Solved

IIS Integrated windows authentication

Posted on 2009-06-27
24
1,012 Views
Last Modified: 2012-06-27
I've had some troubles with my mobile device. Thought that IIS Integrated Windows authentication was the problem. So I went to IIS -> server name -> web sites -> default website -> directory security -> turn on "enable anonymous access" -> turn off "Integrated Windows authentication".
Then selected all the options available because I want Windows authentication off in all the places, but I think that's what's gone wrong.

Since then I don't have any normal connection from the internet to my (SBS 2003 R2 / SP2) server. No VPN / no OWA / no OMA.
When I log on to /exchange I get the login screen but can't log in with any login / password.
At /OMA I'm getting: A System error has occurred while processing your request. Please try again. If the problem persists, contact your administrator
My mobile phone gets the 0x85010004

That's what I discovered so far, and I'm sure that I didn't change any other setting.

Did I do something wrong by turning off the integrated authentication? Is there a possibility to restore these settings? I was almost ready to back up because it was a new installation. But the configuration was almost complete, so I don't have a backup.

Thank you very much for responding!
0
Comment
Question by:Theun111
24 Comments
 
LVL 4

Expert Comment

by:aletjolly
ID: 24727068
Hello,

Kindly let me know the IIS authentication of the following:
Default website
Exchange
Public
OMA
Microsoft-server-activesync
exchange-oma (if present)

Note: Also it would really help if you can state the authentications of any other VDirs present which I have not mentioned here.

IIS authentication can be found under:
IIS manager => properties of website/virtual directory => Directory Security => click on the first EDIT button under Authentication and access control.
0
 

Author Comment

by:Theun111
ID: 24727181
Hello,

Default website -> only "Enable anonymous access" is enabled
Exchange -> only "Enable anonymous access" is enabled
Public -> only "Enable anonymous access" is enabled
OMA -> only "Enable anonymous access" is enabled
Microsoft-server-activesync -> only "Enable anonymous access" is enabled
Exchange-oma -> only "Enable anonymous access" is enabled

Clienthelp -> only "Enable anonymous access" is enabled
ConnectComputer -> only "Enable anonymous access" is enabled
Exadmin -> only "Enable anonymous access" is enabled
Exchweb -> only "Enable anonymous access" is enabled
Public -> only "Enable anonymous access" is enabled

All the listed mappings are only enabled for anonymous access.

Thank you very much for responding.
0
 
LVL 4

Expert Comment

by:aletjolly
ID: 24728131
Kindly find below the default IIS authentication settings which are required:

Default website -> only "Enable anonymous access" is enabled
Exchange -> "Basic" should be enabled
Public -> "Basic" should be enabled
OMA -> "Basic" should be enabled
Microsoft-server-activesync -> "Basic" should be enabled
Exchange-oma -> only "Basic + Windows Integrated" should be enabled

Clienthelp -> only "Enable anonymous access" is enabled
ConnectComputer -> only "Enable anonymous access" is enabled
Exadmin -> "Windows Integrated" should be enabled
Exchweb -> only "Enable anonymous access" is enabled

Please note that you can also enable Forms-based Authentication (FBA) for OWA login, provided you have a certificate for OWA. Find below the articles for that:
http://www.petri.co.il/configuring_forms_based_authentication_in_exchange_2003.htm
http://www.msexchange.org/tutorials/OWA2003Forms-based-Authentication-default-domain.html

Now enabling the FBA for OWA will block Activesync communication, so kindly follow the below article :
http://support.microsoft.com/kb/817379
0
 

Author Comment

by:Theun111
ID: 24734163
OK, done the first part, up to the links.
Restarted IIS.

/Exchange works fine!
/oma gives: Your user account has not been enabled for wireless access. Please contact your system administrator for additional assistance.
Mobile phone gives 0x85010004

Can I just go further? Or is there something else wrong? Because with the standard settings it has to work when I configure my telephone etc. correctly. Or isn't this so?
0
 
LVL 4

Expert Comment

by:aletjolly
ID: 24734990
As long as the mobile devices are Windows Mobile 5 / Windows Mobile 6, "/oma" does not come into the picture, so we can ignore that. Only "/Microsoft-Server-Activesync" comes into the picture.
If this is the scenario, locate the following registry subkey on the Exchange Server:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MasSync\Parameters

In case you find a string value "ExchangeVDir", delete it and initiate an iisreset.
Then try to re-create the ActiveSync profile and sync it with the Exchange Server.
0
 

Author Comment

by:Theun111
ID: 24735694
Done this, only still getting the 0x85010004 error on my WM 6.1 device.
Did a hard reset to be sure and renamed the mobile phone; still nothing is happening.
Logged in under a different name, but this also has no effect.

OMA is OK as far as I can see; Administrator can log in, so it is a permissions problem. That I will find out; only the ActiveSync is more of a problem.
0
 
LVL 4

Expert Comment

by:aletjolly
ID: 24735765
Do we have a certificate on the Exchange Server?
If not, can you tell me whether, when configuring the ActiveSync profile on your phone, SSL is enabled or deselected?
Also try to browse http://mail.domain.com/microsoft-server-activesync and log in; tell me what result or error you get.
0
 

Author Comment

by:Theun111
ID: 24735840
The standard certificate from SBS.
But no VeriSign certificate yet; on the mobile phone there is no SSL selected.

When I try to browse to the mail.domain/microsoft-server/activsync, first I have to log in with my login name / password, then I get an HTTP 501/505:
"The website is unable to display the webpage"
0
 
LVL 4

Expert Comment

by:aletjolly
ID: 24736071
In IIS Manager, what authentication is enabled, and is SSL enabled, for:
Default website
Microsoft-Server-Activesync properties
0
 

Author Comment

by:Theun111
ID: 24736536
Default website:
none is enabled, only anonymous access
I have the options which I can select: server certificate / view / edit
require secure channel (SSH) = not enabled
ignore client certificate
enable client certificate mapping = not enabled
enable certificate trust list = not enabled
default domain = blank

Microsoft-Server-Activesync:
Only basic authentication = on
default domain: is the domain of the server
I have the options which I can select: view / edit
server certificate = grey - non clickable
require secure channel (SSH) = not enabled


0
 

Author Comment

by:Theun111
ID: 24736597
BTW, I've done an iisreset in cmd, only the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MasSync\Parameters
is not coming back. Is this correct? Or must I restart the whole server?
0
 
LVL 4

Expert Comment

by:aletjolly
ID: 24736902
A restart of the server is not required; however, I did see one culprit which can cause the issue we are facing: "default domain: is the domain of the server", which is normally "\".
Kindly do the same and test it from the mobile device and let me know the result.
0
 

Author Comment

by:Theun111
ID: 24737173
That's what I thought too, that's why I typed it.
OK, changed the domain name to \ and to nothing, but still no result.

Thank you so far for the support!
0
 

Author Comment

by:Theun111
ID: 24738294
At the moment we are (I think) a step further. I've put the registry key back.
The phone says: syncing maps, but now I'm getting a 0x85010014 error.

Reset the whole phone again; this didn't help. Also read that some people changed the telephone name, which didn't help either. So now I'm going to try some other things.

0
 
LVL 4

Expert Comment

by:aletjolly
ID: 24738821
Hello Theun111,
Kindly remove the registry key which you have just created and initiate an iisreset.
Then again please confirm the authentication on Exchange virtual directory in IIS.
0
 

Author Comment

by:Theun111
ID: 24739120
Default website -> Enable anonymous access is only on
Microsoft-Server-Activesync -> Basic authentication is only on
Everything looks the same

If you need more information please say so.
0
 
LVL 4

Expert Comment

by:aletjolly
ID: 24743137
Hello Theun111,
I am sorry that I wasn't clear enough in my previous log. I was asking about the authentication set on the "/exchange" virtual directory in IIS of the Exchange Server.
 
0
 

Author Comment

by:Theun111
ID: 24743723
Doesn't matter, now you're clear, haha.
Hereby:
Basic authentication is only on
\ is the default domain.
0
 
LVL 4

Expert Comment

by:aletjolly
ID: 24743995
Hello Theun111,
Kindly enable Basic + Windows Integrated authentication for the "/exchange" virtual directory in IIS of the Exchange Server.
Initiate an iisreset and then try to sync the mobile device with the Exchange Server.
0
 

Author Comment

by:Theun111
ID: 24744108
Hello Aletjolly,

Enabled basic + Windows integrated authentication.
But sorry, still getting the 0x85010014 error on the mobile phone.
0
 

Author Comment

by:Theun111
ID: 24744280
Just wanted to tell you that at the moment everything is working!!
Changed 2 things, looking at a working installation and at a VMware SBS which I was working on just to test but which was a fresh install.

The 2 things + the registry key were:
Default website: added Integrated Windows authentication
Exchange: added the default domain
Put back the registry key which I deleted first, because it was there in both installations
An iisreset (which I forgot the first time)

I'm going to try later on which one did the trick, because I want to know exactly why it occurred.
You will hear this from me as soon as possible!
0
 

Author Comment

by:Theun111
ID: 24746723
OK, it was the V at Default website.

First of all, Aletjolly, thank you for your patience, and for helping me to get through the IIS configuration.
Learnt a lot! One last question: can I now go further with the other links? For the certificate etc.?

http://www.petri.co.il/configuring_forms_based_authentication_in_exchange_2003.htm
http://www.msexchange.org/tutorials/OWA2003Forms-based-Authentication-default-domain.html

Now enabling the FBA for OWA will block Activesync communication, so kindly follow the below article :
http://support.microsoft.com/kb/817379

Points are going to you!

PS: First I'm making a backup of the IIS configuration ;)
0
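Added example, not part of the thread or either participant's code: a Python check that decodes IIS 6 `AuthFlags` values per virtual directory and compares them with the list in comment 24728131, with Default Web Site set to the state the author finally reported working. The directory names, the input shape and the sample state are assumptions; the Basic-without-SSL finding is included because the thread shows Basic authentication enabled while "require secure channel" is off.

```python
# Added example (not from the thread). AuthFlags / AccessSSLFlags bit values
# are the IIS 6 metabase constants; the sample state below is constructed.
AUTH_BITS = {"Anonymous": 0x1, "Basic": 0x2, "Integrated": 0x4}
ACCESS_SSL = 0x8  # AccessSSLFlags bit behind "Require secure channel (SSL)"

# Baseline from comment 24728131, except Default Web Site, which follows the
# author's final working state (anonymous + Integrated Windows authentication).
BASELINE = {
    "Default Web Site": {"Anonymous", "Integrated"},
    "Exchange": {"Basic"},
    "Public": {"Basic"},
    "OMA": {"Basic"},
    "Microsoft-Server-ActiveSync": {"Basic"},
    "Exchange-oma": {"Basic", "Integrated"},
    "Clienthelp": {"Anonymous"},
    "ConnectComputer": {"Anonymous"},
    "Exadmin": {"Integrated"},
    "Exchweb": {"Anonymous"},
}

def decode(auth_flags):
    """Turn an AuthFlags integer into the set of enabled methods."""
    return {name for name, bit in AUTH_BITS.items() if auth_flags & bit}

def encode(methods):
    """Inverse of decode(), used to build sample states."""
    return sum(AUTH_BITS[m] for m in methods)

def audit(state):
    """state: {vdir: (AuthFlags, AccessSSLFlags)} -> list of (vdir, finding, detail)."""
    findings = []
    for vdir, expected in BASELINE.items():
        # A directory absent from the input reads as "no method enabled".
        auth_flags, ssl_flags = state.get(vdir, (0, 0))
        actual = decode(auth_flags)
        if actual != expected:
            findings.append((vdir, "auth-mismatch",
                             f"expected {sorted(expected)}, found {sorted(actual)}"))
        if "Basic" in actual and not ssl_flags & ACCESS_SSL:
            findings.append((vdir, "basic-without-ssl",
                             "credentials cross the wire base64-encoded, not encrypted"))
    return findings

# Constructed: the state the author reported after clearing Integrated everywhere.
ANONYMOUS_ONLY = {vdir: (AUTH_BITS["Anonymous"], 0) for vdir in BASELINE}

if __name__ == "__main__":
    for vdir, finding, detail in audit(ANONYMOUS_ONLY):
        print(f"{vdir:30} {finding:18} {detail}")
```

Run against the anonymous-only state, it reports seven directories that differ from the baseline, Default Web Site among them.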
 
LVL 4

Accepted Solution

by:
aletjolly earned 250 total points
ID: 24752952
Theun111, if you want to implement a certificate on the Exchange Server, then yes, please follow the articles:
http://www.petri.co.il/configuring_forms_based_authentication_in_exchange_2003.htm
http://www.msexchange.org/tutorials/OWA2003Forms-based-Authentication-default-domain.html

Now, with the certificate in place, it may break the ActiveSync communication, so kindly follow:
http://support.microsoft.com/kb/817379

And yes, do take the backup of IIS. ;)
http://support.microsoft.com/kb/324277
0
 

Author Comment

by:Theun111
ID: 24912831
I'm going to try the certificate and IIS another time.

Thank you very much again!
0

Question has a verified solution.
