Troubleshooting Outlook Web Access logon failures in Exchange 2000 and in Exchange 2003 (327843)



The information in this article applies to:

  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange Server 2003 Standard Edition
  • Microsoft Exchange 2000 Server
  • Microsoft Windows Small Business Server 2003, Premium Edition
  • Microsoft Windows Small Business Server 2003, Standard Edition

This article was previously published under Q327843

SYMPTOMS

When you try to log on to your Microsoft Exchange 2000 Server mailbox or your Microsoft Exchange Server 2003 mailbox by using Microsoft Outlook Web Access (OWA), you may experience one or more of the following symptoms:
  • You receive one of the following error messages:

    Error Message 1
    You are not authorized to view this page. You do not have permission to view this directory or page using the credentials you supplied.
    HTTP 401.1 - Unauthorized: Logon Failed

    Error Message 2
    Error: Access is denied.

    Error Message 3
    Page Cannot be Displayed.
  • You can log on successfully, but you are prompted for your credentials again. If you do not type your user name in the domain\alias format, or if you click Cancel, you receive the following error message:
    Login failed or cancelled.
  • You can log on to Outlook Web Access by using some browsers, such as Netscape, but you cannot log on by using other browsers.
  • After you type the correct credentials, the Outlook Web Access page does not load.

CAUSE

These issues typically occur when you use incorrect authentication methods or when users have not been granted the correct permissions.

RESOLUTION

To resolve these issues, make sure that you are using the correct authentication methods and that you have the correct permissions to the Exchange folders. To do this, follow these steps.

Important Because of a change in Microsoft Internet Information Services (IIS) 6.0, if Exchange 2003 is installed on a computer that is running Microsoft Windows Server 2003, you may have to enter your username in the format of domain\username, even if you entered a backslash as the default domain. To work around this issue, you may either enter the network basic input/output system (NetBIOS) name of your domain as the default domain or you can apply the hotfix that is discussed in Microsoft Knowledge Base (KB) article 827991. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

827991 FIX: "HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials" error message if the Basic authentication Default Domain property is set to a backward slash character (\) in IIS

Additionally, you must use a backslash as the default domain when Exchange 2003 is installed on a computer that is running Windows Server 2003 and forms-based authentication is enabled on that computer. When you modify the authentication method of Outlook Web Access, you should do so in Exchange System Manager. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

240105 General information on Directory Service/Metabase Synchronization in Exchange 2000 Server

  1. Modify the authentication methods for the Exchange virtual directory and for the Public virtual directory in Exchange System Manager. To do this, follow these steps:
    1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
    2. Expand Servers, expand Server Name, expand Protocols, expand HTTP, and then expand Exchange Virtual Server.
    3. Under Exchange Virtual Server, right-click Exchange, and then click Properties.
    4. Click the Access tab, and then click Authentication.
    5. Click to select the Basic authentication check box if it is not already selected.
    6. In the Default domain box, type the network basic input/output system (NetBIOS) name of your domain, or type a backslash if it is not already there.
    7. Click OK two times to close the property windows.
    8. Right-click the Public virtual directory, and then click Properties.
    9. Click the Access tab, and then click Authentication.
    10. Click to select the Basic authentication check box if it is not already selected.
    11. In the Default domain box, type the NetBIOS name of your domain, or type a backslash if it is not already there.
    12. Click OK two times, and then quit Exchange System Manager.
    Note The default domain that is specified for basic authentication on the Exchange virtual directory and on the Public virtual directory must match. If the default domains do not match, you will continue to be prompted for credentials after you log on to Outlook Web Access.
    For additional information about how to configure authentication methods for Exchange 2000 Outlook Web Access, click the following article number to view the article in the Microsoft Knowledge Base:

    290341 Configuring authentication methods in an Exchange 2000 OWA virtual directory

  2. Modify the authentication method for the Exchweb virtual directory in Microsoft Internet Information Services (IIS). To do this, follow these steps.
    • Microsoft Windows 2000 Server (IIS 5)
      1. Click Start, point to Programs, point to Administrative Tools, and then click Internet Services Manager.
      2. Expand Default Web Site.
      3. Right-click Exchweb, and then click Properties.
      4. Click the Directory Security tab, and then click Edit under Anonymous access and authentication control.
      5. Make sure that the Basic Authentication check box and the Integrated Windows Authentication check box are not checked, and then click to select the Anonymous access check box if it is not already selected.
      6. Click OK two times.
      7. Right-click Default Web Site, click Stop, and then click Start.
    • Microsoft Windows Server 2003 (IIS 6)
      1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
      2. Expand Web Sites, and then expand Default Web Site.
      3. Right-click Exchweb, and then click Properties.
      4. Click the Directory Security tab, and then click Edit under Authentication and access control.
      5. Make sure that the Basic Authentication and Integrated Windows Authentication check boxes are not checked, and then click to select the Enable anonymous access check box if it is not already selected.
      6. Click OK two times.
      7. Right-click Default Web Site, click Stop, and then click Start.
  3. Grant the Authenticated Users group a minimum of Read and Execute permissions, Read permissions, and List Folder Contents permissions on the appropriate Exchange and Microsoft Windows directories.
  4. To assign the correct permissions, follow these steps:
    1. In Windows Explorer, locate and right-click the Exchsrvr\Exchweb folder, and then click Properties.
    2. Click the Security tab, and then make sure that the Authenticated Users group has the following permissions:
      • Read and Execute
      • List Folder Contents
      • Read
    3. Verify that the system account has the Full Control permission on the Exchweb directory.
    4. Repeat step 1 through step 3 for the following directories:
      • Winnt\System32
      • Winnt\System32\Inetsrv
      • Winnt\System32\Wbem
      • Exchsrvr\Bin
      • Exchsrvr\RES

        Note You may have to restart the World Wide Web Publishing service for these settings to take effect.
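
A read-only way to confirm the settings from steps 1 through 4 after you make them. This is an added example, not part of the original Microsoft article. It assumes Windows PowerShell 2.0 or later is installed on the Exchange server, that Default Web Site is IIS site ID 1, and that Exchange is installed in the path held in the hypothetical `$exchsrvr` variable.

```powershell
# Added example: read-only audit of steps 1-4. Run on the Exchange server as an administrator.
# Assumptions: Default Web Site is IIS site ID 1; Exchange is installed in $exchsrvr.
$root     = 'IIS://localhost/W3SVC/1/ROOT'
$exchsrvr = 'C:\Program Files\Exchsrvr'              # adjust to your install path
$findings = @()

function Get-VDirAuth([string]$name) {
    $vdir  = [ADSI]"$root/$name"
    $flags = [int]$vdir.psbase.Properties['AuthFlags'].Value   # 1=Anonymous, 2=Basic, 4=Integrated
    New-Object PSObject -Property @{
        Anonymous  = [bool]($flags -band 1)
        Basic      = [bool]($flags -band 2)
        Integrated = [bool]($flags -band 4)
        Domain     = [string]$vdir.psbase.Properties['DefaultLogonDomain'].Value
    }
}

# Steps 1 and 2: authentication methods on the three virtual directories.
$exchange = Get-VDirAuth 'Exchange'
$public   = Get-VDirAuth 'Public'
$exchweb  = Get-VDirAuth 'Exchweb'
if (-not $exchange.Basic) { $findings += 'Exchange: Basic authentication is not enabled' }
if (-not $public.Basic)   { $findings += 'Public: Basic authentication is not enabled' }
if ($exchange.Domain -ne $public.Domain) {
    $findings += "Default domain mismatch: Exchange='$($exchange.Domain)' Public='$($public.Domain)'"
}
if ($exchweb.Basic -or $exchweb.Integrated -or -not $exchweb.Anonymous) {
    $findings += 'Exchweb: expected anonymous access only'
}

# Steps 3 and 4: NTFS permissions, matched by well-known SID so localized names do not matter.
$rx    = [Security.AccessControl.FileSystemRights]::ReadAndExecute
$full  = [Security.AccessControl.FileSystemRights]::FullControl
$sys32 = Join-Path $env:SystemRoot 'System32'
$dirs  = "$exchsrvr\Exchweb", $sys32, "$sys32\Inetsrv", "$sys32\Wbem", "$exchsrvr\Bin", "$exchsrvr\RES"
foreach ($dir in $dirs) {
    $allow = @((Get-Acl $dir).GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.AccessControlType -eq 'Allow' })
    $authUsers = $allow | Where-Object { $_.IdentityReference.Value -eq 'S-1-5-11' -and
        ($_.FileSystemRights -band $rx) -eq $rx }
    $system = $allow | Where-Object { $_.IdentityReference.Value -eq 'S-1-5-18' -and
        ($_.FileSystemRights -band $full) -eq $full }
    if (-not $authUsers) { $findings += "${dir}: no Allow ACE giving Authenticated Users Read and Execute" }
    if (-not $system)    { $findings += "${dir}: no Allow ACE giving SYSTEM Full Control" }
}

if ($findings) { $findings } else { 'All checked settings match the article.' }
```

The script only looks for Allow entries that name Authenticated Users or SYSTEM directly; access granted through another group, or an entry stored as generic rights, is reported as missing and should be reviewed by hand on the Security tab.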

MORE INFORMATION

If you install or reinstall Microsoft Exchange 2000 Server Service Pack 3, Integrated Windows Authentication is re-enabled on the Outlook Web Access folders.

Reasons to use basic authentication

  • When a proxy server exists between the client browser and the Web server, Integrated Windows Authentication between the client browser and the Web server does not function.
  • Integrated Windows Authentication does not support double-hop impersonation.
  • Integrated Windows Authentication may fail if there is a time difference between the client and the server.
  • Web Proxy clients that use secure network address translation (SecureNAT) in Microsoft Internet Security and Acceleration Server may also experience issues when the Web Proxy clients try to authenticate to Outlook Web Access. When the Outlook Web Access client is hosted internally, and the SecureNAT Web Proxy clients are accessing the site either by using the fully qualified domain name (FQDN) or by using the Internet Protocol (IP) address, the Outlook Web Access client sends the request through the Web Proxy to the Internet Security and Acceleration Server computer. The IP address is interpreted as an FQDN because of the periods in the name.

    To work around this issue, use one of the following methods:
    • Access the Web server by using the NetBIOS (single-label) name.
    • Remove Integrated Windows Authentication from the Outlook Web Access site.
    • Add the FQDN, the IP address of the Outlook Web Access server, or both to the Do not use proxy server for addresses beginning with list in the advanced proxy settings of the LAN settings in the Internet Explorer options.
    • Install the Internet Security and Acceleration Server firewall client, and then add the FQDN of the Outlook Web Access site to the local domain table in Internet Security and Acceleration Server.

      For additional information about how to configure Internet Security and Acceleration Server to publish an internal Microsoft Exchange Server that is running Microsoft Internet Information Server and Outlook Web Access, click the following article numbers to view the articles in the Microsoft Knowledge Base:

      308599 How to configure Internet Security and Acceleration Server to publish an internal Exchange server



      290113 How to publish Outlook Web Access behind Internet Security and Acceleration Server

For additional information about how to use Microsoft Internet Security and Acceleration Server 2004 to publish a Microsoft Exchange server for Outlook Web Access client access, click the following article number to view the article in the Microsoft Knowledge Base:

837354 How to publish a Microsoft Exchange server for Outlook Web Access in ISA Server 2004


For additional information about logon failures that occur when you use a Netscape browser, click the following article number to view the article in the Microsoft Knowledge Base:

300512 Cannot log on to OWA through Netscape Communicator


For additional information about the Directory Service/Metabase Synchronization process in Exchange 2000 Server, click the following article number to view the article in the Microsoft Knowledge Base:

240105 General information on Directory Service/Metabase Synchronization in Exchange 2000 Server

Cautions about basic authentication

We recommend that you use Secure Sockets Layer (SSL) on Web pages for Outlook Web Access when you use basic authentication.

For additional information about how to install and use SSL with Exchange 2000 Server and Exchange Server 2003, click the following article numbers to view the articles in the Microsoft Knowledge Base:

319574 How to use certificates with virtual servers in Exchange 2000 Server



823024 How to use certificates with virtual servers in Exchange Server 2003


Additional items to consider

  1. If you cannot log on to a mailbox by using a proprietary program that uses Web Distributed Authoring and Versioning (WebDAV), click the following article number to view the article in the Microsoft Knowledge Base:

    839422 When you try to log on to an Exchange 2000 or an Exchange 2003 mailbox by using a WebDAV program, you receive a 401 status code in Internet Explorer

  2. If users receive a 401 ("Access is denied") error message when they log on implicitly, but they receive a 404 error when they log on explicitly, the user accounts may not be stamped with the appropriate SMTP address. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

    293386 HTTP 401 or 404 error messages when you access OWA implicitly or explicitly

  3. If domain users can log on to Outlook Web Access internally, but they receive a 401 error when they try to connect remotely through a proxy server, confirm that the users are assigned the following rights on the proxy server:
    • Log on locally
    • Access this computer from the network
  4. This problem may also occur if you have a topology that contains multiple forests.

Modification Type: Minor
Last Reviewed: 1/3/2005
Keywords:kberrmsg kbprb KB327843 kbAudITPRO