The authentication portion of Outlook Web Access tends to be one of the trickiest parts to troubleshoot. When troubleshooting authentication problems, it's helpful to keep in mind that when your users use OWA, they aren't telling OWA which Exchange server their mailboxes exist on. Instead, OWA is performing an Active Directory query during the authentication process. This query tells OWA which Exchange server to connect the user to.

It's quite possible that the Active Directory query could be causing the problem. The easiest way to find out is to enter the URL of the OWA site into the Web browser in a way that conveys the name of the user's mailbox. For example, if you normally enter http://server_name/exchange, try entering http://server_name/exchange/user_name instead. If this technique works, then the problem could be due to the OWA server's TCP/IP settings not referencing a DNS server that's aware of your Active Directory. The other possibility is a problem with the authentication protocol, which is what I'm about to show you how to fix.

When it comes to Windows 2000 authentication, the NTLM authentication protocol is more secure than basic or anonymous authentication. However, in an OWA environment, you must use basic authentication. NTLM doesn't work if your clients are communicating with the server over HTTP or HTTPS. Likewise, anonymous authentication does work, but it would give everyone in the world access to your server. Therefore, basic authentication is your only real choice.

To verify what type of authentication is being used, open the Internet Services Manager, right-click the OWA Web site, and select Properties. Select the Directory Security tab on the OWA site's property sheet, and click the Edit button found in the tab's Anonymous Access And Authentication Control section. When you do, you'll see the Authentication Methods dialog box. Verify that the Anonymous Access check box is not selected.

Now, take a look at the Authenticated Access section and verify that only the Basic Authentication check box is selected. As you look at the various check boxes, you'll notice an Edit button just to the right of the Basic check box. Click the Edit button and verify that the correct authentication domain is selected. At this point, close all of the open windows by clicking OK in each. You've now specified that the OWA Web site will use basic authentication exclusively, and that a specific domain will perform the authentication.

The final step in the process is to verify that the OWA server can communicate with the domain that you've specified. You can start out by attempting to ping domain controllers in the specified domain from the OWA server. If the pings are successful, the next step is to verify that the OWA server is configured to use the same DNS server as all of the domain controllers. Unless all of the servers use a common DNS server (or linked DNS servers), the OWA server may have trouble accessing Active Directory information from the domain controller.

If you're still having trouble
OWA is a handy Web application, but it doesn't always work the way it's supposed to. If you're still having problems, Microsoft has an excellent document on OWA troubleshooting at Microsoft's Exchange Web Site.
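
The Authentication Methods settings described above can also be confirmed from the client side: the response to a request sent without credentials shows whether anonymous access is on and which schemes the server offers. The following Python is an added example, not part of the original article; the function names and sample responses are constructed for illustration, and the plain-HTTP finding reflects the fact that Basic authentication sends the password base64-encoded, not encrypted.

```python
# Added example (not from the article). The three responses are constructed
# samples of what an unauthenticated GET of /exchange might return.
GOOD = 'HTTP/1.1 401 Access Denied\r\nWWW-Authenticate: Basic realm="EXAMPLE"\r\n\r\n'
MIXED = ('HTTP/1.1 401 Access Denied\r\nWWW-Authenticate: Negotiate\r\n'
         'WWW-Authenticate: NTLM\r\nWWW-Authenticate: Basic realm="EXAMPLE"\r\n\r\n')
OPEN = 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>'


def offered_schemes(raw_response):
    """Return (status_code, [auth schemes]) parsed from a raw HTTP response."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    schemes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # Each WWW-Authenticate header names one scheme as its first token.
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    return status, schemes


def audit(raw_response, over_tls):
    """List deviations from the article's target: Basic only, no anonymous."""
    status, schemes = offered_schemes(raw_response)
    findings = []
    if status == 200:
        findings.append("anonymous access appears enabled (200 without credentials)")
    elif status != 401:
        findings.append("unexpected status %d, no authentication challenge" % status)
    elif "basic" not in schemes:
        findings.append("Basic authentication is not offered")
    extra = sorted(set(schemes) - {"basic"})
    if extra:
        findings.append("other schemes offered: " + ", ".join(extra))
    if "basic" in schemes and not over_tls:
        findings.append("Basic over plain HTTP sends the password base64-encoded only")
    return findings


if __name__ == "__main__":
    for label, raw, tls in [("good", GOOD, True), ("mixed", MIXED, True),
                            ("open", OPEN, False)]:
        print(label, audit(raw, tls) or "matches the article's settings")
```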

Talkback
Hi. Have a problem with a user using OWA.
He can open a new mail message page but he cannot type anything as his page has a red cross in the top left-hand corner.
He is the only user experiencing this problem. Could it be because of his security rights?
Please advise.

Excellent article.
Took me straight to the heart of my problem after swapping servers around two sites.
Many thanks.