Solved

OWA on exchange 2003 will work via http but not for everyone on https

Posted on 2010-08-23
Last Modified: 2012-06-27
We have just added an SSL and new domain name for our OWA installation.  I have been testing with my login for a few days and it works great.  We released it to everyone else and I have end users reporting they can not log in.

I remoted to their machine and they are correct, they are unable to log in.  I tested my login and it works fine.  So I hit the https://serverIP/exchange and they were able to log in without issue.  It only seems to keep them from logging in when they are using the https:// connection.

Regards,

John
Question by:stuart100
27 Comments
 
LVL 17

Expert Comment

by:sgsm81
ID: 33503473
is the ssl certificate public or on your local machine ?

also have you added the site to the users' trusted site list
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33503481
first, you said https://serverip/exchange they could login
then you say only doesn't work when using https

so is it https://servername/exchange that doesn't work or https://anything/exchange

it would seem like a name resolution issue
0
 

Author Comment

by:stuart100
ID: 33503654
Sorry they are able to login via the http://serverip/exchange link but not the https://  Typo.

On their machines they are unable to login but my login works on their machine to the https:// link so I am not sure what the trusted sites will do but I will test.

Not sure the difference of the SSL.  It was purchased through Network Solutions and is attached to the default website on the exchange server.
0
 
LVL 11

Expert Comment

by:pcfreaker
ID: 33503758
Hi,
Have these computers added the OWA certificate?
Other thing, check this link, it helps to view the user's permissions, since if you can and they can't, it might be access denial
http://technet.microsoft.com/en-us/library/bb885050(EXCHG.80).aspx
If you could capture the exact error maybe we could figure out what could be keeping them from logging in on OWA.
Rgds.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33504318
Open IE
Go to Tools > Options > Advanced
Scroll down to check if all TLS and SSL check boxes are checked.

thanks
0
 

Author Comment

by:stuart100
ID: 33505400
TLS and SSL 3 were checked.  I checked 2 and no luck.

Here is the error.

You are not authorized to view this page
You do not have permission to view this directory or page due to the access control list (ACL) that is configured for this resource on the Web server.
--------------------------------------------------------------------------------

Please try the following:

Contact the Web site administrator if you believe you should be able to view this directory or page.
Click the Refresh button to try again with different credentials.
HTTP Error 401.3 - Unauthorized: Access is denied due to an ACL set on the requested resource.
Internet Information Services (IIS)

--------------------------------------------------------------------------------

Technical Information (for support personnel)

Go to Microsoft Product Support Services and perform a title search for the words HTTP and 401.
Open IIS Help, which is accessible in IIS Manager (inetmgr), and search for topics titled About Security, Access Control, and About Custom Error Messages.
0
 

Author Comment

by:stuart100
ID: 33505552
Ok here is an interesting change/test.  If I add the OWA link to my local intranet trusted sites and change Exchange to Forms Based Authentication I get the Out Webmail form I want and IE stops just popping up the login prompt on my machine.  Then all log ins work on my machine but I can't have everyone add that site to the local intranet page. Also when I tested outside of our building on another machine doing all of that it still did not bring up the Outlook OWA form log in page IE would still throw up the IE log in prompt.

John
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33505569
John

from your computer can you check this

www.canyouseeme.org
Test for ports 25 80 443
See if they are open ?

Login to your firewall and check if the following ports are forwarded to internal lan IP of exchange server.
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33506755
forms based authentication gives you the pretty gui login interface
when you disable fba you get the generic login prompt box

the exchange vdir should have windows and basic authentication enabled
0
 

Author Comment

by:stuart100
ID: 33510051
sunnyc7 from the mail server all three of those ports can be reached.

Endital1097: well we want the pretty gui so I left that setting alone I did add the Basic Authentication and I will test again.
0
 

Author Comment

by:stuart100
ID: 33510076
Well now it prompts me for a login and once I put mine in it lets me to the gui page to log in again.
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33510103
are you browsing to https://server or https://server/exchange
it sounds like you are going to the first which has basic authentication enabled and once you get to that page you are redirected to the /exchange vdir
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33510141
check if your default domain is set to \
like this
http://www.msexchange.org/tutorials/OWA2003Forms-based-Authentication-default-domain.html

start > run > inetmgr
Expand Websites > default Websites > exchange
Right click properties
Directory security
Authentication And Access Control > EDIT

Check if the default domain is set to \
If not change it there.
0
 

Author Comment

by:stuart100
ID: 33510186
endital1097: Interesting you should ask that question. We wanted to redirect all traffic that comes into https://server to the /exchange virtual directory. So we did the following.

http://support.microsoft.com/kb/555053

We did everything down to step 5 that helps give a nice error message to the port 80 folks.

Sunnyc7:  My domain is set to \ should that read domainname\?

0
 
LVL 32

Accepted Solution

by:
endital1097 earned 500 total points
ID: 33510262
in that case, you want the following for the default web site
home directory tab - a redirection to a url = /exchange
directory security tab - enable anonymous access only, do not require a secure channel

for the exchange virtual directory
directory security tab - basic authentication, default domain either "\" or "DOMAIN"
custom errors tab - 404;4 to URL /CustomErrors/owahttps.asp
0
 

Author Comment

by:stuart100
ID: 33510320
Endital1097: when I make those changes none of the links work, http or https, I just get the page can not be displayed.
0
 

Author Comment

by:stuart100
ID: 33510332
Things go back to "normal" when I go to my default webpage and tell it not to redirect to /exchange.
0
 
LVL 32

Assisted Solution

by:endital1097
endital1097 earned 500 total points
ID: 33510348
not even an http error code?

that configuration redirects all traffic to your server to the exchange vdir
the customerror configuration ensures the traffic is https

make sure on the documents page you add the owahttps.asp (or whatever you named it) and move it to the top
0
 

Author Comment

by:stuart100
ID: 33510371
I have been checking the other machines and it looks like they are working as long as I type https://domainname/exchange.  So the only thing I think we need to get working is that redirect to the exchange directory.

I still need to check a few other machines.

John
0
 

Author Comment

by:stuart100
ID: 33510386
well when I went into the custom error tab there was not a 404;4 on the exchange virtual directory.

John
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33510399
sorry; 404;3
0
 
LVL 32

Assisted Solution

by:endital1097
endital1097 earned 500 total points
ID: 33510415
sorry 403.4

sick and I can't type today, going to have to go home
0
 
LVL 32

Assisted Solution

by:endital1097
endital1097 earned 500 total points
ID: 33510441
let me try the exchange vdir again first:
Directory Security tab - Basic authentication with default domain set to either "\" or "DOMAIN" and edit secure communications to require SSL
Custom Errors tab - 403;4 with URL message type and the URL string "/CustomErrors/owahttps.asp"
0
 
LVL 32

Assisted Solution

by:endital1097
endital1097 earned 500 total points
ID: 33510467
Default web site:
Home directory tab - A redirection to a URL "/exchange", with A directory below URL and A permanent redirection enabled, and the Application pool set to ExchangeApplicationPool
Directory security tab - Enable anonymous and edit secure communications to not require SSL
Custom errors tab - 403;4 (same as Exchange vdir)
0
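An added example, not part of the thread: a Python check that walks the redirect chain the two configuration posts above describe and flags any hop where credentials are requested over plain HTTP or where the chain fails to end on HTTPS under /exchange. The host name mail.example.test and both response tables are constructed, and the 403;4 custom error page is assumed to answer with a 302 to the HTTPS URL.

```python
import http.client
from urllib.parse import urljoin, urlsplit
REDIRECTS = (301, 302, 303, 307, 308)

def live_fetch(url):
    """One GET without following redirects; returns (status, lower-cased headers)."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=10)
    try:
        conn.request("GET", u.path or "/")
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()

def trace(url, fetch=live_fetch, max_hops=6):
    """Follow Location headers by hand, recording (url, status, auth challenge)."""
    hops = []
    for _ in range(max_hops):
        status, headers = fetch(url)
        hops.append((url, status, headers.get("www-authenticate", "")))
        if status not in REDIRECTS or "location" not in headers:
            break
        url = urljoin(url, headers["location"])
    return hops

def audit(hops):
    """Return a list of problems; an empty list means the chain looks as intended."""
    findings = []
    for url, status, challenge in hops:
        if status == 401 and urlsplit(url).scheme == "http":
            findings.append(f"credentials requested over cleartext at {url} ({challenge})")
    if urlsplit(hops[-1][0]).scheme != "https":
        findings.append(f"chain ends on non-HTTPS URL {hops[-1][0]}")
    if not any(urlsplit(u).path.lower().startswith("/exchange") for u, _, _ in hops):
        findings.append("chain never reaches /exchange")
    return findings

START = "http://mail.example.test/"  # all sample data below is constructed
GOOD = {
    START: (302, {"location": "/exchange"}),
    "http://mail.example.test/exchange": (302, {"location": "https://mail.example.test/exchange"}),
    "https://mail.example.test/exchange": (401, {"www-authenticate": 'Basic realm="mail.example.test"'}),
}
BAD = {  # vdir does not require SSL, so Basic auth is offered over plain HTTP
    START: (302, {"location": "/exchange"}),
    "http://mail.example.test/exchange": (401, {"www-authenticate": 'Basic realm="mail.example.test"'}),
}
```

`audit(trace(START, GOOD.__getitem__))` returns an empty list, while the BAD table yields two findings; calling `trace(url)` without a fetch argument probes a live server instead of the sample tables.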
 

Author Comment

by:stuart100
ID: 33510811
That worked but what does the A permanent redirection enabled do to it?  I did not select that because permanent was such a strong word... kind of like "Until death do you part"

John

0
 
LVL 32

Expert Comment

by:endital1097
ID: 33510848
it sends an http code 302 so that the client does not attempt to go to the original url again
0
 

Author Comment

by:stuart100
ID: 33512443
Thanks everyone it works great for everyone now...
0
