• Status: Solved

OWA on exchange 2003 will work via http but not for everyone on https

We have just added an SSL and new domain name for our OWA installation.  I have been testing with my login for a few days and it works great.  We released it to everyone else and I have end users reporting they can not log in.

I remoted to their machine and they are correct: they are unable to log in.  I tested my login and it works fine.  So I hit the https://serverIP/exchange and they were able to log in without issue.  It only seems to keep them from logging in when they are using the https:// connection.

Regards,

John
Asked by: stuart100

SteveIT Manager Commented:
is the ssl certificate public or on your local machine ?

also have you added the site to the users' trusted site list

endital1097 Commented:
first, you said https://serverip/exchange they could login
then you say only doesn't work when using https

so is it https://servername/exchange that doesn't work or https://anything/exchange

it would seem like a name resolution issue

stuart100 (Author) Commented:
Sorry they are able to login via the http://serverip/exchange link but not the https://  Typo.

On their machines they are unable to login but my login works on their machine to the https:// link so I am not sure what the trusted sites will do but I will test.

Not sure the difference of the SSL.  It was purchased through Network Solutions and is attached to the default website on the exchange server.
 
pcfreaker Commented:
Hi,
Have these computers added the OWA certificate?
Other thing, check this link, it helps to view the user's permissions, since if you can and they can't, it might be access denial
http://technet.microsoft.com/en-us/library/bb885050(EXCHG.80).aspx
If you could capture the exact error maybe we could figure out what could be keeping them from logging in on OWA.
Rgds.

sunnyc7 Commented:
Open IE
Go to Tools > Options > Advanced
Scroll down to check if all TLS and SSL check boxes are checked.

thanks

stuart100 (Author) Commented:
TLS and SSL 3 were checked.  I checked 2 and no luck.

Here is the error.

You are not authorized to view this page
You do not have permission to view this directory or page due to the access control list (ACL) that is configured for this resource on the Web server.
--------------------------------------------------------------------------------

Please try the following:

Contact the Web site administrator if you believe you should be able to view this directory or page.
Click the Refresh button to try again with different credentials.
HTTP Error 401.3 - Unauthorized: Access is denied due to an ACL set on the requested resource.
Internet Information Services (IIS)

--------------------------------------------------------------------------------

Technical Information (for support personnel)

Go to Microsoft Product Support Services and perform a title search for the words HTTP and 401.
Open IIS Help, which is accessible in IIS Manager (inetmgr), and search for topics titled About Security, Access Control, and About Custom Error Messages.

stuart100 (Author) Commented:
Ok here is an interesting change/test.  If I add the OWA link to my local intranet trusted sites and change Exchange to Forms Based Authentication I get the Out Webmail form I want and IE stops just popping up the login prompt on my machine.  Then all log ins work on my machine but I can't have everyone add that site to the local intranet page. Also when I tested outside of our building on another machine doing all of that it still did not bring up the Outlook OWA form log in page IE would still throw up the IE log in prompt.

John

sunnyc7 Commented:
John

from your computer can you check this

www.canyouseeme.org
Test for ports 25 80 443
See if they are open ?

Login to your firewall and check if the following ports are forwarded to internal lan IP of exchange server.

endital1097 Commented:
forms based authentication gives you the pretty gui login interface
when you disable fba you get the generic login prompt box

the exchange vdir should have windows and basic authentication enabled

stuart100 (Author) Commented:
sunnyc7 from the mail server all three of those ports can be reached.

Endital1097: well we want the pretty gui so I left that setting alone I did add the Basic Authentication and I will test again.

stuart100 (Author) Commented:
Well now it prompts me for a login and once I put mine in it lets me to the gui page to log in again.

endital1097 Commented:
are you browsing to https://server or https://server/exchange
it sounds like you are going to the first which has basic authentication enabled and once you get to that page you are redirected to the /exchange vdir

sunnyc7 Commented:
check if your default domain is set to \
like this
http://www.msexchange.org/tutorials/OWA2003Forms-based-Authentication-default-domain.html

start > run > inetmgr
Expand Websites > default Websites > exchange
Right click properties
Directory security
Authentication And Access Control > EDIT

Check if the default domain is set to \
If not change it there.

stuart100 (Author) Commented:
endital1097: Interesting you should ask that question. We wanted to redirect all traffic that comes into https://server to the /exchange virtual directory. So we did the following.

http://support.microsoft.com/kb/555053

We did everything down to step 5 that helps give a nice error message to the port 80 folks.

Sunnyc7:  My domain is set to \ should that read domainname\?

endital1097 Commented:
in that case, you want the following for the default web site
home directory tab - a redirection to a url = /exchange
directory security tab - enable anonymous access only, do not require a secure channel

for the exchange virtual directory
directory security tab - basic authentication, default domain either "\" or "DOMAIN"
custom errors tab - 404;4 to URL /CustomErrors/owahttps.asp

stuart100 (Author) Commented:
Endital1097: when I make those changes none of the links work http or https I just get the page can not be displayed.

stuart100 (Author) Commented:
Things go back to "normal" when I go to my default webpage and tell it not to redirect to /exchange.

endital1097 Commented:
not even an http error code?

that configuration redirects all traffic to your server to the exchange vdir
the customerror configuration ensures the traffic is https

make sure on the documents page you add the owahttps.asp (or whatever you named it) and move it to the top

stuart100 (Author) Commented:
I have been checking the other machines and it looks like they are working as long as I type https://domainname/exchange.  So the only thing I think we need to get working is that redirect to the exchange directory.

I still need to check a few other machines.

John

stuart100 (Author) Commented:
well when I went into the custom error tab there was not a 404;4 on the exchange virtual directory.

John

endital1097 Commented:
sorry; 404;3

endital1097 Commented:
sorry 403.4

sick and I can't type today, going to have to go home

endital1097 Commented:
let me try the exchange vdir again first:
Directory Security tab - Basic authentication with default domain set to either "\" or "DOMAIN" and edit secure communications to require SSL
Custom Errors tab - 403;4 with URL message type and the URL string "/CustomErrors/owahttps.asp"

endital1097 Commented:
Default web site:
Home directory tab - A redirection to a URL "/exchange", with A directory below URL and A permanent redirection enabled, and the Application pool set to ExchangeApplicationPool
Directory security tab - Enable anonymous and edit secure communications to not require SSL
Custom errors tab - 403;4 (same as Exchange vdir)
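
A check an administrator could run over the finished configuration from the two comments above, added here as an example and not code from any poster: it reviews unauthenticated, non-followed responses and flags a Basic challenge offered over plain HTTP, a credential prompt at the site root, and a redirect that leaves HTTPS. The function name `audit_owa`, the host `mail.example.test` and the sample responses are constructed, and the 302 from the custom error page is an assumption about how owahttps.asp redirects.

```python
from urllib.parse import urljoin, urlsplit

def audit_owa(responses):
    """Review unauthenticated GET results (redirects not followed).

    Each item is {"url", "status", "headers"}; returns (url, finding) pairs.
    """
    findings = []
    for r in responses:
        url, status = r["url"], r["status"]
        hdrs = {k.lower(): v for k, v in r["headers"].items()}
        req = urlsplit(url)
        is_root = req.path in ("", "/")
        # Basic credentials are only base64-encoded, so a challenge on
        # http:// means the vdir is missing "require SSL".
        if status == 401 and req.scheme == "http" and \
                "basic" in hdrs.get("www-authenticate", "").lower():
            findings.append((url, "Basic challenge over plain HTTP"))
        # The site root should be anonymous and only redirect; a 401 here
        # is the double login prompt described in the thread.
        if status == 401 and is_root:
            findings.append((url, "credential prompt at site root"))
        if status in (301, 302):
            target = urlsplit(urljoin(url, hdrs.get("location", "")))
            if req.scheme == "https" and target.scheme != "https":
                findings.append((url, "redirect leaves HTTPS"))
            if is_root and not target.path.lower().startswith("/exchange"):
                findings.append((url, "root does not redirect to /exchange"))
    return findings

# Constructed samples; mail.example.test is a placeholder host.
BEFORE = [
    {"url": "http://mail.example.test/exchange", "status": 401,
     "headers": {"WWW-Authenticate": 'Basic realm="mail.example.test"'}},
    {"url": "https://mail.example.test/", "status": 401,
     "headers": {"WWW-Authenticate": 'Basic realm="mail.example.test"'}},
]
AFTER = [
    {"url": "http://mail.example.test/exchange", "status": 302,
     "headers": {"Location": "https://mail.example.test/exchange"}},
    {"url": "https://mail.example.test/", "status": 301,
     "headers": {"Location": "/exchange"}},
    {"url": "https://mail.example.test/exchange", "status": 401,
     "headers": {"WWW-Authenticate": 'Basic realm="mail.example.test"'}},
]

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_owa(sample))
```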

stuart100 (Author) Commented:
That worked but what does the A permanent redirection enabled do to it?  I did not select that because permanent was such a strong word... kind of like "Until death do you part"

John

endital1097 Commented:
it sends an http code 302 so that the client does not attempt to go to the original url again

stuart100 (Author) Commented:
Thanks everyone it works great for everyone now...
Question has a verified solution.
