Skip navigation.


Exchange 2007 OWA on Windows Server 2008

How to spend a few hours fighting with a new server. Thought I'd post this to help out any other poor soul that's stuck with the same problem.

The Setup

Exchange Server 2007 SP1 running on Windows Server 2008, and having users trying to run Outlook Web Access (OWA).

The Problem

Only users that are members of the Administrators group can connect to OWA successfully.

The Resolution

Ensure that the "Domain Users" group is a member of the Builtin\Users group.

Sounds simple right! Well for some reason, Microsoft have kindly changed the default permissions on the %windir% folder on Server 2008 so that "Authenticated Users" no longer have Read access as they used to on Server 2003.

This means that anyone not in any of the other groups that has access by default can no longer read the ASP.Net ISAPI filters; so when the user logs in, IIS responds with a 401.3 to say Unauthorized: Access is denied due to an ACL.

"Domain Users" do not have any permissions on the folder either, so newly created users in an AD domain will not have access by default.

I presume this is only an issue if OWA is running on a domain controller as "Domain Users" would normally be added as a member of Users on a member server; hopefully Microsoft will get this right when SBS 2008 comes out later in the year.

By on February 25, 2008 | Permalink | Comment

Reader Comments

Skip to form

July 3, 2008, Joe Plumb says:

This is an annoying change. Thanks for writing up the resolution; I was ready to uninstall and start again!

May 3, 2011, Mugahed Bakri says:

Thank you very much for this post!!

I've been searching for a solution for about 1 and half years.

Comment on This Article:

Your Name:
Your Email Address:

Your Email Address will not be made public,
but the MD5 hash of it will be used to display your Gravatar.
All HTML, except <i>, <b>, <u> will require your comment to be moderated before it is publicly displayed.
If you would like your own avatar displayed, read about comment avatars.