Exchange 2003 Authentication Problems

[paul]

I have quite a big problem with my M$ Exchange 2003 setup, when I create new accounts the user is unable to authenticate on the Exchange server when trying to access OWA, instead of automatically authenticating they are presented with a standard windows logon box filling this in correctly will still not allow access, you are then prevented with the following error:
HTTP/1.1 401 Unauthorized.
Trawling msexchange.org has provided little help and I have already checked the authentication settings in System manager > set to integrated windows authentication.
Anyone any ideas?

Also can anyone tell me where is the option to be able to view individuals mailboxes, have done this under 2k buit can't remember how!

[sahmeepee]

Can help you with the easy bit.. To view someone else's mailbox, just go to:

http : // yourexchangeserver/exchange/theirusername

and log in with YourDomain\SomePowerfulAccount

It's possible in System Manager to control the permissions on mailboxes (with a standard Windows ACL permissions box), but I'd read up on it first as there may well be some gotchas lurking!

For your main login problem, try sending them an email before they log in first time. Also, try checking in their account properties to make sure that their email addresses have been created the same as your working users.

[kingswood]

Hi.

In ESM, and when looking at your OWA authentication methods window, have you also checked "Basic authentication..."? OWA cannot use anonymous authentication (that's for SMTP I believe) but needs an authentication mechanism. The three it can use are:

1. Negotiate
2. NTLM
3. Basic

IE 5.0 and above uses NTLM if the desktop belongs to the same domain as the Exchange Server. Current versions AFAIK use Kerberos, otherwise they use Basic. All Basic does (hehehe) is pass the user's name and password across the wires in clear text (that's why *they* recommend you use this with SSL).

Anyway, just thought I would throw that out there. You may have already enabled Basic anyway- and if you have discard; or you may use SSL etc already...again, discard.

Hope you get it fixed soon!

Paul

[john]

We have this issue sometimes, try after making the account, sending a test message to it from a known working account and this seems to "open" the account.

[paul]

Thanks for the replies, I have already tried the old trick of sending an email to open the accounts have suffered this problem once under ex2k, this time though it seems to have no effect.
As for accessing the users email through OWA I am using my domain admin account but am receiving the same problem; HTTP/1.1 401 Unauthorized. Just about to start pulling my hair out on this 1!

[kingswood]

Hi Paul.

Are you using FBA (Forms Based Access)?

Paul too :-)

[Dos_Box]

I sometimes encounter this. Logging on with:
Domain\Username
Password

this works every time i.e:

yourschool\jbloggs
password

[paul]

@DB I have tried this it will not validate the username or password, login box will keep appearing and then fail after 4 attempts.

[DMcCoy]

does

Code:

username@domain.local

(or whatever the domain is) work?

[paul]

@DMcCoy: no affraid not

[DMcCoy]

Are you using ssl for exchange logins? You have to apply it to certain directories rather than the web root itself. I broke mine this way before reading a kb about which folders to enable ssl for (and client certificates).

Are there any exchange related errors in a fresh boot of the server? I had issues with backup exec being locked out at times and this was always fixed by a reboot (no idea why though!).

[kingswood]

This is a bit of a funny one really- if you are using FBA then you *have* to (AFAIK) use Basic as the authentication method. You can then use SSL to secure the connection so that you can't suffer man-in-the-middle attacks and HTTP stream redirects.

I think you kind of said already that you had checked ESM. Did you look at:

Protocols > HTTP > Exchange Virtual Server

The "compression" option on mine (looking at it now) is set to "none". You should check the box is ticked to enable Forms Based Authentication. You should have gotten a message when you did so that told you to enable SSL. DB was right- you need to enter credentials like this:

domain\username

But OwaLogon definitely only uses Basic Authentication and protects that plain text mess with SSL.

Other than that I'm now stumped. I had a similar problem myself that meant I couldn't authenticate; tried sending an email so that it "unlocks" the account. Didn't work. I had integrated security checked and thought that OWA would work with this. It didn't seem to like it, so I took some good advice from an MS MVP and enabled Basic Authentication for Forms Based Access. Boof. Worked.

Not saying this is your issue- but it's worth double checking to make sure (or decca-checking since you are no doubt sick of looking at it by now)!

Paul

[Lord_Edam]

To access all mailboxes, create a non-administrator account and add it to the "Exchange Services" group.

the problem with logging on to OWA - have you changed email addresses in RUS recently, or are you running two domains in the same forest/exchange organisation?

If so, you might have accidentally deleted the email address that everyone must have. in ESM -> servername -> protocols -> http->exchange virtual server, right-click the "Exchange" virtual directory. whatever's in the "mailboxes from SMTP domain" box has to exist as an email address for all users. took me ages to work out why our students couldn't logon to OWA and this was the problem - staff get @mail.domain.com, students get @student.domain.com and the SMTP domain for OWA had reset itself to @mail.domain.com so no student could log on.

The domain doesn't need to be the primary SMTP address, but it does need to at least exist for every account you want to log on through OWA.

[Ric_]

@Paul: In Exchange 2003 you have to change the permissions on the mailboxes to give you read access. By default only the user has access to the account -hence why you get unauthorized.

If OWA is completely busted - check the .NET login credentials too. Maybe blitz the OWA stuff in IIS and re-install.