Exchange 2010 OWA URL and 401 unauthorized error

I have an Exchange 2010 server, we'll call EXSERV1 and the IP is 10.10.1.1.  The certificate I moved from our Exchange 2003 environment has the name mail.domain.com.  My internal and external urls are both set to https://mail.domain.com/owa.  I am not using FBA, only Basic and Integrated Authentication.

I can get to https://EXSERV1/OWA and it logs me in automatically (other than the cert warning that I have to click OK to)

I can get to https://10.10.1.1/OWA and it logs me in automatically (other than the cert warning that I have to click OK to)

Now the problem... what I want to use is https://mail.domain.com/owa, but when I go to that it prompts me for authentication, then doesn't accept them and eventually gives a 401 Unauthorized error.  Externally I'm using the same address, https://mail.domain.com/owa and that works just fine.

I can't figure out why internally I can use the server name, server ip address, but not mail.domain.com.  My internal dns for mail.domain.com does resolve to the IP of the server.  I tried taking off the requirement for SSL on the OWA directory, but that didn't make a difference.

To further complicate things, I later found that https://mail.domain.com/owa does work on Windows 7 machines with IE 8, but not Windows XP with IE 6 or 7.  I assume there is some issue with proper authentication.
jpletcher1Asked:

AkhaterCommented:
are you using domain\user to try to logon ?

open EMC -> server config -> select your sever

open the OWA virtual directory and enable form based authentication

repeat the same for the ECP virtual directory

and test now
0
jpletcher1Author Commented:
I am using domain\user to login.  I need user A to be able to login to shared mailbox B by putting the URL in and having it open the OWA session for user B automatically without asking for username and password because user A does not have shared mailbox B's password.  This is why I was trying to use basic and integrated authentication instead of FBA.  
0
AkhaterCommented:
i understand this, can you just test FBA to be able to identify the source or the problem ?
0
jpletcher1Author Commented:
I had FBA enabled originally, and it worked fine logging in that way with domainname\username yes.
0
jpletcher1Author Commented:
So to clear this up a bit, when using FBA, I can use the link https://mail.domain.com.  It brings up the login page, I login.  Works fine.  Once I turn off FBA and use basic/integrated authentication, when I go to https://mail.domain.com I get prompted for credentials and then it does not accept them and gives me the 401 error.  The only way I can get OWA to work internally with basic/integrated auth is by using https://servername/owa.

Our Communicator clients also have integration errors connecting to EWS, and the URL Communicator uses to connect to EWS is the mail.domain.com address as well, so I'm sure the two are related.
0
AkhaterCommented:
yes this is normal since integrated authentication works that way. I am just wondering if manually adding an SPN would work. give me 1 hour to think it over and I will get back to you with an action plan
0
AkhaterCommented:
would it be a solution for you to disable integrated authentication and enable only basic?
0
jpletcher1Author Commented:
The issue is that in the past users have never had to login to their mail with username and password, so they want to keep it that way.  I assume with only basic it would ask for credentials every time?
0
AkhaterCommented:
ok let's try another thing

from a dc run

SetSpn -A HOST/mail.domain.com servername

this should work
0
jpletcher1Author Commented:
Thanks, I will give this a try.  Is there a command I can run to see what this is currently set to and also a command to change back in case this were to affect things in a negative way?
0
AkhaterCommented:
setspn -l servername will give you the list of all SPNs currently registered
0
jpletcher1Author Commented:
Added the SPN, I see it listed now, but same issue happening.
0
AkhaterCommented:
then I have been thinking in the wrong direction, can you try to confirm if it is an IE problem or a Windows one?

i.e. can you install IE8 on an XP machine and test ?
0
jpletcher1Author Commented:
I have actually opened a case with MS on this.  I did try to install IE8 on the XP machine, and that didn't change anything, so it must be a difference between XP and Windows 7.  Adding an SPN for HTTP rather than HOST got us a little farther: going to https://mail.domain.com/owa worked, but it still required a logon rather than using Integrated Auth and taking us right in.  We are at the point where we are doing packet captures from a Windows 7 machine to compare to the XP machine and seeing what the difference is.

Thanks for keeping up with this issue Akhater.
0
AkhaterCommented:
glad to know the SPN idea was not so dumb after all :)

very curious to know the answer by the way and thanks for the update
0
jpletcher1Author Commented:
The issue turned out to be that our Exchange 2003 server had the SPN of HTTP/mail.domain.com as well as the new Exchange 2010 server, so this was causing issues.  With that change, I was able to get to OWA with https://mail.domain.com, but it still required me to authenticate rather than use integrated authentication.  So to fix this, I had to add https://mail.domain.com to the IE Intranet Site list.  Then I was FINALLY able to use https://mail.domain.com internally and not be prompted for credentials using only Basic and Integrated Authentication.

What a pain SPNs can be.  I guess this would be the case for anyone using a non-default, out-of-the-box URL for OWA who also doesn't use FBA.  I guess if their old server didn't have an SPN then they would be fine other than the IE change.

I will award partial points for the SPN suggestion you gave Akhater.  You were on the right track.  Thanks
0
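The root cause above (HTTP/mail.domain.com registered on both the old Exchange 2003 and the new Exchange 2010 computer accounts) and the earlier setspn suggestion can be checked and repaired with the standard setspn.exe tool. This is an added example, not a command sequence from the thread; the old server name EXCH2003 is a placeholder, and the alias, new server name and IE zone registry path are assumptions.

```powershell
# Added example: find and fix a duplicate HTTP SPN for an OWA alias, then put the
# alias in IE's Local intranet zone so Integrated Windows Auth logs on silently.
# Assumptions: alias mail.domain.com, new server EXSERV1, old server EXCH2003 (placeholder).
# Run as a Domain Admin on a DC or a box with the AD RSAT tools installed.

$Alias     = 'mail.domain.com'
$NewServer = 'EXSERV1'
$OldServer = 'EXCH2003'   # placeholder for the decommissioned Exchange 2003 host

# 1. Which accounts hold the alias SPN right now? Kerberos needs exactly one.
#    -Q searches the whole forest for that specific SPN.
setspn -Q "HTTP/$Alias"

# 2. Forest-wide duplicate report. Any SPN listed under two accounts breaks
#    Kerberos for that service: the KDC may issue a ticket encrypted for the
#    other account's key, the real server cannot decrypt it, and the browser
#    falls into the retry-then-401 loop described in the question.
setspn -X

# 3. Full SPN lists for both computer accounts, for side-by-side comparison.
setspn -L $NewServer
setspn -L $OldServer

# 4. Remove the stale registration from the old server ...
setspn -D "HTTP/$Alias" $OldServer

# 5. ... and register it on the new server. -S refuses to add the SPN if it
#    already exists elsewhere in the forest, so it is safer than -A.
setspn -S "HTTP/$Alias" $NewServer

# 6. Confirm exactly one holder remains.
setspn -Q "HTTP/$Alias"

# 7. Client side: IE only sends Windows credentials silently to sites in the
#    Local intranet zone. A bare host name (https://EXSERV1/owa) qualifies
#    automatically; a dotted FQDN alias does not, hence the prompt that
#    remained after the SPN fix. Value 1 = Local intranet. This sets it for
#    the current user; push the same key via Group Policy for everyone.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\domain.com\mail'
New-Item -Path $ZoneKey -Force | Out-Null
New-ItemProperty -Path $ZoneKey -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null
```

Running step 2 periodically (or after any server migration) catches leftover SPNs before users see authentication failures.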
AkhaterCommented:
Thank you for the updates highly appreciated!

0