Exchange 2010 OWA Legacy URL Redirection HTTP 500 Error

During the co-existence period of a transition from Exchange Server 2003 to Exchange Server 2010 you may encounter an issue with the legacy Outlook Web Access URL redirection.

When users connect to the Exchange 2010 Client Access server for OWA login they receive a second login prompt for the legacy URL.

Authentication prompt when accessing OWA legacy URL


No matter which credentials are entered into this authentication dialog box the login is not successful, and an HTTP 500 error is displayed.

HTTP 500 error accessing OWA legacy URL


The solution is to enable forms-based authentication on the Exchange 2003 front-end server. The setting is located in the Properties of the Exchange Virtual Server.

Open the Properties of the Exchange Virtual Server


In the Settings tab enable forms-based authentication and click OK to apply the change.

Enabling Forms-Based Authentication for Exchange 2003


Exchange will warn you that SSL must be configured and IIS restarted if you are not offloading SSL elsewhere, or have not already configured it in IIS. Click OK to close the warning. If SSL is not already offloaded or configured, go ahead and do that.

Exchange 2003 warning about SSL configuration for forms-based authentication
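
One way to confirm the change from a workstation, as an added example that is not part of the original article: the browser credential dialog shown earlier is an HTTP 401 challenge, while the forms-based logon described in the comments below is reached through a redirect to `owalogon.asp`. The hostnames, verdict names and sample responses are constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit

# Logon page path as quoted in the comments on this page.
FBA_LOGON_PATH = "/exchweb/bin/auth/owalogon.asp"

def classify(status, headers):
    """Classify one un-followed response; headers is a list of (name, value)."""
    hdrs = [(k.lower(), v) for k, v in headers]
    if status == 401:
        # Browser credential dialog: FBA is not answering on this URL.
        schemes = [v.split()[0].lower() for k, v in hdrs
                   if k == "www-authenticate" and v.strip()]
        return ("http-auth-prompt", schemes)
    if status in (301, 302, 303, 307, 308):
        loc = urlsplit(next((v for k, v in hdrs if k == "location"), ""))
        if loc.path.lower() == FBA_LOGON_PATH:
            # Logon form: acceptable only when it is reached over TLS.
            return ("fba-logon", loc.scheme.lower())
        return ("other-redirect", loc.geturl())
    if status >= 500:
        return ("server-error", status)
    return ("unclassified", status)

def probe(url, timeout=10):
    """GET url without following redirects and classify the answer.
    A certificate name mismatch on https raises ssl.SSLCertVerificationError."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=timeout)
    try:
        conn.request("GET", u.path or "/")
        resp = conn.getresponse()
        return classify(resp.status, resp.getheaders())
    finally:
        conn.close()

# Constructed sample responses (hostnames are placeholders, not from the page).
SAMPLES = {
    "fba_disabled": (401, [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM"),
                           ("WWW-Authenticate", 'Basic realm="legacy.example.com"')]),
    "fba_enabled": (302, [("Location", "https://legacy.example.com/exchweb/bin/auth/owalogon.asp"
                                       "?url=https://legacy.example.com/exchange&reason=0")]),
    "fba_cleartext": (302, [("Location", "http://legacy.example.com/exchweb/bin/auth/owalogon.asp")]),
}

if __name__ == "__main__":
    for name, (status, headers) in SAMPLES.items():
        print(name, classify(status, headers))
```

Call `probe()` against your own legacy `/exchange` URL; a result of `("fba-logon", "http")` or a `basic` scheme offered on a plain HTTP URL means credentials would cross the network unencrypted.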


About Paul Cunningham

Paul is a Microsoft Exchange Server MVP and publisher of Exchange Server Pro. He also holds several Microsoft certifications including for Exchange Server 2007, 2010 and 2013.

Comments

  1. I have a situation where the Exchange 2003 org (for various reasons that I don't necessarily agree with) has 2 FE servers, one using HTTP and no forms based auth and one using SSL and forms based auth. For other reasons, management refuses to have users redirected to the SSL enabled FE. So, during a co-existence phase with 2010, would this mean that users would HAVE to use the SSL enabled FE?
    I am negotiating with them on decommissioning the non-SSL FE altogether, as it is on very old hardware.

  2. Yeah, they are all resistant to changing things and having users complain. Sadly, everyone who uses webmail uses the non SSL one from outside the network. Quite an eye opener being here, but I hope to change things with this new deployment and keep to best practices.
    So I take it the best route would be to install the new SAN certificate for exchange 2010 on the SSL-based OWA server (it will have the legacy name webmail.xxxx.com, the Exch2010 OWA will be owa.xxx.com) and then redirect users to that new OWA and have them use Forms based Auth. That should allow for co-existence while mailboxes are moved between 2003 and 2010 for webmail.

  3. Awesome, thanks!

  4. Flavio Boniforti says:

    Hello Paul, it’s me again! :-)
    I successfully managed to migrate SBS2003 to SBS2011.
    After having done that, I redirected my NATted ports from the old 2003 to the new 2011 server (ports 25, 110, 143, 80, 443).
    I now have two main troubles:
    1) I cannot access OWA. I try to connect to http://mail.mydomain.com/exchange but I get a “Server error in application ‘/’” – “Runtime Error”. What do I have to set up/configure to get my OWA back working (of course on the new 2010 Exchange)?
    2) while migrating, during the execution of the “Internet Connection Wizard”, I’ve seen that there was some “http://remote.mydomain.com” being configured. Now I can access from my LAN the “remote” application and from inside there I can also use OWA. Questions: why does the migration NOT ASK for anything and automatically create a “remote.mydomain.com” service? Is there any way to customize that?

    Kind regards and thanks in advance,
    F.

  5. Flavio Boniforti says:

    Hi Paul, you gave me correct suggestions: indeed I have to do httpS and it *is* working when using /owa.
    Now, as I’m thinking back to how it was on SBS2003 with Exchange 2003, I’d like to explain how I was connecting to OWA2003.
    When typing http://mail.mydomain.com/exchange I was automatically being redirected to https://mail.mydomain.com/exchweb/bin/auth/owalogon.asp?url=https://mail.mydomain.com/exchange&reason=0

    Is it somehow possible to obtain this behaviour back again with my new setup (SBS2011, Exchange 2010, IIS7)?

    Again, many thanks!
    F.

    • Starting with Exchange 2007 the virtual directory for Outlook Web Access changed to /owa

      You could create another virtual directory of /exchange (if there isn’t already one) and set up a redirect rule but it’s a bit of work.

  6. Hi Paul,

    I seem to be having a similar but not exact issue with co-existence redirection. I would like my 2003 mailbox users to be able to browse to my internal http[s]://webmail[.domain.com] CAS array and have it just ask for the username and login once, just like it does with 2003 now. I set up my laptop to mimic this scenario (hosts file points ‘webmail’ to the Casarray farm IP), and I currently receive these results…

    http://webmail, https://webmail, http://webmail.domain.com & https://webmail.domain.com redirects to a 2010 CAS server and prompts for credentials. If I enter a 2003 mailbox name, it generates a cert error, I click continue, it prompts to login to legacy.domain.com, then takes me to 2003 OWA.

    What am I missing to streamline the legacy logins? Do I need to add my new UCC cert to the 2003 OWA servers? The website link I posted has more details from the technet forum site if that helps. Thanks!

    Jim

    • Hi Jim, yes you’ll get cert errors if you haven’t added a cert with the legacy name to your 2003 FE server.

      If you’re publishing both the Exchange 2010 CAS and the legacy FE server via ISA, and you’ve got Single Sign On configured on the ISA then the legacy redirection should work without a second authentication prompt.

  7. Joseph Ghanem says:

    Hi all,
    I’m facing a problem with exchange 2007 owa. Every time I log on, I get the same page asking me for credentials again, with reason=3. Can anyone help?
    Thanks.

  8. Daniel Lafond says:

    I got an issue here. I have a mixed 2003/2010 Exchange setup and if I enable forms-based authentication, ActiveSync stops working for my legacy users. But OWA starts working for my legacy users. So right now I have to choose between OWA and ActiveSync.

    I have transferred my Exchange2010 certificate to my Exchange 2003.

    I have looked for a fix, but can only find a solution for each problem alone, not for both at the same time.

    Please help.

    • Strange that changing one breaks the other, because OWA and EAS run off different virtual directories.

      I suggest you run the ActiveSync test at exrca.com as it may reveal more about where things are going wrong.

  9. Fixed;

    Microsoft Exchange Forms-Based Authentication Service. Starting this service fixed the blank page issue and allowed clients to authenticate correctly.
