Solved

OWA Problem after upgrading Active Directory

Posted on 2011-02-16
38
857 Views
Last Modified: 2012-05-11
Hello,

I have a problem since I migrated my AD from 2000 to 2008 R2 last week. I cannot log on to Outlook Web Access without entering the domain before the login; to log in I have to enter the following credentials: domain\username

This problem only appears with Windows clients using Internet Explorer; no problem with mobile devices, Macs, or PCs using Firefox.

This was my old configuration:

2 x Windows 2000 Server (SP4) Domain Controllers, one with Exchange 2003 on it.

This is my current configuration:

2 x Windows 2008 R2 Server Domain Controllers
1 x Windows 2000 Server (SP4) with Exchange 2003 (the one that was a DC before the migration)

Does anyone have an idea? Maybe it's around the Internet Information Services configuration, but I'm not used to it and didn't change anything there.
Thank you very much for your help.
0
Question by:ThierrySwissMade
38 Comments
 
LVL 5

Expert Comment

by:zippybungle2003
ID: 34907398
In IIS, is integrated authentication ticked on the OWA virtual directory?
0
 

Author Comment

by:ThierrySwissMade
ID: 34907452
Yes, it is: Integrated Windows Authentication.
0
 
LVL 5

Expert Comment

by:zippybungle2003
ID: 34907499
Open the Exchange Management Console.

Go to server management.

Go to the Client Access server role under Server Configuration.

In the right pane click on the OWA virtual directory, then Properties.

Then configure the authentication and default domain.
0
 

Author Comment

by:ThierrySwissMade
ID: 34907541
Sorry, but I can't find what you're talking about. I only have Exchange System Manager (no Management Console).
0
 
LVL 5

Expert Comment

by:zippybungle2003
ID: 34907556
Sorry, I was in Exchange 2007/2010 mode. I'll find out where the same setting is for you.
0
 

Author Comment

by:ThierrySwissMade
ID: 34907572
Great, thank you!
0
 
LVL 5

Expert Comment

by:zippybungle2003
ID: 34907633
If I remember right, in IIS under OWA or Exchange you will need to enable forms-based authentication.

http://www.petri.co.il/configuring_forms_based_authentication_in_exchange_2003.htm


Once done, under integrated authentication, where you have already set it in the screenshot above, you can then enter the default domain.

Sorry, it's been a while; like I said, I was in 2007/2010 mode!!
0
 

Author Comment

by:ThierrySwissMade
ID: 34907674
Yes, I had found that going to forms-based authentication would make it work. But I wanted to understand why it used to work and now it doesn't!
Thank you, I'll read these articles.
0
 
LVL 20

Expert Comment

by:SatyaPathak
ID: 34910359

1) Default Website              : Anonymous & Integrated    NO SSL
2) Exadmin                      : Integrated                NO SSL
3) Exchweb                      : Anonymous                 NO SSL
4) Exchange                     : Basic                     SSL Optional
5) RPC                          : Basic                     SSL Required
6) OMA                          : Basic                     SSL Optional
7) Public                       : Basic + Integrated        SSL Optional
8) exchange-oma                 : Basic & Integrated        NO SSL
9) Microsoft-Server-ActiveSync  : Basic                     SSL Optional

After that you need to restart the IIS service and check it.
0
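The list above is a per-virtual-directory authentication matrix, and on IIS 6 each row corresponds to two metabase properties: AuthFlags (a bitmask of Anonymous = 1, Basic = 2, Integrated/NTLM = 4) and AccessSSLFlags (bit 8 = "Require secure channel"). The script below is an added example, not code from the thread or from Exchange/IIS, that decodes those bitmasks and compares them with SatyaPathak's list so a mismatch such as "Integrated instead of Basic on the Exchange directory" shows up as a finding rather than as a login prompt. The export line format it parses is constructed for the example; "NO SSL" and "SSL Optional" are both treated as "SSL not required", and "SSL Optional" accepts either state. It also flags, from a defensive point of view, any directory where Basic is enabled without SSL being required, because a Basic credential is only base64-encoded on the wire.

```python
"""Audit IIS 6 metabase AuthFlags / AccessSSLFlags on Exchange 2003 virtual
directories against the expected matrix from the post above.
Added example code; the export format below is constructed (hypothetical),
not the output of adsutil, IIS Manager or any Exchange tool."""
from typing import Dict, List, Set, Tuple

# Documented IIS metabase bit values.
AUTH_ANONYMOUS = 1
AUTH_BASIC = 2
AUTH_NTLM = 4        # shown as "Integrated Windows authentication" in IIS Manager
ACCESS_SSL = 8       # "Require secure channel (SSL)"

# Expected (authentication set, SSL requirement) per directory, taken from the post.
# SSL requirement: "no" (must not be required), "optional" (either), "required".
EXPECTED: Dict[str, Tuple[Set[str], str]] = {
    "Default Web Site": ({"Anonymous", "Integrated"}, "no"),
    "ExAdmin": ({"Integrated"}, "no"),
    "Exchweb": ({"Anonymous"}, "no"),
    "Exchange": ({"Basic"}, "optional"),
    "Rpc": ({"Basic"}, "required"),
    "OMA": ({"Basic"}, "optional"),
    "Public": ({"Basic", "Integrated"}, "optional"),
    "exchange-oma": ({"Basic", "Integrated"}, "no"),
    "Microsoft-Server-ActiveSync": ({"Basic"}, "optional"),
}


def decode_auth(auth_flags: int) -> Set[str]:
    """Translate an AuthFlags bitmask into the names shown in the IIS console."""
    names = set()
    if auth_flags & AUTH_ANONYMOUS:
        names.add("Anonymous")
    if auth_flags & AUTH_BASIC:
        names.add("Basic")
    if auth_flags & AUTH_NTLM:
        names.add("Integrated")
    return names


def parse_export(text: str) -> Dict[str, Tuple[int, int]]:
    """Parse constructed lines 'W3SVC/1/ROOT[/<vdir>] AuthFlags=<n> AccessSSLFlags=<n>'
    into {directory name: (auth_flags, ssl_flags)}; the site root is 'Default Web Site'."""
    result: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, *pairs = line.split()
        values = dict(p.split("=", 1) for p in pairs)
        name = path.split("/ROOT/", 1)[1] if "/ROOT/" in path else "Default Web Site"
        result[name] = (int(values["AuthFlags"]), int(values["AccessSSLFlags"]))
    return result


def audit(config: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str, str]]:
    """Return (directory, kind, message) findings; kind is 'auth', 'ssl', 'info' or 'unknown'."""
    findings: List[Tuple[str, str, str]] = []
    for vdir, (auth_flags, ssl_flags) in config.items():
        if vdir not in EXPECTED:
            findings.append((vdir, "unknown", "no expected setting for this directory"))
            continue
        want_auth, want_ssl = EXPECTED[vdir]
        have_auth = decode_auth(auth_flags)
        ssl_required = bool(ssl_flags & ACCESS_SSL)
        if have_auth != want_auth:
            findings.append((vdir, "auth", f"expected {sorted(want_auth)}, found {sorted(have_auth)}"))
        if want_ssl == "required" and not ssl_required:
            findings.append((vdir, "ssl", "SSL must be required here but is not"))
        elif want_ssl == "no" and ssl_required:
            findings.append((vdir, "ssl", "SSL is required here but the post says NO SSL"))
        if "Basic" in have_auth and not ssl_required:
            findings.append((vdir, "info",
                             "Basic enabled without requiring SSL: credentials travel base64-encoded"))
    return findings


# Constructed sample: the Exchange directory has Integrated instead of Basic
# (the mismatch the thread ran into) and RPC does not require SSL.
SAMPLE_EXPORT = """
W3SVC/1/ROOT AuthFlags=5 AccessSSLFlags=0
W3SVC/1/ROOT/ExAdmin AuthFlags=4 AccessSSLFlags=0
W3SVC/1/ROOT/Exchweb AuthFlags=1 AccessSSLFlags=0
W3SVC/1/ROOT/Exchange AuthFlags=4 AccessSSLFlags=0
W3SVC/1/ROOT/Rpc AuthFlags=2 AccessSSLFlags=0
W3SVC/1/ROOT/OMA AuthFlags=2 AccessSSLFlags=0
W3SVC/1/ROOT/Public AuthFlags=6 AccessSSLFlags=0
W3SVC/1/ROOT/exchange-oma AuthFlags=6 AccessSSLFlags=0
W3SVC/1/ROOT/Microsoft-Server-ActiveSync AuthFlags=2 AccessSSLFlags=8
"""

if __name__ == "__main__":
    for vdir, kind, msg in audit(parse_export(SAMPLE_EXPORT)):
        print(f"{kind:8} {vdir}: {msg}")
```

Run against the constructed sample it reports an `auth` finding for Exchange and an `ssl` finding for Rpc, plus `info` lines for every directory that accepts Basic over plain HTTP; on a real server the export would be produced from the metabase and fed to `parse_export` in the same shape.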
 

Author Closing Comment

by:ThierrySwissMade
ID: 34911477
That's the solution SatyaPathak!
the difference was on the Exchange!
Thank you very much!
0
 

Author Comment

by:ThierrySwissMade
ID: 34911567
Hmm... this solution was good for OWA... but I lost ActiveSync now :-( although the configuration was only different on the Exchange part of IIS.
0
 

Author Comment

by:ThierrySwissMade
ID: 34917043
Thank you Alan!
As he said, it works if I change the authentication settings, but I lose ActiveSync functionality.
So I reverted to the original settings; this way I have to enter domain\username to log on to OWA, and ActiveSync works.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34918237
The ideal model is that there be a FE and a BE Exchange,...with OWA on one,...and ActiveSync on the other.  I only run a single Exchange box,...and gave up on ActiveSync a long time ago.  There was a workaround to use them on the same box but to me it was too complex and "ugly" and I chose not to go there.  I doubt I could even find that information now if I changed my mind.
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 34918476
Check the settings for your Microsoft-Server-ActiveSync virtual directory; it should be set to Basic authentication with SSL turned on.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34918543
ActiveSync is fine; it is OWA that is the issue, and the need to log in without using Domain\, just the username.
0
 
LVL 26

Expert Comment

by:e_aravind
ID: 34918565
I would recommend the Exchange virtual directory to have Integrated authentication to get EAS working fine.

If you are running a single server with FBA, please refer to the KB:
Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003
http://support.microsoft.com/kb/817379
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 34918595
@alanhardisty - as I read the posts, it looks like his OWA problem is resolved but now he is having a problem with ActiveSync. I was posting in response to the request for help with that issue.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34918705
No - the problem is that OWA requires Domain\Username to sign on with since AD was upgraded to incorporate Windows 2008 R2 server, and ThierrySwissMade would just like to log on as Username only (if possible).

ActiveSync is working happily - now that the correct IIS permissions have been put back after SatyaPathak's IIS permissions comment was followed (that was the accepted solution for this comment only; I re-opened the question because that was not a fix that could remain in place, unfortunately).

Sorry if the thread is a little confusing now.

Alan
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34918741
FBA requires Basic,...Basic requires domain\username when coming in from outside,...the OWA web interface even instructs the user to format it that way. So it is supposed to be "domain\username" with FBA.

When coming from the LAN side then FBA is not used and Integrated Auth can be used,...however IE may require that the FQDN be added to the Intranet Zone in order to use Integrated Auth.

This then means that IIS on the Exchange box has to allow both Basic and Integrated at the same time.  If ISA Server is used between Exchange and the Internet then FBA would be enabled on the ISA Publishing Rule,..but not on the Exchange box itself. After ISA pre-authenticates the user with FBA it relays the authentication to Exchange via Basic-over-SSL.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34918816
My comments are more focused with 2003.  I have to go with Alan if 2008R2 has changed things in ways I didn't expect.
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 34918901
Sorry - probably my fault - I missed the little grey post between the two big orange posts!
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34918906
For "username" as opposed to "domain\username",...at least in the 2003 world,...you would go into the properties of the Site (Default Website in this case),...go to the Authentication Properties,...go into the Basic Authentication Details and explicitly enter the AD Domain rather than leave it as the default where it is supposed to implicitly "assume" the Domain.   This however still may not work,...in my experience it often does not, although I cannot explain why.

It is clear that MS intended for it to be formatted as "domain\username" and even shows it that way as an example in the FBA authentication page,...so it could be very likely that you just simply will not be able to outsmart-the-system and will have to use it as "domain\username".
0
 

Author Comment

by:ThierrySwissMade
ID: 34919195
Thank you all for your comments.
I never used FBA because this server was my DC and I did not want to have it accessible from the web. So I installed a reverse proxy with SSL to have HTTPS between the proxy and the mail server... But now that this is not a DC I could turn on FBA and disable the reverse proxy. Do you think turning on FBA would help me?
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34919322
Help you?  In this particular context,..No.
0
 

Author Comment

by:ThierrySwissMade
ID: 34926446
So there is no real solution; that's just something that "could" happen in my configuration, and I have to deal with it or migrate to another Exchange and/or Windows version.
Thank you all...

If someone else has an idea. Let me know!
Thierry
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34927403
You're asking for things to not be what they are.   You are wanting OWA to not require "domain\username" when using FBA,...yet FBA and its interdependence on Basic Authentication means you must use "domain\username" because Basic Authentication is a "2-field" authentication which has no Field for the Domain Name,...hence the "domain\username" format.  The FBA login screen even explicitly shows in an example that it is supposed to be the "domain\username" format.

I listed the steps to modify IIS to "assume" the correct Domain Name by explicitly entering the Domain Name in the Properties of the Default Website so that it authenticates to the correct Domain when it receives the Basic Auth without the Domain Name included.  Whether that is dependable or undependable is not within my control.

We've given you pretty much everything there is to know on the subject when you combine all of us together.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34927506
One thing people forget,...FBA is not an authentication mechanism,...FBA is nothing more than a "presentation" method for the user to present the credentials.  They use an HTML Form to present the credential rather than some other type of popup dialog box,...hence the name Forms Based Authentication.  The actual Authentication Mechanism used is Basic Authentication.  That is why it only has two fields (name and password). That is also why SSL needs to be used so that the "clear text" transport of credentials used by Basic Authentication is protected by the SSL Tunneling.

The two-field format means that the Service controlling access to the resource (IIS in the case of OWA) must independently "assume" the correct Domain to compare the credentials to,...or the user must explicitly state the Domain by prefixing it to the username.  That is just simply the way it works.
0
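The two posts above (the "Default domain" setting in the Basic Authentication details, ID 34918906, and the explanation that FBA is only a presentation layer over two-field Basic authentication) describe a small, well-defined piece of logic, and the script below models it. It is an added example, not code from the thread or from IIS/Exchange: the account directory, the UPN-suffix map and the sample credentials are constructed, and `basic_auth_decision` stands in for the decision IIS makes, not for its real implementation. It shows why a bare username is rejected when no default domain is configured (the symptom in the question), how `domain\user`, `user@suffix` and the default-domain fallback each resolve to the same account, and why the credential must only be accepted over TLS, since the base64 token is trivially decodable.

```python
"""Model of what happens to a Basic credential behind an OWA form.
Added example code (not from the thread or from Exchange/IIS); the account
directory, UPN suffix map and sample credentials are constructed."""
import base64
import binascii
import hmac
from typing import Optional, Tuple

# Constructed stand-ins for the AD domain: (NetBIOS domain, username) -> password,
# and the UPN suffix -> NetBIOS domain mapping that AD would resolve.
ACCOUNTS = {("CORP", "thierry"): "Winter-2011!"}
UPN_SUFFIXES = {"corp.example": "CORP"}


def make_basic_header(user_field: str, password: str) -> str:
    """Build the Authorization header a browser (or the FBA form post) ends up sending."""
    token = base64.b64encode(f"{user_field}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_authorization(header: str) -> Tuple[str, str]:
    """Decode 'Basic <base64(user-id:password)>' into its two fields.
    Base64 is an encoding, not encryption, which is why Basic needs TLS."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic token") from exc
    if ":" not in text:
        raise ValueError("missing ':' separator")
    user_field, _, password = text.partition(":")  # the user-id itself may not contain ':'
    return user_field, password


def resolve_account(user_field: str, default_domain: Optional[str]) -> Tuple[Optional[str], str]:
    """Map the single user-id field onto (NetBIOS domain, username).
    Accepts DOMAIN\\user, user@upn.suffix, or a bare username that falls back to
    the configured default domain (the IIS Basic authentication 'Default domain'
    setting); the domain is None when nothing resolves."""
    if "\\" in user_field:
        domain, _, username = user_field.partition("\\")
        return domain.upper(), username
    if "@" in user_field:
        username, _, suffix = user_field.rpartition("@")
        return UPN_SUFFIXES.get(suffix.lower()), username
    return (default_domain.upper() if default_domain else None), user_field


def basic_auth_decision(header: str, default_domain: Optional[str], over_tls: bool) -> str:
    """Return 'accept: DOMAIN\\user' or 'reject: <reason>' for one request."""
    if not over_tls:
        return "reject: Basic credentials are only accepted over TLS"
    try:
        user_field, password = parse_basic_authorization(header)
    except ValueError as exc:
        return f"reject: {exc}"
    domain, username = resolve_account(user_field, default_domain)
    if domain is None:
        return "reject: no domain in user-id and no default domain configured"
    stored = ACCOUNTS.get((domain, username.lower()))
    # Constant-time comparison so a wrong password costs the same time as a right one.
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return "reject: bad credentials"
    return f"accept: {domain}\\{username.lower()}"


if __name__ == "__main__":
    hdr = make_basic_header("thierry", "Winter-2011!")
    print(basic_auth_decision(hdr, None, over_tls=True))    # the symptom from the question
    print(basic_auth_decision(hdr, "corp", over_tls=True))  # with a default domain configured
    print(basic_auth_decision(make_basic_header("CORP\\thierry", "Winter-2011!"), None, True))
    print(basic_auth_decision(hdr, "corp", over_tls=False))  # plain HTTP: refused outright
```

The `over_tls` check is the defender's half of pwindell's point: whatever form presents the credential, the thing on the wire is a reversible base64 token, so the only acceptable transport for it is an SSL/TLS tunnel.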
 
LVL 29

Expert Comment

by:pwindell
ID: 34927628
There is one other place to explicitly state the Domain Name.  This one is used by Basic Auth when the ISA is pre-authenticating the user rather than just passing it to IIS on the Exchange and letting it happen there.

Open the Properties of the OWN Publishing Rule
Go into the Listener Properties
Select the Authentication Tab
Select the "Advanced" Button at the bottom
Select the Browse Button at the bottom to browse to and fill in the Domain Name or just manually enter the Netbios Name of the Domain.

Note that since the Domain the ISA is a member of is already the default assumed Domain anyway,...this may not get you what you want anyway,...but you can give it a shot.

Sorry, I didn't think of this one in the earlier posts.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34927661
Open the Properties of the OWN Publishing Rule

OWA,...not OWN

Experts Exchange folks,...we need an edit ability to go back and correct typos in posts instead of making threads longer and longer and longer by having to post corrections to previous posts with new posts.   The other two forum sites I use have this.
0
 

Author Comment

by:ThierrySwissMade
ID: 34940885
Thank you pwindell, I'm sorry but I can't find any "Publishing Rule"; where should I find this?
Don't forget I'm on an old Windows 2000 Server... maybe it's different?
Thank you for your help!
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34943611
Dude,...that is like sitting in your car and saying that you cannot find the front seat.
It's there.  You're making OWA available to Internet,...and it has been working (to a point),...it's there.
0
 

Author Comment

by:ThierrySwissMade
ID: 34943752
Sure, but for someone who's been driving for years without knowing what a seat is, how does he know he's on it? :-)

Where do I find this? In IIS? Exchange System Manager?
Sorry :-(
0
 

Accepted Solution

by:ThierrySwissMade (earned 0 total points)
ID: 35141765
So I guess the only way to solve this problem is to migrate my Exchange Server 2003 to a new Windows 2008 server.
Thank you all for your help
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35141938
Sure, but for someone who's been driving for years without knowing what a seat is, how does he know he's on it? :-)

Where do I find this? In IIS? Exchange System Manager?
Sorry :-(

sorry,..I've been away from the thread and kinda lost track of things. To access OWA from outside you have to have the Firewall configured to publish OWA to the outside world.  I somehow had it in my head that you were using MS ISA Server as the Firewall,...it pre-authenticates the user with FBA before passing the user back to the "real" OWA.  But it looks like that is not what you are doing,....so the "publishing rule" would be on the Firewall you are using,...but it probably doesn't do anything more than Reverse-NAT,...so not really relevant.

Anyway, I've been away from this thread too long and it has gotten so long that I am not going to be able to get back into it and deal with it at this point.
0
 

Author Comment

by:ThierrySwissMade
ID: 35141956
I understand pwindell, no problem; thank you for spending some time on this ;-)
0
 

Author Closing Comment

by:ThierrySwissMade
ID: 35174618
This solution does not solve my problem, but there is no real solution.
0
