Solved

IIS Integrated windows authentication

Posted on 2009-06-27
Last Modified: 2012-06-27
I've had some trouble with my mobile device. I thought that IIS Integrated Windows authentication was the problem. So I went to IIS -> server name -> web sites -> default website -> directory security -> turned on "enable anonymous access" -> turned off "Integrated Windows authentication".
Then I selected all the options available because I want Windows authentication off in all the places, but I think that's what's gone wrong.

Since then I don't have any normal connection from the internet to my (SBS 2003 R2 / SP2) server. No VPN / no OWA / no OMA.
When I log on to /exchange I get the login screen but can't log in with any login / password.
With /OMA I'm getting: "A System error has occurred while processing your request. Please try again. If the problem persists, contact your administrator"
My mobile phone gets the 0x85010004.

That's what I've discovered so far, and I'm sure that I didn't change any other setting.

Did I do something wrong by turning off the integrated authentication? Is there a possibility to restore these settings? I was almost ready to back up because it was a new installation. But the configuration was almost complete, so I don't have a backup.

Thank you very much for responding!
Question by:Theun111
24 Comments
 
LVL 4

Expert Comment

by:aletjolly
Hello,

Kindly let me know the IIS authentication of the following:
Default website
Exchange
Public
OMA
Microsoft-server-activesync
exchange-oma (if present)

Note: It would also really help if you can state the authentication of any other VDirs present which I have not mentioned here.

IIS authentication can be found under:
IIS Manager => properties of website/virtual directory => Directory Security => click on the first EDIT button under Authentication and access control.
0
 

Author Comment

by:Theun111
Hello,

Default website -> only "Enable anonymous access" is enabled
Exchange -> only "Enable anonymous access" is enabled
Public -> only "Enable anonymous access" is enabled
OMA -> only "Enable anonymous access" is enabled
Microsoft-server-activesync -> only "Enable anonymous access" is enabled
Exchange-oma -> only "Enable anonymous access" is enabled

Clienthelp -> only "Enable anonymous access" is enabled
ConnectComputer -> only "Enable anonymous access" is enabled
Exadmin -> only "Enable anonymous access" is enabled
Exchweb -> only "Enable anonymous access" is enabled
Public -> only "Enable anonymous access" is enabled

All the listed mappings have only "Enable anonymous access" enabled.

Thank you very much for responding.
0
 
LVL 4

Expert Comment

by:aletjolly
Kindly find below the default IIS authentication settings which are required:

Default website -> only "Enable anonymous access" is enabled
Exchange -> "Basic" should be enabled
Public -> "Basic" should be enabled
OMA -> "Basic" should be enabled
Microsoft-server-activesync -> "Basic" should be enabled
Exchange-oma -> only "Basic + Windows Integrated" should be enabled

Clienthelp -> only "Enable anonymous access" is enabled
ConnectComputer -> only "Enable anonymous access" is enabled
Exadmin -> "Windows Integrated" should be enabled
Exchweb -> only "Enable anonymous access" is enabled


Please note that you can also enable Forms-based Authentication (FBA) for OWA login, provided you have a certificate for OWA. Find below the articles for that:
http://www.petri.co.il/configuring_forms_based_authentication_in_exchange_2003.htm
http://www.msexchange.org/tutorials/OWA2003Forms-based-Authentication-default-domain.html

Now, enabling FBA for OWA will block ActiveSync communication, so kindly follow the article below:
http://support.microsoft.com/kb/817379
0
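
The baseline from the comment above, turned into a check (an added example, not code from the thread or from either participant): it decodes IIS 6 metabase `AuthFlags` values per virtual directory, reports drift from the listed baseline, and flags Basic authentication where "Require secure channel" is off. The bit values are the metabase constants for `AuthFlags` and `AccessSSLFlags`; the function names and the sample values are constructed for illustration.

```python
# Bit values of the IIS 6 metabase AuthFlags / AccessSSLFlags properties.
AUTH_BITS = {"Anonymous": 0x1, "Basic": 0x2, "Windows Integrated": 0x4}
ACCESS_SSL = 0x8  # "Require secure channel (SSL)"

# Baseline exactly as listed in the expert comment above.
BASELINE = {
    "Default website": {"Anonymous"},
    "Exchange": {"Basic"},
    "Public": {"Basic"},
    "OMA": {"Basic"},
    "Microsoft-Server-ActiveSync": {"Basic"},
    "Exchange-oma": {"Basic", "Windows Integrated"},
    "Clienthelp": {"Anonymous"},
    "ConnectComputer": {"Anonymous"},
    "Exadmin": {"Windows Integrated"},
    "Exchweb": {"Anonymous"},
}

def decode_auth(flags):
    """Turn an AuthFlags bitmask into the set of enabled methods."""
    return {name for name, bit in AUTH_BITS.items() if flags & bit}

def audit(observed):
    """observed: {vdir: (AuthFlags, AccessSSLFlags)} -> list of findings."""
    findings = []
    for vdir, expected in BASELINE.items():
        if vdir not in observed:
            findings.append((vdir, "missing", "no values supplied"))
            continue
        auth_flags, ssl_flags = observed[vdir]
        actual = decode_auth(auth_flags)
        if actual != expected:
            findings.append((vdir, "drift",
                             f"expected {sorted(expected)}, found {sorted(actual)}"))
        # Basic sends the password base64-encoded, so it needs SSL under it.
        if "Basic" in actual and not ssl_flags & ACCESS_SSL:
            findings.append((vdir, "basic-without-ssl",
                             "Basic enabled, secure channel not required"))
    return findings

# Constructed sample: everything anonymous-only, as in the question, except
# ActiveSync, which is Basic-only with SSL not required.
SAMPLE = {name: (0x1, 0x0) for name in BASELINE}
SAMPLE["Microsoft-Server-ActiveSync"] = (0x2, 0x0)

if __name__ == "__main__":
    for vdir, kind, detail in audit(SAMPLE):
        print(f"{vdir:28} {kind:18} {detail}")
```

Edit `BASELINE` to match a known-good installation before relying on the drift findings.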
 

Author Comment

by:Theun111
OK, done the first part, up to the links.
Restarted IIS.

/Exchange works fine!
/oma gives: Your user account has not been enabled for wireless access. Please contact your system administrator for additional assistance.
Mobile phone gives 0x85010004.

Can I just go further? Or is there something else wrong? Because with the standard settings it has to work when I configure my telephone etc. correctly. Or isn't this so?
0
 
LVL 4

Expert Comment

by:aletjolly
As far as the mobile devices are Windows Mobile 5 / Windows Mobile 6, "/oma" does not come into the picture, so we can ignore that. Only "/Microsoft-Server-Activesync" comes into the picture.
If this is the scenario, locate the following registry subkey on the Exchange Server:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MasSync\Parameters

If you find a string value "ExchangeVDir", delete it and initiate an iisreset.
Then try to re-create the ActiveSync profile and sync it with the Exchange Server.
0
 

Author Comment

by:Theun111
Done this, only I'm still getting the 0x85010004 error on my WM 6.1 device.
Done a hard reset to be sure, renamed the mobile phone, still nothing is happening.
Logged in under a different name, but this also has no effect.

OMA is OK as far as I can see; Administrator can log in, so it is a permissions problem. That I will find out; only the ActiveSync is more of a problem.
0
 
LVL 4

Expert Comment

by:aletjolly
Do we have a certificate on the Exchange Server?
If not, can you tell me whether, when configuring the ActiveSync profile on your phone, SSL is enabled or deselected?
Also try to browse http://mail.domain.com/microsoft-server-activesync and log in; tell me what result or error you get.
0
 

Author Comment

by:Theun111
The standard certificate from SBS.
But no VeriSign certificate yet; on the mobile phone there is no SSL selected.

When I try to browse to mail.domain/microsoft-server/activsync, first I have to log in with my login name / password, then I get an HTTP 501 / 505:
"The website is unable to display the webpage"
0
 
LVL 4

Expert Comment

by:aletjolly
In IIS Manager, what authentication is enabled, and is SSL enabled?
For:
Default website
Microsoft-Server-Activesync properties
0
 

Author Comment

by:Theun111
Default website:
none is enabled, only anonymous access
I have the options which I can select: server certificate / view / edit
require secure channel (SSH) = not enabled
ignore client certificate
enable client certificate mapping = not enabled
enable certificate trust list = not enabled
default domain = blank

Microsoft-Server-Activesync:
Only basic authentication = on
default domain: is the domain of the server
I have the options which I can select: view / edit
server certificate = grey - not clickable
require secure channel (SSH) = not enabled


0
 

Author Comment

by:Theun111
By the way, I've done an iisreset in cmd, only the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MasSync\Parameters
is not coming back. Is this correct? Or must I restart the whole server?
0
 
LVL 4

Expert Comment

by:aletjolly
Restart of the Server is not required, however I did see one culprit which can cause the issue we are facing "default domain: is the domain of the server" which is normally "\".
Kindly do the same and test it from mobile device and let me know the result.
0
 

Author Comment

by:Theun111
That's what I thought too, that's why I typed it.
OK. Changed the domain name to \ and to nothing, but still no result.

Thank you so far for the support!
0
 

Author Comment

by:Theun111
At the moment we are (I think) a step further. I've put the registry key back.
The phone says: syncing maps, but now I'm getting a 0x85010014 error.

Reset the whole phone again; this didn't help. Also read that some people changed the telephone name, which didn't help either. So now I'm going to try some other things.

0
 
LVL 4

Expert Comment

by:aletjolly
Hello Theun111,
Kindly remove the registry key which you have just created and initiate an iisreset.
Then again please confirm the authentication on Exchange virtual directory in IIS.
0
 

Author Comment

by:Theun111
Default website -> Enable anonymous access is only on
Microsoft-Server-Activesync -> Basic authentication is only on
Everything looks the same

If you need more information please say so.
0
 
LVL 4

Expert Comment

by:aletjolly
Hello Theun111,
I am sorry that I wasn't clear enough in before log. I was asking about the authentication set on "/exchange" virtual directory in IIS of Exchange Server.
 
0
 

Author Comment

by:Theun111
Doesn't matter, now you're clear, haha.
Hereby:
Basic authentication is only on
\ is the default domain.
0
 
LVL 4

Expert Comment

by:aletjolly
Hello Theun111,
Kindly enable Basic + Windows Integrated authentication for the "/exchange" virtual directory in IIS of the Exchange Server.
Initiate an iisreset and then try to sync the mobile device with the Exchange Server.
0
 

Author Comment

by:Theun111
Hello Aletjolly,

Enabled Basic + Windows Integrated authentication.
But sorry, still getting the 0x85010014 error on the mobile phone.
0
 

Author Comment

by:Theun111
Just wanted to tell you that at the moment everything is working!!
Changed 2 things, looking at a working installation and looking at a VMware SBS which I was working on just to test, but which was a fresh install.

The 2 things + the registry key were:
Default website: added Integrated Windows authentication
Exchange: added the default domain
Put back the registry key which I deleted first, because it was there in both installations
An iisreset (which I forgot the first time)

I'm going to try later on which one did the trick, because I want to know exactly why it occurred.
You will hear this from me as soon as possible!
0
 

Author Comment

by:Theun111
OK. It was the V by default website.

First of all, Aletjolly, thank you for your patience, and for helping me to get through the IIS configuration.
Learnt a lot! One last question: can I now go further with the other links? For the certificate etc.?

http://www.petri.co.il/configuring_forms_based_authentication_in_exchange_2003.htm
http://www.msexchange.org/tutorials/OWA2003Forms-based-Authentication-default-domain.html

Now enabling the FBA for OWA will block Activesync communication, so kindly follow the below article :
http://support.microsoft.com/kb/817379

Points are going to you!

PS. First I'm making a backup of the IIS configuration ;)
0
 
LVL 4

Accepted Solution

by:
aletjolly earned 250 total points
Theun111, if you want to implement Certificate on the Exchange Server then yes please follow the articles:
http://www.petri.co.il/configuring_forms_based_authentication_in_exchange_2003.htm
http://www.msexchange.org/tutorials/OWA2003Forms-based-Authentication-default-domain.html

Now with Certificate in place it may break the Activesync communication, so kindly follow:
http://support.microsoft.com/kb/817379

And yes do take the backup of the IIS.  ;)
http://support.microsoft.com/kb/324277
0
 

Author Comment

by:Theun111
I'm going to try the certificate and IIS another time.

Thank you very much again!
0
