OWA with Integrated Login Problems
I recently had to change our OWA access to Integrated Authentication from Forms Authentication. In doing so, some issues have developed. If a person is NOT on the local network and tries to get to our OWA address from INTERNET EXPLORER, they will get a page cannot be displayed. However, if that same person tries from Firefox or any other browser, they get prompted with the login box. To make things more interesting, from within the LAN, IE works just fine. Anyone have an idea as to what this is? I suspect it has something to do with the integrated login for IE 7 and 8.
December 7th, 2009 8:21pm

Check your settings in IE. It may be set to pass through or to log in anonymous. You may need to add the OWA site as trusted and set to log in with current permissions etc.
SF - MCITP:EMA, MCTS: Exchange 2010, Exchange 2007, MOSS 2007, OCS 2007 -- http://www.scottfeltmann.com
December 8th, 2009 1:09am

In advanced settings I have "Enabled Integrated Windows Authentication" enabled. What is strange, is that DISABLING this option makes it all work. Makes no sense to me.
December 8th, 2009 1:47am

Odd, could have something to do with permissions being passed on.
SF - MCITP:EMA, MCTS: Exchange 2010, Exchange 2007, MOSS 2007, OCS 2007 -- http://www.scottfeltmann.com
December 8th, 2009 7:02am

Hi Craig,
Would you please let me know whether the "page cannot be displayed" error is received immediately when you attempt to access OWA externally, or after providing credentials? Would you please check the IIS log on the Exchange Server for more detailed information? In addition, does the issue occur on all external clients or only on specific clients?
~~~~~~~~~~~~~~~~
Mike Shen
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
~~~~~~~~~~~~~~~~
December 8th, 2009 1:35pm

Hi Craig,
Any updates?
Thanks,
Mike
December 11th, 2009 12:46pm

Sorry I missed your last post. The Page Cannot Be Displayed error does happen immediately. I will dig up the logs today and post back.
December 11th, 2009 6:26pm

I am not really sure what I am looking for in the logs. However, when I run a packet capture on the server I do see my traffic hit the server. Also, I am only seeing this on external clients that have the "Enable Integrated Windows Authentication" option checked in IE.
December 11th, 2009 9:23pm

I believe this is a problem with Kerberos authentication for the external clients. Looking at this site:
http://blog.super-networking.net/2008/02/internet-explorer-enable-integrated-windows-authentication/
"I start searching through user groups on the Internet and I finally find the answer. In IE 6 and IE 7 the browser will use Integrated Windows Authentication if you have that checkbox enabled or disabled. The difference is the authentication type. With the box checked it will try Kerberos authentication first then fallback on NTLM. If you uncheck the box then it will just use NTLM. Thank you Microsoft for mislabeling that feature. The really annoying thing is if both ends support Kerberos authentication, you have that Integrated Windows Authentication box checked, and Kerberos fails it will not fail back to NTLM. The only way it will fail back to NTLM is if your website doesn't support Kerberos."
This seems to describe my problem exactly. Any idea how to fix the Kerberos problem?
December 11th, 2009 9:39pm

Are the CAS attached directly to the Internet or is there a reverse proxy in the path? What Virtual Directory are they hitting? /exchange or /owa? What version of Windows?
SF - MCITP:EMA, MCTS: Exchange 2010, Exchange 2007, MOSS 2007, OCS 2007 -- http://www.scottfeltmann.com
December 12th, 2009 10:40pm

Directly to the internet.
December 14th, 2009 7:43pm

Hi Craig,

I have performed some local tests in my lab. Nevertheless, I am not able to reproduce your issue. The blog is correct. If Enable Integrated Windows Authentication is selected, Kerberos authentication is used first and fails over to NTLM if the client/server is not able to perform Kerberos authentication. If the option is unchecked, NTLM authentication is used.

Nevertheless, according to the following article:

Integrated Windows Authentication (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx?mfr=true

Kerberos v5 requires that the client have a direct connection to Active Directory, which is generally not the case in Internet scenarios.

For external clients, as they are not able to connect to AD, they should not be able to use Kerberos authentication. They should use NTLM authentication.

In addition, according to the above article:

Unlike Basic authentication, Integrated Windows authentication does not initially prompt for a user name and password. The current Windows user information on the client is used for Integrated Windows authentication. If the authentication exchange initially fails to authorize the user, Internet Explorer prompts the user for a Windows account user name and password, which it processes using Integrated Windows authentication.

According to your description, you receive the "page cannot be displayed" error directly without being prompted for username/password. Therefore, currently, I think that it is hard to say whether the issue is related to Kerberos authentication.

Would you please post the related IIS log here when the issue occurs when you attempt to access OWA from the Internet? In addition, please send a screenshot to me (v-mishen@microsoft.com) when the issue occurs.

~~~~~~~~~~~~~~~~
Mike Shen
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
~~~~~~~~~~~~~~~~
December 16th, 2009 10:18am
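
The thread leaves open whether external IE clients are attempting Kerberos or NTLM. As an added example (not part of any post above, and not Microsoft's code), this Python sketch classifies the token in a `WWW-Authenticate` or `Authorization` header by its signature or mechanism OID. It assumes the header values were copied from a debugging proxy or server-side trace; `classify_auth_header` and the sample headers are hypothetical and constructed.

```python
import base64

# DER-encoded mechanism OIDs carried inside SPNEGO (Negotiate) tokens.
KRB5_OID = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2
NTLM_OID = bytes.fromhex("060a2b06010401823702020a")     # 1.3.6.1.4.1.311.2.2.10
MECH_OIDS = {KRB5_OID: "Kerberos", MS_KRB5_OID: "Kerberos", NTLM_OID: "NTLM"}
NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_MESSAGES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def classify_auth_header(value):
    """Classify an Authorization / WWW-Authenticate value as (scheme, mechanism, detail)."""
    parts = value.strip().split(None, 1)
    if not parts or parts[0].lower() not in ("negotiate", "ntlm"):
        return (parts[0] if parts else "", "other", "not Integrated Windows Authentication")
    scheme = parts[0]
    if len(parts) == 1:
        return (scheme, "offer", "scheme offered, no token yet")
    try:
        token = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return (scheme, "invalid", "token is not valid base64")
    if token.startswith(NTLM_SIGNATURE):
        kind = NTLM_MESSAGES.get(int.from_bytes(token[8:12], "little"), "unknown")
        return (scheme, "NTLM", "raw NTLMSSP " + kind)
    if token[:1] in (b"\x60", b"\xa1"):  # GSS-API initial token or SPNEGO response
        if NTLM_SIGNATURE in token:
            return (scheme, "NTLM", "NTLMSSP message wrapped in SPNEGO")
        offered = sorted((token.find(oid), name) for oid, name in MECH_OIDS.items() if oid in token)
        if offered:
            return (scheme, offered[0][1], "SPNEGO, first mechanism listed")
        return (scheme, "unknown", "SPNEGO token without a recognised mechanism OID")
    return (scheme, "unknown", "unrecognised token format")

def _b64(raw):
    return base64.b64encode(raw).decode("ascii")

# Constructed sample headers (truncated token prefixes, not captured traffic).
SAMPLES = [
    "Negotiate",
    "Negotiate " + _b64(NTLM_SIGNATURE + (1).to_bytes(4, "little") + bytes(8)),
    "Negotiate " + _b64(b"\x60\x23" + bytes.fromhex("06062b0601050502") + KRB5_OID + NTLM_OID),
    "Basic dXNlcjpwYXNz",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(classify_auth_header(header))
```

A client whose first `Authorization: Negotiate` token classifies as NTLM never obtained a Kerberos ticket; one that classifies as Kerberos did, which is the distinction the posts above are trying to establish.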

This topic is archived. No further replies will be accepted.
