Forms based Authentication over trusted domains
All my users reside in Domain A, my Exchange server is in Domain B. All mailboxes are configured to allow users from Domain A to access their mail in Domain B.
Most of my users use Outlook and have no problem accessing their email. All of my OWA users were also able to access their email until a few days ago. I have no idea what happened, but they can no longer access their mailboxes using OWA.
My Outlook users have no issues. If I turn off FBA the OWA user is able to log on with no problem. Once FBA is enabled they cannot log on. The only error message is "You could not be logged on to Outlook Web Access. Make sure your domain\user name and password are correct, and then try again."
If the user account is enabled in DomainA the user can log on with no issue. I have no idea what could be wrong: no event log messages, trust relationships are working, I don't know what else to check. Please assist.
May 22nd, 2011 2:54pm
Can you try to modify the sign-in property in the forms-based page to "User" mode and then test it? You can configure the forms-based authentication sign-in page to prompt users to provide their sign-in information in the format domain\user name. However, a user can also enter his or her user principal name (UPN) and the sign-in will be successful.
See the section "Configuring the Sign-in Prompt Used by Forms-Based Authentication"
Anil MCC 2011, ITIL V3, MCSA 2003, MCTS 2011
May 22nd, 2011 11:28pm
Thanks Anil,
I will take a closer look at the article you suggested; however, I have made changes to the form so that the domain is supplied and the user only has to enter their user name, and this still did not work. The user is in Domain A and the Email in Domain B, and they sign in as DOMAINA\Username; however the page simply sends the message listed above. If the user logs in as DOMAINB\username they will be successful; however we do not want the users to have to log into this domain.
Another thing I've noticed is that if I try to log in and type an incorrect password, my account does get locked out in the correct domain, so the communication across domains is occurring, but for some reason, FBA is not allowing the users in. If I disable
FBA the user gets in. I need FBA on for security reasons. Any other suggestions are very much welcome.
May 23rd, 2011 1:18am
1. Try to clean the cookies of IE on your client side.
2. Do an IISRESET and restart the System Attendant service with FBA enabled.
3. Run Test-OwaConnectivity -URL: -MailboxCredential:(get-credential contoso\kweku) to test the OWA connection.
May 23rd, 2011 11:45pm
Hi Jason,
Thanks for responding. I have cleaned cookies and I have reset IIS and turned FBA on and off, with no success. The thing is, only users who are trying to log on to the trusted domain have the problem. Users in the "Email" domain can log on with no issue.
The Test-OwaConnectivity program, does that run on Exchange 2003? I'm basically seeing it referencing Exchange 2007 in everything I've read.
May 24th, 2011 8:24am
It might help to see the IIS logs from the mailbox server. If a username is listed, then the credentials have been accepted, but denied access. If no usernames are listed, the credentials have not even been accepted.
Outlook Web Access For PDA, OWA For WAP
email a@t leederbyshire d.0.t c.0.m
May 24th, 2011 8:38am
Are you using any reverse proxy in front of your OWA? From research, it could also be due to your reverse proxy (ISA\UAG) being configured to only authenticate domainB users.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL
May 24th, 2011 9:25am
Hi Lee,
Thanks for the tip. The username and domain are listed with the following: GET /owa+-MailboxCredential:(get-credential+domainname/kroach) - 443 - Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv: 404 0 2
I'm seeing the 443 and 404 I'll check these out. What are your thoughts?
May 24th, 2011 9:48am
I assumed from one of your other answers that you had E2003. If that's correct, then any iis log entry showing a request for /owa can be ignored, since you don't have a directory named /owa (that's why the result is 404 - Not Found). I think
that what you found there is the result of you trying to run test-owaconnectivity. But if it got that far, then maybe you do have E2007 or E2010? So, I ought to ask you which version of Exchange you actually have.
May 24th, 2011 9:54am
Hi Jason,
I am not running reverse proxy. Lee, I am running Exchange 2003. All of my users are in a Windows 2000 domain. All of my outlook users have no problem, only my OWA users. If I turn off FBA all the OWA users can get in without
issue. The problem of not getting in only occurs when FBA is turned on. Everything worked well until a few days ago, then it just stopped working. No errors in the logs that I can see. Just the following error: "You could not be logged on
to Outlook Web Access. Make sure your domain\user name and password are correct, and then try again."
May 24th, 2011 10:44am
Hi Everyone, I really appreciate the assistance. Just to break down exactly what's happening:
1) Exchange 2003 is installed on Domain A on a Windows 2003 Domain Controller
2) All users are located in Domain B. All Trusts are in place and working.
3) All Mailboxes are configured to allow access to all Domain B users
4) All users who use Outlook have no issue sending or receiving email.
5) If FBA is enabled the users of the Trusted Domain (Domain B) cannot log on using OWA.
6) If FBA is turned off, users can type DomainName\Username and access their mailbox without issue.
7) If the user account is enabled on Domain A the user can use OWA with no problem. E.g. the user types DomainB\username and access to the mailbox is granted.
8) If the user on the Trusted Domain (Domain B) tries to log on to OWA and types the wrong password, they will be locked out as per network policy. This shows that the user is being validated in the correct domain.
The issue seems to lie with FBA simply not allowing access to the users from the Trusted Domain and I just can't figure out why.
May 24th, 2011 10:58am
Okay, for the IIS logs you are only interested in requests for /Exchange. Note that the times in those logs are in GMT. Have another attempt at logging in, just to create some log entries. Wait a few minutes (so that iis can flush the
cached entries from memory into the log file), and let us know what is logged. If anything.
May 24th, 2011 11:00am
FBA adds another layer of complication to iis authentication. The fact that your users can access the mailboxes if you disable FBA means that this isn't really an Exchange issue, but an IIS one, insofar as the FBA mechanism is one of Exchange's extensions
to IIS. If no usernames are present in the iis logs when FBA is enabled, then FBA just isn't working at all. Maybe owaauth.dll (the dll that does the actual FBA authentication) isn't allowing iis to execute it. Maybe you have decided to block
cookies in IE (FBA is a cookie-based authentication scheme) using group policy? Lots of things to check when you use FBA.
Anyway, the first place to look is the iis logs, to see if any usernames are being recorded for the /Exchange requests.
May 24th, 2011 11:30am
Hi Again,
Usernames are being recorded for the /Exchange requests. I'm not sure it's a browser cookie thing, because no one can log on, unless it's some universal cookie setting. The iis log shows:
GET /exchange - 443 DomainName\KROACH Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 401 1 1398
May 24th, 2011 12:20pm
Hi Again,
Usernames are being recorded for the /Exchange requests. I know it's not an individual browser/cookie thing because no one can log on, unless it's some universal cookie setting that I can check.
In the meantime, the iis log shows:
GET /exchange - 443 DomainName\KROACH Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 401 1 1398
May 24th, 2011 12:23pm
OK, hold on, let me ensure that the GET /exchange was for the correct user.
May 24th, 2011 12:27pm
Yes, it is getting the GET /Exchange for the Trusted Domain.
May 24th, 2011 12:32pm
Could this be a certificate issue? This is the only thing that I have not redone. I have a home-grown cert.
May 24th, 2011 1:14pm
Okay, so FBA itself appears to be working. Also, I can't imagine that SSL would cause any problem that would only appear when you use FBA. The only way to check is to turn off the requirement for SSL and try again. The trouble is, without
SSL you won't see the FBA login screen any more, and it will just fall back to something else, probably Basic auth.
See if you can work out what the direct URL for the user's mailbox would be. It's usually based on their primary SMTP address, so it might be something like
https://server/exchange/ , although if you want to be sure, without trying a few guesses, you'll have to check the iis log again, and look for the URLs from a successful session
(when you weren't using FBA). Then, try typing in the direct URL, and see if it works any better than just typing
https://server/Exchange.
May 24th, 2011 2:48pm
I did as you suggested. The user is able to log on if FBA is turned off. I need it on.
May 25th, 2011 11:55am
Do you have any mailboxes for users in domain B, rather than in domain A? If not, can you try creating a test user in domain B, so that you can see if a user in domain B can log on?
May 25th, 2011 12:07pm
All my DomainA users have accounts in DomainB. That's by design so that I could have created the new Exchange mailboxes. The Exchange mailboxes in Domain A grant the users of Domain A access.
If I enable the user account in Domain B the user has no problem logging in using FBA. E.g., using these logins:
All Trusted users location: DomainA
All Mailboxes location: DomainB
Logon from DOMAINB\JSMITH: Access Granted
Logon from DOMAINA\JSMITH: Error message: "You could not be logged on to Outlook Web Access. Make sure your domain\user name and password are correct, and then try again."
I am really stumped here.
May 26th, 2011 9:32am
Yes, it's very odd. The iis log entry you have earlier:
GET /exchange - 443 DomainName\KROACH Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 401 1 1398
shows that FBA has accepted the credentials (otherwise there wouldn't be any logged). Are there any other exchange-related log entries immediately after this (i.e. showing the same time, and therefore definitely part of the same logon attempt)?
What does a log entry for a successful logon look like? Is anything different?
May 26th, 2011 9:49am
Hi Lee,
Thanks for sticking with me on this, I really appreciate it. Here's what you requested. The first result is when I try to log on using the Trusted domain username and password.
iis logs show:
GET /exchange - 443 DOMAINA\KROACH Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv: 401 1 1398
Successful login to actual email domain using domain credentials
2011-05-26 13:42:42 W3SVC1 GET /exchange - 443 DOMAINB\KROACH Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv: 302 0 0
2011-05-26 13:42:42 W3SVC1 GET /exchange/ - 443 DOMAINB\KROACH Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv: 200 0 0
2011-05-26 13:42:42 W3SVC1 GET /exchange/KROACH/ Cmd=navbar 443 DOMAINB\KROACH Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv: 200 0 0
2011-05-26 13:42:42 W3SVC1 GET /exchange/KROACH/Inbox/ Cmd=contents 443 DOMAINB\KROACH Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv: 200 0 0
2011-05-26 13:42:45 W3SVC1 GET /exchange/KROACH/ Cmd=logoff 443 DOMAINB\KROACH Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv: 302 0 0
2011-05-26 13:42:45 W3SVC1 GET /exchweb/bin/auth/owalogon.asp url= 443 - Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv: 200 0 0
GET /exchange - 443 DomainName\KROACH Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 401 1 1398
Don't know if this helps
May 26th, 2011 10:48am
Sorry, I didn't explain myself enough. I was looking for successful logons for DOMAINA\KROACH. I know you won't find any where FBA is enabled, but I think you said it worked if FBA was turned off. Can you find any of those in your older logs? Or temporarily turn off FBA to create some new log entries?
May 26th, 2011 10:55am
Here are the entries when FBA is turned off. I hope you see something cause I can't :-)
2011-05-26 21:24:22 W3SVC1 GET /exchange/KROACH/Inbox/ Cmd=contents 443 - Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 401 2 2148074254
2011-05-26 21:24:22 W3SVC1 GET /exchange/KROACH/ Cmd=navbar 443 DomainA\kroach Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 200 0 0
2011-05-26 21:24:22 W3SVC1 GET /exchange/KROACH/Inbox/ Cmd=contents 443 - Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 401 1 0
2011-05-26 21:24:22 W3SVC1 GET /exchange/KROACH/Inbox/ Cmd=contents 443 DomainA\kroach Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 200 0 0
May 26th, 2011 5:47pm
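Added example, not from this thread or from any of its participants: a small Python parser for IIS W3C log lines in the layout quoted above that applies Lee's rule of thumb per user (no username on a 401 means the credentials were never accepted; a username with a 401 means accepted but denied; a username with 2xx/302 on a mailbox path means a working session), records the deepest /exchange path each user reached, and decodes the two sc-win32-status values present in the quoted entries using their winerror.h meanings, which the thread itself never does. The log lines are constructed to mirror the thread's entries, and the field order is inferred from them; DOMAINA, DOMAINB and KROACH are the thread's own placeholders.

```python
from collections import OrderedDict

# Constructed sample in the IIS 6 W3C layout of the entries quoted in this
# thread (field order inferred from the quoted lines). Users, times and
# statuses are made up to mirror the thread; nothing came from a real server.
SAMPLE_LOG = """\
#Fields: date time s-sitename cs-method cs-uri-stem cs-uri-query s-port cs-username cs(User-Agent) sc-status sc-substatus sc-win32-status
2011-05-26 13:40:01 W3SVC1 GET /exchange - 443 - Mozilla/5.0+(Windows) 401 2 2148074254
2011-05-26 13:40:02 W3SVC1 GET /exchange - 443 DOMAINA\\KROACH Mozilla/5.0+(Windows) 401 1 1398
2011-05-26 13:42:42 W3SVC1 GET /exchange - 443 DOMAINB\\KROACH Mozilla/5.0+(Windows) 302 0 0
2011-05-26 13:42:42 W3SVC1 GET /exchange/ - 443 DOMAINB\\KROACH Mozilla/5.0+(Windows) 200 0 0
2011-05-26 13:42:42 W3SVC1 GET /exchange/KROACH/ Cmd=navbar 443 DOMAINB\\KROACH Mozilla/5.0+(Windows) 200 0 0
2011-05-26 13:42:42 W3SVC1 GET /exchange/KROACH/Inbox/ Cmd=contents 443 DOMAINB\\KROACH Mozilla/5.0+(Windows) 200 0 0
2011-05-26 13:42:45 W3SVC1 GET /exchweb/bin/auth/owalogon.asp url=/exchange 443 - Mozilla/5.0+(Windows) 200 0 0
"""

# sc-win32-status values that appear in the thread's quoted entries, decoded
# from winerror.h. 2148074254 on an anonymous 401 is the normal first leg of an
# auth challenge. 1398 on a 401 that already carries a username is worth a
# check of clock skew between the Exchange server and the trusted domain's DCs,
# since Kerberos rejects tickets once clocks drift past the allowed skew.
WIN32_STATUS = {
    0: "OK",
    1398: "ERROR_TIME_SKEW: time/date difference between client and server",
    2148074254: "SEC_E_NO_CREDENTIALS (0x8009030E): first leg of an auth challenge, normal",
}


def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, entries = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no header yet or a malformed line: skip rather than guess
        entries.append(dict(zip(fields, values)))
    return entries


def classify_logons(entries):
    """Per user: 'accepted-but-denied' if every /exchange request with a username
    came back 401, 'success' once any /exchange request returned 2xx/302.
    Anonymous ('-') legs and the owalogon.asp page are not evidence either way."""
    verdicts = OrderedDict()
    for e in entries:
        user = e["cs-username"]
        if user == "-" or not e["cs-uri-stem"].lower().startswith("/exchange"):
            continue
        rec = verdicts.setdefault(user, {"verdict": "accepted-but-denied",
                                         "deepest_path": "", "win32": []})
        status = int(e["sc-status"])
        code = int(e["sc-win32-status"])
        if status == 401:
            rec["win32"].append(WIN32_STATUS.get(code, "unknown %d" % code))
        elif status < 400:
            rec["verdict"] = "success"
        path = e["cs-uri-stem"]
        if path.count("/") > rec["deepest_path"].count("/"):
            rec["deepest_path"] = path  # how far into the mailbox tree IIS let them
    return verdicts


if __name__ == "__main__":
    for user, rec in classify_logons(parse_iis_log(SAMPLE_LOG)).items():
        print(user, rec["verdict"], rec["deepest_path"], rec["win32"])
```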
Do you see an entry that just says
GET /exchange
for DomainA/KROACH ?
Also, I suppose it's possible that domain A users don't have permission to execute the FBA plugins on the server, although I'm not sure if server would try to do that using the user's credentials, or using its own SYSTEM account. I don't have an E2003
server in front of me today, so I can't tell you what to check, but can you have a look at the ISAPI filters installed on your default web site, and give me a list of the names?
May 27th, 2011 8:58am
The only filters listed are
and OWaLogon
May 27th, 2011 10:06am
OwaLogon is probably the FBA mechanism. See if you can find out which dll it points to, then check the NTFS permissions on it.
May 27th, 2011 10:10am
The permissions are
Read and Read & Execute
May 27th, 2011 11:29am
Who has those permissions? Do you see any group that is likely to contain the users from DomainA?
May 27th, 2011 12:39pm
The Authenticated users group has the access described, no specific user from DomainA
May 28th, 2011 8:07pm
Authenticated Users in that location presumably refers only to users in domain B. That will probably include the account that IIS uses (IUSR_Servername); but once a user is authenticated I'm not sure that that account plays any part in the process. Is the SYSTEM account listed? On my server it has Full Control permissions on that dll. If the server is a member server, try adding (at least temporarily) the Everyone group, with Read and Execute permissions.
May 31st, 2011 9:42am
My SYSTEM account has full access too. The computer is the domain controller on that Domain so I can't add the users group from another Domain; however, I tried adding my account from the trusted domain to the security tab and giving my account full access. This still did not work ;-(
May 31st, 2011 12:31pm
In OWA 2003, each OWA directory (i.e. the /exchange directory you go to in iis) can only serve users that have email addresses in a particular smtp domain. Have a look at the properties of the exchange virtual directory in Exchange System Manager (or,
you might have to look at the exchange virtual server, I can't remember which), and you should find a property named Exchange Path. It will either say 'default', or a particular smtp domain. If it says Default, have a look at the Default Recipient
Policy, and see which domain (there is probably only one) is listed as the primary domain. Any user that wants to use OWA on that server must have an email address in that domain. It doesn't have to be their main address, but it does need to be
in their list of addresses. If you are sure that none of these have been changed recently, it's unlikely to be the cause of your particular problem, but you never know. Since you have two domains, you have an odd situation where a domainA
user must have an email address in the default smtp domain for domainB in order to use OWA in domainB. Or you should specifically configure domainB's OWA installation to serve users with SMTP addresses in domainA.
June 1st, 2011 8:51am
Sorry, I mean that the mailboxes in domain B need to have email addresses in the SMTP domain that I asked you to look at. This is nearly always the case, but domains that end in things like .local can have problems with OWA if the OWA directory is
configured to consider that to be its exchange path value.
June 1st, 2011 8:54am
Hi Lee,
The thing is that this configuration was working fine and just stopped. I have no idea what the problem is. All my mailboxes are configured with the trusted domain user having access. All my Outlook users are working. Users can use OWA if FBA is turned off; the only issue is turning FBA on, and that is what has me stumped. In essence everything actually works the way it should. The issue is definitely with FBA.
June 1st, 2011 9:17am
Oh. I forgot that the problem only appeared with FBA. Do you know if your FBA logon will accept usernames in the UPN format? Like instead of DOMAINA\USERNAME ?
June 1st, 2011 10:13am
At this point I would probably try recreating your Exchange virtual directories. I don't think it's a trust or port restriction with authentication, since it works with Basic. Something within IIS or the binaries is probably screwed up.
June 1st, 2011 10:15am
Thanks everyone for sticking with me. James, I have recreated the directories, no luck. I did that early on when the problem started.
Lee: Can't log in with same error
You could not be logged on to Outlook Web Access. Make sure your domain\user name and password are correct, and then try again.
June 1st, 2011 3:10pm
If you look at the Exchange vdir in IIS, on the authentication page, can you see the field where you can specify the default domain for Basic Authentication? This is usually set to \ . Does it help if you change it to DOMAINA?
June 1st, 2011 5:38pm
Hi Lee,
No it doesn't. I tried that earlier on too. ;-( Will try it again tomorrow just to see what happens
June 1st, 2011 8:34pm
Have you tried it yet? With the default domain set to DOMAINA, try logging on as just USERNAME, instead of DOMAINA\USERNAME.
June 3rd, 2011 8:40am
Yes I did and it did not work. ;-(
June 3rd, 2011 9:53am
It's strange that you are getting access denied at the /exchange level without it even attempting to access the actual mailbox folder. Maybe it is having trouble finding the correct path for logons in DomainA. Does it make any difference
if you try to go direct to
?
June 3rd, 2011 10:05am
Hi Lee, sorry for taking so long to respond I didn't realise that you answered. Using the format above you still cannot get into the mailbox, only the page to login comes up.
Now, if the user were to type the wrong password, their AD account in the trusted domain will be locked out, so there is validation in the correct domain and for the correct mailbox user; however OWA simply will not display the mailbox, and this only happens
to users from the trusted domain. If I create a user in the domain where exchange is hosted everything works.
June 10th, 2011 12:03pm
Well, I just don't know what else to say, I'm afraid. If it wasn't for the fact that it once worked, I'd be thinking maybe it wasn't possible by now. It might be worth starting a new topic for this one, and hope someone from MS picks it up
(which they do, occasionally). Or give them a call, if you can spare the money. I only say this because I don't want to waste any more of your time, when I'd just be guessing at things.
June 13th, 2011 8:30am
Thanks Lee. You've been very helpful. I'll let you know if I ever get it resolved.
June 13th, 2011 9:47am