Solved

OWA 403 Forbidden (12202) after logon screen.

Posted on 2009-04-07
Last Modified: 2012-05-06
I have been trying to publish OWA. We have a single Exchange 2007 server, running on Server2003, behind an ISA firewall, also on a 2003 server, which is behind a Cisco 857 ADSL router.
The OWA site works perfectly if I browse to it from the ISA server using the internal address. If I try to use the external site though, I get the log on page, but when I enter my username and password I get a Page cannot be displayed message with the following technical information: "Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)"
If I try to log on using incorrect credentials though, I get the proper message telling me that the credentials were incorrect, which suggests that somewhere along the line the credentials are being properly verified, but why can't I get to the actual application?
I've tried different authentication methods and fiddled with the internal and external URLs, but everything I do gets the same problem.
I've also tried to publish Outlook Anywhere but that isn't working either. It asks me for credentials when I open Outlook, and again, if I type incorrect ones it doesn't accept them, but if I type correct ones it just sits there for a while saying 'trying to connect to exchange', before going back to 'Disconnected'.
I've been searching the web, wracking my brain, and running round in circles for days on this, please can someone help!
Question by:silent_waters
20 Comments
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24092473
Can you give some detail on your OWA publishing rule please? Describe all the tabs etc, and also tell me what happens when you use the test rule button?
0
 

Author Comment

by:silent_waters
ID: 24092674
Firewall Rule:
"To" tab: Published site name contains the URL I use to access the site internally: https://<server>.<domain>.local/owa. Requests come from client is selected.
"Public Name" tab: name is the external URL: webmail.<domain>.co.uk
"Authentication Delegation" tab: Set to Basic Authentication
"Application Settings" tab: Using customized HTML forms, form set directory is 'Exchange'
"Users" tab: Requests allowed from All Users
Web Listener:
"Networks" tab: External selected, with the specific IP address assigned for this selected.
"Certificates" tab: Our UCC Certificate is selected which has the internal and external domain names on.
"Authentication" tab: Set to HTML Form authentication, with Windows (Active directory). Under advanced: Require all users to authenticate is selected, and our local domain is entered at the bottom.
Let me know if there is anything else you want, I've tried to include all the important bits but I might have missed something.
Where is the test rule button? I can't find it.
0
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24095306
Did you create this rule using the Publish Exchange Web access wizard?

OK, here's what to do.

From: Anywhere
To: Change the published site name to just the hostname of the OWA Server
Traffic: HTTPS selected and no other options checked
Listener: You have to uncheck Require all users to authenticate, and you can also remove the domain name from the field
Public Name: no change
Paths: <same as internal> and /public/*, /exchweb/*, /Exchange/*
Bridging: Redirect to SSL port 443
Users : All Authenticated Users
Auth delegation: fine
Application: fine

Apply changes and test.

As for Test rule button, you will see it at the bottom of the rule properties dialogue.
0
 

Author Comment

by:silent_waters
ID: 24095791
That's even worse, now it doesn't even get as far as the logon page, it just goes straight to the 403 error without ever asking for credentials.
0
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24095920
Did you re-configure your Exchange IIS Virtual folders for ISA? Did you use the ISA wizard or follow any guides from technet?

http://www.msexchange.org/tutorials/Publishing-Exchange-2007-OWA-ISA-Server-2006.html
http://technet.microsoft.com/en-us/library/bb794751.aspx

Error 403 usually means access/permission issues, make sure you don't have IP restrictions in place on the OWA HTTP virtual folders and follow the guides above for help.

Good luck!
0
 

Author Comment

by:silent_waters
ID: 24096054
I have already been through those two sites! I found them through Google. The first one is the one that I used to set everything up initially, although I've obviously been changing things since because it didn't work.
There are no IP or domain restrictions on the properties of the OWA folder, and it is configured properly, and with the correct certificate.
0
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24096219
When you access OWA internally, do you see a password pop-up, FBA page or does it take you directly to the OWA folder?
0
 

Author Comment

by:silent_waters
ID: 24096246
Password prompt pops up in a little dialog box. (I'm not using forms based auth on the exchange server, if that is what you are wondering!)
0
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24096328
I assume you are using https internally as well. Anyway did you test the rule from ISA?

Also in the "To" tab, can you disable the option to "forward the original host header" and select the request appears to come from ISA.
0
 

Author Comment

by:silent_waters
ID: 24096430
Yes, using HTTPS everywhere.
I still can't find that test rule button. Maybe I'm being incredibly stupid, but I can't find it on any of the tabs on the properties page.
Made those changes, same error message.
0
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24097089
That can only mean one thing then. You don't have the service packs installed in your ISA. Delete the OWA rules and listener, install Windows updates and ALL ISA updates and follow the technet guide to set up your OWA.
0
 

Author Comment

by:silent_waters
ID: 24108508
Ok, pretty stupid of me to not fully patch the server, but anyhow, it is done now, and I've deleted and recreated the rules and listeners and I get exactly the same problem. I do have a test rule button now though, and the rule passes the tests.
0
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24111811
OK, now you can use the logging tab under Monitoring to help with the troubleshooting :-)

Can you try publishing the OWA site using a standard web publishing rule? This will rule out any errors in ISA's FBA. Can you also give some details on your publishing rules and listeners.
0
 

Author Comment

by:silent_waters
ID: 24192311
Sorry for the delay, I've been off for a few days.
How do I use monitoring? I've had a look under the tabs, but there are no errors logged.
I published the site using a standard web publishing rule, with all the same settings as the exchange publishing rule, except I used basic auth everywhere. I did exactly the same thing.
I don't know if this will help, but I also tried removing the ISA server completely temporarily, and connecting the Exchange server directly to the Cisco. I was able to get the password prompt, but after typing in my details I got a long delay and then a 408 timeout error. If I type incorrect credentials it returns to the prompt though, so again it is obviously able to verify the credentials, just not to serve up the pages.
Argh!
0
 

Author Comment

by:silent_waters
ID: 24192320
End of third paragraph should read 'IT did exactly the same thing.'
0
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24192387
Perhaps it's time to reset your Exchange virtual directories - http://support.microsoft.com/kb/883380
0
 

Author Comment

by:silent_waters
ID: 24192616
Will this work ok with Exchange 2k7? The article is for 2k3
0
 
LVL 14

Assisted Solution

by:Raj-GT
Raj-GT earned 500 total points
ID: 24192772
D'oh! Please use the following guide to remove/recreate Virtual Directories in Exchange 2007 - http://technet.microsoft.com/en-us/library/bb124811.aspx
0
 

Author Comment

by:silent_waters
ID: 24196206
Created a new virtual directory, same problem. Works perfectly internally, but I only get a password prompt externally.
I think I'm going to have to bite the bullet and shell out for a support incident from MS.
0
 

Accepted Solution

by:
silent_waters earned 0 total points
ID: 24430462
Logged this with MS, and they sorted it out with a patch of some description.
0


Question has a verified solution.
