date: Wed, 2 Jul 2008 08:03:41 -0500,
group: microsoft.public.exchange.connectivity
Re: OWA problem for one user
The steps I have had to take are to make sure security on the browser is not
too high so I put the OWA domain in the Trusted Sites list both HTTP and
HTTPS so unchecking ONLY HTTPS is required for non-HTTPS entries. I also
install the private certificate. In IE7, the cert will show an error and be
shown in red. You do have to accept the ActiveX control and turn off popups
for this location.
If a user could do this in the past, and cannot now, then this generally
points to a new wks, with a browser that has not previously connected. The
only recent issue I have had with the IE browser is IE7 upgrade solved an
issue because something was stuck in IE6. Normally that's not a fix but it
was in this case but not related to OWA.
--
Roland Hall
"Neko-" wrote in message
news:36181ba0-679e-4ceb-9b82-24ff5507e15e@m44g2000hsc.googlegroups.com...
Having an issue with one specific user having access problems to OWA.
Using an Exchange 2003 (on Windows 2003) configuration in a frontend/
backend configuration. Said user has been able to use the client
previously, but suddenly is unable to. Logging in through the Outlook
application on the desktop itself works without any problems.
* Verified permissions in ADUC, switched them off, applied, and
switched them back on, and applied. No change in behaviour.
* Added the domain before the username (i.e. domain\user) as a
loginname. No change in behaviour.
* Reset the password of the user to his own password. No change in
behaviour. (Caps aren't being used either).
* Restarted the frontend server. No change in behaviour.
Logging in as a different user works fine (with or without the domain
added), it's just one user having problems. I have found no records
of problems in the security eventlogs of the server, not on the front-
end OWA server, nor the backend Exchange server, nor the backend
Domain Controllers. No master/child domain configuration is active,
it's all one domain. Issue is not limited to one computer (issue
occurs on multiple computers) and is not limited to IE7 being used,
since FireFox 3 exhibits the same behaviour: User1 can log in, and
user2 gets a notice. I therefore rule out cookies, certificates, SSL
and possible caching problems.
The user can login multiple times but apparently isn't authenticated.
Normally an account should lock after a few wrong passwords. In the
user's case this does not happen. The screen drops back to the
loginscreen almost immediately. The error itself (translated from
Dutch): You cannot be logged in by Outlook Web Access. Check if domain
\username and the password are correct, and try again.
Looked at
http://forums.whirlpool.net.au/forum-replies-archive.cfm/553775.html,
http://searchexchange.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid43_gci1191152,00.html.
Ran through the W3SVC1 log, located this:
2008-06-25 06:51:41 W3SVC1 10.0.0.1 POST /exchweb/bin/auth/owaauth.dll
- 443 - 192.168.0.2 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT
+5.1;+Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1)+;+.NET
+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+1.1.4322;+.NET+CLR
+3.0.04506.648) 302 0 0
2008-06-25 06:51:41 W3SVC1 10.0.0.1 GET /exchange/ - 443 user1
192.168.0.2 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+Mozilla/
4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1)+;+.NET+CLR
+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+1.1.4322;+.NET+CLR
+3.0.04506.648) 401 1 1329
2008-06-25 06:51:41 W3SVC1 10.0.0.1 GET /exchweb/bin/auth/owalogon.asp
url=https://webmail.domain.nl/exchange/&reason=2 443 - 192.168.0.2
Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+Mozilla/4.0+
(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1)+;+.NET+CLR+2.0.50727;+.NET
+CLR+3.0.04506.30;+.NET+CLR+1.1.4322;+.NET+CLR+3.0.04506.648) 200 0 0
2008-06-25 06:52:02 W3SVC1 10.0.0.1 POST /exchweb/bin/auth/owaauth.dll
- 443 - 192.168.0.2 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT
+5.1;+Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1)+;+.NET
+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+1.1.4322;+.NET+CLR
+3.0.04506.648) 302 0 0
2008-06-25 06:52:02 W3SVC1 10.0.0.1 GET /exchange/ - 443 user2
192.168.0.2 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+Mozilla/
4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1)+;+.NET+CLR
+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+1.1.4322;+.NET+CLR
+3.0.04506.648) 200 0 0
The reason=2 seems to be the cause of the issue. Found the
following:
if the credentials are not correct, OWA will redirect back to exchweb/
bin/auth/owalogon.asp&reason=2, it will then display the message "You
could not be logged on to OWA".
So it seems that for this one user, the OWA server doesn't
authenticate, even if it does do this for a different user. Even if
the password has been reset, and is proven (through using the desktop
application of Outlook) to be correct.
Unfortunately no recommended solutions. I'm almost considering possibly
removing the user completely, recreating him after a sync-period, and
reattaching the Exchange mailbox to his account. Either that, or
export the mailbox, remove the user, purge everything, and then
recreate the account and re-import the e-mail.
Anyone have any thoughts on this matter?
date: Wed, 2 Jul 2008 08:03:41 -0500
author: Roland Hall nobody@nowhere
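Added example, not part of any post in this thread: a Python sketch that reads W3SVC lines in the field order seen in the log quoted above, reports each 401 on /exchange/ with its sub-status and sc-win32-status decoded, and flags whether the same client was then sent to owalogon.asp with reason=2. The sample lines are constructed from the quoted log (unwrapped, User-Agent shortened); the function name and the winerror.h lookup table are assumptions of this example.

```python
import re

# Field order as in the log lines quoted in the post:
# date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port
# cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) \S+ \S+ (?P<method>\S+) (?P<stem>\S+) "
    r"(?P<query>\S+) \d+ (?P<user>\S+) (?P<client>\S+) \S+ "
    r"(?P<status>\d{3}) (?P<sub>\d+) (?P<win32>\d+)$"
)
# Logon-related Win32 codes (winerror.h), as carried in sc-win32-status
WIN32_LOGON = {1326: "ERROR_LOGON_FAILURE", 1327: "ERROR_ACCOUNT_RESTRICTION",
               1328: "ERROR_INVALID_LOGON_HOURS", 1329: "ERROR_INVALID_WORKSTATION",
               1330: "ERROR_PASSWORD_EXPIRED", 1331: "ERROR_ACCOUNT_DISABLED",
               1909: "ERROR_ACCOUNT_LOCKED_OUT"}
# Constructed sample: the post's five requests, unwrapped, User-Agent shortened
UA = "Mozilla/4.0+(compatible;+MSIE+7.0)"
SAMPLE = [
    f"2008-06-25 06:51:41 W3SVC1 10.0.0.1 POST /exchweb/bin/auth/owaauth.dll - 443 - 192.168.0.2 {UA} 302 0 0",
    f"2008-06-25 06:51:41 W3SVC1 10.0.0.1 GET /exchange/ - 443 user1 192.168.0.2 {UA} 401 1 1329",
    f"2008-06-25 06:51:41 W3SVC1 10.0.0.1 GET /exchweb/bin/auth/owalogon.asp url=https://webmail.domain.nl/exchange/&reason=2 443 - 192.168.0.2 {UA} 200 0 0",
    f"2008-06-25 06:52:02 W3SVC1 10.0.0.1 POST /exchweb/bin/auth/owaauth.dll - 443 - 192.168.0.2 {UA} 302 0 0",
    f"2008-06-25 06:52:02 W3SVC1 10.0.0.1 GET /exchange/ - 443 user2 192.168.0.2 {UA} 200 0 0",
]

def failed_owa_logons(lines):
    """One record per 401 on /exchange/; reason2 is set when the same
    client is then redirected to owalogon.asp with reason=2."""
    findings, pending = [], {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # "#Fields:" header or a line in another layout
        stem, client = m["stem"].lower(), m["client"]
        if stem.startswith("/exchange") and m["status"] == "401":
            rec = {
                "when": f'{m["date"]} {m["time"]}',
                "user": m["user"],
                "client": client,
                "http": f'401.{m["sub"]}',
                "win32": WIN32_LOGON.get(int(m["win32"]), m["win32"]),
                "reason2": False,
            }
            findings.append(rec)
            pending[client] = rec
        elif (stem.endswith("/owalogon.asp") and client in pending
              and "reason=2" in m["query"].split("&")):
            pending.pop(client)["reason2"] = True
    return findings
```

On the 401 line quoted in the post, the trailing 1329 is the Win32 code ERROR_INVALID_WORKSTATION, which the login page's reason=2 message does not surface.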
Re: OWA problem for one user
"Neko-" wrote in message
news:8c8a24ab-bffe-4694-ba1e-d88b16b9978a@t54g2000hsg.googlegroups.com...
> I've gotten creative, and just decided to remove the entire mailbox and
> all its settings. Made a PST file backup, then removed the Exchange
> mailbox from the ADUC. Ran the cleanup agent in Exchange, purged the
> mailbox to completely remove it, and then waited 15 minutes. Recreated
> the mailbox, configured it, then let it sync during 15 minutes. Went
> to the user's PC, started up Outlook 2002 and set things straight,
> reimported the mail, and found that the mailbox got filled properly.
> So the user has a recreated mailbox now, with his own data contained
> therein.
>
> Unfortunately for OWA this does not change anything. User is still
> unable to login. As a test, I removed the access rights to OWA on both
> his account and mine. Waited 15 minutes for that change to sync
> through, then tried it. On the working account the error 403 appears,
> showing me that the page was not able to display. For the problem user
> this changes nothing. So the error occurs before the actual
> verification of the Exchange Features configured for the user.
>
> About the only thing I can imagine I could try now that excludes
> anything that affects multiple users (that being re-applying the
> Service Pack for Exchange to the FrontEnd), is to remove the entire
> user account, purge all profile settings, purge the mailbox, and
> essentially wipe the slate clean, then re-create the user. This would
> however entail quite a bit of work to get the whole profile filled
> again, during which time the user has no means of being productive.
> Not something I'd look forward to doing actually.
>
> The suggestion on using the backend-server for OWA access kinda
> slipped past my sight up to now. Fact is, the backend-server doesn't
> actually run the OWA properly. I've provided it to be the same as for
> the FrontEnd server, but for some reason it dumps me to a white
> screen, depicting inbox and the like on the left, the textbar with the
> 'New email' at the top, commenting that it's loading the file list.
> There are no graphics on the screen, and the pictures are referred to
> as being 'unavailable' (with the nice red X in 'm).
>
> If anyone else has further suggestions on what we could try, I look
> forward to hearing them.
If the BE OWA doesn't work 100% correctly, then that's not really an issue
as long as it continues to work through the FE. The FE proxies your OWA
requests into the OWA directory on the BE, but the supporting .js files
still come from the FE, and you may find that the problems on the BE are
related to the security settings for the zone that IE puts the BE in,
compared to the FE.
What is more interesting is how the BE behaves when the affected user tries
to use it. Do they still have the same problem that they get from the FE,
or do they see the same results as when someone else logs in?
date: Sat, 5 Jul 2008 15:20:55 +0100
author: Lee Derbyshire [MVP] email a@t leederbyshire d.0.t c.0.m
Re: OWA problem for one user
It would have been interesting to see if the affected user could actually
log into the BE server, though. Since the FE proxies OWA requests to the BE
server, if the user is denied access to the BE by something, then it may
look as though the problem is coming from the FE, since IIS on the FE
impersonates the logged-on user when directing the proxied requests to the
BE.
"Neko-" wrote in message
news:fd71606a-23a4-4cb3-9343-96cc26500317@2g2000hsn.googlegroups.com...
> As stated, the BE doesn't actually succeed in starting the OWA. As to
> accessing directly, works for all users using Outlook on their
> clients.
>
> While the cause of the BE malfunction eludes me at the moment, I agree
> that as long as it works for the majority of users on the FE there's
> not really a problem in using it. A test on the BE would be a good
> test if it worked to see if the communication between the FE and BE
> was to blame (I doubt it, since that would cause problems to ALL users
> on the FE, and it's only 1 user having issues to my knowledge).
>
> Like I said, about the only thing I can imagine is to remove and re-
> create the whole user account by now. But since I have a vacation
> coming up, I'm seriously considering postponing this till after said
> vacation to prevent issues arising during my vacation.
date: Mon, 7 Jul 2008 15:12:05 +0100
author: Lee Derbyshire [MVP] email a@t leederbyshire d.0.t c.0.m
Re: OWA problem for one user
I don't know the root cause of this issue, but re-creating the user account
and re-attaching it to the mailbox resolved the issue for the problem user.
How and why it broke for only certain users is still a mystery.
"Neko-" wrote:
> Thanks for the input.
>
> The security on the browser cannot be an issue. Cause of this is that
> it does work under my account on my machine, but logging in as the
> problem user on my machine fails. As such the security settings on
> both the frontend server and the local workstation have been tested
> and found to be appropriate for the communication to work.
>
> The certificate is automatically installed with Active Directory, and
> is working fine, since no notifications or said 'red' displays are
> popping up. Since I can login under my own account, the certificate is
> working, is valid, and is installed properly.
>
> The user does not have a new workstation, moreso since it works with
> one account on my workstation, but does not with his account. My
> workstation is proven to be ready on a local scale to handle OWA. Also
> logging in on his workstation with my account shows us a working OWA
> with no problems, while again logging in under his account provides
> problems.
>
> Based on that I'm seriously considering the local client NOT to be a
> problem, but a more centrally related problem. Since it however isn't
> a uniform problem (that meaning more people have issues with it, and
> just one person being affected) it's near to impossible to track the
> problem down more than we've already done in this thread. That is...
> unless I've missed something, or someone reading this gets hit with
> inspiration and tosses up an interesting thing to check.
>
date: Tue, 2 Sep 2008 08:43:10 -0700
author: JoeR