Professional Documents
Culture Documents
ResettingOWAFolderandIISsecuritypermissionsinExchange2003
ResettingOWAFolderandIISsecuritypermissionsinExchange2003
Exchange 2003
The various steps needed to reset OWA folder and Internet Information Services (IIS)
security permissions.
Introduction
I use Outlook Web Access (OWA) every day, and quite literally couldn’t exist without
it. I regularly need to do troubleshooting to fix display problems with OWA. Especially
after installing Exchange 2003 onto an existing Small Business Server (SBS) 2003
installation.
Once fixed, OWA will give hours of happy motoring and rarely falls over once it’s up
and running correctly.
In this article, I will walk through the various steps needed to reset OWA folder and
Internet Information Services (IIS) security permissions.
Whether you are having difficulties with a new installation, or if you suddenly experience
display issues or pop-ups, follow these steps to fix the most common reasons for OWA
display problems.
Firstly, let’s begin by taking a look at the Virtual Directory structure of OWA. Table 1
below shows the structure of OWA in IIS.
Exchange The Exchange virtual directory stores the mailbox root (\\.\
BackOfficeStorage\domain\MBX)
Exchweb
The Exchweb virtual directory contains all the graphics and files
used by Outlook Web Access. This virtual directory points to
C:\Program Files\Exchsrvr\ExchWeb.
OMA The OMA virtual directory stores all files used by Outlook
Mobile Access (OMA). This virtual directory points directly to
C:\Program Files\Exchsrvr\OMA\Browse.
Public The Public virtual directory stores the Public folders (\\.\
BackOfficeStorage\domain\Public Folders).
After logging into OWA, if you get placeholder images, with a Loading… message, this
is typically caused by the following issues:
When I have a problem with OWA, this is normally the first step that I take, as it resets
the OWA virtual directories in IIS, so I personally feel it acts as a good starting
point. This involves deleting all six OWA virtual directories in IIS and recreating
them. So it pretty much resets IIS.
Firstly, download and install the IIS 6.0 Resource Kit Tools. Visit the following
Microsoft Web site to download the IIS Resource Kit:
http://www.microsoft.com/downloads/details.aspx?FamilyID=56FC92EE-A71A-4C73-
B628-ADE 629C89499&displaylang=en
If you prefer not to install all the Resource Kit Tools, click the Custom installation
option to install only the Metabase Explorer.
Start IIS. Click Start, All Programs, Administrative Tools, Internet Information
Services.
Backup the metabase just in case. To do this, right-click Default Web Site, click All
Tasks, and then click Save Configuration to a File. Type a filename for the file and
click OK.
Expand Default Web Site, and then delete the following virtual directories:
Microsoft-Server-ActiveSync
OMA
Exadmin
Exchange
Public
ExchWeb
Start Metabase Explorer. To do this, click Start, All Programs, IIS Resources, and then
click Metabase Explorer.
Expand the LM key, right-click the DS2MB key, and then click Delete.
Restart the Microsoft Exchange System Attendant service to re-create the virtual
directories in IIS.
Right click the ExchWeb Virtual Directory. Ensure there is a Check next to Anonymous
access as in Figure 2 below.
Figure 2: ExchWeb Virtual Directory Settings
Right-click the Exchweb folder, and then click Properties. Click the Security tab.
Verify that the Authenticated Users group has the following permissions:
If the Authenticated Users group is not listed in the Access Control List, click Add to
add the Authenticated Users group. Add the correct permissions as above in Figure 3.
Certificates can have a major impact on OWA. If none of the above steps work try
accessing OWA using http. You will not be able to use Forms Based Authentication
(FBA) using http as this relies on a certificate. So expect to type your password into a
pop-up. This will allow you to check whether OWA at least works.
If OWA does display correctly when accessing it using http, then it is highly likely that
the certificate is configured incorrectly. For details of how to configure a certificate,
please follow this tutorial:
http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html
Personally, I would do this last, as it will affect all the websites hosted in IIS on the
server. If you change the IUSR password, make sure you change the IUSR password for
each website residing in IIS. See Figure 2 above for details of changing the IUSR
password.
Fixing OWA requires a back to basics approach. Strip everything back to the most basic
of configurations. Make sure OWA works using http, then build your configuration and
secure using a SSL from there.