Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

OWA HTTP/1.1 403 Forbidden in Exchange 2003

Posted on 2009-12-01
35
Medium Priority
?
3,361 Views
Last Modified: 2012-06-22
We are using Exchange 2003.  OWA was working fine last week and for the previous 6 months.  Today OWA doesn't work.  When we try to login as any user except for Administrator we get HTTP/1.1 403 Forbidden.

I tried the following already.
- http://support.microsoft.com/kb/883380
- Checked form based authentication
- Allow ASP to run.
- Checked all the security in IIS
- Installed latest Windows Updates
- Tried with Firefox and Internet Explorer.
0
Comment
Question by:Rosspope
  • 17
  • 16
35 Comments
 
LVL 74

Expert Comment

by:Glen Knight
ID: 25943188
Have you restarted IIS when you have made all the changes?
0
 

Author Comment

by:Rosspope
ID: 25943196
yes
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 25943420
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:Rosspope
ID: 25943640
Demazter -->  We are not getting the OWA 2003 Error Message when trying to access FreeDocs.  We are getting it when we try to login to webmail (OWA)
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 25943667
sorry my mistake!
I thought that was an OWA document.

Check the IIS Permissions and the filesystem folder permissions, this is what normally causes what you are seeing (document I meant to link to earlier): http://www.msexchange.org/tutorials/Resetting-OWA-Folder-IIS-security-permissions-Exchange-2003.html
0
 

Author Comment

by:Rosspope
ID: 25943901
I reset the metabase.xml file already in my link above.  I used method 3.
I also checked the security in IIS.


0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 25943913
It's definately a permission issue, download the Exchange Best Practice analyzer and see what that brings back, post the results.
0
 

Author Comment

by:Rosspope
ID: 25943980
Server: MAIL  
 
  'SystemPages' set too high Server: MAIL
 The 'SystemPages' value is set too high on server mail.moosecree.com and may cause instability. Current value: 798720.
  Tell me more about this issue and how to resolve it.  
 
  'HeapDeCommitFreeBlockThreshold' not set Server: MAIL
 Server mail.moosecree.com has 1 GB or more of memory, accommodates 111 mailboxes, and the 'HeapDeCommitFreeBlockThreshold' parameter has not been set to 262144. Virtual memory may become quickly fragmented and system instability may occur.
  Tell me more about this issue and how to resolve it.  
 
  Paging file larger than Physical Memory Server: MAIL
 The space for the paging file (4092) is larger than the physical memory (3582). This may affect the system performance. It is recommended to have paging file size equal to the physical memory.
  Tell me more about this issue and how to resolve it.  
 
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 25944073
If you have confirmed the IIS permissions then it must ne file system permissions, can you try this solution?

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_23246543.html
0
 

Author Comment

by:Rosspope
ID: 25944135
I created a new test user and I can login fine with that user.  

For the users that can no longer login.  In their user properties --> Exchange Features are set to "Enabled" for Outlook Web Access.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 25944201
Can you try disabling web access for one user then re-enabling it?
0
 

Author Comment

by:Rosspope
ID: 25944210
Demazter --> I looked at the article that you sent.  Basically they want me to set the permissions on davex.dll to allow authenticated users to modify and write.

All of my other Exchange server do not need this in order to work correctly.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 25944229
Also try in active directory users and computer under view select advanced features.

Then fund a user that's not working, right click select properties, security tab, click advanced and check the box to allow inheritance click apply.

Test that user again
0
 

Author Comment

by:Rosspope
ID: 25944231
Just tried to disable it and re-enable.  No luck
0
 

Author Comment

by:Rosspope
ID: 25944253
Allow inheritance already enabled.
0
 

Author Comment

by:Rosspope
ID: 25944324
Ok I am able to login as other users.  There is only the one account that I can't login with.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 25944375
Can you compare the permissions in the security tab with the new user you have just created?
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 25944389
What's special about that user?
Is it a member of the same groups as the other users?

0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 25944400
Have you restricted the computers that user can logon to?
If so have you included the exchange server?
0
 

Author Comment

by:Rosspope
ID: 25944402
Security tab in AD user properties are the same
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 25944412
Also if you move the mailbox to a different server can you access it?
0
 

Author Comment

by:Rosspope
ID: 25944418
Single server environment.
0
 

Author Comment

by:Rosspope
ID: 25944451
Not sure if this helps you...  Found in my logs.

2009-12-01 13:31:55 W3SVC1 192.168.1.7 POST /exchweb/bin/auth/owaauth.dll - 443 - 209.226.52.149 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1.5)+Gecko/20091102+Firefox/3.5.5+(.NET+CLR+3.5.30729) 302 0 0

2009-12-01 13:31:55 W3SVC1 192.168.1.7 GET /exchange - 443 JKapashesit 209.226.52.149 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1.5)+Gecko/20091102+Firefox/3.5.5+(.NET+CLR+3.5.30729) 302 0 0

2009-12-01 13:31:55 W3SVC1 192.168.1.7 GET /exchange/ - 443 JKapashesit 209.226.52.149 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1.5)+Gecko/20091102+Firefox/3.5.5+(.NET+CLR+3.5.30729) 403 0 0
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 25944740
Sorry I thought you said you had additional server.

If it just the one mailbox I would suggest deleting the user and creating a new one then re-attatching the mailbox.

0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 25944775
See section "To Reconnect a Deleted Mailbox to a New User Object" in this document: http://support.microsoft.com/kb/274343

if you right click on the user and select exchange tasks and delete mailbox.

You can then re-atatch it to see if that fixes it
0
 

Author Comment

by:Rosspope
ID: 25945109
Will try that tonight.  

Based on this post they needed to delete the entire user to get it working again.  Oh and you also need to kick the server.
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_23282171.html
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 25945151
As I suggested, I just added trying to reconnect without deleting the user as a possibility

I think the "kick" was Tongue in cheek!
0
 

Author Comment

by:Rosspope
ID: 25945265
that was very obvious...  Although it would be nice if a simple kick could fix things.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 25945275
Indeed! I often wish that! But luckily for us that make a living out of I.T it's not that simple! :-)
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 25954079
The only time I ever hear of a 403.0 status returned (that is what the last log entry shows) is where there is a BE server involved, and the BE server with the mailbox on has SSL required on its Exchange Virtual Directory in IIS Manager.
0
 

Author Comment

by:Rosspope
ID: 25956584
No BE server in this environment.
0
 
LVL 74

Accepted Solution

by:
Glen Knight earned 1500 total points
ID: 25956869
How did the reconnect go?
0
 

Author Comment

by:Rosspope
ID: 25956932
Well the user is configured to access it through Outlook right now.  So I wanted to run it by her before I start trashing stuff to make sure it was worth it for her.  She might not even use OWA anymore.  I didn't hear back from the her yet so I didn't do it.
0
 

Author Closing Comment

by:Rosspope
ID: 31660445
I did not delete the user and recreate it again.  Wasn't worth it for me.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On September 18, Experts Exchange launched the first installment of the Help Bell, a new feature for Premium Members, Team Accounts, and Qualified Experts. The Help Bell will serve as an additional tool to help teams increase question visibility.
Are you looking for the options available for exporting EDB files to PST? You may be confused as they are different in different Exchange versions. Here, I will discuss some options available.
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

927 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question