Solved

Exchange 2010 OWA URL and 401 unauthorized error

Posted on 2010-04-08
Last Modified: 2012-05-09
I have an Exchange 2010 server, which we'll call EXSERV1; its IP is 10.10.1.1.  The certificate I moved from our Exchange 2003 environment has the name mail.domain.com.  My internal and external URLs are both set to https://mail.domain.com/owa.  I am not using FBA, only Basic and Integrated Authentication.

I can get to https://EXSERV1/OWA and it logs me in automatically (other than the cert warning that I have to click OK to)

I can get to https://10.10.1.1/OWA and it logs me in automatically (other than the cert warning that I have to click OK to)

Now the problem... what I want to use is https://mail.domain.com/owa, but when I go to that it prompts me for authentication, then doesn't accept them and eventually gives a 401 Unauthorized error.  Externally I'm using the same address, https://mail.domain.com/owa and that works just fine.

I can't figure out why internally I can use the server name, server ip address, but not mail.domain.com.  My internal dns for mail.domain.com does resolve to the IP of the server.  I tried taking off the requirement for SSL on the OWA directory, but that didn't make a difference.

To further complicate things, I later found that https://mail.domain.com/owa does work on Windows 7 machines with IE 8, but not Windows XP with IE 6 or 7.  I assume there is some issue with proper authentication.
Question by:jpletcher1
17 Comments
 
LVL 49

Expert Comment

by:Akhater
ID: 30173179
Are you using domain\user to try to log on?

Open EMC -> server config -> select your server.

Open the OWA virtual directory and enable forms-based authentication.

Repeat the same for the ECP virtual directory,

and test now.
 

Author Comment

by:jpletcher1
ID: 30201629
I am using domain\user to login.  I need user A to be able to login to shared mailbox B by putting the URL in and having it open the OWA session for user B automatically without asking for username and password because user A does not have shared mailbox B's password.  This is why I was trying to use basic and integrated authentication instead of FBA.  
 
LVL 49

Expert Comment

by:Akhater
ID: 30211727
I understand this. Can you just test FBA to be able to identify the source of the problem?

 

Author Comment

by:jpletcher1
ID: 30473041
I had FBA enabled originally, and it worked fine logging in that way with domainname\username yes.
 

Author Comment

by:jpletcher1
ID: 30523214
So to clear this up a bit, when using FBA, I can use the link https://mail.domain.com.  It brings up the login page, I login.  Works fine.  Once I turn off FBA and use basic/integrated authentication, when I go to https://mail.domain.com I get prompted for credentials and then it does not accept them and gives me the 401 error.  The only way I can get OWA to work internally with basic/integrated auth is by using https://servername/owa.

Our Communicator clients also have integration errors connecting to EWS, and the URL Communicator uses to connect to EWS is the mail.domain.com address as well, so I'm sure the two are related.
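A quick way to separate the two possible causes of that 401 (the server not accepting integrated authentication for the mail.domain.com name, versus IE refusing to send the logged-on credentials to that name) is to take IE out of the picture. The PowerShell probe below is an added example and is not from the thread; it uses the question's placeholder URLs and assumes it is run on a domain-joined workstation as the user whose mailbox should open. Unlike IE, .NET's HttpWebRequest with UseDefaultCredentials sends the logon credentials to any host regardless of IE security zone, so if the probe logs in at https://mail.domain.com/owa while IE prompts, the problem is on the client (zone policy); if the probe also gets a 401 there, the problem is on the server side (virtual directory authentication settings, Kerberos/SPN).

```powershell
# Added diagnostic, not from the thread. URLs are the question's placeholders.
# Assumption: the OWA virtual directory is set to Basic + Integrated (no FBA)
# with SSL required, as the question describes.
$urls = @('https://EXSERV1/owa', 'https://10.10.1.1/owa', 'https://mail.domain.com/owa')

# The question mentions a certificate-name warning on the server-name and IP
# URLs. Disable TLS validation for this probe only, so the result reflects
# authentication rather than the certificate. Never do this in production code.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }

function Probe-Owa {
    param([string]$Url, [bool]$SendCreds)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false          # a 302 to /owa/ already means auth succeeded
    $req.UseDefaultCredentials = $SendCreds  # $true: answer Negotiate/NTLM with the logon token
    $req.UserAgent = 'owa-auth-probe'
    try {
        $resp = $req.GetResponse()
        $result = '{0} {1}' -f [int]$resp.StatusCode, $resp.StatusDescription
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp -eq $null) { return $_.Exception.Message }   # DNS/TCP failure, no HTTP reply
        # On a 401 the WWW-Authenticate headers list the schemes the server offers
        $schemes = ($resp.Headers.GetValues('WWW-Authenticate')) -join ', '
        $result = '{0} {1} [offers: {2}]' -f [int]$resp.StatusCode, $resp.StatusDescription, $schemes
    }
    $resp.Close()
    return $result
}

foreach ($url in $urls) {
    # First pass anonymous (shows the challenge), second pass with the logon token
    "{0}`n  anonymous : {1}`n  integrated: {2}" -f $url, (Probe-Owa $url $false), (Probe-Owa $url $true)
}
```

The anonymous pass records which schemes the virtual directory offers (Negotiate, NTLM, Basic); the integrated pass shows whether the logon token is accepted for that particular host name. Compare the three URLs side by side: a name that works for the server name but not for mail.domain.com narrows the fault to something tied to that name, which is what an SPN is.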
 
LVL 49

Expert Comment

by:Akhater
ID: 30524442
Yes, this is normal, since integrated authentication works that way. I am just wondering if manually adding an SPN would work. Give me 1 hour to think it over and I will get back to you with an action plan.
 
LVL 49

Expert Comment

by:Akhater
ID: 30527555
Would it be a solution for you to disable integrated authentication and enable only Basic?
 

Author Comment

by:jpletcher1
ID: 30528024
The issue is that in the past users have never had to login to their mail with username and password, so they want to keep it that way.  I assume with only basic it would ask for credentials every time?
 
LVL 49

Assisted Solution

by:Akhater
Akhater earned 1000 total points
ID: 30529376
OK, let's try another thing.

From a DC run:

SetSpn -A HOST/mail.domain.com servername

This should work.
 

Author Comment

by:jpletcher1
ID: 30534855
Thanks, I will give this a try.  Is there a command I can run to see what this is currently set to and also a command to change back in case this were to affect things in a negative way?
 
LVL 49

Expert Comment

by:Akhater
ID: 30535200
setspn -l servername will give you the list of all SPNs currently registered.
 

Author Comment

by:jpletcher1
ID: 30536431
Added the SPN, I see it listed now, but same issue happening.
 
LVL 49

Expert Comment

by:Akhater
ID: 30625940
Then I have been thinking in the wrong direction. Can you try to confirm whether it is an IE problem or a Windows one?

i.e. can you install IE8 on an XP machine and test?
 

Author Comment

by:jpletcher1
ID: 30626203
I have actually opened a case with MS on this.  I did try to install IE8 on the XP machine, and that didn't change anything, so it must be a difference between XP and Windows 7.  Adding an SPN for HTTP rather than HOST got us a little farther: going to https://mail.domain.com/owa worked, but it still required a logon rather than using Integrated Auth and taking us right in.  We are at the point where we are doing packet captures from a Windows 7 machine to compare to the XP machine and seeing what the difference is.

Thanks for keeping up with this issue Akhater.
 
LVL 49

Expert Comment

by:Akhater
ID: 30626408
Glad to know the SPN idea was not so dumb after all :)

Very curious to know the answer, by the way, and thanks for the update.
 

Accepted Solution

by:jpletcher1
jpletcher1 earned 0 total points
ID: 30833466
The issue turned out to be that our Exchange 2003 server had the SPN of HTTP/mail.domain.com as well as the new Exchange 2010 server, so this was causing issues.  With that change, I was able to get to OWA with https://mail.domain.com, but it still required me to authenticate rather than use integrated authentication.  So to fix this, I had to add https://mail.domain.com to the IE Intranet Site list.  Then I was FINALLY able to use https://mail.domain.com internally and not be prompted for credentials using only Basic and Integrated Authentication.

What a pain SPNs can be.  I guess this would be the case for anyone using a non-default out of the box url for OWA and who also doesn't use FBA.  I guess if their old server didn't have a SPN then they would be fine other than the IE change.  

I will award partial points for the SPN suggestion you gave, Akhater.  You were on the right track.  Thanks
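The SPN commands used in the thread (setspn -A to add, setspn -l to list) and the two fixes from the accepted solution (a duplicate HTTP/mail.domain.com SPN held by both the old Exchange 2003 server and EXSERV1, plus adding mail.domain.com to IE's Local intranet zone) collected into one script. This is an added example, not something posted in the thread. OLDEX2003 is an assumed name for the old Exchange 2003 server; the script assumes setspn.exe from Windows Server 2008 or later (the -S, -Q and -X switches), a domain admin session, and that OWA on EXSERV1 authenticates under the computer account, which is the Exchange 2010 default (if the application pool ran as a domain service account, the SPN would belong on that account instead).

```powershell
# Added example; not from the thread. EXSERV1 and mail.domain.com are the
# question's placeholders, OLDEX2003 is an assumed name for the old server.
$spn     = 'HTTP/mail.domain.com'   # the browser asks the KDC for HTTP/<host in the URL>
$newExch = 'EXSERV1'
$oldExch = 'OLDEX2003'

# 1. Who currently holds the SPN? Kerberos needs exactly one account per SPN;
#    two holders is the thread's root cause.
setspn -Q $spn

# 2. Domain-wide duplicate report, to catch any other name in the same state.
setspn -X

# 3. Remove the SPN from the server that no longer answers for the URL ...
setspn -D $spn $oldExch

# 4. ... and register it on the Exchange 2010 computer account. -S checks for
#    duplicates before adding, unlike -A as used earlier in the thread.
setspn -S $spn $newExch

# 5. Confirm the result on the new server.
setspn -L $newExch

# 6. Client side: IE sends the logged-on user's credentials automatically only to
#    sites in the Local intranet zone. A bare server name qualifies by default,
#    a dotted name such as mail.domain.com does not, which is why the server-name
#    URL logged in silently and the FQDN prompted. Per-user fix via the registry
#    (for the whole domain, use the "Site to Zone Assignment List" Group Policy
#    setting with the value 1 instead).
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\domain.com\mail'
New-Item -Path $zoneKey -Force | Out-Null
# Value name is the scheme, data is the zone number: 1 = Local intranet
New-ItemProperty -Path $zoneKey -Name 'https' -PropertyType DWord -Value 1 -Force | Out-Null
```

Run steps 1 and 2 before changing anything: setspn -Q names the account(s) that currently hold the SPN, so you can see the duplicate rather than guess. If step 1 also shows the SPN on an account you did not expect, that account is the one to clean, not OLDEX2003. After step 6 the user must start a new IE session for the zone change to take effect.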
 
LVL 49

Expert Comment

by:Akhater
ID: 30837216
Thank you for the updates, highly appreciated!

