I'm hoping someone here can help me with a webmail permission issue.  I have 
an Exchange 2000 native server in a legacy Windows 2000 native Domain.  All 
Exchange users have been migrated to a new Windows 2003 native forest.  SID 
History was added to the new 2003 Active Directory accounts from the legacy 
accounts in the 2000 Domain.  Users can access their mailboxes fine using 
their new accounts but can not access webmail.  Using the legacy account 
will grant access, but using the new 2003 account does not.  I have tried 
setting the Basic Authentication Domain to the new 2003 Domain in both IIS 
and System Manager with no success.
Can anyone point me in the right direction with regards to modifying the 
permissions for webmail?

Thanks in advance.

Have you tried enabling Form Based Authentication?  What error are they 
getting when trying to login to OWA?

-- 
John Oliver, Jr
MCSE, MCT, CCNA
Exchange MVP 2006
Microsoft Certified Partner
"news.microsoft.com"  wrote in message 
news:OGH5rmehGHA.4044@TK2MSFTNGP03.phx.gbl...
> I'm hoping someone here can help me with a webmail permission issue.  I 
> have an Exchange 2000 native server in a legacy Windows 2000 native 
> Domain.  All Exchange users have been migrated to a new Windows 2003 
> native forest.  SID History was added to the new 2003 Active Directory 
> accounts from the legacy accounts in the 2000 Domain.  Users can access 
> their mailboxes fine using their new accounts but can not access webmail. 
> Using the legacy account will grant access, but using the new 2003 account 
> does not.  I have tried setting the Basic Authentication Domain to the new 
> 2003 Domain in both IIS and System Manager with no success.
> Can anyone point me in the right direction with regards to modifying the 
> permissions for webmail?
>
> Thanks in advance.
>

No error, just prompts again for logon credentials.  Users get access denied 
after three failed logon attempts.

Forms-based authentication is an Exchange 2003 feature, this is a native 
2000 server.  And there isn't an ISA Server in front of Exchange.


"John Oliver, Jr. [MVP]"  wrote in message 
news:uibG61ehGHA.412@TK2MSFTNGP05.phx.gbl...
> Have you tried enabling Form Based Authentication?  What error are they 
> getting when trying to login to OWA?
>
> -- 
> John Oliver, Jr
> MCSE, MCT, CCNA
> Exchange MVP 2006
> Microsoft Certified Partner
> "news.microsoft.com"  wrote in message 
> news:OGH5rmehGHA.4044@TK2MSFTNGP03.phx.gbl...
>> I'm hoping someone here can help me with a webmail permission issue.  I 
>> have an Exchange 2000 native server in a legacy Windows 2000 native 
>> Domain.  All Exchange users have been migrated to a new Windows 2003 
>> native forest.  SID History was added to the new 2003 Active Directory 
>> accounts from the legacy accounts in the 2000 Domain.  Users can access 
>> their mailboxes fine using their new accounts but can not access webmail. 
>> Using the legacy account will grant access, but using the new 2003 
>> account does not.  I have tried setting the Basic Authentication Domain 
>> to the new 2003 Domain in both IIS and System Manager with no success.
>> Can anyone point me in the right direction with regards to modifying the 
>> permissions for webmail?
>>
>> Thanks in advance.
>>
>
>

Sorry, missed you were still on Exchange 2000.  Have you tried username 
format of username@yourdomain for the login?  Can you check the Exchange 
Event App and Security Log for any related errors?

