Blog
Exchange 2007 OWA on Windows Server 2008
How to spend a few hours fighting with a new server. Thought I'd post this to help out any other poor soul that's stuck with the same problem.
The Setup
Exchange Server 2007 SP1 running on Windows Server 2008, and having users trying to run Outlook Web Access (OWA).
The Problem
Only users that are members of the Administrators group can connect to OWA successfully.
The Resolution
Ensure that the "Domain Users" group is a member of the Builtin\Users group.
Sounds simple right! Well for some reason, Microsoft have kindly changed the default permissions on the %windir% folder on Server 2008 so that "Authenticated Users" no longer have Read access as they used to on Server 2003.
This means that anyone not in any of the other groups that has access by default can no longer read the ASP.Net ISAPI filters; so when the user logs in, IIS responds with a 401.3 to say Unauthorized: Access is denied due to an ACL.
"Domain Users" do not have any permissions on the folder either, so newly created users in an AD domain will not have access by default.
I presume this is only an issue if OWA is running on a domain controller as "Domain Users" would normally be added as a member of Users on a member server; hopefully Microsoft will get this right when SBS 2008 comes out later in the year.
By Theo Gray on February 25, 2008 | Permalink | Comment
Reader Comments
Skip to form
July 3, 2008
,Joe Plumb says:This is an annoying change. Thanks for writing up the resolution; I was ready to uninstall and start again!
May 3, 2011
,Mugahed Bakri says:Thank you very much for this post!!
I've been searching for a solution for about 1 and half years.