OWA Requires Authentication Twice

  • OWA Requires Authentication Twice

    G'day.

    I've scoured this site for help on this one but no joy.

    SBS 2003, ISA 2004, Exchange 2003, PIX Firewall, IE7 and Firefox

    I've published OWA and it works up to a point. The OWA login screen displays and the username/password is entered and accepted. I look at the ISA logs and it's all good.

    When used internally, then another screen pops up saying "The server mailname at domain requires a username and password". I can see the URL at the bottom of explorer "Waiting for https://mail.domain.name:446/exchange/my.name/Inbox/contents=?" (I use 446 and redirect to 443). When I enter the username/password again I get to my inbox.

    When used externally, the 2nd popup doesn't display but the OWA mail screen will start to display (just the blue vertical bar that separates the Folders and the inbox view). The "Waiting..." message is displayed. After 30 seconds or so the "Page cannot be displayed..." message is shown.

    It seems that OWA is not passing the credentials along. I've tried basic authorization, integrated, both and only by using Basic can I get into the mailbox. I've tried the helps and guides here and elsewhere all to no avail.

    Hopefully someone can offer some enlightenment???

  • #2
    Re: OWA Requires Authentication Twice

    Can you provide what your security settings are on IIS and Exchange?

    Do you have "Forms Authentication" checked?


    • #3
      Re: OWA Requires Authentication Twice

      Originally posted by rute67
      Can you provide what your security settings are on IIS and Exchange?

      Do you have "Forms Authentication" checked?

      Do you mean like IIS: Exchange virtual directory - Basic Authentication, all options ticked (read, write, directory browsing, etc.) Anonymous access not enabled; Exchweb, basic auth, anon access not enabled, only read option ticked.

      Exchange has "Enable forms based authentication" deselected. Exchange properties under exchange virtual server has all access properties ticked, "none" selected for execute permissions.

      ISA listener has OWA forms based authentication selected, require all users to authenticate deselected.

      I think I've tried all combinations of ticking and unticking but hopefully I've missed the only one that works.

      Cheers


      • #4
        Re: OWA Requires Authentication Twice

        Here is a link that has helped me in times where I have "tinkered" with the security settings and have not been able to figure it out.

        http://forums.msrportal.com/showthread.php?t=14116

        Let me know if it helps.


        • #5
          Re: OWA Requires Authentication Twice

          Originally posted by rute67
          Here is a link that has helped me in times where I have "tinkered" with the security settings and have not been able to figure it out.

          http://forums.msrportal.com/showthread.php?t=14116

          Let me know if it helps.

          Thanks for the help but unfortunately none of those tips worked.

          It seems that the OWA Listener is authenticating correctly and then passing control onto exchange which then wants me to authenticate again before allowing access to the mailbox.

          I just tried something else which is interesting. As long as I enter ANY valid username/password combo to the SECOND logon screen it will allow access to the mailbox of the INITIAL OWA Forms authentication logon screen.

          Did that make sense?


          • #6
            Re: OWA Requires Authentication Twice

            I just want to verify that I got this correct. You can log in with one user to the mailbox and, at the second login prompt, you can use any account and it will allow you to retrieve the messages? If this is the case then I don't think that there is anything wrong with IIS or Exchange. I believe that you have an issue with how you set up your rules on ISA. Can you give me some details for that?
            Last edited by rute67; 11th July 2007, 05:12.


            • #7
              Re: OWA Requires Authentication Twice

              Originally posted by rute67
              I just want to verify that I got this correct. You can log in with one user to the mailbox and, at the second login prompt, you can use any account and it will allow you to retrieve the messages?

              That's correct. At the "Outlook Web Access" logon screen I enter my username/password. When the second screen pops up ("The server mail.domain.com.au at domain requires a username and password") I can enter any authenticated account e.g. administrator/administrator-password and I am logged into my inbox.