-- 
John Oliver, Jr
MCSE, MCT, CCNA
Exchange MVP 2006
Microsoft Certified Partner
"Exch Admin"  wrote in message 
news:OTDAfhghGHA.1208@TK2MSFTNGP02.phx.gbl...
> No error, just prompts again for logon credentials.  Users get access 
> denied after three failed logon attempts.
>
> Forms-based authentication is an Exchange 2003 feature, this is a native 
> 2000 server.  And there isn't an ISA Server in front of Exchange.
>
>
> "John Oliver, Jr. [MVP]"  wrote in message 
> news:uibG61ehGHA.412@TK2MSFTNGP05.phx.gbl...
>> Have you tried enabling Form Based Authentication?  What error are they 
>> getting when trying to login to OWA?
>>
>> -- 
>> John Oliver, Jr
>> MCSE, MCT, CCNA
>> Exchange MVP 2006
>> Microsoft Certified Partner
>> "news.microsoft.com"  wrote in message 
>> news:OGH5rmehGHA.4044@TK2MSFTNGP03.phx.gbl...
>>> I'm hoping someone here can help me with a webmail permission issue.  I 
>>> have an Exchange 2000 native server in a legacy Windows 2000 native 
>>> Domain.  All Exchange users have been migrated to a new Windows 2003 
>>> native forest.  SID History was added to the new 2003 Active Directory 
>>> accounts from the legacy accounts in the 2000 Domain.  Users can access 
>>> their mailboxes fine using their new accounts but can not access 
>>> webmail. Using the legacy account will grant access, but using the new 
>>> 2003 account does not.  I have tried setting the Basic Authentication 
>>> Domain to the new 2003 Domain in both IIS and System Manager with no 
>>> success.
>>> Can anyone point me in the right direction with regards to modifying the 
>>> permissions for webmail?
>>>
>>> Thanks in advance.
>>>
>>
>>
>
>

Using the UPN has the same affect.  Nothing in the logs except the logon 
attempt is recorded.
Three invalid attempts gives the HTTP/1.1 401 Unauthorized error in Internet 
Explorer.
If I use the full mailbox path, https://servername/exchange/mailbox 
Integrated Authentication allows access.  But using the shorter path prompts 
for credentials and doesn't allow the 2003 account access.
I forgot to mention also that the two Domains are in seperate Forests, there 
is a two way trust between them, and SID Filtering is disabled.


"John Oliver, Jr. [MVP]"  wrote in message 
news:OeK9QIlhGHA.1508@TK2MSFTNGP04.phx.gbl...
> Sorry, missed you were still on Exchange 2000.  Have you tried username 
> format of username@yourdomain for the login?  Can you check the Exchange 
> Event App and Security Log for any related errors?
>
> -- 
> John Oliver, Jr
> MCSE, MCT, CCNA
> Exchange MVP 2006
> Microsoft Certified Partner
> "Exch Admin"  wrote in message 
> news:OTDAfhghGHA.1208@TK2MSFTNGP02.phx.gbl...
>> No error, just prompts again for logon credentials.  Users get access 
>> denied after three failed logon attempts.
>>
>> Forms-based authentication is an Exchange 2003 feature, this is a native 
>> 2000 server.  And there isn't an ISA Server in front of Exchange.
>>
>>
>> "John Oliver, Jr. [MVP]"  wrote in message 
>> news:uibG61ehGHA.412@TK2MSFTNGP05.phx.gbl...
>>> Have you tried enabling Form Based Authentication?  What error are they 
>>> getting when trying to login to OWA?
>>>
>>> -- 
>>> John Oliver, Jr
>>> MCSE, MCT, CCNA
>>> Exchange MVP 2006
>>> Microsoft Certified Partner
>>> "news.microsoft.com"  wrote in message 
>>> news:OGH5rmehGHA.4044@TK2MSFTNGP03.phx.gbl...
>>>> I'm hoping someone here can help me with a webmail permission issue.  I 
>>>> have an Exchange 2000 native server in a legacy Windows 2000 native 
>>>> Domain.  All Exchange users have been migrated to a new Windows 2003 
>>>> native forest.  SID History was added to the new 2003 Active Directory 
>>>> accounts from the legacy accounts in the 2000 Domain.  Users can access 
>>>> their mailboxes fine using their new accounts but can not access 
>>>> webmail. Using the legacy account will grant access, but using the new 
>>>> 2003 account does not.  I have tried setting the Basic Authentication 
>>>> Domain to the new 2003 Domain in both IIS and System Manager with no 
>>>> success.
>>>> Can anyone point me in the right direction with regards to modifying 
>>>> the permissions for webmail?
>>>>
>>>> Thanks in advance.
>>>>
>>>
>>>
>>
>>
>
>

Here is great article securing OWA 2003 in detail, please read and post 
back.

http://www.msexchange.org/tutorials/Securing-Exchange-Server-2003-Outlook-Web-Access-Chapter5.html

-- 
John Oliver, Jr
MCSE, MCT, CCNA
Exchange MVP 2006
Microsoft Certified Partner

