set up your OWA.
Ok, pretty stupid of me to not fully patch the server, but anyhow, it is done now, and I've deleted and recreated the rules and listeners and I get exactly the same problem. I do have a test rule button now though, and the rule passes the tests.
OK, now you can use the logging tab under Monitoring to help with the troubleshooting :-)

Can you try publishing the OWA site using a standard web publishing rule? This will rule out any errors in ISA's FBA. Can you also give some details on your publishing rules and listeners.
Sorry for the delay, I've been off for a few days.
How do I use monitoring? I've had a look under the tabs, but there are no errors logged.
I published the site using a standard web publishing rule, with all the same settings as the exchange publishing rule, except I used basic auth everywhere. I did exactly the same thing.
I don't know if this will help, but I also tried removing the ISA server completely temporarily, and connecting the Exchange server directly to the Cisco. I was able to get the password prompt, but after typing in my details I got a long delay and then a 408 timeout error. If I type incorrect credentials it returns to the prompt though, so again it is obviously able to verify the credentials, just not to serve up the pages.
Argh!
End of third paragraph should read 'It did exactly the same thing.'
Perhaps it's time to reset your Exchange virtual directories - http://support.microsoft.com/kb/883380
Will this work ok with Exchange 2k7? The article is for 2k3.
SOLUTION
Raj-GT
This solution is only available to members.
Created a new virtual directory, same problem. Works perfectly internally, but I only get a password prompt externally.
I think I'm going to have to bite the bullet and shell out for a support incident from MS.
ASKER CERTIFIED SOLUTION
This solution is only available to members.