Donate with
Categories
Donate with
82uymVXLkvVbB4c4JpTd1tYm1yj1cKPKR2wqmw3XF8YXKTmY7JrTriP4pVwp2EJYBnCFdXhLq4zfFA6ic7VAWCFX5wfQbCC
Created: February 22nd 2012
Last updated: May 1st 2020
Categories: Windows Server 2003
Author: Marcus Fleuti
Last updated: May 1st 2020
Categories: Windows Server 2003
Author: Marcus Fleuti
Resetting all Exchange-OWA folder permissions in Windows Server 2003
Donate with
82uymVXLkvVbB4c4JpTd1tYm1yj1cKPKR2wqmw3XF8YXKTmY7JrTriP4pVwp2EJYBnCFdXhLq4zfFA6ic7VAWCFX5wfQbCC
Sometimes it may occur that the OWA doesn't work properly anymore. In our case we've been having issues because of the installation of a Blackberry Enterprise Server. If the Microsoft Exchange OWA doesn't work anymore a last resort might be resetting all the OWA folder permissions:
Firstly, let’s begin by taking a look at the Virtual Directory structure of OWA. Table 1 below shows the structure of OWA in IIS.
| Virtual Directory | Description |
| Exadmin | The Exadmin virtual directory is used for administering Public Folders in the Exchange System Manager. |
| Exchange | The Exchange virtual directory stores the mailbox root (\\.\BackOfficeStorage\domain\MBX) |
| Exchweb | The Exchweb virtual directory contains all the graphics and files used by Outlook Web Access. This virtual directory points to C:\Program Files\Exchsrvr\ExchWeb. |
| Microsoft-Server-ActiveSync | The Microsoft-Server-ActiveSync virtual directory contains all the files used by Exchange ActiveSync (EAS) and points to C:\Program Files\Exchsrvr\OMA\Sync. |
| OMA | The OMA virtual directory stores all files used by Outlook Mobile Access (OMA). This virtual directory points directly to C:\Program Files\Exchsrvr\OMA\Browse. |
| Public | The Public virtual directory stores the Public folders (\\.\BackOfficeStorage\domain\Public Folders). |
Table 1:OWA structure in IIS
By far the most common problem I experience is a Loading … message, with placeholder images. This could be caused by a number of different issues. Follow the steps below to resolve this issue.
After logging into OWA, if you get placeholder images, with a Loading… message, this is typically caused by the following issues:
- The Exchweb virtual directory in IIS is not configured correctly
- The permissions for the Exchsrvr\Exchweb folder are incorrect
- The Require secure channel (SSL) check box is selected on the Exchweb virtual directory in IIS
- The IUSR password is set incorrectly.
- You upgraded from Microsoft Windows Server 2000 to Microsoft Windows Server 2003 and URLScan was installed before the upgrade. URLScan is not required for IIS 6.0 and will most likely cause problems.
Reset the HighWaterMarks
When I have a problem with OWA, this is normally the first step that I take, as it resets the OWA virtual directories in IIS, so I personally feel it acts as a good starting point. This involves deleting all six OWA virtual directories in IIS and recreating them. So it pretty much resets IIS.
Firstly, download and install the IIS 6.0 Resource Kit Tools. Visit the following Microsoft Web site to download the IIS Resource Kit:
http://www.microsoft.com/downloads/details.aspx?FamilyID=56FC92EE-A71A-4C73-B628-ADE629C89499&displaylang=en
If you prefer not to install all the Resource Kit Tools, click the Custom installation option to install only the Metabase Explorer.
Start IIS. Click Start, All Programs, Administrative Tools, Internet Information Services.
Backup the metabase just in case. To do this, right-click Default Web Site, click All Tasks, and then click Save Configuration to a File. Type a filename for the file and click OK.
Expand Default Web Site, and then delete the following virtual directories:
Microsoft-Server-ActiveSync
OMA
Exadmin
Exchange
Public
ExchWeb
Start Metabase Explorer. To do this, click Start, All Programs, IIS Resources, and then click Metabase Explorer.
Expand the LM key, right-click the DS2MB key, and then click Delete.
Close Metabase Explorer.
Restart the Microsoft Exchange System Attendant service to re-create the virtual directories in IIS.
Checking the security permissions in Internet Information Services (IIS)
Open IIS. Expand the default website. Right Click the Exchange Virtual Directory. Ensure there is a Check next to Basic Authentication, as in the Figure 1 below. Click OK twice.
Figure 1: Exchange Virtual Directory settings
Right click the ExchWeb Virtual Directory. Ensure there is a Check next to Anonymous access as in Figure 2 below.
Figure 2: ExchWeb Virtual Directory Settings
Checking the folder security permissions using windows explorer
Right-click the Exchweb folder, and then click Properties. Click the Security tab.
Verify that the Authenticated Users group has the following permissions:
- Read and execute
- List folder contents
- Read
Figure 3: ExchWeb Folder Settings
If the Authenticated Users group is not listed in the Access Control List, click Add to add the Authenticated Users group. Add the correct permissions as above in Figure 3.
Require secure channel (SSL)
Certificates can have a major impact on OWA. If none of the above steps work try accessing OWA using http. You will not be able to use Forms Based Authentication (FBA) using http as this relies on a certificate. So expect to type your password into a pop-up. This will allow you to check whether OWA at least works.
If OWA does display correctly when accessing it using http, then it is highly likely that the certificate is configured incorrectly. For details of how to configure a certificate, please follow this tutorial:
http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html
Reset the IUSR Password
Personally, I would do this last, as it will affect all the websites hosted in IIS on the server. If you change the IUSR password, make sure you change the IUSR password for each website residing in IIS. See Figure 2 above for details of changing the IUSR password.
Fixing OWA requires a back to basics approach. Strip everything back to the most basic of configurations. Make sure OWA works using http, then build your configuration and secure using a SSL from there.