"Exch Admin"  wrote in message 
news:%23nDUWYnhGHA.1272@TK2MSFTNGP03.phx.gbl...
> Using the UPN has the same affect.  Nothing in the logs except the logon 
> attempt is recorded.
> Three invalid attempts gives the HTTP/1.1 401 Unauthorized error in 
> Internet Explorer.
> If I use the full mailbox path, https://servername/exchange/mailbox 
> Integrated Authentication allows access.  But using the shorter path 
> prompts for credentials and doesn't allow the 2003 account access.
> I forgot to mention also that the two Domains are in seperate Forests, 
> there is a two way trust between them, and SID Filtering is disabled.
>
>
> "John Oliver, Jr. [MVP]"  wrote in message 
> news:OeK9QIlhGHA.1508@TK2MSFTNGP04.phx.gbl...
>> Sorry, missed you were still on Exchange 2000.  Have you tried username 
>> format of username@yourdomain for the login?  Can you check the Exchange 
>> Event App and Security Log for any related errors?
>>
>> -- 
>> John Oliver, Jr
>> MCSE, MCT, CCNA
>> Exchange MVP 2006
>> Microsoft Certified Partner
>> "Exch Admin"  wrote in message 
>> news:OTDAfhghGHA.1208@TK2MSFTNGP02.phx.gbl...
>>> No error, just prompts again for logon credentials.  Users get access 
>>> denied after three failed logon attempts.
>>>
>>> Forms-based authentication is an Exchange 2003 feature, this is a native 
>>> 2000 server.  And there isn't an ISA Server in front of Exchange.
>>>
>>>
>>> "John Oliver, Jr. [MVP]"  wrote in message 
>>> news:uibG61ehGHA.412@TK2MSFTNGP05.phx.gbl...
>>>> Have you tried enabling Form Based Authentication?  What error are they 
>>>> getting when trying to login to OWA?
>>>>
>>>> -- 
>>>> John Oliver, Jr
>>>> MCSE, MCT, CCNA
>>>> Exchange MVP 2006
>>>> Microsoft Certified Partner
>>>> "news.microsoft.com"  wrote in message 
>>>> news:OGH5rmehGHA.4044@TK2MSFTNGP03.phx.gbl...
>>>>> I'm hoping someone here can help me with a webmail permission issue. 
>>>>> I have an Exchange 2000 native server in a legacy Windows 2000 native 
>>>>> Domain.  All Exchange users have been migrated to a new Windows 2003 
>>>>> native forest.  SID History was added to the new 2003 Active Directory 
>>>>> accounts from the legacy accounts in the 2000 Domain.  Users can 
>>>>> access their mailboxes fine using their new accounts but can not 
>>>>> access webmail. Using the legacy account will grant access, but using 
>>>>> the new 2003 account does not.  I have tried setting the Basic 
>>>>> Authentication Domain to the new 2003 Domain in both IIS and System 
>>>>> Manager with no success.
>>>>> Can anyone point me in the right direction with regards to modifying 
>>>>> the permissions for webmail?
>>>>>
>>>>> Thanks in advance.
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

Thank you for the reply.  Although the general priciples are the same, we 
are still talking about Exchange 2000 OWA not 2003.  Nothing in the document 
discusses cross-forest authentication issues and I'm starting to think that 
this just isn't possible.

I will keep searching and post the results if I get it figured out.

