Exchange 2003 OWA 401 Error: Access is Denied from Internet Explorer

Status
Not open for further replies.
in2jars

Hi all,

In a test lab I just installed an Exchange 2003 server. I have a mydomain.local, but I modified the default Recipient Update Policy to create mydomain.com (for future purposes, this box is not connected to the internet yet. All testing is being done internally).

The only other modification I have made is enabling SSL on the /Exchange virtual directory for secure OWA access.

I created a user account john.doe (primary email address john.doe@mydomain.com, secondary email address john.doe@mydomain.local).

Logged into a Windows XP SP2 client laptop and tried to pull up OWA in IE 6 using the url: https://myexchange.mydomain.local/exchange

I get the popup box asking for username and password and originally tried entering the username as john.doe. This didn't work, and I was asked to re-enter my credentials until finally I was taken to an "Error: Access is Denied" page.

If I use john.doe@mydomain.local, OWA starts to load (I can see the left navigation pane with the Inbox and other folders and buttons), but then I get the popup again asking for username and password, and no matter what combination I try nothing works. Eventually I am left at a blank Inbox with the message: "The folder can't be displayed. You don't have permission to perform this action."

This is Exchange 2003 Standard running SP2 on Windows 2003 Standard SP2. I did not change any security settings other than SSL, but I did check the /Exchange and /Public virtual directories and ensured that Basic Authentication and Windows Integrated Authentication are enabled.

I have also checked IE6 settings and confirmed Integrated Windows Authentication is enabled.

I have also tried accessing OWA via: https://myexchange.mydomain.local/exchange/john.doe

Furthermore, I have tried logging in from the same client using Firefox and it WORKED correctly using username: john.doe and my password.

Any ideas?

Thanks!
 
in2jars

Well, just fooling around, I tried enabling "Automatically logon with current username and password" in the Custom security settings for the Internet zone in Internet Explorer, and when I browse to the OWA website now, it automatically logs me in fine. Why wouldn't it work when I enter my credentials manually?
 
in2jars

Well, with Integrated and Basic Authentication enabled (the defaults), and attempting to access OWA from my client with Internet Explorer showing I am connecting to the "Internet Zone", here is a sample of my IIS log trying to log in with username: john.doe and the correct password:

cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
GET /exchange - 443 - 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1) 401 2 2148074254
GET /exchange - 443 - 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1) 401 1 0
GET /exchange - 443 - 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1) 401 1 2148074252


Here is the log info trying to log in with john.doe@mydomain.local. Again, using this method I am taken to a partially loaded OWA where I can see the Nav Pane on the left, but I am constantly reprompted for my username and password, and eventually I am told the folder cannot be displayed because I do not have permission.

cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
GET /exchange - 443 - 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1) 401 2 2148074254
GET /exchange - 443 - 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1) 401 1 0
GET /exchange - 443 MYDOMAIN\john.doe 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1) 302 0 0
GET /exchange/ - 443 - 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1) 401 2 2148074254
GET /exchange/ - 443 - 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1) 401 1 0
GET /exchange/ - 443 MYDOMAIN\john.doe 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1) 200 0 0
GET /exchange/john.doe/ Cmd=navbar 443 - 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1) 401 2 2148074254
GET /exchange/john.doe/Inbox/ Cmd=contents 443 - 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1) 401 2 2148074254
GET /exchange/john.doe/Inbox/ Cmd=contents 443 - 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1) 401 1 0
GET /exchange/john.doe/ Cmd=navbar 443 - 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1) 401 1 0
GET /exchange/john.doe/Inbox/ Cmd=contents 443 MYDOMAIN\john.doe 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1) 200 0 0
GET /exchange/john.doe/ Cmd=navbar 443 MYDOMAIN\john.doe 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1) 200 0 0
GET /exchweb/6.5.7638.1/controls/tf_Messages.xsl - 443 - 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1) 200 0 0
SEARCH /exchange/john.doe/Inbox/ - 443 - 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1) 401 1 0
SEARCH /exchange/john.doe/Inbox/ - 443 - 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1) 401 1 2148074241
SUBSCRIBE /exchange/john.doe/Calendar - 443 - 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1) 401 2 2148074254
SUBSCRIBE /exchange/john.doe/Inbox - 443 - 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1) 401 2 2148074254
SUBSCRIBE /exchange/john.doe/Calendar - 443 MYDOMAIN\john.doe 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1) 200 0 0
SUBSCRIBE /exchange/john.doe/Inbox - 443 MYDOMAIN\john.doe 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1) 200 0 0
SUBSCRIBE /exchange/john.doe/Tasks - 443 - 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1) 401 2 2148074254
SUBSCRIBE /exchange/john.doe/Tasks - 443 MYDOMAIN\john.doe 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1) 200 0 0
SEARCH /exchange/john.doe/Calendar - 443 MYDOMAIN\john.doe 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1) 207 0 0
SEARCH /exchange/john.doe/Tasks - 443 MYDOMAIN\john.doe 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1) 207 0 0
 
Novak Wu

Hi,

First, I would like to confirm whether the error message persists when trying to browse the Exchange virtual directory on the Exchange Server itself.

Based on the error message and the IIS log file, this can occur if the user credential is invalid while "Automatically logon with current username and password" is disabled in Internet Explorer Properties. After enabling the "Automatically logon with current username and password" option, the credential is converted and resolved to the domain automatically, but a manually typed one is not.

At this stage, I suggest you type the domain name together with the user name by using the following format:

<domain name>\username

If the issue persists, please modify the relevant settings via the following article:

Troubleshooting Outlook Web Access logon failures in Exchange 2000 and in Exchange 2003

Hope this helps.

Novak Wu
 
Lee Derbyshire [MVP]

Since it sounds like the problem is solved anyway, I wouldn't want to change anything now, but it is worth remembering that if Integrated Authentication is being used, it will always want the domain\username combination. If Basic auth is being used, then you can supply either username or domain\username, but if you supply just username, it will fail if the default auth domain is not correctly configured. Since both are enabled by default on /Exchange, it's possible that there are times when one or the other hasn't been working properly.

But from the IIS log entries above, it looks like it does actually work eventually. It's not unusual to see a 401 (access denied) before each OK (200 or 207), but it's quite unusual to see several 401s before giving a 200. The server will say "401, go away, or send me some credentials!", so the browser sends the request again, with some credentials. So, you often get 401 followed by a 200. But repeated 401s usually indicate repeated incorrect password attempts. I assume that didn't happen here?

Wherever you see an account name, it indicates a successful logon. If you see a -, it means either no credentials or incorrect credentials were supplied. Incorrect credential names aren't recorded.

It's harder to guess in this case, because the request times aren't shown. If they are very close together (within the same second), then the browser has been doing all the negotiating by itself (after the first logon attempt, of course). If the requests are separated by seconds, then it usually means that the user had to type the credentials again.
www.owa-pda.com
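As an added example (not code from the thread or from any of the posters), here is a small Python parser for the W3C-format IIS entries pasted above that applies the reading rules from Lee's reply: group each request's 401 responses with the first non-401 answer for the same method and URI, treat one or two 401s before a 200/207/302 as a normal Negotiate/NTLM handshake, and flag runs of more than two 401s, sequences that never get past 401, and 401s whose sc-win32-status is the SSPI "logon denied" code (credentials were supplied and rejected). The SSPI names for the sc-win32-status values come from the SSPI error-code list, not from the thread; the two-leg handshake figure and the per-request grouping are my assumptions. The sample lines are copied from in2jars' two pastes with the User-Agent shortened. Run over the second paste, the grouping shows why the Inbox stayed blank: the SEARCH on /exchange/john.doe/Inbox/ only ever gets 401s, while the SUBSCRIBE on the same folder and the GETs are answered after the usual two legs.

```python
"""Group IIS W3C-extended log entries into 401-challenge / outcome sequences.

Added example, not code from the forum thread.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# SSPI error codes seen in sc-win32-status on failed authentication legs.
# Names are from the SSPI error-code list (assumption: the thread does not
# name them); the decimal values are the ones the thread's log shows.
SSPI_STATUS = {
    0x8009030E: "SEC_E_NO_CREDENTIALS",   # 2148074254: no credentials sent yet
    0x8009030C: "SEC_E_LOGON_DENIED",     # 2148074252: credentials rejected
    0x80090301: "SEC_E_INVALID_HANDLE",   # 2148074241
}

# Assumption: a Negotiate/NTLM handshake on IIS 6 costs two 401 legs before
# the request carrying the final token is answered.
NORMAL_LEGS = 2


@dataclass
class AuthSequence:
    key: str                   # "METHOD uri-stem" the sequence belongs to
    challenges: List[dict]     # the 401 entries, in log order
    outcome: Optional[dict]    # first non-401 entry for the key, if any


def parse_w3c(text: str) -> List[dict]:
    """Parse W3C extended log text into dicts keyed by field name.

    Accepts a proper '#Fields:' directive or a bare header row pasted
    without it, as in the forum post.
    """
    fields: Optional[List[str]] = None
    entries: List[dict] = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "#Fields:":
            fields = tokens[1:]
            continue
        if tokens[0].startswith("#"):      # #Software, #Date, ...
            continue
        if fields is None:
            if tokens[0] in ("date", "time") or tokens[0].startswith(("s-", "c-", "cs-", "sc-")):
                fields = tokens
                continue
            raise ValueError("log entry seen before any field header")
        if len(tokens) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(tokens)}: {raw!r}")
        entries.append(dict(zip(fields, tokens)))
    return entries


def group_sequences(entries: List[dict]) -> List[AuthSequence]:
    """Attach each non-401 response to the 401s that preceded it for the same request."""
    open_seqs: Dict[str, AuthSequence] = {}
    finished: List[AuthSequence] = []
    for e in entries:
        key = f"{e['cs-method']} {e['cs-uri-stem']}"
        if int(e["sc-status"]) == 401:
            open_seqs.setdefault(key, AuthSequence(key, [], None)).challenges.append(e)
        elif key in open_seqs:
            seq = open_seqs.pop(key)
            seq.outcome = e
            finished.append(seq)
        # a 2xx/3xx with no preceding 401 needed no negotiation; nothing to record
    finished.extend(open_seqs.values())    # sequences that never got past 401
    return finished


def assess(seq: AuthSequence) -> List[str]:
    """Return human-readable findings for one challenge sequence."""
    findings = []
    if seq.outcome is None:
        findings.append("no response other than 401: the request never authenticated")
    if len(seq.challenges) > NORMAL_LEGS:
        findings.append(f"{len(seq.challenges)} consecutive 401s, more than the {NORMAL_LEGS}-leg handshake")
    for c in seq.challenges:
        code = int(c["sc-win32-status"])
        if SSPI_STATUS.get(code) == "SEC_E_LOGON_DENIED":
            findings.append(f"401.{c['sc-substatus']} with 0x{code:08X} SEC_E_LOGON_DENIED: credentials supplied and rejected")
            break
    return findings


def analyze(text: str) -> List[dict]:
    return [{"request": s.key, "challenges": len(s.challenges),
             "outcome": None if s.outcome is None else int(s.outcome["sc-status"]),
             "user": None if s.outcome is None else s.outcome["cs-username"],
             "findings": assess(s)}
            for s in group_sequences(parse_w3c(text))]


# Constructed samples: lines copied from the thread's two pastes, User-Agent shortened.
PLAIN_USERNAME_LOG = """
cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
GET /exchange - 443 - 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 2148074254
GET /exchange - 443 - 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 0
GET /exchange - 443 - 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 2148074252
"""
UPN_LOG = """
cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
GET /exchange - 443 - 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 2148074254
GET /exchange - 443 - 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 0
GET /exchange - 443 MYDOMAIN\\john.doe 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0) 302 0 0
SEARCH /exchange/john.doe/Inbox/ - 443 - 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 0
SEARCH /exchange/john.doe/Inbox/ - 443 - 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 2148074241
SUBSCRIBE /exchange/john.doe/Inbox - 443 - 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 2148074254
SUBSCRIBE /exchange/john.doe/Inbox - 443 MYDOMAIN\\john.doe 10.1.1.20 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
"""

if __name__ == "__main__":
    for label, log in (("john.doe", PLAIN_USERNAME_LOG), ("john.doe@mydomain.local", UPN_LOG)):
        print(f"== logging in as {label}")
        for row in analyze(log):
            print(row)
```

The grouping key is method plus URI stem only, which matches how the browser retries: the same request is re-sent with the next token until the server answers. Because the pasted logs carry no date/time fields, the parser does not try Lee's timing test; with a real log the `date` and `time` columns parse through unchanged and can be compared across the entries of one sequence.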
 