  • Status: Solved

OWA 403 Forbidden (12202) after logon screen.

I have been trying to publish OWA. We have a single Exchange 2007 server, running on Server 2003, behind an ISA firewall, also on a 2003 server, which is behind a Cisco 857 ADSL router.
The OWA site works perfectly if I browse to it from the ISA server using the internal address. If I try to use the external site though, I get the log on page, but when I enter my username and password I get a Page cannot be displayed message with the following technical information: "Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)"
If I try to log on using incorrect credentials though, I get the proper message telling me that the credentials were incorrect, which suggests that somewhere along the line the credentials are being properly verified, but why can't I get to the actual application?
I've tried different authentication methods and fiddled with the internal and external URLs, but everything I do gets the same problem.
I've also tried to publish Outlook Anywhere but that isn't working either. It asks me for credentials when I open Outlook, and again, if I type incorrect ones it doesn't accept them, but if I type correct ones it just sits there for a while saying 'trying to connect to exchange', before going back to 'Disconnected'.
I've been searching the web, wracking my brain, and running round in circles for days on this, please can someone help!
Asked:
silent_waters

Raj-GT (Systems Engineer) commented:
Can you give some detail on your OWA publishing rule please? Describe all the tabs etc, and also tell me what happens when you use the test rule button?

silent_waters (Author) commented:
Firewall Rule:
"To" tab: Published site name contains the URL I use to access the site internally: https://<server>.<domain>.local/owa. Requests come from client is selected.
"Public Name" tab: name is the external URL: webmail.<domain>.co.uk
"Authentication Delegation" tab: Set to Basic Authentication
"Application Settings" tab: Using customized HTML forms, form set directory is 'Exchange'
"Users" tab: Requests allowed from All Users
Web Listener:
"Networks" tab: External selected, with the specific IP address assigned for this selected.
"Certificates" tab: Our UCC Certificate is selected which has the internal and external domain names on.
"Authentication" tab: Set to HTML Form authentication, with Windows (Active directory). Under advanced: Require all users to authenticate is selected, and our local domain is entered at the bottom.
Let me know if there is anything else you want, I've tried to include all the important bits but I might have missed something.
Where is the test rule button? I can't find it.

Raj-GT (Systems Engineer) commented:
Did you create this rule using the Publish Exchange Web access wizard?

OK, here's what to do.

From: Anywhere
To: Change the published site name to just the hostname of the OWA Server
Traffic: HTTPS selected and no other options checked
Listener: You have to uncheck Require all users to authenticate, and you can also remove the domain name from the field
Public Name: no change
Paths: <same as internal> and /public/*, /exchweb/*, /Exchange/*
Bridging: Redirect to SSL port 443
Users: All Authenticated Users
Auth delegation: fine
Application: fine

Apply changes and test.

As for Test rule button, you will see it at the bottom of the rule properties dialogue.
 
silent_waters (Author) commented:
That's even worse, now it doesn't even get as far as the logon page, it just goes straight to the 403 error without ever asking for credentials.

Raj-GT (Systems Engineer) commented:
Did you re-configure your Exchange IIS Virtual folders for ISA? Did you use the ISA wizard or follow any guides from technet?

http://www.msexchange.org/tutorials/Publishing-Exchange-2007-OWA-ISA-Server-2006.html
http://technet.microsoft.com/en-us/library/bb794751.aspx

Error 403 usually means access/permission issues, make sure you don't have IP restrictions in place on the OWA HTTP virtual folders and follow the guides above for help.

Good luck!

silent_waters (Author) commented:
I have already been through those two sites! I found them through google. The first one is the one that I used to set everything up initially, although I've obviously been changing things since because it didn't work.
There are no IP or domain restrictions on the properties of the OWA folder, and it is configured properly, and with the correct certificate.

Raj-GT (Systems Engineer) commented:
When you access OWA internally, do you see a password pop-up, FBA page or does it directly take you to the OWA folder?

silent_waters (Author) commented:
Password prompt pops up in a little dialog box. (I'm not using forms based auth on the exchange server, if that is what you are wondering!)

Raj-GT (Systems Engineer) commented:
I assume you are using https internally as well. Anyway did you test the rule from ISA?

Also in the "To" tab, can you disable the option to "forward the original host header" and select the request appears to come from ISA.

silent_waters (Author) commented:
Yes, using HTTPS everywhere.
I still can't find that test rule button. Maybe I'm being incredibly stupid, but I can't find it on any of the tabs on the properties page.
Made those changes, same error message.

Raj-GT (Systems Engineer) commented:
That can only mean one thing then. You don't have the service packs installed in your ISA. Delete the OWA rules and listener, install Windows updates and ALL ISA updates and follow the TechNet guide to set up your OWA.

silent_waters (Author) commented:
Ok, pretty stupid of me to not fully patch the server, but anyhow, it is done now, and I've deleted and recreated the rules and listeners and I get exactly the same problem. I do have a test rule button now though, and the rule passes the tests.

Raj-GT (Systems Engineer) commented:
OK, now you can use the logging tab under Monitoring to help with the troubleshooting :-)

Can you try publishing the OWA site using a standard web publishing rule? This will rule out any errors in ISA's FBA. Can you also give some details on your publishing rules and listeners?

silent_waters (Author) commented:
Sorry for the delay, I've been off for a few days.
How do I use monitoring? I've had a look under the tabs, but there are no errors logged.
I published the site using a standard web publishing rule, with all the same settings as the Exchange publishing rule, except I used basic auth everywhere. I did exactly the same thing.
I don't know if this will help, but I also tried removing the ISA server completely temporarily, and connecting the Exchange server directly to the Cisco. I was able to get the password prompt, but after typing in my details I got a long delay and then a 408 timeout error. If I type incorrect credentials it returns to the prompt though, so again it is obviously able to verify the credentials, just not to serve up the pages.
Argh!

silent_waters (Author) commented:
End of third paragraph should read 'IT did exactly the same thing.'

Raj-GT (Systems Engineer) commented:
Perhaps it's time to reset your Exchange virtual directories - http://support.microsoft.com/kb/883380

silent_waters (Author) commented:
Will this work ok with Exchange 2k7? The article is for 2k3

Raj-GT (Systems Engineer) commented:
D'oh! Please use the following guide to remove/recreate Virtual Directories in Exchange 2007 - http://technet.microsoft.com/en-us/library/bb124811.aspx

silent_waters (Author) commented:
Created a new virtual directory, same problem. Works perfectly internally, but I only get a password prompt externally.
I think I'm going to have to bite the bullet and shell out for a support incident from MS.

silent_waters (Author) commented:
Logged this with MS, and they sorted it out with a patch of some description.