Solved

After Administrator Password Change Cannot Authenticate OWA Outside

Posted on 2014-09-03
8
811 Views
Last Modified: 2014-09-04
Good morning everyone,

We recently had to change our Administrator password on the domain as well as the local servers. Shortly after doing this, we noticed that users could not authenticate through OWA from the outside. Inside the network, everything authenticates correctly. I realize that this is a brief description, and i apologize, however nothing else was changed. The password change has effected nothing else, other than the authentication through OWA from the outside.

On a side note, if the old admin password is reentered, everything goes back to working correctly. Thanks in advance for any responses/help!

Exchange 2010 on Windows Server 2008 R2 Enterprise SP1, IIS7


-Andy & Kathy
0
Comment
Question by:JDL_Tech
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
8 Comments
 
LVL 13

Expert Comment

by:George Sas
ID: 40301169
Try to use this tool and see if you have any services /scheduled tasks runing as the Domain Administrator.

http://www.cjwdev.co.uk/Software/ServiceCredMan/Info.html

Your problem is most surely there.
0
 

Author Comment

by:JDL_Tech
ID: 40301677
Hey Geo,

Thanks for the reply. We have gone through all services, as well as ran a script that searches all tasks and services on the network that are tied to the admin user. None are related to Exchange or any other server that would affect our authentication.
0
 
LVL 13

Accepted Solution

by:
George Sas earned 500 total points
ID: 40301818
OK. What error you get when you try to authenticate ?

Please take look on the IIS server at the application pools and see if any of them runs as the admin.

Also look on the security events on the servers right after you try to log in and see what failed auth you have there.
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 

Author Comment

by:JDL_Tech
ID: 40302097
Hey Geo,

When trying to authenticate, we are getting a Failed to Authenticate from phones, and then just a generic Bad Username or Password for regular OWA site.

No application pools in IIS are set to run as admin.

Here is the error we're receiving within the events:

An account failed to log on.

Subject:
      Security ID:            SYSTEM
      Account Name:            *****
      Account Domain:            *****
      Logon ID:            0x3e7

Logon Type:                  8

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            *****
      Account Domain:              *****

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc000006a

Process Information:
      Caller Process ID:      0x2c48
      Caller Process Name:      C:\Windows\System32\inetsrv\w3wp.exe

Network Information:
      Workstation Name:      *****
      Source Network Address:      *****
      Source Port:            13447

Detailed Authentication Information:
      Logon Process:            Advapi  
      Authentication Package:      Negotiate
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
      - Transited services indicate which intermediate services have participated in this logon request.
      - Package name indicates which sub-protocol was used among the NTLM protocols.
      - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
0
 
LVL 13

Expert Comment

by:George Sas
ID: 40302163
How is your exchange configured ?
One server with all roles ? Separate ?
Firewall in the front ?

Try to add an entry on your internal DNS to point to the internal IP address of the cas server so you access the EXTERNAL url of owa as internal URL. See what happens.

As far as I can see it is the IIS that sends the request in with bad username / pass.
Can you log into owa with domain admin ?

Try to reset OWA directory :
http://technet.microsoft.com/en-us/library/ff629372%28v=exchg.141%29.aspx
0
 

Author Comment

by:JDL_Tech
ID: 40303641
Hey Geo,

So, I have no reason as to why it is now working, but it is now working. Yesterday i changed the password back so it would work over night and then this morning changed it back to the new password again. It is now working, and nothing was done differently than the past 2 days. I appreciate the all your responses!
0
 
LVL 13

Expert Comment

by:George Sas
ID: 40303837
Ah, maybe it was a replication problem :)
If you have multiple DC's and the Exchange server tried to get the credential on the server that did not got the replication yet.
Glad you got it working.
0
 

Author Comment

by:JDL_Tech
ID: 40303842
We were thinking the same thing. Next on the list i suppose! Thanks again.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lotus Notes – formerly IBM Notes – is an email client application, while IBM Domino (earlier Lotus Domino) is an email server. The client possesses a set of features that are even more advanced as compared to that of Outlook. Likewise, IBM Domino is…
This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question