During the co-existence period of a transition from Exchange Server 2003 to Exchange Server 2010 you may encounter an issue with the legacy Outlook Web Access URL redirection.

When users connect to the Exchange 2010 Client Access server for OWA login they receive a second login prompt for the legacy URL.

Authentication prompt when accessing OWA legacy URL

No matter which credentials are entered into this authentication dialog box, the login is not successful and an HTTP 500 error is displayed.

HTTP 500 error accessing OWA legacy URL

The solution is to enable forms-based authentication on the Exchange 2003 front-end server. This setting is located in the Properties of the Exchange Virtual Server.

Open the Properties of the Exchange Virtual Server

In the Settings tab enable forms-based authentication and click OK to apply the change.

Enabling Forms-Based Authentication for Exchange 2003

Exchange will warn you that SSL must be configured and IIS restarted if you are not offloading SSL elsewhere or have not already configured it in IIS. Click OK to close the warning. If you have not already got SSL offloaded or configured, go ahead and set it up: the forms-based logon page submits the user's credentials in the request body, so it must only ever be served over HTTPS.

Exchange 2003 warning about SSL configuration for forms-based authentication
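As an added diagnostic (this script is not part of the original article), the following Python code requests the legacy front-end URL once without following redirects and reports whether the server answered with the forms-based logon redirect (the working state) or with an NTLM/Basic challenge (the extra authentication prompt described above). The hostname legacy.example.com is a placeholder.

```python
import sys
import urllib.error
import urllib.request

# Path the Exchange 2003 front-end redirects to when forms-based auth is on.
FBA_LOGON_PATH = "/exchweb/bin/auth/owalogon.asp"


def classify_legacy_owa_response(status, headers):
    """Map a status code and (name, value) header pairs to a verdict.

    Duplicate headers are kept, because IIS sends one WWW-Authenticate
    header per scheme (e.g. Negotiate, NTLM, Basic)."""
    location = ""
    schemes = []
    for name, value in headers:
        key = name.lower()
        if key == "location":
            location = value
        elif key == "www-authenticate":
            schemes.append(value.strip().split()[0])  # "Basic realm=x" -> "Basic"
    if status in (301, 302) and FBA_LOGON_PATH in location.lower():
        return "forms-based-auth"                 # expected, working state
    if status == 401 and schemes:
        return "challenge:" + "/".join(schemes)  # the second-prompt symptom
    if status == 500:
        return "server-error"
    return "unexpected:%d" % status


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Return None so urllib raises HTTPError instead of following 302s."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_legacy_owa(url, timeout=10):
    """Request the legacy /exchange URL once and classify the first answer."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify_legacy_owa_response(resp.getcode(), resp.headers.items())
    except urllib.error.HTTPError as err:      # 302/401/500 all land here
        return classify_legacy_owa_response(err.code, err.headers.items())
    except urllib.error.URLError as err:       # e.g. certificate name mismatch
        return "connection-error:%s" % err.reason


if __name__ == "__main__":
    # Placeholder legacy hostname (constructed); pass the real one as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "https://legacy.example.com/exchange"
    print(target, "->", probe_legacy_owa(target))
```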

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Brandon Lee

    Paul,

    Hello, great site! I wanted to shoot you a question as in working with a company recently who was running NT4 domains – yes, NT4 domains – the decision was made to migrate the NT4 domains to child domains of the parent AD domain that was in place for the company. Before the migration, the Exchange 2003 infrastructure worked. Child domain accounts were “associated external accounts” on the parent domain mailbox users. OWA, ActiveSync and Outlook all worked for NT4 domain users.

    As soon as the migration was completed, OWA and ActiveSync now both give Error 500s. The weird thing is that Outlook still works fine. I have been pulling my hair out trying to figure this one out. I have looked at permissions everywhere, which seems to be the culprit, but nothing is really panning out. Every change I have made has not affected the issue.

    Thanks Paul,
    Brandon

    1. Paul Cunningham

      I don’t have any Exchange 2003 environments that I could use to even begin to look at why you’d be having this problem, sorry. I guess you should test whether the issue only impacts migrated users vs newly created users. That may give you some clues. Other than that, perhaps check that inherited permissions are correctly enabled on the security tab of the user accounts.

  2. Tom

    So I enabled forms-based authentication and reset IIS on my 03 server and now the legacy redirect works great. However, it broke ActiveSync. Error below. I’m not sure how to fix this.

    Event Type: Error
    Event Source: Server ActiveSync
    Event Category: None
    Event ID: 3031
    Date: 7/16/2013
    Time: 10:46:43 AM
    User: DOMAIN\jsmith
    Computer: SERVER
    Description:
    The mailbox server [SERVER.DOMAIN.com] does not allow “Negotiate” authentication to its [exchange] virtual directory. Exchange ActiveSync can only access the server using this authentication scheme. For information about how to configure Exchange virtual directory settings, see Microsoft Knowledge Base article 817379, “Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003” (http://go.microsoft.com/fwlink/?linkid=3052&kbid=817379). For information about how to properly configure IIS to support Kerberos and NTLM authentication, see Microsoft Knowledge Base article 215383, “How To Configure IIS to Support Both Kerberos and NTLM Authentication” (http://go.microsoft.com/fwlink/?linkid=3052&kbid=215383). This issue may occur after installing Windows SharePoint Services on a server running Exchange Server 2003. For information about how to properly configure a server to run both Windows SharePoint Services and Exchange Server 2003, see Microsoft Knowledge Base article 823265, “You receive a “Page not found” error message when you use Outlook Web Access (OWA) to browse the Exchange Server 2003 client after you install Windows SharePoint Services” (http://go.microsoft.com/fwlink/?linkid=3052&kbid=823265).

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

  3. Bayram

    Fixed;

    Microsoft Exchange Forms-Based Authentication Service. Starting this service fixed the blank page issue and allowed clients to authenticate correctly.

  4. Daniel Lafond

    I got an issue here. I have a mixed 2003/2010 Exchange setup and if I enable forms-based authentication, ActiveSync stops working for my legacy users. But OWA starts working for my legacy users. So right now I have to choose between OWA and ActiveSync.

    I have transferred my Exchange 2010 certificate to my Exchange 2003.

    I have looked for a fix, but can only find a solution for each problem alone, not for both at the same time.

    Please help.

    1. Paul Cunningham

      Strange that changing one breaks the other, because OWA and EAS run off different virtual directories.

      I suggest you run the ActiveSync test at exrca.com as it may reveal more about where things are going wrong.

  5. Joseph Ghanem

    Hi all,
    I’m facing a problem with Exchange 2007 OWA. Every time I log on, I get the same page asking me for credentials again, with reason=3. Can anyone help?
    Thanks.

  6. Jim

    Hi Paul,

    I seem to be having a similar but not exact issue with co-existence redirection. I would like my 2003 mailbox users to be able to browse to my internal http[s]://webmail[.domain.com] CAS array and have it just ask for the username and login once, just like it does with 2003 now. I set up my laptop to mimic this scenario (hosts file points ‘webmail’ to the Casarray farm IP), and I currently receive these results…

    http://webmail, https://webmail, http://webmail.domain.com & https://webmail.domain.com redirect to a 2010 CAS server and prompt for credentials. If I enter a 2003 mailbox name, it generates a cert error, I click continue, it prompts to login to legacy.domain.com, then takes me to 2003 OWA.

    What am I missing to streamline the legacy logins? Do I need to add my new UCC cert to the 2003 OWA servers? The website link I posted has more details from the technet forum site if that helps. Thanks!

    Jim

    1. Paul Cunningham

      Hi Jim, yes you’ll get cert errors if you haven’t added a cert with the legacy name to your 2003 FE server.

      If you’re publishing both the Exchange 2010 CAS and the legacy FE server via ISA, and you’ve got Single Sign On configured on the ISA then the legacy redirection should work without a second authentication prompt.

  7. Flavio Boniforti

    Hi Paul, you gave me correct suggestions: indeed I have to do httpS and it *is* working when using /owa.
    Now, as I’m thinking back to how it was on SBS2003 with Exchange 2003, I’d like to explain how I was connecting to OWA2003.
    When typing http://mail.mydomain.com/exchange I was automatically being redirected to https://mail.mydomain.com/exchweb/bin/auth/owalogon.asp?url=https://mail.mydomain.com/exchange&reason=0

    Is it somehow possible to obtain this behaviour back again with my new setup (SBS2011, Exchange 2010, IIS7)?

    Again, many thanks!
    F.

    1. Paul Cunningham

      Starting with Exchange 2007 the virtual directory for Outlook Web Access changed to /owa.

      You could create another virtual directory of /exchange (if there isn’t already one) and set up a redirect rule, but it’s a bit of work.

  8. Flavio Boniforti

    Hello Paul, it’s me again! 🙂
    I successfully managed to migrate SBS2003 to SBS2011.
    After having done that, I redirected my NATted ports from the old 2003 to the new 2011 server (ports 25, 110, 143, 80, 443).
    I now have two main troubles:
    1) I cannot access OWA. I try to connect to http://mail.mydomain.com/exchange but I get a “Server error in application ‘/’” – “Runtime Error”. What do I have to set up/configure to get my OWA back working (of course on the new 2010 Exchange)?
    2) while migrating, during the execution of the “Internet Connection Wizard”, I’ve seen that there was some “http://remote.mydomain.com” being configured. Now I can access from my LAN the “remote” application and from inside there I can also use OWA. Questions: why does the migration NOT ASK for anything and automatically create a “remote.mydomain.com” service? Is there any way to customize that?

    Kind regards and thanks in advance,
    F.

    1. Paul Cunningham
      1. Flavio Boniforti

        Hi Paul,
        that website is good, but it doesn’t seem to check for OWA. I used it for testing ActiveSync connectivity…
        Thank you anyway!

        Kind regards,
        F.

  9. Wayne

    Awesome, thanks!

  10. Siiby

    Yeah, they are all resistant to changing things and having users complain. Sadly, everyone who uses webmail uses the non-SSL one from outside the network. Quite an eye opener being here, but I hope to change things with this new deployment and keep to best practices.
    So I take it the best route would be to install the new SAN certificate for Exchange 2010 on the SSL-based OWA server (it will have the legacy name webmail.xxxx.com, the Exch2010 OWA will be owa.xxx.com) and then redirect users to that new OWA and have them use forms-based auth. That should allow for co-existence while mailboxes are moved between 2003 and 2010 for webmail.

  11. Siiby

    I have a situation where the Exchange 2003 org (for various reasons that I don’t necessarily agree with) has 2 FE servers, one using HTTP and no forms-based auth and one using SSL and forms-based auth. For other reasons, management refuses to have users redirected to the SSL-enabled FE. So, during a co-existence phase with 2010, would this mean that users would HAVE to use the SSL-enabled FE?
    I am negotiating with them on decommissioning the non-SSL FE altogether, as it is on very old hardware.
