Issue: OWA displaying "You do not have permission to perform this action"
We are in the midst of a GroupWise 7.x to Exchange 2007 migration. OWA was set up correctly and was working fine until I was notified yesterday. When you go to https://owa.<name>/owa - the site appears as normal. But after you put in credentials, "You do not have permission to perform this action" is returned.

I understand it's an access issue, but I cannot find what parameter to check/set.

We have:
- checked the AppPool and confirmed it is set to LocalSystem. We recycled the AppPool and used IISRESET. No luck.
- URLs seem to be set appropriately across the virtual sites (pointing to the load-balanced DNS CAS name which is in the cert)
- IIS OWA site is set to FBA

Has anyone else experienced this? Any ideas of where to look at next?

Thank you,
May 14th, 2009 8:47pm

Hello,

Take the IIS backup and perform the following action.

Add NETWORK SERVICE to IISWAMREG admin service

Re-create the OWA virtual directory by running the below commands.

    Remove-OwaVirtualDirectory -Identity "owa (Default Web Site)"
    New-OwaVirtualDirectory

How To Back Up and Restore IIS
http://support.microsoft.com/default.aspx/kb/302573

Remove-OwaVirtualDirectory
http://technet.microsoft.com/en-us/library/aa998237.aspx

How to Create an Outlook Web Access Virtual Directory in Exchange 2007
http://technet.microsoft.com/en-us/library/bb124811.aspx

Arun Kumar | MCSE - 2K3 + Messaging | ITIL-F V3
May 14th, 2009 10:32pm

Issue description: Users can't access their mailbox via OWA 2007; they get this error after entering credentials: "You do not have permission to perform this action"

Check info:
1. Please describe the Exchange topology
2. Does the issue happen to all users?
3. Does the issue happen internally or externally, or both?
4. Does the issue happen if we access the mailbox via OWA Light?
5. Does the issue happen if we access the mailbox via OWA directly on the CAS server?
6. Is there any error or warning event in the application log on the CAS server after reproducing the issue?
7. Please verify that port 443 has been enabled on the firewall

Troubleshooting:
1. Please use Arun's suggestion to recreate the OWA virtual directory
2. Since the most likely cause may be permissions, please refer to this article to verify the default permissions for Exchange-related virtual directories
3. Please check if the Everyone group has the proper permissions in AD
   a. Launch ADSI Edit
   b. Expand Configuration Container -> CN=Configuration,DC=Domain_Name,DC=com -> CN=Services -> CN=Microsoft Exchange -> CN=Your_Organization_Name
   c. Right-click "CN=Your_Organization_Name" -> Properties -> Security tab
   d. Please make sure the Everyone group has the permissions listed below:
      Create named properties in the information store
      Create public folder
4. You have confirmed in IIS that the Identity of MSExchangeOWAAppPool is set to Local System, right? Please do the same for the application pools below:
   MSExchangeAutodiscoverAppPool
   MSExchangeServicesAppPool
   MSExchangeUMAppPool
5. Please run ExBPA to do a health check on Exchange and see if we can get any related info

Resources:
Error message when you try to log on to Exchange 2007 by using Outlook Web Access: "440 Login Timeout"
May 15th, 2009 10:37am

Thanks James,

1. Single site Exchange with two CAS/HUB servers behind a load balancer. Two Mailbox servers in CCR configuration, with one mailbox server in another site in SCR configuration.
2. Happens to all users including admins
3. Happens internally and externally
4. Both OWA and OWA Light
5. Have not tried directly from the CAS servers, but I strongly assume that the same issue will happen since the LB are hitting both boxes. I can validate
6. No related errors in event log. There were some 400x or 500x errors when running the test-outlookwebservices cmdlet. The errors were related to the Availability service being found but could not be contacted (assuming it timed out). This is next on my list if fixing OWA doesn't fix it.
7. 443 enabled over firewall.

Great suggestions. I will run the ExBPA and evaluate that, then move on to rebuilding the virtual sites. I will keep you all posted.

Thank you,
May 15th, 2009 4:01pm

New development. OWA works from Firefox in either mode. Only IE reports the error. Haven't seen this before.
May 15th, 2009 4:15pm

I'm in the same boat as Dyntek. I have:
- deleted/re-created OWA VD
- enabled/disabled SSL on some/all Exchange related VD's
- checked app pools
- disabled IPv6
- disabled firewalls

As with Dyntek - I can access via Firefox as long as JavaScript is disabled.

I am getting Kerberos errors in EventLog - I'm just not sure what to try next...

Setup:
1 CAS/HT FES
2 MBX CCR
All running Windows Server 2008 Ent. with all patches/updates installed. This is a new installation.

Outlook clients connect directly to the back-end without issue.
May 15th, 2009 6:36pm

Sorry to hear that Triads, but glad that someone else is experiencing it, confirming the issue. Since Firefox is working I don't believe rebuilding the OWA VD will change anything. This is now definitely something between how IE processes the OWA request at the Auth.dll passes off to the MBX store. I am going to collect some more information and then involve Microsoft PSS. I'll keep everyone posted. Very interesting problem.
May 15th, 2009 7:14pm

Dyntek,

My problem turned out to be duplicate SPNs for my CCR cluster. I suspect your issues are different than mine - but did you have to rebuild any of the Exchange servers as part of the migration? Or, did any of the installs fail (or not complete fully)?

When you hit OWA, if you look at the details for the error - what do you see? Could you post the error dump here?

Do you have any Kerberos errors in the System event log on your FES?
May 15th, 2009 8:47pm

Issue has been resolved. Root cause seems to be that the owapremiumenabled attribute was NOT set to true (i.e. - user error). Interestingly, if you set a single attribute with Set-CASMailbox, it sets ALL OTHER attributes to FALSE. So if you want to set just one attribute, you have to reset ALL the others BACK to true. This also fixed our calendar issue.

Here is another thread that goes over what we experienced in detail, MSFT explained response at the bottom - http://social.technet.microsoft.com/Forums/en-US/exchangesvradmin/thread/0accb305-3923-4898-b28e-6b8944b46a92

Mailbox Folder Set will be the first thing I check next time ;-)

Thanks to all for your assistance.
May 15th, 2009 10:00pm
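
Added example, not part of the thread or of any poster's own scripts: a read-only Exchange Management Shell check for the condition the final post describes, listing every mailbox that has OWA feature flags explicitly set to false. It assumes the flags appear on Get-CASMailbox output as properties whose names match OWA*Enabled; running it before and after a Set-CASMailbox change shows which flags actually moved.

```powershell
# Added example. Run in the Exchange Management Shell. Read-only: nothing is changed.
# Assumption: per-mailbox OWA feature flags are exposed by Get-CASMailbox as
# properties named OWA*Enabled; names are discovered at run time, not hard-coded.

$report = Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_

    # Keep only flags that are explicitly $false. A flag that is $null
    # (never set on the mailbox) does not match and is not reported.
    $off = @($mbx.PSObject.Properties |
        Where-Object { $_.Name -like 'OWA*Enabled' -and $_.Value -eq $false } |
        ForEach-Object { $_.Name })

    if ($off.Count -gt 0) {
        # One row per affected mailbox, with the disabled flags in one column.
        New-Object PSObject |
            Add-Member NoteProperty Mailbox $mbx.Name -PassThru |
            Add-Member NoteProperty DisabledFlags ([string]::Join(', ', $off)) -PassThru
    }
}

if ($report) {
    $report | Sort-Object Mailbox | Format-Table -AutoSize -Wrap
} else {
    Write-Host 'No mailbox has an OWA feature flag explicitly set to false.'
}
```

Saving the output to a file before a change and comparing it afterwards gives a per-mailbox record of which flags were turned off.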

This topic is archived. No further replies will be accepted.
