Resetting OWA Folder and IIS security permissions in Exchange 2003

by Chris Dalby [Published on 13 Feb. 2007 / Last Updated on 13 Feb. 2007]

The various steps needed to reset OWA folder and Internet Information Services (IIS) security permissions.

Introduction

I use Outlook Web Access (OWA) every day, and quite literally couldn’t exist without it. I regularly need to do troubleshooting to fix display problems with OWA. Especially after installing Exchange 2003 onto an existing Small Business Server (SBS) 2003 installation. 

Once fixed, OWA will give hours of happy motoring and rarely falls over once it’s up and running correctly.

In this article, I will walk through the various steps needed to reset OWA folder and Internet Information Services (IIS) security permissions.

Whether you are having difficulties with a new installation, or if you suddenly experience display issues or pop-ups, follow these steps to fix the most common reasons for OWA display problems.

About the OWA Structure

Firstly, let’s begin by taking a look at the Virtual Directory structure of OWA. Table 1 below shows the structure of OWA in IIS.

Virtual Directory

Description

Exadmin

The Exadmin virtual directory is used for administering Public Folders in the Exchange System Manager.

Exchange

The Exchange virtual directory stores the mailbox root (\\.\BackOfficeStorage\domain\MBX)

Exchweb

 

The Exchweb virtual directory contains all the graphics and files used by Outlook Web Access. This virtual directory points to C:\Program Files\Exchsrvr\ExchWeb.

Microsoft-Server-ActiveSync

The Microsoft-Server-ActiveSync virtual directory contains all the files used by Exchange ActiveSync (EAS) and points to C:\Program Files\Exchsrvr\OMA\Sync.

OMA

The OMA virtual directory stores all files used by Outlook Mobile Access (OMA). This virtual directory points directly to C:\Program Files\Exchsrvr\OMA\Browse.

Public

The Public virtual directory stores the Public folders (\\.\BackOfficeStorage\domain\Public Folders).

Table 1: OWA structure in IIS

By far the most common problem I experience is a Loading … message, with placeholder images. This could be caused by a number of different issues. Follow the steps below to resolve this issue.

After logging into OWA, if you get placeholder images, with a Loading… message, this is typically caused by the following issues:

  • The Exchweb virtual directory in IIS is not configured correctly
  • The permissions for the Exchsrvr\Exchweb folder are incorrect
  • The Require secure channel (SSL) check box is selected on the Exchweb virtual directory in IIS
  • The IUSR password is set incorrectly.
  • You upgraded from Microsoft Windows Server 2000 to Microsoft Windows Server 2003 and URLScan was installed before the upgrade. URLScan is not required for IIS 6.0 and will most likely cause problems.

Reset the HighWaterMarks

When I have a problem with OWA, this is normally the first step that I take, as it resets the OWA virtual directories in IIS, so I personally feel it acts as a good starting point. This involves deleting all six OWA virtual directories in IIS and recreating them. So it pretty much resets IIS.

Firstly, download and install the IIS 6.0 Resource Kit Tools. Visit the following Microsoft Web site to download the IIS Resource Kit:

http://www.microsoft.com/downloads/details.aspx?FamilyID=56FC92EE-A71A-4C73-B628-ADE 629C89499&displaylang=en

If you prefer not to install all the Resource Kit Tools, click the Custom installation option to install only the Metabase Explorer.

Start IIS. Click Start, All Programs, Administrative Tools, Internet Information Services

Backup the metabase just in case. To do this, right-click Default Web Site, click All Tasks, and then click Save Configuration to a File. Type a filename for the file and click OK.

Expand Default Web Site, and then delete the following virtual directories:

Microsoft-Server-ActiveSync
OMA
Exadmin
Exchange
Public
ExchWeb

Start Metabase Explorer. To do this, click Start, All Programs, IIS Resources, and then click Metabase Explorer.

Expand the LM key, right-click the DS2MB key, and then click Delete.

Close Metabase Explorer.

Restart the Microsoft Exchange System Attendant service to re-create the virtual directories in IIS.

Checking the security permissions in Internet Information Services (IIS)

Open IIS. Expand the default website. Right Click the Exchange Virtual Directory. Ensure there is a Check next to Basic Authentication, as in the Figure 1 below. Click OK twice.


Figure 1: Exchange Virtual Directory settings

Right click the ExchWeb Virtual Directory. Ensure there is a Check next to Anonymous access as in Figure 2 below.


Figure 2: ExchWeb Virtual Directory Settings

Checking the folder security permissions using windows explorer

Right-click the Exchweb folder, and then click Properties. Click the Security tab.

Verify that the Authenticated Users group has the following permissions:

  • Read and execute
  • List folder contents
  • Read


Figure 3: ExchWeb Folder Settings

If the Authenticated Users group is not listed in the Access Control List, click Add to add the Authenticated Users group. Add the correct permissions as above in Figure 3.

Require secure channel (SSL)

Certificates can have a major impact on OWA. If none of the above steps work try accessing OWA using http. You will not be able to use Forms Based Authentication (FBA) using http as this relies on a certificate. So expect to type your password into a pop-up. This will allow you to check whether OWA at least works. 

If OWA does display correctly when accessing it using http, then it is highly likely that the certificate is configured incorrectly. For details of how to configure a certificate, please follow this tutorial:

http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html

Reset the IUSR Password

Personally, I would do this last, as it will affect all the websites hosted in IIS on the server. If you change the IUSR password, make sure you change the IUSR password for each website residing in IIS. See Figure 2 above for details of changing the IUSR password.

Fixing OWA requires a back to basics approach. Strip everything back to the most basic of configurations. Make sure OWA works using http, then build your configuration and secure using a SSL from there.     

References

Troubleshooting OWA when the contents frame displays “Loading”

Fixing a Damaged or Incorrectly Configured OWA 2003 Installation

SSL Enabling OWA 2003 using your own Certificate Authority

Advertisement

Featured Links