ThierrySwissMade (Switzerland) asked:
OWA Problem after upgrading Active Directory

Hello,

I have a problem since I migrated my AD from 2000 to 2008 R2 last week. I cannot log on to Outlook Web Access without entering the domain before the login; to log in I have to enter the following credentials: domain\username

This problem only appears with Windows clients using Internet Explorer; there is no problem with mobile devices, Macs, or PCs using Firefox.

This was my old configuration:

2 x Windows 2000 Server (SP4) Domain Controller, one with Exchange 2003 on it.

This is my current configuration:

2x Windows 2008 R2 Server Domain Controller
1x Windows 2000 Server (SP4) with Exchange 2003 (the one that was a DC before the migration)

Does anyone have an idea? Maybe it's around the Internet Information Services configuration, but I'm not used to it and didn't change anything there.
Thank you very much for your help.
zippybungle2003 (United Kingdom):

In IIS, is Integrated authentication ticked on the OWA virtual directory?
ThierrySwissMade (asker):

Yes, it is.
Open the Exchange Management Console.

Go to server management.

Go to the Client Access server role under Server Configuration.

In the right pane click on the OWA virtual directory, then Properties.

Then configure the authentication and default domain.
Sorry, but I don't find what you're talking about. I have only Exchange System Manager (no Management Console).
Sorry, I was in Exchange 2007/2010 mode; I'll find out where the same setting is for you.
Great, thank you!
If I remember right, in IIS under OWA or Exchange you will need to enable forms-based authentication:

http://www.petri.co.il/configuring_forms_based_authentication_in_exchange_2003.htm


Once done, under Integrated authentication, which you have already set in the screenshot above, you can then enter the default domain.

Sorry, it's been a while; like I said, I was in 2007/2010 mode!!
Yes, I had found that switching to forms-based authentication would work. But I wanted to understand why it used to work and now it doesn't!
Thank you, I'll read these articles.

1) Default Website              : Anonymous & Integrated   NO SSL
2) Exadmin                      : Integrated               NO SSL
3) Exchweb                      : Anonymous                NO SSL
4) Exchange                     : Basic                    SSL Optional
5) RPC                          : Basic                    SSL Required
6) OMA                          : Basic                    SSL Optional
7) Public                       : Basic + Integrated       SSL Optional
8) exchange-oma                 : Basic & Integrated       NO SSL
9) Microsoft-Server-ActiveSync  : Basic                    SSL Optional

After that you need to restart the IIS service and check it.
That's the solution SatyaPathak!
the difference was on the Exchange!
Thank you very much!
Hum hum.... this solution was good for OWA... but I lost ActiveSync now :-( although the configuration was only different on the Exchange part of IIS.
Thank you Alan!
As he said, it works if I change the authentication settings, but I lose ActiveSync functionality.
So I reverted to the original settings; this way I have to enter domain\username to log on to OWA, and ActiveSync works.
The ideal model is that there be a FE and a BE Exchange,...with OWA on one,...and ActiveSync on the other.  I only run a single Exchange box,...and gave up on ActiveSync a long time ago.  There was a workaround to use them on the same box but to me it was too complex and "ugly" and I chose not to go there.  I doubt I could even find that information now if I changed my mind.
Hypercat (Deb):
Check the settings for your Microsoft-Server-ActiveSync virtual directory - it should be set to Basic authentication with SSL turned on.
ActiveSync is fine - it is OWA that is the issue and the need to log in without using Domain\ - just username.
I would recommend the Exchange virtual directory to have Integrated auth to get EAS working fine.

If you are running a single server with FBA, please refer to the KB:
Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003
http://support.microsoft.com/kb/817379
@alanhardisty - as I read the posts, it looks like his OWA problem is resolved but now he is having a problem with ActiveSync. I was posting in response to the request for help with that issue.
No - the problem is that OWA requires Domain\Username to sign on with since AD was upgraded to incorporate Windows 2008 R2 server, and ThierrySwissMade would just like to log on as Username only (if possible).

ActiveSync is working happily - now that the correct IIS permissions have been put back after SatyaPathak's IIS permissions comment was followed (that was the accepted solution for this comment, only I re-opened the question because unfortunately that was not a fix that could remain in place).

Sorry if the thread is a little confusing now.

Alan
FBA requires Basic,...Basic requires domain\username when coming in from outside,...the OWA web interface even instructs the user to format it that way. So it is supposed to be "domain\username" with FBA.

When coming from the LAN side then FBA is not used and Integrated Auth can be used,...however IE may require that the FQDN be added to the Intranet Zone in order to use Integrated Auth.

This then means that IIS on the Exchange box has to allow both Basic and Integrated at the same time.  If ISA Server is used between Exchange and the Internet then FBA would be enabled on the ISA Publishing Rule,...but not on the Exchange box itself. After ISA pre-authenticates the user with FBA it relays the authentication to the Exchange via Basic-over-SSL.
My comments are more focused with 2003.  I have to go with Alan if 2008R2 has changed things in ways I didn't expect.
Sorry - probably my fault - I missed the little grey post between the two big orange posts!
For "username" as opposed to "domain\username",...at least in the 2003 world,...you would go into the properties of the Site (Default Website in this case),...go to the Authentication Properties,...go into the Basic Authentication Details and explicitly enter the AD Domain rather than leave it as the default where it is supposed to implicitly "assume" the Domain.   This however still may not work,...in my experience it often does not although I cannot explain why.

It is clear that MS intended for it to be formatted as "domain\username" and even shows it that way as an example in the FBA authentication page,...so it could be very likely that you just simply will not be able to outsmart-the-system and will have to use it as "domain\username".
Thank you all for your comments.
I never used FBA because this server was my DC and I did not want to have it accessible from the web. So I installed a reverse proxy with SSL to have HTTPS between the proxy and the mail server... But now that this is not a DC I could turn on FBA and disable the reverse proxy. Do you think turning on FBA would help me?
Help you?  In this particular context,..No.
So there is no real solution; that's just something that "could" happen in my configuration and I have to deal with it or migrate to another Exchange and/or Windows version.
thank you all...

If someone else has an idea. Let me know!
Thierry
You're asking for things to not be what they are.   You are wanting OWA to not require "domain\username" when using FBA,...yet FBA and its interdependence on Basic Authentication means you must use "domain\username" because Basic Authentication is a "2-field" authentication which has no Field for the Domain Name,...hence the "domain\username" format.  The FBA login screen even explicitly shows in an example that it is supposed to be the "domain\username" format.

I listed the steps to modify IIS to "assume" the correct Domain Name by explicitly entering the Domain Name in the Properties of the Default Website so that it authenticates to the correct Domain when it receives the Basic Auth without the Domain Name included.  Whether that is dependable or undependable is not within my control.

We've given you pretty much everything there is to know on the subject when you combine all of us together.
One thing people forget,...FBA is not an authentication mechanism,...FBA is nothing more than a "presentation" method for the user to present the credentials.  They use an HTML Form to present the credentials rather than some other type of popup dialog box,...hence the name Forms Based Authentication.  The actual Authentication Mechanism used is Basic Authentication.  That is why it only has two fields (name and password). That is also why SSL needs to be used so that the "clear text" transport of credentials used by Basic Authentication is protected by the SSL Tunneling.

The two-field format means that the Service controlling access to the resource (IIS in the case of OWA) must independently "assume" the correct Domain to compare the credentials to,...or the user must explicitly state the Domain by prefixing it to the username.  That is just simply the way it works.
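An added example (not code from the thread or from Exchange/IIS) of the two-field problem pwindell describes: a Basic credential carries only `user:password`, so a front end must either find the domain inside the user field (`DOMAIN\user` or the UPN form `user@domain`) or fall back to a configured default domain, exactly the setting the posts above say to enter in IIS. The header values, the `CORP` domain and `default_domain` are constructed for illustration.

```python
import base64
import binascii
from typing import NamedTuple, Optional


class Credential(NamedTuple):
    domain: str
    user: str
    password: str
    domain_explicit: bool  # True when the client itself supplied the domain


def parse_basic_authorization(header: str, default_domain: Optional[str]) -> Credential:
    """Decode an HTTP Basic 'Authorization' header and resolve the logon domain.

    Basic (RFC 7617) has no domain field: the user-id is everything before the
    first ':' and the password is everything after it. If the user-id carries no
    domain, the configured default_domain is assumed; with none, the credential
    cannot be matched to a domain and is rejected.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic token") from exc
    userid, sep, password = decoded.partition(":")
    if not sep or not userid:
        raise ValueError("Basic token must be user:password")
    if "\\" in userid:                       # NetBIOS form: DOMAIN\user
        domain, _, user = userid.partition("\\")
        return Credential(domain.upper(), user, password, True)
    if "@" in userid:                        # UPN form: user@domain.tld
        user, _, domain = userid.partition("@")
        return Credential(domain.upper(), user, password, True)
    if not default_domain:
        raise ValueError("no domain in credential and no default domain configured")
    return Credential(default_domain.upper(), userid, password, False)


def can_resolve(header: str, default_domain: Optional[str]) -> bool:
    """True when the credential maps to some domain under this configuration."""
    try:
        parse_basic_authorization(header, default_domain)
        return True
    except ValueError:
        return False
```

Run `can_resolve` on the same bare `user:password` token with and without a default domain to see why a site configured to "assume" the domain accepts plain usernames while one without it needs `domain\username`.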
There is one other place to explicitly state the Domain Name.  This one is used by Basic Auth when the ISA is pre-authenticating the user rather than just passing it to IIS on the Exchange and letting it happen there.

Open the Properties of the OWN Publishing Rule
Go into the Listener Properties
Select the Authentication Tab
Select the "Advanced" Button at the bottom
Select the Browse Button at the bottom to browse to and fill in the Domain Name or just manually enter the Netbios Name of the Domain.

Note that since the Domain the ISA is a member of is already the default assumed Domain anyway,...this may not get you what you want anyway,...but you can give it a shot.

Sorry, I didn't think of this one in the earlier posts.
Open the Properties of the OWN Publishing Rule

OWA,...not OWN

Experts Exchange folks,...we need an edit ability to go back and correct typos in posts instead of making threads longer and longer and longer by having to post corrections to previous posts with new posts.   The other two forum sites I use have this.
Thank you pwindell, I'm sorry but I don't find any "Publishing Rule"; where should I find this?
Don't forget I'm on an old Windows 2000 Server... maybe it's different?
Thank you for your help!
Dude,...that is like sitting in your car and saying that you cannot find the front seat.
It's there.  You're making OWA available to Internet,...and it has been working (to a point),...it's there.
Sure, but for someone who's been driving for years without knowing what a seat is, how does he know he's on it? :-)

Where do I find this? In IIS? Exchange System Manager?
Sorry :-(
Sorry,..I've been away from the thread and kinda lost track of things. To access OWA from outside you have to have the Firewall configured to publish OWA to the outside world.  I somehow had it in my head that you were using MS ISA Server as the Firewall,...it pre-authenticates the user with FBA before passing the user back to the "real" OWA.  But it looks like that is not what you are doing,....so the "publishing rule" would be on the Firewall you are using,...but it probably doesn't do anything more than Reverse-NAT,...so not really relevant.

Anyway, I've been away from this thread too long and it has gotten so long that I am not going to be able to get back into it and deal with it at this point.
I understand pwindell, no problem, thank you for spending some time on this ;-)
This solution does not solve my problem, but there is no real solution.