
OUTLOOK WEB ACCESS HELP! 2

Status
Not open for further replies.

Shift838

IS-IT--Management
Jan 27, 2003
987
US
I have installed Exchange Server 2000 and it has created my OWA within my IIS server on the same box. However, when I go to I get an error 403 access forbidden. As far as I can see I have access; I'm the administrator. Any help?
 
Authenticated Access
Anonymous access is fine for an external Web site where you want as many folks as possible to view your content. But for an internal Web-based application, you will most likely want to identify the known individual users (rather than use the anonymous account access resources on their behalf) and control access to resources based upon who these users are. You can also select multiple authentication methods to be used.

Basic Authentication

Basic authentication (BA) is a widely used, industry standard method for identifying users. During the Basic authentication process, the user's Web browser will prompt the user to enter a valid Windows account user name and password before establishing a connection with restricted content. This will occur if the Web server is configured to use Basic authentication and if anonymous access has been disabled or was denied because Windows permissions have been set on the file being accessed.

More specifically, when IIS sends an "Access Denied" message it can also include the types of authentication methods it is configured to use in the HTTP headers. Most browsers first send back the user name and password that the user logged onto the client machine with. If that results in a second "Access Denied" message, the browser prompts the user for the correct user ID and password. (Note that you can set the default domain name in IIS with which to authenticate the user. However, the user can enter an alternative domain name in the prompted dialog box to override the default.)

Basic authentication is the only option for browsers other than Internet Explorer 3.0 or later. Grant each user "Log on Locally" right on the IIS server, because BA will not succeed if the user does not have local logon rights. This is especially important if the IIS box is also a Primary Domain Controller (PDC), because PDCs by default allow only domain administrators to log on locally.

Basic authentication results in the transmission of passwords across the network in an unencrypted, plaintext ASCII format. Anyone with a network-monitoring tool could intercept user names and passwords on that connection. As a result, this form of authentication is discouraged and should be avoided if NTCR is an option.

But if you must use browsers that don't support NTCR, you can use SSL to establish a secure session. This will result in an encrypted password using a very secure technology, but it does significantly affect performance.

Note that using Basic authentication requires that all users of your system have a valid Windows account in the domain or local system.
 
You can select any combination of Anonymous, Basic, and NTCR authentication in the Internet Services Manager. If Anonymous authentication is checked, IIS will try to handle the request without any actual authentication, and the request will execute in the context of the IUSR_computername account. If, for some reason, the IUSR_computername account does not have access to the resource, IIS will send back an access-denied error to the client indicating that the client needs to use one of the other authentication schemes. This scenario could occur if you limited access to the actual ISAPI DLL file to a specific user, such as "User1." IIS would receive the initial anonymous request and attempt to launch the ISAPI DLL under the IUSR_computername user context, only to get an access-denied error from the NTFS file system. IIS would respond to the client with a message saying that access was denied, and the client would need to submit the request using either the Basic or NTCR authentication schemes (depending on which one is enabled, possibly even both). The client can then resubmit the request with the Basic authentication credentials or with the initial NTCR. If either of these responses provides validation of the User1 account, then IIS will impersonate the User1 account and successfully launch the ISAPI DLL.
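The challenge/response exchange and the plaintext concern described in the posts above, as an added example that is not part of the original thread: it lists the schemes a 401 response advertises, shows that a Basic credential is only base64-encoded, and flags Basic offered without SSL. The host name, account, password and response text are constructed; NTCR appears on the wire as the `NTLM` scheme token.

```python
import base64

# Constructed sample: a 401 from a server with both NTCR (NTLM) and Basic enabled.
SAMPLE_401 = (
    "HTTP/1.1 401 Access Denied\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="owa.example.test"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample: what a browser sends back after the user fills in the prompt.
SAMPLE_AUTHORIZATION = "Basic " + base64.b64encode(
    b"EXAMPLE\\User1:not-a-real-password").decode("ascii")

def offered_schemes(raw_response):
    """List the schemes named in WWW-Authenticate headers, in server order."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0])
    return schemes

def decode_basic(header_value):
    """Recover (user, password) from an Authorization: Basic value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    text = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    user, sep, password = text.partition(":")
    if not sep:
        raise ValueError("malformed Basic credential")
    return user, password

def audit(url_scheme, raw_response):
    """Return findings for a site that offers Basic without SSL/TLS."""
    basic = any(s.lower() == "basic" for s in offered_schemes(raw_response))
    if basic and url_scheme.lower() != "https":
        return ["Basic offered over plain HTTP: password is only base64-encoded"]
    return []

if __name__ == "__main__":
    print(offered_schemes(SAMPLE_401))
    print(decode_basic(SAMPLE_AUTHORIZATION))
    print(audit("http", SAMPLE_401), audit("https", SAMPLE_401))
```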
 
This article describes how to limit the use of Outlook Web Access (OWA) or how to grant permission to select individuals or to groups of individuals to use OWA.

I am certain that, from a DOMAIN perspective the working group does have the "log on locally" user right. You may just not know which working group really works. =)

Seriously, without "log on locally" Outlook Web Access will NOT function.
 
I got it working. Thanks for all your help. Apparently I cannot log in to it with the default Administrator account. Once I created a standard user account and associated it with the correct rights for the mailbox and security, it all started working.

Thanks again...
 
compgirl-

That article refers to Exchange 5.5; does it still apply for Exchange 2000?

Thanks
tmbtech
 