              OWA Rules properties:

              General: Enable
              Action: Allow; Log requests matching this rule
              From: Anywhere
              To: Server mail.domain.com.au; Forward the original host header...; Requests appear to come from the ISA server...
              Traffic: HTTPS
              Listener: Networks - Internal/External; Port (HTTP) - disabled; Port (HTTPS) - 443; Certificate - mail.domain.com.au (internal certificate); Authentication - OWA forms-based; Always Authenticate - no (I've changed this to yes but the same deal still happens)
              Users: All users
              Bridging: Web server; Redirect requests to SSL port 446 (which I've set up for the default website)
              Public name: mail.domain.com.au

              Anything else you need? BTW, the domain is in the form domain.local (as in microsoft.local, for example)


              • #8
                Re: OWA Requires Authentication Twice

                Quick question. When you first installed the SBS server did you run the internet and email wizard? If yes, did you choose OWA, OMA and firewall options to be installed?


                • #9
                  Re: OWA Requires Authentication Twice

                  Originally posted by rute67
                  Quick question. When you first installed the SBS server did you run the internet and email wizard? If yes, did you choose OWA, OMA and firewall options to be installed?

                  Ah there you have me. We got a 3rd party to do the build. Is there any way I can check to see if this was done (aside from asking them)?


                  • #10
                    Re: OWA Requires Authentication Twice

                    Look in the \program files\microsoft windows small business server\networking\ICW directory. If it has been run, there will be a config.vbs file - a script which can be modified and re-run, if required. OTOH, if it has been run multiple times, for each additional run you will have a configx.vbs file where x is the nth-1 time it has been run. Each time it has been run, you will have a corresponding icwdetailsx.htm with the details of how it was configured.
                    Failing all that, you can just run it again (and again, and again ...... n again!) till you get what you want.
                    As to your original problem, I think you will solve it by going back to the original 443 port instead of re-directing. How much do you gain by redirecting as opposed to creating problems like you have now?
                    TIA

                    Steven Teiger [SBS-MVP(2003-2009)]
                    http://www.wintra.co.il/
                    I'm honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

                    We don't stop playing because we grow old, we grow old because we stop playing.


                    • #11
                      Re: OWA Requires Authentication Twice

                      Originally posted by teiger
                      Look in the \program files\microsoft windows small business server\networking\ICW directory. If it has been run, there will be a config.vbs file - a script which can be modified and re-run, if required.

                      There are 2 config files

                      Originally posted by teiger
                      As to your original problem, I think you will solve it by going back to the original 443 port instead of re-directing. How much do you gain by redirecting as opposed to creating problems like you have now?

                      The reason I had to redirect is that everything is sitting on the SBS server. When I created the listener for ports 80 & 443, I got the "The Web Proxy filter failed to bind to it socket" error, because the Default Web Site was already there. So I set the default web site to 446 and got the listener to redirect 443 to 446.


                      • #12
                        Re: OWA Requires Authentication Twice

                        UTFW: Rerun the CEICW and all the ports should be set for you including OWA. SBS is really that simple - you shouldn't have to touch IIS at all!
                        TIA


                        • #13
                          Re: OWA Requires Authentication Twice

                          Originally posted by teiger
                          UTFW: Rerun the CEICW and all the ports should be set for you including OWA. SBS is really that simple - you shouldn't have to touch IIS at all!

                          The FW has been used twice but not by me. If I run the CEICW again will it do any damage to the parts that are already working?


                          • #14
                            Re: OWA Requires Authentication Twice

                            You can consider the wizard to be in 4 parts. In each part, you have the option to not make changes. Unless you have something completely whacko on your SBS, the wizard will always return it to a well-known safe configuration. Hint: don't let the wizard configure your router for you if it is uPnP capable.
                            TIA


                            • #15
                              Re: OWA Requires Authentication Twice

                              Originally posted by teiger
                              You can consider the wizard to be in 4 parts. In each part, you have the option to not make changes. Unless you have something completely whacko on your SBS, the wizard will always return it to a well-known safe configuration. Hint: don't let the wizard configure your router for you if it is uPnP capable.

                              Tried it, unfortunately no change. It feels like it's just out of reach of my fingertips. The OWA rule is allowing access and passing me onto the mail server (without passing the credentials) which then wants me to authenticate again.

                              Strangely, the above is ONLY if I access internally. If I try externally, the 2nd logon doesn't appear. I just get a message (after a bit of a wait) that the page cannot be displayed.

                              If I had any hair I wouldn't have any by now...
