Resetting OWA Folder and IIS security permissions in

Exchange 2003
The various steps needed to reset OWA folder and Internet Information Services (IIS)
security permissions.

Introduction

I use Outlook Web Access (OWA) every day, and quite literally couldn’t exist without
it. I regularly need to do troubleshooting to fix display problems with OWA. Especially
after installing Exchange 2003 onto an existing Small Business Server (SBS) 2003
installation.

Once fixed, OWA will give hours of happy motoring and rarely falls over once it’s up
and running correctly.

In this article, I will walk through the various steps needed to reset OWA folder and
Internet Information Services (IIS) security permissions.

Whether you are having difficulties with a new installation, or if you suddenly experience
display issues or pop-ups, follow these steps to fix the most common reasons for OWA
display problems.

About the OWA Structure

Firstly, let’s begin by taking a look at the Virtual Directory structure of OWA. Table 1
below shows the structure of OWA in IIS.

Virtual Directory Description

Exadmin The Exadmin virtual directory is used for administering Public
Folders in the Exchange System Manager.

Exchange The Exchange virtual directory stores the mailbox root (\\.\
BackOfficeStorage\domain\MBX)
Exchweb
The Exchweb virtual directory contains all the graphics and files
used by Outlook Web Access. This virtual directory points to
C:\Program Files\Exchsrvr\ExchWeb.

Microsoft-Server- The Microsoft-Server-ActiveSync virtual directory contains all

ActiveSync the files used by Exchange ActiveSync (EAS) and points to C:\
Program Files\Exchsrvr\OMA\Sync.

OMA The OMA virtual directory stores all files used by Outlook
Mobile Access (OMA). This virtual directory points directly to
C:\Program Files\Exchsrvr\OMA\Browse.

Public The Public virtual directory stores the Public folders (\\.\
BackOfficeStorage\domain\Public Folders).

Table 1: OWA structure in IIS

By far the most common problem I experience is a Loading … message, with

placeholder images. This could be caused by a number of different issues. Follow the
steps below to resolve this issue.

After logging into OWA, if you get placeholder images, with a Loading… message, this
is typically caused by the following issues:

 The Exchweb virtual directory in IIS is not configured correctly

 The permissions for the Exchsrvr\Exchweb folder are incorrect
  The Require secure channel (SSL) check box is selected on the Exchweb virtual
directory in IIS
 The IUSR password is set incorrectly.
 You upgraded from Microsoft Windows Server 2000 to Microsoft Windows
Server 2003 and URLScan was installed before the upgrade. URLScan is not
required for IIS 6.0 and will most likely cause problems.

Reset the HighWaterMarks

When I have a problem with OWA, this is normally the first step that I take, as it resets
the OWA virtual directories in IIS, so I personally feel it acts as a good starting
point. This involves deleting all six OWA virtual directories in IIS and recreating
them. So it pretty much resets IIS.

Firstly, download and install the IIS 6.0 Resource Kit Tools. Visit the following
Microsoft Web site to download the IIS Resource Kit:

http://www.microsoft.com/downloads/details.aspx?FamilyID=56FC92EE-A71A-4C73-
B628-ADE 629C89499&displaylang=en

If you prefer not to install all the Resource Kit Tools, click the Custom installation
option to install only the Metabase Explorer.

Start IIS. Click Start, All Programs, Administrative Tools, Internet Information
Services.

Backup the metabase just in case. To do this, right-click Default Web Site, click All
Tasks, and then click Save Configuration to a File. Type a filename for the file and
click OK.

Expand Default Web Site, and then delete the following virtual directories:

Microsoft-Server-ActiveSync
OMA
Exadmin
Exchange
Public
ExchWeb

Start Metabase Explorer. To do this, click Start, All Programs, IIS Resources, and then
click Metabase Explorer.

Expand the LM key, right-click the DS2MB key, and then click Delete.

Close Metabase Explorer.

Restart the Microsoft Exchange System Attendant service to re-create the virtual
directories in IIS.

Checking the security permissions in Internet Information

Services (IIS)
Open IIS. Expand the default website. Right Click the Exchange Virtual
Directory. Ensure there is a Check next to Basic Authentication, as in the Figure 1
below. Click OK twice.
Figure 1: Exchange Virtual Directory settings

Right click the ExchWeb Virtual Directory. Ensure there is a Check next to Anonymous
access as in Figure 2 below.
Figure 2: ExchWeb Virtual Directory Settings

Checking the folder security permissions using windows

explorer

Right-click the Exchweb folder, and then click Properties. Click the Security tab.

Verify that the Authenticated Users group has the following permissions:

 Read and execute

 List folder contents
 Read
Figure 3: ExchWeb Folder Settings

If the Authenticated Users group is not listed in the Access Control List, click Add to
add the Authenticated Users group. Add the correct permissions as above in Figure 3.

Require secure channel (SSL)

Certificates can have a major impact on OWA. If none of the above steps work try
accessing OWA using http. You will not be able to use Forms Based Authentication
(FBA) using http as this relies on a certificate. So expect to type your password into a
pop-up. This will allow you to check whether OWA at least works.

If OWA does display correctly when accessing it using http, then it is highly likely that
the certificate is configured incorrectly. For details of how to configure a certificate,
please follow this tutorial:
http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html

Reset the IUSR Password

Personally, I would do this last, as it will affect all the websites hosted in IIS on the
server. If you change the IUSR password, make sure you change the IUSR password for
each website residing in IIS. See Figure 2 above for details of changing the IUSR
password.

Fixing OWA requires a back to basics approach. Strip everything back to the most basic
of configurations. Make sure OWA works using http, then build your configuration and
secure using a SSL from there.