Re: OWA 403 access denied error



OK so here is the scoop on the 500 error. I did some research and came up
with an article from isaserver.org (Thanks Dr Schinder!) The 500 error
happens when the certificate that ISA uses to connect to the mail server does
not match the CN of the server. In my case the mail server was serving a
cert with the CN of "mail.mydomain.net". ISA server was looking for
"owa.mydomain.com". I changed the published server to match the certificate
and it now appears to work correctly.

Thanks for your help Phillip on dropping the /owa suffix. I'll try your
suggestion and see if I can get it to work.

Thanks again
--
Steve Halvorson
Preferred Credit, Inc
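
The name check behind the 500 error described above, as an added example that is not part of the original post or of ISA Server itself. The certificate dicts are constructed samples in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the function names and the wildcard certificate are hypothetical.

```python
# Added example: compare the name a publishing rule uses to reach the
# published server with the names in the certificate that server presents.
# Cert dicts are constructed samples shaped like ssl.SSLSocket.getpeercert().

def cert_names(cert):
    """DNS names the cert is valid for: SAN entries, else the subject CN."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # when SAN DNS entries exist, the CN is not consulted
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or a wildcard covering exactly the left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    if p.startswith("*.") and "." in h:
        return h.split(".", 1)[1] == p[2:]
    return False

def check_published_name(cert, published_name):
    """Return (ok, names) for the name the firewall uses to reach the server."""
    names = cert_names(cert)
    return any(name_matches(n, published_name) for n in names), names

# Constructed sample: the mail server certificate as described in the post.
MAIL_CERT = {"subject": ((("commonName", "mail.mydomain.net"),),)}
# Constructed sample (hypothetical): a wildcard certificate with SAN entries.
WILDCARD_CERT = {
    "subject": ((("commonName", "ignored.example"),),),
    "subjectAltName": (("DNS", "*.mydomain.com"), ("DNS", "mydomain.com")),
}

if __name__ == "__main__":
    for name in ("owa.mydomain.com", "mail.mydomain.net"):
        ok, names = check_published_name(MAIL_CERT, name)
        print(f"{name}: {'match' if ok else 'MISMATCH'} (cert names: {names})")
```
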


"Phillip Windell" wrote:

It is supposed to be https://owa.mydomain.com/exchange, not
https://owa.mydomain.com/owa

Reducing it to https://owa.mydomain.com will only work for external
users,...not internal users because internal users should not be using the
ISA to get there (the Split-DNS thing is for that). This is because the
process is done by ISA and not the Exchange box. It may have side effects
and I've found it not worth messing with and have removed it.

But there are two ways to do it:

Option 1. In the Paths Tab of the OWA Publishing Rule add the following path
/* /exchange\* (the slashes are to be just as I typed them)

Option 2. Create an OWA Web Publishing Deny Rule for specifically
https://owa.mydomain.com that redirects to https://owa.mydomain.com/exchange
where the "real" Publishing Rule picks it up from there. Here's the link to
the discussion on this:
http://forums.isaserver.org/m_2002021383/mpage_1/key_/tm.htm

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------


"Steve Halvorson" <steveh@xxxxxxxxxxxxxx> wrote in message
news:E53B0C39-7B8B-4BF3-A02F-ADD1073216F2@xxxxxxxxxxxxxxxx
Thanks for the reply. I have DNS setup so that from the ISA server (Internal
network) I can go to https://owa.mydomain.com/owa it resolves the name and
goes into OWA. However, when I try from an external source, I get the html
OWA login screen but when I log in, I get an error 500 the target principal
name is incorrect. Also, I would like to get rid of the /owa. Can I
redirect https://owa.mydomain.com to https://owa.mydomain.com/owa?

Any help on either of these would be appreciated.
--
Steve Halvorson
Preferred Credit, Inc


"Phillip Windell" wrote:

You need to run Split-DNS so that owa.mydomain.com (not .net) resolves to
the *internal* IP# of the OWA when running from internal LAN
machines,...while the outside world still resolves the same name to the
Public IP# as they are now.

OWA needs to run with SSL and the Cert will require the same name be used
(owa.mydomain.com) throughout the whole process no matter where the user is
coming from. The Split-DNS is what makes that possible.

--
Phillip Windell
www.wandtv.com


"Steve Halvorson" <steveh@xxxxxxxxxxxxxx> wrote in message
news:1E8D75E2-6F11-49B0-B202-BBCF51736E6E@xxxxxxxxxxxxxxxx
Sorry for the delay in getting back to this. Actually, the exchange server
slowly started to melt down and eventually failed. We've been struggling to
restore full functionality in the exchange environment on a new server. Now
I am back to OWA.

As far as I know DNS is working properly. Is there something specific I
should check? The mail server (mail1.mydomain.net) is resolvable from the
ISA server. Note that the internal domain root is different from the inside
to the outside. Inside the network it is mydomain.net and outside it is
mydomain.com. Therefore, from the outside you enter owa.mydomain.com to
access the exchange server.
--
Steve Halvorson
Preferred Credit, Inc


""Ken Zhao [MSFT]"" wrote:

Hi Steve,

I am just writing to see how everything is going. If you have any updates
or need any further assistance on this issue, please feel free to let me
know.

Thanks & Regards,

Ken Zhao

Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security <http://www.microsoft.com/security>
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.




--------------------
| From: v-kzhao@xxxxxxxxxxxxxxxxxxxx ("Ken Zhao [MSFT]")
| Organization: Microsoft
| Date: Mon, 21 Jan 2008 09:05:47 GMT
| Subject: RE: OWA 403 access denied error
|
| Hi Steve,
|
| I have checked your information but I cannot see the exact error screenshot
| of the OWA 403 error. Can you attach it?
|
| From your BPA report, I see the error description: "The connectivity
| verifier "OWA" reported an error when trying to connect to http://xxx.xxx.";
| Reason: Can't resolve the server name.
|
| Can you help us confirm if your DNS server is working fine in the network?
|
| Thanks & Regards,
|
| Ken Zhao
|
| --------------------
| | From: v-kzhao@xxxxxxxxxxxxxxxxxxxx ("Ken Zhao [MSFT]")
| | Organization: Microsoft
| | Date: Fri, 18 Jan 2008 08:46:38 GMT
| | Subject: RE: OWA 403 access denied error
| |
| | Hi Steve,
| |
| | I have received your info and it needs some time to research them. I
| | appreciate your patience.
| | Thanks & Regards,
| |
| | Ken Zhao
| |
| | --------------------
| | | From: Steve Halvorson <steveh@xxxxxxxxxxxxxx>
| | | Subject: RE: OWA 403 access denied error
| | | Date: Thu, 17 Jan 2008 08:43:03 -0800
| | |
| | | I'll gather the info and send it to you. Just for clarification, there
| | | is no error message when publishing the OWA rule.
| | |
| | | Thanks
| | | --
| | | Steve Halvorson
| | | Preferred Credit, Inc
| | |
| | |
| | | ""Ken Zhao [MSFT]"" wrote:
| | |
| | | > Hello Steve,
| | | >
| | | > Thank you for using newsgroup!
| | | >