OWA published with ISA server - proxied from CAS at main site to CAS in different AD site
I've seen posts dealing with similar issues but not with mine specifically, so please forgive me if this is addressed elsewhere.

1. I have an Exchange 2007 server with CAS/HTS/Mailbox roles at the main HQ site - Domain A. OWA is published with an ISA server which does form based auth and then passes to the CAS with basic auth. This is working perfectly.
2. We just deployed a branch site which has an Exchange 2007 server with CAS/HTS/Mailbox roles but is in a different domain, same forest - Domain B. Internal URL is configured and works if accessed directly.
3. I have read many posts about this issue but the thing that seems to throw a wrench in it for me is that we publish OWA with an ISA box.

Domain B - new CAS setup:

***Config 1: Basic Auth only.
I point my browser to our external OWA site. Enter credentials in the login form and get this error:

"Outlook Web Access is not currently available for this mailbox because it could not authenticate the connection to the Microsoft Exchange Client Access server that should be used for mailbox access. If the problem continues, contact technical support for your organization."

DETAILS:
Request Url: https://mail.company.com:443/owa/ev.owa?oeh=1&ns=HttpProxy&ev=ProxyRequest
User host address: 10.24.200.12
User: OWA test
EX Address: /o=IT-Exchange/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=owa.test
SMTP Address: owa.test@domainB.com
OWA version: 8.1.291.1
Second CAS for proxy: https://itiipexb01.it.corp/owa

Exception
Exception type: Microsoft.Exchange.Clients.Owa.Core.OwaProxyException
Exception message: The proxy CAS failed to authenticate to the second CAS (it returned a 401)
Call stack
No callstack available

Inner Exception
Exception type: Microsoft.Exchange.Clients.Owa.Core.OwaAsyncOperationException
Exception message: ProxyPingRequest async operation failed
Call stack
Microsoft.Exchange.Clients.Owa.Core.ProxyPingRequest.EndSend(IAsyncResult asyncResult)
Microsoft.Exchange.Clients.Owa.Core.ProxyEventHandler.SendProxyPingRequestCallback(IAsyncResult asyncResult)

Inner Exception
Exception type: System.Net.WebException
Exception message: The remote server returned an error: (401) Unauthorized.
Call stack
System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
Microsoft.Exchange.Clients.Owa.Core.ProxyUtilities.EndGetResponse(HttpWebRequest request, IAsyncResult asyncResult, Stopwatch requestClock)
Microsoft.Exchange.Clients.Owa.Core.ProxyPingRequest.GetResponseCallback(IAsyncResult asyncResult)

***Config 2: Integrated Windows Auth only
I get this error:

"Outlook Web Access is not currently available for the user mailbox that you are trying to access. If the problem continues, contact technical support for your organization and tell them the following: The Microsoft Exchange Client Access server that is proxying the Outlook Web Access requests is running an older version of Microsoft Exchange than the Client Access server in the mailbox Active Directory site."

***Config 3: both Integrated Windows Auth and Basic Auth

"Outlook Web Access is not currently available for the user mailbox that you are trying to access. If the problem continues, contact technical support for your organization and tell them the following: The Microsoft Exchange Client Access server that is proxying the Outlook Web Access requests is running an older version of Microsoft Exchange than the Client Access server in the mailbox Active Directory site."

Any suggestions would be appreciated! Thanks.
April 16th, 2009 12:26am

How is ISA set up to authenticate? Is ISA aware of both domain environments? Did you specify anything in the domain auth for domain1\* and domain2\*?
BP
April 16th, 2009 10:30pm

The ISA server has a Web Listener that listens for port 80/443 and uses HTML Form Authentication using a customized HTM form for Exchange. It also has Single Sign On enabled for both domains. If I move a mailbox from the mailbox server at the new site to the mailbox server at the HQ site, OWA works perfectly. It's only when the mailbox lives on the new mailbox server at the second site that problems occur.
The users log in to OWA using their UPN user.name@domain.com
April 16th, 2009 10:36pm

Is the environment in production yet? Are you able to bypass the ISA server and authenticate to one of the CAS servers and see what happens then? I'm trying to limit the problem, AD or ISA. :)
Are all the Exchange servers in the same AD site? Can you ping the other CAS server? I would like to eliminate DNS as the problem.
What about the IP subnet? Does ISA recognize that subnet as an internal subnet which it is allowed to communicate with?
BP
April 17th, 2009 3:41pm

Hi,
Please check whether the versions of the Exchange servers on the two domains are identical. We need to ensure the version on the destination server is the same as the Internet CAS.
Below article is for your reference:
http://support.microsoft.com/kb/947168
Moreover, Windows Integrated authentication needs to be turned on on the 2nd CAS for the OWA virtual directory.
How Exchange Server 2007 CAS Proxying works for Outlook Web Access (OWA)
http://msexchangeteam.com/archive/2007/09/10/446957.aspx
Thanks
Allen
April 20th, 2009 9:13am

Versions were mismatched. Once I got both systems to the same rollup level, OWA worked for a user account at my second site.
Thanks!
April 20th, 2009 10:36pm
