Solved

OWA Problem after upgrading Active Directory

Posted on 2011-02-16
868 Views
Last Modified: 2012-05-11
Hello,

I have a problem since I migrated my AD from 2000 to 2008R2 last week. I cannot log on to Outlook Web Access without entering the domain before the login; to log in I have to enter the following credentials: domain\username

This problem only appears with Windows clients using Internet Explorer; no problem with mobile devices, Macs, or PCs using Firefox.

This was my old configuration:

2 x Windows 2000 Server (SP4) Domain Controller, one with Exchange 2003 on it.

This is my current configuration:

2x Windows 2008 R2 Server Domain Controller
1x Windows 2000 Server (SP4) with Exchange 2003 (the one that was a DC before migration)

Does anyone have an idea? Maybe it's around the Internet Information Services configuration, but I'm not used to it and didn't change anything there.
Thank you very much for your help.
Question by:ThierrySwissMade
38 Comments
 
LVL 5

Expert Comment

by:zippybungle2003
ID: 34907398
In IIS, is integrated authentication ticked on the owa virtual directory?
0
 

Author Comment

by:ThierrySwissMade
ID: 34907452
Yes, it is: Integrated Windows Authentication.
0
 
LVL 5

Expert Comment

by:zippybungle2003
ID: 34907499
Open Exchange Management Console.

Go to server management.

Go to the client access server role under server configuration.

In the right pane click on the owa virtual directory, then properties.

Then configure the authentication and default domain.
0

 

Author Comment

by:ThierrySwissMade
ID: 34907541
Sorry, but I can't find what you're talking about. I only have Exchange System Manager (no Management Console).
0
 
LVL 5

Expert Comment

by:zippybungle2003
ID: 34907556
Sorry, I was in Exchange 2007/2010 mode; I'll find out where the same setting is for you.
0
 

Author Comment

by:ThierrySwissMade
ID: 34907572
Great, thank you!
0
 
LVL 5

Expert Comment

by:zippybungle2003
ID: 34907633
If I remember right, in IIS under owa or exchange you will need to enable forms based authentication:

http://www.petri.co.il/configuring_forms_based_authentication_in_exchange_2003.htm


Once done, under integrated authentication (which you have already set, as in the screenshot above) you can then enter the default domain.

Sorry, it's been a while; like I said, I was in 2007/2010 mode!!
0
 

Author Comment

by:ThierrySwissMade
ID: 34907674
Yes, I had found that switching to forms based authentication would work. But I wanted to understand why it used to work and now it doesn't!
Thank you, I'll read these articles.
0
 
LVL 20

Expert Comment

by:Satya Pathak
ID: 34910359

1) Default Website               : Anonymous & Integrated    NO SSL
2) Exadmin                       : Integrated                NO SSL
3) Exchweb                       : Anonymous                 NO SSL
4) Exchange                      : Basic                     SSL Optional
5) RPC                           : Basic                     SSL Required
6) OMA                           : Basic                     SSL Optional
7) Public                        : Basic + Integrated        SSL Optional
8) exchange-oma                  : Basic & Integrated        NO SSL
9) Microsoft-Server-ActiveSync   : Basic                     SSL Optional

After that, restart the IIS service and check it.
0
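As an added illustration (not code from the thread or from Microsoft), here is a small Python audit that compares each Exchange 2003 virtual directory's metabase AuthFlags and AccessSSLFlags with the list in the comment above. The bit values (Anonymous=1, Basic=2, Integrated/NTLM=4, AccessSSL=8) are the IIS metabase ones; the dump text is constructed and stands in for values you would read with adsutil.vbs.

```python
AUTH_ANONYMOUS, AUTH_BASIC, AUTH_NTLM = 1, 2, 4   # IIS metabase AuthFlags bits
ACCESS_SSL = 8                                     # AccessSSLFlags bit: SSL required
# Expected (AuthFlags, ssl_required) per vdir, taken from the list in the comment above.
EXPECTED = {
    "Default Web Site": (AUTH_ANONYMOUS | AUTH_NTLM, False),
    "Exadmin": (AUTH_NTLM, False),
    "Exchweb": (AUTH_ANONYMOUS, False),
    "Exchange": (AUTH_BASIC, False),
    "Rpc": (AUTH_BASIC, True),
    "OMA": (AUTH_BASIC, False),
    "Public": (AUTH_BASIC | AUTH_NTLM, False),
    "exchange-oma": (AUTH_BASIC | AUTH_NTLM, False),
    "Microsoft-Server-ActiveSync": (AUTH_BASIC, False),
}
# Constructed sample (not a real server): "metabase-path AuthFlags AccessSSLFlags" per vdir.
SAMPLE_DUMP = """
W3SVC/1/ROOT 5 0
W3SVC/1/ROOT/Exadmin 4 0
W3SVC/1/ROOT/Exchweb 1 0
W3SVC/1/ROOT/Exchange 6 0
W3SVC/1/ROOT/Rpc 2 0
W3SVC/1/ROOT/OMA 2 0
W3SVC/1/ROOT/Public 6 0
W3SVC/1/ROOT/Microsoft-Server-ActiveSync 2 0
"""

def decode_auth(flags):
    """Render an AuthFlags bitmask as the names an admin sees in the IIS dialog."""
    bits = ((AUTH_ANONYMOUS, "Anonymous"), (AUTH_BASIC, "Basic"), (AUTH_NTLM, "Integrated"))
    return "+".join(name for bit, name in bits if flags & bit) or "none"

def parse_dump(text):
    """Map each vdir name to (AuthFlags, AccessSSLFlags); ROOT is the site itself."""
    cfg = {}
    for line in text.strip().splitlines():
        path, auth, ssl = line.split()
        name = path.rsplit("/", 1)[-1]
        cfg["Default Web Site" if name == "ROOT" else name] = (int(auth), int(ssl))
    return cfg

def audit(cfg):
    """Return one finding per deviation from EXPECTED; an empty list means compliant."""
    findings = []
    for vdir, (want_auth, want_ssl) in EXPECTED.items():
        if vdir not in cfg:
            findings.append(f"{vdir}: missing")
            continue
        have_auth, have_ssl = cfg[vdir][0], bool(cfg[vdir][1] & ACCESS_SSL)
        if have_auth != want_auth:
            findings.append(f"{vdir}: auth {decode_auth(have_auth)}, expected {decode_auth(want_auth)}")
        if have_ssl != want_ssl:
            findings.append(f"{vdir}: SSL required={have_ssl}, expected {want_ssl}")
    return findings
```

Run `audit(parse_dump(SAMPLE_DUMP))` to see the three deviations in the sample: Integrated added on /Exchange, SSL not required on /Rpc, and the exchange-oma directory absent.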
 

Author Closing Comment

by:ThierrySwissMade
ID: 34911477
That's the solution, SatyaPathak!
The difference was on the Exchange directory!
Thank you very much!
0
 

Author Comment

by:ThierrySwissMade
ID: 34911567
Hum hum.... this solution was good for OWA... but I lost ActiveSync now :-( although the configuration was only different on the Exchange part of IIS.
0
 

Author Comment

by:ThierrySwissMade
ID: 34917043
Thank you Alan!
As he said, it works if I change the authentication settings, but I lose ActiveSync functionality.
So I reverted back to the original settings; this way I have to enter domain\username to log on to OWA, and ActiveSync works.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34918237
The ideal model is that there be a FE and a BE Exchange,...with OWA on one,...and ActiveSync on the other.  I only run a single Exchange box,...and gave up on ActiveSync a long time ago.  There was a workaround to use them on the same box, but to me it was too complex and "ugly" and I chose not to go there.  I doubt I could even find that information now if I changed my mind.
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 34918476
Check the settings for your Microsoft-Server-ActiveSync virtual directory - it should be set to Basic authentication with SSL turned on.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34918543
ActiveSync is fine - it is OWA that is the issue, and the need to log in without using Domain\ - just username.
0
 
LVL 26

Expert Comment

by:e_aravind
ID: 34918565
I would recommend the Exchange virtual directory have Integrated auth to get EAS working fine.

If you are running a single server with FBA, please refer to the KB:
Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003
http://support.microsoft.com/kb/817379
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 34918595
@alanhardisty - as I read the posts, it looks like his OWA problem is resolved but now he is having a problem with ActiveSync. I was posting in response to the request for help with that issue.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34918705
No - the problem is that OWA requires Domain\Username to sign on with since AD was upgraded to incorporate Windows 2008 R2 server, and ThierrySwissMade would just like to log on as Username only (if possible).

ActiveSync is working happily - now that the correct IIS permissions have been put back after SatyaPathak's IIS permissions comment was followed (that was the accepted solution for this comment, only I re-opened the question because that was not a fix that could remain in place, unfortunately).

Sorry if the thread is a little confusing now.

Alan
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34918741
FBA requires Basic,...Basic requires domain\username when coming in from outside,...the OWA web interface even instructs the user to format it that way. So it is supposed to be "domain\username" with FBA.

When coming from the LAN side then FBA is not used and Integrated Auth can be used,...however IE may require that the FQDN be added to the Intranet Zone in order to use Integrated Auth.

This then means that IIS on the Exchange box has to allow both Basic and Integrated at the same time.  If ISA Server is used between Exchange and the Internet then FBA would be enabled on the ISA Publishing Rule,..but not on the Exchange box itself. After ISA pre-authenticates the user with FBA it relays the authentication to the Exchange via Basic-over-SSL.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34918816
My comments are more focused with 2003.  I have to go with Alan if 2008R2 has changed things in ways I didn't expect.
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 34918901
Sorry - probably my fault - I missed the little grey post between the two big orange posts!
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34918906
For "username" as opposed to "domain\username",...at least in the 2003 world,...you would go into the properties of the Site (Default Website in this case),...go to the Authentication Properties,...go into the Basic Authentication Details and explicitly enter the AD Domain rather than leave it as the default where it is supposed to implicitly "assume" the Domain.   This however still may not work,...in my experience it often does not, although I cannot explain why.

It is clear that MS intended for it to be formatted as "domain\username" and even shows it that way as an example in the FBA authentication page,...so it could be very likely that you just simply will not be able to outsmart-the-system and will have to use it as "domain\username".
0
 

Author Comment

by:ThierrySwissMade
ID: 34919195
Thank you all for your comments.
I never used FBA because this server was my DC and I did not want to have it accessible from the web. So I installed a reverse proxy with SSL to have HTTPS between the proxy and the mail server... But now that this is not a DC, I could turn on FBA and disable the reverse proxy. Do you think turning on FBA would help me?
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34919322
Help you?  In this particular context,..No.
0
 

Author Comment

by:ThierrySwissMade
ID: 34926446
So there is no real solution; that's just something that "could" happen in my configuration, and I have to deal with it or migrate to another Exchange and/or Windows version.
Thank you all...

If someone else has an idea. Let me know!
Thierry
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34927403
You're asking for things to not be what they are.   You are wanting OWA to not require "domain\username" when using FBA,...yet FBA and its interdependence on Basic Authentication means you must use "domain\username" because Basic Authentication is a "2-field" authentication which has no Field for the Domain Name,...hence the "domain\username" format.  The FBA login screen even explicitly shows in an example that it is supposed to be the "domain\username" format.

I listed the steps to modify IIS to "assume" the correct Domain Name by explicitly entering the Domain Name in the Properties of the Default Website so that it authenticates to the correct Domain when it receives the Basic Auth without the Domain Name included.  Whether that is dependable or undependable is not within my control.

We've given you pretty much everything there is to know on the subject when you combine all of us together.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34927506
One thing people forget,...FBA is not an authentication mechanism,...FBA is nothing more than a "presentation" method for the user to present the credentials.  They use an HTML Form to present the credential rather than some other type of popup dialog box,...hence the name Forms Based Authentication.  The actual Authentication Mechanism used is Basic Authentication.  That is why it only has two fields (name and password). That is also why SSL needs to be used, so that the "clear text" transport of credentials used by Basic Authentication is protected by the SSL Tunneling.

The two-field format means that the Service controlling access to the resource (IIS in the case of OWA) must independently "assume" the correct Domain to compare the credentials to,...or the user must explicitly state the Domain by prefixing it to the username.  That is just simply the way it works.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34927628
There is one other place to explicitly state the Domain Name.  This one is used by Basic Auth when the ISA is pre-authenticating the user rather than just passing it to IIS on the Exchange and letting it happen there.

Open the Properties of the OWN Publishing Rule
Go into the Listener Properties
Select the Authentication Tab
Select the "Advanced" Button at the bottom
Select the Browse Button at the bottom to browse to and fill in the Domain Name or just manually enter the Netbios Name of the Domain.

Note that since the Domain the ISA is a member of is already the default assumed Domain anyway,...this may not get you what you want anyway,...but you can give it a shot.

Sorry, I didn't think of this one in the earlier posts.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34927661
Open the Properties of the OWN Publishing Rule

OWA,...not OWN

Experts Exchange folks,...we need an edit ability to go back and correct typos in posts instead of making threads longer and longer and longer by having to post corrections to previous posts with new posts.   The other two Forum Sites I use have this.
0
 

Author Comment

by:ThierrySwissMade
ID: 34940885
Thank you pwindell, I'm sorry but I can't find any "Publishing Rule"; where should I find this?
Don't forget I'm on an old Windows 2000 Server... maybe it's different?
Thank you for your help!
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34943611
Dude,...that is like sitting in your car and saying that you cannot find the front seat.
It's there.  You're making OWA available to the Internet,...and it has been working (to a point),...it's there.
0
 

Author Comment

by:ThierrySwissMade
ID: 34943752
Sure, but for someone who's been driving for years without knowing what a seat is, how does he know he's on it? :-)

Where do I find this? In IIS? Exchange System Manager?
Sorry :-(
0
 

Accepted Solution

by:
ThierrySwissMade earned 0 total points
ID: 35141765
So I guess the only way to solve this problem is to migrate my Exchange Server 2003 to a new Windows 2008 server.
Thank you all for your help
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35141938
"Sure, but for someone who's been driving for years without knowing what a seat is, how does he know he's on it? :-)

Where do I find this? In IIS? Exchange System Manager?
Sorry :-("

Sorry,..I've been away from the thread and kinda lost track of things. To access OWA from outside you have to have the Firewall configured to publish OWA to the outside world.  I somehow had it in my head that you were using MS ISA Server as the Firewall,...it pre-authenticates the user with FBA before passing the user back to the "real" OWA.  But it looks like that is not what you are doing,....so the "publishing rule" would be on the Firewall you are using,...but it probably doesn't do anything more than Reverse-NAT,...so not really relevant.

Anyway, I've been away from this thread too long and it has gotten so long that I am not going to be able to get back into it and deal with it at this point.
0
 

Author Comment

by:ThierrySwissMade
ID: 35141956
I understand pwindell, no problem; thank you for spending some time on this ;-)
0
 

Author Closing Comment

by:ThierrySwissMade
ID: 35174618
This solution does not solve my problem, but there is no real solution.
0