Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

OWA HTTP/1.1 403 Forbidden in Exchange 2003

Posted on 2009-12-01
35
Medium Priority
?
3,327 Views
Last Modified: 2012-06-22
We are using Exchange 2003.  OWA was working fine last week and for the previous 6 months.  Today OWA doesn't work.  When we try to login as any user except for Administrator we get HTTP/1.1 403 Forbidden.

I tried the following already.
- http://support.microsoft.com/kb/883380
- Checked form based authentication
- Allow ASP to run.
- Checked all the security in IIS
- Installed latest Windows Updates
- Tried with Firefox and Internet Explorer.
0
Comment
Question by:Rosspope
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 17
  • 16
35 Comments
 
LVL 74

Expert Comment

by:Glen Knight
ID: 25943188
Have you restarted IIS when you have made all the changes?
0
 

Author Comment

by:Rosspope
ID: 25943196
yes
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 25943420
0
Survive A High-Traffic Event with Percona

Your application or website rely on your database to deliver information about products and services to your customers. You can’t afford to have your database lose performance, lose availability or become unresponsive – even for just a few minutes.

 

Author Comment

by:Rosspope
ID: 25943640
Demazter -->  We are not getting the OWA 2003 Error Message when trying to access FreeDocs.  We are getting it when we try to login to webmail (OWA)
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 25943667
sorry my mistake!
I thought that was an OWA document.

Check the IIS Permissions and the filesystem folder permissions, this is what normally causes what you are seeing (document I meant to link to earlier): http://www.msexchange.org/tutorials/Resetting-OWA-Folder-IIS-security-permissions-Exchange-2003.html
0
 

Author Comment

by:Rosspope
ID: 25943901
I reset the metabase.xml file already in my link above.  I used method 3.
I also checked the security in IIS.


0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 25943913
It's definately a permission issue, download the Exchange Best Practice analyzer and see what that brings back, post the results.
0
 

Author Comment

by:Rosspope
ID: 25943980
Server: MAIL  
 
  'SystemPages' set too high Server: MAIL
 The 'SystemPages' value is set too high on server mail.moosecree.com and may cause instability. Current value: 798720.
  Tell me more about this issue and how to resolve it.  
 
  'HeapDeCommitFreeBlockThreshold' not set Server: MAIL
 Server mail.moosecree.com has 1 GB or more of memory, accommodates 111 mailboxes, and the 'HeapDeCommitFreeBlockThreshold' parameter has not been set to 262144. Virtual memory may become quickly fragmented and system instability may occur.
  Tell me more about this issue and how to resolve it.  
 
  Paging file larger than Physical Memory Server: MAIL
 The space for the paging file (4092) is larger than the physical memory (3582). This may affect the system performance. It is recommended to have paging file size equal to the physical memory.
  Tell me more about this issue and how to resolve it.  
 
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 25944073
If you have confirmed the IIS permissions then it must ne file system permissions, can you try this solution?

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_23246543.html
0
 

Author Comment

by:Rosspope
ID: 25944135
I created a new test user and I can login fine with that user.  

For the users that can no longer login.  In their user properties --> Exchange Features are set to "Enabled" for Outlook Web Access.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 25944201
Can you try disabling web access for one user then re-enabling it?
0
 

Author Comment

by:Rosspope
ID: 25944210
Demazter --> I looked at the article that you sent.  Basically they want me to set the permissions on davex.dll to allow authenticated users to modify and write.

All of my other Exchange server do not need this in order to work correctly.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 25944229
Also try in active directory users and computer under view select advanced features.

Then fund a user that's not working, right click select properties, security tab, click advanced and check the box to allow inheritance click apply.

Test that user again
0
 

Author Comment

by:Rosspope
ID: 25944231
Just tried to disable it and re-enable.  No luck
0
 

Author Comment

by:Rosspope
ID: 25944253
Allow inheritance already enabled.
0
 

Author Comment

by:Rosspope
ID: 25944324
Ok I am able to login as other users.  There is only the one account that I can't login with.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 25944375
Can you compare the permissions in the security tab with the new user you have just created?
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 25944389
What's special about that user?
Is it a member of the same groups as the other users?

0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 25944400
Have you restricted the computers that user can logon to?
If so have you included the exchange server?
0
 

Author Comment

by:Rosspope
ID: 25944402
Security tab in AD user properties are the same
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 25944412
Also if you move the mailbox to a different server can you access it?
0
 

Author Comment

by:Rosspope
ID: 25944418
Single server environment.
0
 

Author Comment

by:Rosspope
ID: 25944451
Not sure if this helps you...  Found in my logs.

2009-12-01 13:31:55 W3SVC1 192.168.1.7 POST /exchweb/bin/auth/owaauth.dll - 443 - 209.226.52.149 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1.5)+Gecko/20091102+Firefox/3.5.5+(.NET+CLR+3.5.30729) 302 0 0

2009-12-01 13:31:55 W3SVC1 192.168.1.7 GET /exchange - 443 JKapashesit 209.226.52.149 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1.5)+Gecko/20091102+Firefox/3.5.5+(.NET+CLR+3.5.30729) 302 0 0

2009-12-01 13:31:55 W3SVC1 192.168.1.7 GET /exchange/ - 443 JKapashesit 209.226.52.149 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1.5)+Gecko/20091102+Firefox/3.5.5+(.NET+CLR+3.5.30729) 403 0 0
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 25944740
Sorry I thought you said you had additional server.

If it just the one mailbox I would suggest deleting the user and creating a new one then re-attatching the mailbox.

0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 25944775
See section "To Reconnect a Deleted Mailbox to a New User Object" in this document: http://support.microsoft.com/kb/274343

if you right click on the user and select exchange tasks and delete mailbox.

You can then re-atatch it to see if that fixes it
0
 

Author Comment

by:Rosspope
ID: 25945109
Will try that tonight.  

Based on this post they needed to delete the entire user to get it working again.  Oh and you also need to kick the server.
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_23282171.html
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 25945151
As I suggested, I just added trying to reconnect without deleting the user as a possibility

I think the "kick" was Tongue in cheek!
0
 

Author Comment

by:Rosspope
ID: 25945265
that was very obvious...  Although it would be nice if a simple kick could fix things.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 25945275
Indeed! I often wish that! But luckily for us that make a living out of I.T it's not that simple! :-)
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 25954079
The only time I ever hear of a 403.0 status returned (that is what the last log entry shows) is where there is a BE server involved, and the BE server with the mailbox on has SSL required on its Exchange Virtual Directory in IIS Manager.
0
 

Author Comment

by:Rosspope
ID: 25956584
No BE server in this environment.
0
 
LVL 74

Accepted Solution

by:
Glen Knight earned 1500 total points
ID: 25956869
How did the reconnect go?
0
 

Author Comment

by:Rosspope
ID: 25956932
Well the user is configured to access it through Outlook right now.  So I wanted to run it by her before I start trashing stuff to make sure it was worth it for her.  She might not even use OWA anymore.  I didn't hear back from the her yet so I didn't do it.
0
 

Author Closing Comment

by:Rosspope
ID: 31660445
I did not delete the user and recreate it again.  Wasn't worth it for me.
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
This article outlines some of the reasons why an email message gets flagged as spam on a recipient's end.
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question