Permissions on ActiveSync and OWA?

[esmithbda]

We had an HD crash over the weekend and had to restore the info store from our backups. After which, everything internally worked great.

But ever since then, the OWA and ActiveSync haven't been working. OWA originally was showing a "440" error with a timeout. We called in someone from our IT consulting group and they fixed that.

Now the issue is that I, with admin privs, can login to OWA and ActiveSync (ActiveSync using Treo 650) without issues. But no other users can.

Going into the AD, the users are setup so that they can use the mobile access.

Any suggestions as to how to resolve this? It was all working prior to the crash, and then for some reason many folders lost permissions. I don't know what would cause this one though so that no users other than those with admin rights could login on the external access points.

 

[markdmac]

Configure the security in IIS as follows.

Default Web site
Enable Anonymous access
Integrated Windows Authentication
Exadmin
Integrated Windows Authentication
Require SSL
Require 128 bit
Exchange
Basic Authentication
Default Domain \
Exchange-oma
Integrated Windows Authentication
Basic Authentication
ExchWeb
Enable Anonymous access
Require SSL
Require 128 bit
Microsoft-Server-ActiveSync
Scripts and Executables
Exchange Application Pool
Basic Authentication
Default Domain DomainName
OMA
Scripts Only
ExchangeMobileBrowseApplicationPool
Basic Authentication
Default Domain DomainName
Public
Basic Authentication
Default Domain \
Require SSL
Require 128 bit

I hope you find this post helpful.

Regards,

Mark

 

[esmithbda]

As an update, I added a user to the administrators group and then waited (30 mins - not entirely intentional, but got pulled away on other tasks) and then tried to login again with that user - they still could not login.

Going to try to add them under Enterprise Admins group now and see if that works - probably the worst way to get it working, but I need to narrow down why my user login works, but nobody else does.

 

[esmithbda]

Sorry markdmac, I hadn't seen your post yet when I posted.

As an aside, adding a user to admins and enterprise admins still did not allow them entrance - but my user login still can gain access. No clue why.

I will now make sure the config is as you have laid out here markdmac.

 

[esmithbda]

Okay, I did all of those.

Now when I put on the "Enable anon access" with the IUSR account (which had previously had its password forced in and all of the references to it updated with that new password, as well as the IWAM user) on the root node, it asked me which of the children I wanted to have it - I checked it for all of them. Not sure if that was bad since on some of yours you don't have anything about the anon access.

I made the changes as you have above and still, I can use ActiveSync no problem, and I can access OWA just fine.

But when I go in as another user, while I can get the OWA landing screen, even with the correct "DomainName\username" and password, it gives me a failure message.

So as long as the user is me, then it all works great. Anyone else though, not so much.

 

[esmithbda]

Note that after all of the changes, I did an "iisreset" on the command line in order to restart IIS. Still didn't work after that.

 

[esmithbda]

I just went through and followed the above list exactly as it says (so that the ones that don't mention anon don't have it) and then again did an iisreset from the command line, and then tried to login again.

Again, I can login (admin privs), but no other users can.

 

[markdmac]

Have you disabled the cert check on the device you are trying to sync with?

I hope you find this post helpful.

Regards,

Mark

 

[esmithbda]

The devices that were connecting worked fine prior to the crash - all of the issues were on the machine itself.

It is fixed now, but unfortunately I can't say what fixed it since I was out of the country on business and several other people came in to investigate it.