Solved

Subdomain Users Unable to Log into OWA after parent domain Administrator Password Change.

Posted on 2009-07-10
Last Modified: 2012-05-07
I have a single Exchange 2003 server.

company.local (NETBIOS--DOMAIN) subdomain.company.local (NETBIOS--SUBDOMAIN).

My network admin was recently laid off so I changed Administrator password for DOMAIN and SUBDOMAIN. Since the change users that log into SUBDOMAIN are unable to log into OWA.

The users are using the form SUBDOMAIN\username and entering their domain password, which worked prior to the password change. Error Message: You could not be logged on to Outlook Web Access. Make sure your domain\user name and password are correct, and then try again.

Users who log into the parent domain are able to logon using DOMAIN\username.
Question by:wfwalshiii
 
LVL 8

Expert Comment

by:Npatang
ID: 24825916
Try running the domain prep in the child domain; that should fix the issue.
0
 
LVL 8

Expert Comment

by:XCHExpert
ID: 24826066
Run the command from your subdomain
From Exchange Setup CD drive, from command prompt or from Start-Run

setup.exe /domainprep
0
 

Author Comment

by:wfwalshiii
ID: 24826172
OK - I ran Domain prep on the server that controls the child domain. No change.

Do I need to restart Exchange services and/or IIS?
0
 
LVL 8

Expert Comment

by:Npatang
ID: 24826180
Try restarting the System Attendant service.
0
 

Author Comment

by:wfwalshiii
ID: 24826255
OK I have restarted System Attendant Service and IIS. Still no change.
0
 
LVL 8

Expert Comment

by:Npatang
ID: 24826352
Try the replication between the parent DC and child DC.
0
 

Author Comment

by:wfwalshiii
ID: 24826566
Thank you.

I forced replication. Restarted IIS & System Attendant. Still no change.

0
 
LVL 40

Expert Comment

by:Subsun
ID: 24826696
Are the child domain users able to access OWA at http://exchangeserver/exchange?
Also try with http://frontendserver/exchange
Check the front end server event logs and paste relevant error logs.
Check if the name resolution for child domain is ok from front end servers using nslookup.
0
 

Author Comment

by:wfwalshiii
ID: 24826711
Accessibility is not an issue. It's when they attempt to log in...from anywhere. They receive this Error Message: You could not be logged on to Outlook Web Access. Make sure your domain\user name and password are correct, and then try again.
0
 

Author Comment

by:wfwalshiii
ID: 24826727
NSLookup finds child domain and resolves the address correctly.

This is a single server setup - no frontend/backend server.
0
 
LVL 8

Expert Comment

by:Npatang
ID: 24826743
Try creating the test user and then try with that. Also, if possible, send us the IIS logs from the Exchange server.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 24826744
Any error logs in application logs?
0
 

Author Comment

by:wfwalshiii
ID: 24830532
npatang: Created test user. Can login, set up Outlook (03), and send & receive. Cannot log into OWA.

I don't see any IIS Events in the application log. Am I looking in the right spot?
0
 
LVL 8

Expert Comment

by:Npatang
ID: 24830548
On the Exchange server go to RUN > IIS logs > W2SVC1 > click on the logs with the latest dates and you will get it.

But did you try reproducing the issue today? Otherwise it will not show up in the log files.
0
 

Author Comment

by:wfwalshiii
ID: 24830723
I just tried toggling Forms Based Authentication. With FBA off, subdomain users can log on. With FBA enabled, they cannot. Maybe that will narrow the problem down?
0
 
LVL 8

Expert Comment

by:Npatang
ID: 24830740
Are you putting in the same credentials which you were putting in with FBA?
0
 

Author Comment

by:wfwalshiii
ID: 24830758
Exactly the same: subdomain\testuser and the password
0
 
LVL 8

Expert Comment

by:Npatang
ID: 24830772
The only thing I can think of is whether I can see anything in the IIS logs, if you upload them. Try doing an IIS reset, enable FBA and check again.
0
 

Author Comment

by:wfwalshiii
ID: 24830828
OK. Here's the last 5 minutes of log.
ex090711.log
0
 
LVL 8

Expert Comment

by:Npatang
ID: 24830870
These are not showing anything, not much data. Get me yesterday's log, or you can try reproducing the issue, then stop and start the default website, and then try sending the latest logs again.
0
 

Author Comment

by:wfwalshiii
ID: 24830972
OK. This log details the following steps.

I stopped IIS. Renamed log file so it would create a new one.
Started IIS.
FBA is off.
I logged on successfully using subdomain\testuser.
Logged back off.

On exchange, I enabled FBA. Did iisreset.

Tried to log onto OWA as subdomain\testuser. Failed.

On exchange, I disabled FBA. Did iisreset.
Tried to log onto OWA as subdomain\testuser. Succeeded.

Took a copy of the log to post here.
ex090711.log
0
 

Author Comment

by:wfwalshiii
ID: 24830996
Npatang, thank you for taking all this time to work with me on a Saturday. I appreciate it!
0
 
LVL 8

Expert Comment

by:Npatang
ID: 24831000
Most welcome, sir. I am checking your file itself.
0
 
LVL 8

Expert Comment

by:Npatang
ID: 24831043
On your Exchange server go to "c:\program Files\exchsrvr\exchweb\bin\auth". You will find 2 files, owaauth.dll and owalogon.asp.
Try checking the permissions of both files and make sure that we have Authenticated Users added to them.
If not, add them and make sure we give all the read permissions to them.
Do an iisreset, enable FBA and try logging in.
0
 

Author Comment

by:wfwalshiii
ID: 24831123
Authenticated Users was already there with the following permissions enabled: Read & Execute, Read
0
 
LVL 8

Accepted Solution

by:Npatang
Npatang earned 500 total points
ID: 24831134
See if the IUSR account is in the local Users group. If not, move it to the local Users group, do an IIS reset and log in.
If yes, try moving the IUSR account to the local Administrators group, do the iisreset and try to log in. Let me know both results.
0
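
The two checks suggested in this thread (NTFS permissions on the OWA forms-authentication files, and local group membership of the IIS anonymous account) as a read-only PowerShell audit. This is an added example, not code posted by anyone in the thread; it assumes PowerShell is installed on the server, that Exchange 2003 sits in its default install path, and that the anonymous account is named IUSR_EXCHANGE as in the asker's reply.

```powershell
# Added example: read-only audit of the two checks suggested in this thread.
# Assumptions: default Exchange 2003 install path; the anonymous account is
# named IUSR_EXCHANGE as in the asker's reply. Adjust both for your server.
$authDir = 'C:\Program Files\Exchsrvr\exchweb\bin\auth'
$files   = 'owaauth.dll', 'owalogon.asp'
$iusr    = 'IUSR_EXCHANGE'
$readBit = [int][System.Security.AccessControl.FileSystemRights]::Read

# 1. NTFS permissions: does Authenticated Users (well-known SID S-1-5-11)
#    hold an Allow entry that includes Read on each forms-auth file?
foreach ($name in $files) {
    $path = Join-Path $authDir $name
    if (-not (Test-Path $path)) {
        Write-Output "$name : not found under $authDir"
        continue
    }
    $acl   = Get-Acl $path
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    $granted = 0
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq 'S-1-5-11' -and
            $rule.AccessControlType -eq 'Allow') {
            $granted = $granted -bor [int]$rule.FileSystemRights
        }
    }
    $hasRead = ($granted -band $readBit) -eq $readBit
    Write-Output ("{0} : Authenticated Users has Read = {1}" -f $name, $hasRead)
}

# 2. Local group membership of the IIS anonymous account, via the WinNT
#    ADSI provider (works on hosts without newer local-account cmdlets).
foreach ($group in 'Users', 'Administrators') {
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/$group,group"
    $members = @($g.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
    Write-Output ("{0} in local {1} = {2}" -f $iusr, $group,
                  ($members -contains $iusr))
}
```

The file check looks only at entries for Authenticated Users, as the thread does; read access granted through another group is not reported.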
 

Author Comment

by:wfwalshiii
ID: 24831155
I put IUSR_EXCHANGE into local Users group. Did iisreset. No change.
Then I put IUSR_EXCHANGE into local Administrators group. Did iisreset. No change.
0
 
LVL 8

Expert Comment

by:Npatang
ID: 24831204
What certificate are you using on the server?
0
 

Author Comment

by:wfwalshiii
ID: 24831234
Certificate purchased from Godaddy.com
0
 
LVL 8

Assisted Solution

by:Npatang
Npatang earned 500 total points
ID: 24831246
Try scheduling a reboot of the server and see if that fixes it. Coming to the exact solution is hard.
0
 

Author Comment

by:wfwalshiii
ID: 24831488
Thank you Npatang! I think the solution was putting iusr_exchange in the Local Users & Administrators groups. It didn't take effect until after the reboot, however.
0
 

Author Comment

by:wfwalshiii
ID: 24831570
I removed IUSR_EXCHANGE from the local Administrators group, rebooted and it still works.
0
 
LVL 8

Expert Comment

by:Npatang
ID: 24831585
Well, that seems interesting. Anyway, so far it's working for you, so well and good.
Actually, some permissions issue has been reset, I think.
0
