IUSR_Servername Account and Exchange 2003
Hi, I've been experimenting with the website settings on one of my test Exchange 2003 backend servers for OWA and rpc over https. I thought I really messed things up last night by unchecking anonymous, integrated windows and basic authentication but found out that I could use either integrated windows, basic or anonymous and it would work ok meaning I could login but I don't understand something. I had originally got started on this because someone unchecked the non-expiring parameter of my iusr_servername account on one of my production servers which was generating a number of event 535 failures in my security log. I thought that if I unchecked anonymous access on the default website that the event 535's for my iusr account would stop but they didn't. I can see 4 event 535 failures for each login that I make via owa even though I have anonymous access unchecked and of course the password on my iusr account is still expired. I thought that what you have checked on the default website controls access to the resource. If I don't have anonymous access enabled why would the iusr account even be used by Windows? I also thought that a backend Exchange 2003 server had to have either anonymous access checked or basic authentication checked but I have neither checked at the moment, I have integrated windows authentication checked. Any help you can pass along will be much appreciated. Best Regards, Fred Towery
July 14th, 2010 2:41am

Hi, Could you post the event log here? Do you mean that even if you disable anonymous, integrated windows and basic authentication on the backend server, you still can access owa from the front-end server? It is normal. When you access the OWA on the front-end server and input your credential, the front-end server handles authentication in two ways: either the front-end server authenticates the user itself (either using Basic or forms-based authentication), or it forwards the request anonymously to the back-end server. Either way, the back-end server also performs authentication whether the authentication options in its websites are disabled or not.
July 14th, 2010 2:26pm

Thanks for your reply Gen Lin, If I disable anonymous, integrated windows and basic authentication I cannot access owa via our front end server to the back end server. This I would expect. I have discovered that I can enable anonymous, integrated windows or basic authentication (any one of these or all of them checked) on the backend server website and virtual directories and still access owa successfully. What I don't understand is that even if I disable anonymous authentication why do I still get events 680 and 535 on my backend server security event log? The next thing I don't understand is how the owa front end server authenticates me back to the back end server when I enter my credentials on the front end owa webpage. I've included examples of both below, for each login I see an event 680 first, then a 535, then a second 680 and then a second 535. I see these messages on my back end Exchange server.

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 7/14/2010
Time: 6:30:23 AM
User: NT AUTHORITY\SYSTEM
Computer: ExchangeBackendServerName
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: IUSR_ExchangeBackendServerName
Source Workstation: ExchangeBackendServerName
Error Code: 0xC0000071
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 535
Date: 7/14/2010
Time: 6:30:23 AM
User: NT AUTHORITY\SYSTEM
Computer: ExchangeBackendServerName
Description:
Logon Failure:
Reason: The specified account's password has expired
User Name: IUSR_ExchangeBackendServerName
Domain: ExchangeBackendServerName
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: ExchangeBackendServerName
Caller User Name: ExchangeBackendServerName$
Caller Domain: OurDomainName
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 5420
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
July 14th, 2010 3:53pm
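As an added example (not part of the thread), a small Python triage that parses 680/535 records in the flattened one-line form quoted in the post above, maps the 680 Error Code to its NTSTATUS meaning (0xC0000071 is STATUS_PASSWORD_EXPIRED), and flags IIS built-in IUSR_/IWAM_ accounts that are failing with an expired password. The host and account names in the sample records are constructed.

```python
import re
from collections import Counter
# Constructed sample records in the flattened form the post shows: a 680 "Account
# Logon" failure, its matching 535, and an unrelated bad-password 680 for contrast.
SAMPLE_EVENTS = [
    "Event Type: Failure Audit Event Source: Security Event Category: Account Logon "
    "Event ID: 680 Date: 7/14/2010 Time: 6:30:23 AM User: NT AUTHORITY\\SYSTEM Computer: BE01 "
    "Description: Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 "
    "Logon account: IUSR_BE01 Source Workstation: BE01 Error Code: 0xC0000071",
    "Event Type: Failure Audit Event Source: Security Event Category: Logon/Logoff "
    "Event ID: 535 Date: 7/14/2010 Time: 6:30:23 AM User: NT AUTHORITY\\SYSTEM Computer: BE01 "
    "Description: Logon Failure: Reason: The specified account's password has expired "
    "User Name: IUSR_BE01 Domain: BE01 Logon Type: 8 Logon Process: Advapi",
    "Event Type: Failure Audit Event Source: Security Event Category: Account Logon "
    "Event ID: 680 Date: 7/14/2010 Time: 6:31:02 AM User: NT AUTHORITY\\SYSTEM Computer: BE01 "
    "Description: Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 "
    "Logon account: jdoe Source Workstation: WS17 Error Code: 0xC000006A",
]

# NTSTATUS values that event 680 reports in its Error Code field.
STATUS_TEXT = {"0xC0000071": "password expired", "0xC000006A": "bad password",
               "0xC0000072": "account disabled", "0xC0000234": "account locked out"}
FIELDS = {  # 680 labels the account "Logon account", 535 labels it "User Name"
    "event_id": r"Event ID: (\d+)",
    "account": r"(?:Logon account|User Name): (\S+)",
    "error_code": r"Error Code: (0x[0-9A-Fa-f]{8})",
    "reason": r"Reason: (.+?) User Name:",
    "logon_type": r"Logon Type: (\d+)",
}

def parse_event(record: str) -> dict:
    """Extract the triage-relevant fields; a field absent from the record is None."""
    found = {k: re.search(p, record) for k, p in FIELDS.items()}
    return {k: (m.group(1) if m else None) for k, m in found.items()}

def triage(records) -> dict:
    """Count 680 failures per account by reason (the paired 535 is not counted twice)."""
    out = {}
    for ev in map(parse_event, records):
        if ev["event_id"] == "680" and ev["error_code"]:
            reason = STATUS_TEXT.get(ev["error_code"], ev["error_code"])
            out.setdefault(ev["account"], Counter())[reason] += 1
    return out

def expired_iis_accounts(records) -> list:
    """IIS built-in accounts (IUSR_/IWAM_) failing with an expired password, the
    noise source in the post; unchecking anonymous access does not stop them."""
    return sorted(a for a, c in triage(records).items()
                  if a and a.upper().startswith(("IUSR_", "IWAM_")) and c["password expired"])
```

Run against a 680/535 export, the IUSR_ hits point at the account whose password or expiry policy needs fixing, while ordinary user failures stay grouped under their own reasons.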