"John Oliver, Jr. [MVP]"  wrote in message 
news:uEFvlKphGHA.4864@TK2MSFTNGP03.phx.gbl...
> Here is great article securing OWA 2003 in detail, please read and post 
> back.
>
> http://www.msexchange.org/tutorials/Securing-Exchange-Server-2003-Outlook-Web-Access-Chapter5.html
>
> -- 
> John Oliver, Jr
> MCSE, MCT, CCNA
> Exchange MVP 2006
> Microsoft Certified Partner
>
> "Exch Admin"  wrote in message 
> news:%23nDUWYnhGHA.1272@TK2MSFTNGP03.phx.gbl...
>> Using the UPN has the same affect.  Nothing in the logs except the logon 
>> attempt is recorded.
>> Three invalid attempts gives the HTTP/1.1 401 Unauthorized error in 
>> Internet Explorer.
>> If I use the full mailbox path, https://servername/exchange/mailbox 
>> Integrated Authentication allows access.  But using the shorter path 
>> prompts for credentials and doesn't allow the 2003 account access.
>> I forgot to mention also that the two Domains are in seperate Forests, 
>> there is a two way trust between them, and SID Filtering is disabled.
>>
>>
>> "John Oliver, Jr. [MVP]"  wrote in message 
>> news:OeK9QIlhGHA.1508@TK2MSFTNGP04.phx.gbl...
>>> Sorry, missed you were still on Exchange 2000.  Have you tried username 
>>> format of username@yourdomain for the login?  Can you check the Exchange 
>>> Event App and Security Log for any related errors?
>>>
>>> -- 
>>> John Oliver, Jr
>>> MCSE, MCT, CCNA
>>> Exchange MVP 2006
>>> Microsoft Certified Partner
>>> "Exch Admin"  wrote in message 
>>> news:OTDAfhghGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>> No error, just prompts again for logon credentials.  Users get access 
>>>> denied after three failed logon attempts.
>>>>
>>>> Forms-based authentication is an Exchange 2003 feature, this is a 
>>>> native 2000 server.  And there isn't an ISA Server in front of 
>>>> Exchange.
>>>>
>>>>
>>>> "John Oliver, Jr. [MVP]"  wrote in message 
>>>> news:uibG61ehGHA.412@TK2MSFTNGP05.phx.gbl...
>>>>> Have you tried enabling Form Based Authentication?  What error are 
>>>>> they getting when trying to login to OWA?
>>>>>
>>>>> -- 
>>>>> John Oliver, Jr
>>>>> MCSE, MCT, CCNA
>>>>> Exchange MVP 2006
>>>>> Microsoft Certified Partner
>>>>> "news.microsoft.com"  wrote in message 
>>>>> news:OGH5rmehGHA.4044@TK2MSFTNGP03.phx.gbl...
>>>>>> I'm hoping someone here can help me with a webmail permission issue. 
>>>>>> I have an Exchange 2000 native server in a legacy Windows 2000 native 
>>>>>> Domain.  All Exchange users have been migrated to a new Windows 2003 
>>>>>> native forest.  SID History was added to the new 2003 Active 
>>>>>> Directory accounts from the legacy accounts in the 2000 Domain. 
>>>>>> Users can access their mailboxes fine using their new accounts but 
>>>>>> can not access webmail. Using the legacy account will grant access, 
>>>>>> but using the new 2003 account does not.  I have tried setting the 
>>>>>> Basic Authentication Domain to the new 2003 Domain in both IIS and 
>>>>>> System Manager with no success.
>>>>>> Can anyone point me in the right direction with regards to modifying 
>>>>>> the permissions for webmail?
>>>>>>
>>>>>> Thanks in advance.
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

I wish I could help more.  Why don't to you try posting again to see if 
another MVP might have a direct answer.  Bharat Suneja is very good, you 
might try contacting him directly.

Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
www.exchangepedia.com/blog

-- 
John Oliver, Jr
MCSE, MCT, CCNA
Exchange MVP 2006
Microsoft Certified Partner
"Exch Admin"  wrote in message 
news:uI3coOqhGHA.1276@TK2MSFTNGP03.phx.gbl...
> Thank you for the reply.  Although the general priciples are the same, we 
> are still talking about Exchange 2000 OWA not 2003.  Nothing in the 
> document discusses cross-forest authentication issues and I'm starting to 
> think that this just isn't possible.
>
> I will keep searching and post the results if I get it figured out.
>
> "John Oliver, Jr. [MVP]"  wrote in message 
> news:uEFvlKphGHA.4864@TK2MSFTNGP03.phx.gbl...
>> Here is great article securing OWA 2003 in detail, please read and post 
>> back.
>>
>> http://www.msexchange.org/tutorials/Securing-Exchange-Server-2003-Outlook-Web-Access-Chapter5.html
>>
>> -- 
>> John Oliver, Jr
>> MCSE, MCT, CCNA
>> Exchange MVP 2006
>> Microsoft Certified Partner
>>
>> "Exch Admin"  wrote in message 
>> news:%23nDUWYnhGHA.1272@TK2MSFTNGP03.phx.gbl...
>>> Using the UPN has the same affect.  Nothing in the logs except the logon 
>>> attempt is recorded.
>>> Three invalid attempts gives the HTTP/1.1 401 Unauthorized error in 
>>> Internet Explorer.
>>> If I use the full mailbox path, https://servername/exchange/mailbox 
>>> Integrated Authentication allows access.  But using the shorter path 
>>> prompts for credentials and doesn't allow the 2003 account access.
>>> I forgot to mention also that the two Domains are in seperate Forests, 
>>> there is a two way trust between them, and SID Filtering is disabled.
>>>
>>>
>>> "John Oliver, Jr. [MVP]"  wrote in message 
>>> news:OeK9QIlhGHA.1508@TK2MSFTNGP04.phx.gbl...
>>>> Sorry, missed you were still on Exchange 2000.  Have you tried username 
>>>> format of username@yourdomain for the login?  Can you check the 
>>>> Exchange Event App and Security Log for any related errors?
>>>>
>>>> -- 
>>>> John Oliver, Jr
>>>> MCSE, MCT, CCNA
>>>> Exchange MVP 2006
>>>> Microsoft Certified Partner
>>>> "Exch Admin"  wrote in message 
>>>> news:OTDAfhghGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>> No error, just prompts again for logon credentials.  Users get access 
>>>>> denied after three failed logon attempts.
>>>>>
>>>>> Forms-based authentication is an Exchange 2003 feature, this is a 
>>>>> native 2000 server.  And there isn't an ISA Server in front of 
>>>>> Exchange.
>>>>>
>>>>>
>>>>> "John Oliver, Jr. [MVP]"  wrote in message 
>>>>> news:uibG61ehGHA.412@TK2MSFTNGP05.phx.gbl...
>>>>>> Have you tried enabling Form Based Authentication?  What error are 
>>>>>> they getting when trying to login to OWA?
>>>>>>
>>>>>> -- 
>>>>>> John Oliver, Jr
>>>>>> MCSE, MCT, CCNA
>>>>>> Exchange MVP 2006
>>>>>> Microsoft Certified Partner
>>>>>> "news.microsoft.com"  wrote in message 
>>>>>> news:OGH5rmehGHA.4044@TK2MSFTNGP03.phx.gbl...
>>>>>>> I'm hoping someone here can help me with a webmail permission issue. 
>>>>>>> I have an Exchange 2000 native server in a legacy Windows 2000 
>>>>>>> native Domain.  All Exchange users have been migrated to a new 
>>>>>>> Windows 2003 native forest.  SID History was added to the new 2003 
>>>>>>> Active Directory accounts from the legacy accounts in the 2000 
>>>>>>> Domain. Users can access their mailboxes fine using their new 
>>>>>>> accounts but can not access webmail. Using the legacy account will 
>>>>>>> grant access, but using the new 2003 account does not.  I have tried 
>>>>>>> setting the Basic Authentication Domain to the new 2003 Domain in 
>>>>>>> both IIS and System Manager with no success.
>>>>>>> Can anyone point me in the right direction with regards to modifying 
>>>>>>> the permissions for webmail?
>>>>>>>
>>>>>>> Thanks in advance.
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

I might have missed it along the thread somewhere (and forgive me for
that) but regarding the Accounts for the users that are in the
Exchange Forest; can that account access webmail and only the
Associated External Account has problem, or does the "actual" account
also have a problem?
Again, forgive me for a) not getting that question accross completely
clear and b) if it's already been explored.

Thanks Mark, I am stumped on this one.

-- 
John Oliver, Jr
MCSE, MCT, CCNA
Exchange MVP 2006
Microsoft Certified Partner

"Mark Arnold [MVP]"  wrote in message 
news:25r2829l4av34v4gbacrfts2s9o7r20g6p@4ax.com...
>I might have missed it along the thread somewhere (and forgive me for
> that) but regarding the Accounts for the users that are in the
> Exchange Forest; can that account access webmail and only the
> Associated External Account has problem, or does the "actual" account
> also have a problem?
> Again, forgive me for a) not getting that question accross completely
> clear and b) if it's already been explored.

Actual account in the Exchange Forest works fine.  Connecting directly to 
the mailbox path (https://server/exchange/user) using Integrated 
Authentication and the associated account also works fine.  Normal logon 
using the associated account does not work.


"Mark Arnold [MVP]"  wrote in message 
news:25r2829l4av34v4gbacrfts2s9o7r20g6p@4ax.com...
>I might have missed it along the thread somewhere (and forgive me for
> that) but regarding the Accounts for the users that are in the
> Exchange Forest; can that account access webmail and only the
> Associated External Account has problem, or does the "actual" account
> also have a problem?
> Again, forgive me for a) not getting that question accross completely
> clear and b) if it's already been explored.