Problem with OWA when using Forms Based Authentication

Created: 08 Dec 2005 • Updated: 21 May 2010 | 10 comments

In our current configuration we have a front end exchange 2k3sp1 and back end exchange cluster 2k3sp1 and EV6 sp1. When connecting directly with the back end server in OWA everything works and when Forms Based Authentication on the front-end is turned off everything works.

But when FBA is turned on I can store items to my vault and restore them but I am unable to open an archived item or open search / archive explorer. When clicking on an archived item it will open a new window and eventually display only the shortcut contents and not load the original item.

Has anyone else had problems when using FBA, or is anyone currently using FBA without any problems?


Thanks,

~Kirk

Tremaine

Yep, FBA works for us.
Had a problem when we were using IIS compression, so switched that off.

Also you might want to make sure that the proxycfg settings are correctly excluding all your back end servers.

Just type proxycfg from a command line and check the results.

Then on your Enterprisevaultproxy virtual directory make sure you have 'scripts only' set under 'Execute permissions'

Cheers

Kirk MacDonald

IIS compression is switched off.
Proxycfg appears to be configured correctly.
Enterprisevaultproxy virtual directory has 'scripts only' selected.

I have also tested using just SSL with no forms based and it does work.

It only seems to be not working when Forms Based Authentication is enabled.

~Kirk

Tremaine

Do you get any errors in the IIS log when going through the FE with FBA?

This is FBA on the FE and not offloaded through ISA 2004?

Cheers

Kirk MacDonald

This is our Exchange environment:

- Active/Passive cluster (2 nodes) - 1 virtual server

- FE server for OWA with FBA enabled (SSL)

This is what is currently happening:

1. When clicking the "Archive Explorer" and "Search Archives" link in OWA, an IE authentication box prompts for your username and password (We do not want this... only authenticate once at the very beginning).

2. After typing in your username and password, you are able to search and browse your archive. Messages open just fine from here.

3. When double clicking on an archived message in the Inbox, the email comes up with only the 150 first characters, not the entire message (doesn't retrieve it).

4. If we click on the link called "The archived item is currently unavailable." we get a small error box with "200 OK" on it and a OK button.

5. If we click on "Click here to preview the original item" the archived email is shown but not in the standard OWA window. You can't reply or forward the message. If you click Restore, it prompts you for the exchange server and mailbox. And if you type the correct information in, you get an error that it can't restore the message.

So as you can see we have some issues.

I am guessing a lot of our issues are with incorrect security settings on the FE, BE, and eVault servers (IIS).

Ghost: Would it be possible to list the permissions in IIS for each of your virtual web sites and folders on the FE, BE, and eVault server? I know it's a lot, but it would really help us.

I really need to know how you have your FE server setup. Specifically the EnterpriseVaultProxy virtual directory, Exchange, and ExchWeb folders.

Thanks,

~Kirk

Matthew Edwards

On the EnterpriseVaultProxy Virtual Directory - try changing the default domain from '\' to the name of your domain.

Brian Spooner

Kirk,

We're experiencing problems #3, 4 and 5 as you described. Did you ever find the solution?

Tremaine

What I don't understand is why it only gives the problem when FBA is on.
You might want to check the following out:
http://support.microsoft.com/default.aspx?scid=kb;...

Also you never really said whether this is FBA on the FE or whether you are offloading through ISA 2004?

Are you making use of any type of reverse proxy? Are you using non-standard ports?

I doubt whether changing the basic login domain from / to domainName will make a difference as FBA sets this specifically.

Brian Spooner

I've been working with Symantec Support and we finally resolved these problems. I thought I might share it with others in case they're running into the same thing.

Basically, the problem was when trying to access archived items in OWA, I had symptoms #3, 4 and 5 as Kirk described.

After turning up some diagnostic logging in EVBackend.ini on the back-end Exchange Server, we tried to access an item from OWA and then discovered in the diagnostic logs that it was failing to create a file in the shopping folder. Specifically, Shopping\\vaultowa. And vaultowa is the name of our vault OWA service account. For some reason it could not create this directory & file. To test it out we granted full control to everyone on the shopping folder and created the vaultowa folder manually....Voila...all the vault OWA problems went away.

Hope this helps...
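An added example, not part of the original posts and not Symantec's own tooling: a PowerShell check of the Shopping folder ACL that reports whether the OWA service account is named with Modify rights and whether a broad principal such as Everyone holds Full Control. The folder path and account name are placeholders, and treating Modify as the right the account needs is an assumption.

```powershell
# Added example. Path and account values are placeholders, not taken from the thread.
function Test-ShoppingFolderAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,     # Shopping folder location (placeholder)
        [Parameter(Mandatory)] [string] $Account   # service account, e.g. 'DOMAIN\vaultowa'
    )
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $full   = [System.Security.AccessControl.FileSystemRights]::FullControl
    $broadNames = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

    # Only Allow entries matter for "can the account create the folder and file".
    $rules = @((Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' })

    # Entries that name the account directly (explicit or inherited).
    # Rights reached only through group membership are not expanded here.
    $accountRules = @($rules | Where-Object { $_.IdentityReference.Value -ieq $Account })
    $hasModify = @($accountRules | Where-Object {
        ($_.FileSystemRights -band $modify) -eq $modify }).Count -gt 0

    # Broad principals left with Full Control, e.g. after a troubleshooting test.
    $broad = @($rules | Where-Object {
        ($broadNames -contains $_.IdentityReference.Value) -and
        (($_.FileSystemRights -band $full) -eq $full) })

    [pscustomobject]@{
        Path             = $Path
        Account          = $Account
        AccountHasModify = $hasModify
        BroadFullControl = @($broad | ForEach-Object { $_.IdentityReference.Value })
    }
}

# Constructed stand-in folder so the function can be run anywhere;
# point -Path at the real Shopping folder and -Account at the OWA service account.
$demo = Join-Path $env:TEMP 'Shopping-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Test-ShoppingFolderAcl -Path $demo -Account "$env:USERDOMAIN\$env:USERNAME"
```

If `AccountHasModify` is false, a narrower grant to the service account alone can be made with `icacls <path> /grant "DOMAIN\account:(OI)(CI)M"`, after which any entries listed under `BroadFullControl` can be reviewed for removal.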

Chris Barnes

Kirk,

Did you ever solve:

"1. When clicking the "Archive Explorer" and "Search Archives" link in OWA, an IE authentication box prompts for your username and password (We do not want this... only authenticate once at the very beginning)."

I am having the same problem.

Thanks,

Chris

Kirk MacDonald

That's a good question, I no longer have that problem, but the reason is the buttons no longer show up. Users can now get to archived items so at the current time we are calling that a success.