Troubleshooting Outlook Web Access from an IIS Perspective (301428)


The information in this article applies to:

  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Server 5.0
This article was previously published under Q301428
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx

SUMMARY

This article describes several ways to troubleshoot two of the most common problems that affect Outlook Web Access (OWA) from an IIS perspective:
  • Users cannot access the OWA logon page.
  • Users cannot change passwords from OWA, either when they log on or from the Options page after logon.

MORE INFORMATION

Troubleshooting OWA Access Problems

Common error messages that users receive when they attempt to access the OWA logon page (also called the Gold Page) include the following:
HTTP 500 Internal Server Error
-or-
Directory Listing Denied
-or-
VBScript Runtime Error
To troubleshoot this problem, follow these steps:
  1. Verify that the Default Web Site is configured properly. To do this, follow these steps:
    1. Open the Internet Services Manager and expand Default Web Site.
    2. Right-click the Default Web Site and click Properties.
    3. On the Home Directory tab, verify that a Remove button exists next to the Application name box. If you do not see the Remove button, click Create to create the default application.
    4. Click the Directory Security tab. Under Anonymous Access and Authentication Control, click the Edit button.
    5. Verify that Anonymous Access and Windows NT Challenge/Response (in IIS version 4.0) or Integrated Windows Authentication (in IIS version 5.0) are both selected.
    6. Click OK twice to close the property sheet.
  2. After you have made sure that the Default Web Site is configured properly, verify that the Exchange virtual folder is configured properly. To do this, follow these steps:
    1. Verify that a virtual folder named Exchange is listed below the Default Web Site.
    2. Right-click the folder and click Properties.
    3. Verify that a Remove button exists next to the Application name box. If you do not see it, click Create to create the Exchange application.
    4. On the Documents tab, verify that Logon.asp is the top default document. If it is not listed, click Add, type Logon.asp, and move this file to the top of the list.
    5. Click the Directory Security tab. Under Anonymous Access and Authentication Control, click the Edit button.
    6. Verify that Anonymous Access and Windows NT Challenge/Response (in IIS 4.0) or Integrated Windows Authentication (in IIS 5.0) are both selected.
    7. Click OK twice to close the property sheet.

Troubleshooting Password Change Problems

When users attempt to change passwords in OWA, they may receive a blank white page or the following error message:
Access Denied
To resolve this problem, do either of the following:
  • Verify that the Iisadmpwd folder has been set up correctly. To do this, follow these steps:NOTE: By default, IIS 5.0 does not create the Iisadmpwd folder. You must create this folder to change passwords.

    1. Open the Internet Services Manager and expand Default Web Site.
    2. Verify that a folder named Iisadmpwd exists below the Default Web Site. If you do not see this folder, follow these steps:
      1. Right-click the Default Web Site, click New, click Virtual Directory, and then click Next.
      2. For the alias, type Iisadmpwd and click Next.
      3. Browse to \Winnt\System32\Inetsrv\Iisadmpwd, click OK, and then click Next.
      4. Verify that both Run Scripts and Execute are selected and click Next.
      5. Click Finish.
    3. Right-click the Iisadmpwd folder and click Properties.
    4. Verify that the check boxes for Script source access, Write, and Directory browsing are cleared.
    5. In IIS 4.0, verify that Permissions are set to Execute (including script). In IIS 5.0, verify that Execute permissions are set to Scripts and Executables.
    6. Click the Directory Security tab. Under Anonymous Access and Authentication Control, click the Edit button.
    7. Verify that Anonymous Access and Windows NT Challenge/Response (in IIS 4.0) or Integrated Windows Authentication (in IIS 5.0) are both selected.
    8. Click OK twice to close the property sheet.
  • Verify that the domain policy does not prevent password changes. To do this in Windows NT Server 4.0, follow these steps:

    1. In Administrative Tools, open User Manager for Domains.
    2. On the Policies menu, click Account.
    3. At the bottom of the Account Policy window, ensure that Users must log on in order to change password is cleared.
    4. Click OK.
    5. On the Policies menu, click User Rights.
    6. In the list, select Log on locally and verify that the IUSR_<servername> and IWAM_<servername> accounts are listed. If these accounts are not listed, you must add them. To do so, follow these steps:
      1. Click Add, then click Show Users.
      2. Select the IUSR_<servername> and IWAM_<servername> accounts and click Add.
      3. Click OK.
    7. In the list, select Access this computer from the network and verify that the IUSR_<servername> and IWAM_<servername> accounts are listed. If these accounts are not listed, add them as described previously.
    8. Click OK to close the User Rights Policy window.
    9. Close the User Manager window.
    To do this in Windows 2000 Server, follow these steps:

    1. In Administrative Tools, open Local Security Policy.
    2. Expand Local Policies and select User Rights Assignment.
    3. Double-click Log on locally. Verify that the IUSR_<servername> & IWAM_<servername> accounts are listed and that both Local Policy Setting and Effective Policy Setting are selected.
    4. Double-click Log on as a batch job. Verify that the IUSR_<servername> & IWAM_<servername> accounts are listed and that both Local Policy Setting and Effective Policy Setting are selected.
    5. Double-click Access this computer from the network. Verify that the IUSR_<servername> & IWAM_<servername> accounts are listed and that both Local Policy Setting and Effective Policy Setting are selected.NOTE: If Effective Policy Setting is not selected, check the User Rights Assignment on the domain controller and ensure that Define these policy settings is not selected for these user rights.

    6. Close the Local Security Settings window.
Modification Type:MinorLast Reviewed:6/23/2005
Keywords:kbinfo KB301428
©2004 Microsoft Corporation. All rights reserved.