I've got a problem with OWA, and I'm pretty much at the end of my rope with this. OWA authenticates perfectly on the internal network. No problems at all. On the outside, you have to log in two or three times before it "sticks", at which point it won't ask you to authenticate again for hours.
The problem cropped up after an admin left and we were forced to change a bunch of passwords, so it's almost certainly a password/directory ownership issue somewhere. However, I've gone over the configuration and I can't find anything that's not running with a password unique to the local machine.
The setup is Exchange 2003, running behind an Apache proxy. Since the problem is external only, I've gone over the proxy extensively, and I can't find any problems. The whole setup has been running fine for ~4 years, so again, it's probably tied to the password change (which shouldn't have affected the proxy in any way).
I'm sure it's some stupid configuration setting that I'm missing, but I can't find it for the life of me. Anyone have any ideas?
@PQD
Here's mine:
SetOutputFilter proxy-html
RequestHeader unset Accept-Encoding
ProxyHTMLURLMap https://myserver.mydomain.com/exchange /exchange
ProxyPass /exchange https://myserver.mydomain.com/exchange
ProxyPassReverse /exchange https://myserver.mydomain.com/exchange
ProxyPass /exchweb https://myserver.mydomain.com/exchweb
ProxyPassReverse /exchweb https://myserver.mydomain.com/exchweb
ProxyPass /public https://myserver.mydomain.com/public
ProxyPassReverse /public https://myserver.mydomain.com/public
ProxyPass /OMA https://myserver.mydomain.com/OMA
ProxyPassReverse /OMA https://myserver.mydomain.com/OMA
ProxyPass /Microsoft-Server-ActiveSync https://myserver.mydomain.com/Microsoft-Server-ActiveSync
ProxyPassReverse /Microsoft-Server-ActiveSync https://myserver.mydomain.com/Microsoft-Server-ActiveSync
I'm pretty sure this isn't the problem. Nothing has changed on the proxy, and this configuration has worked for years.
setting apache2 reverse proxy for exchange 2003 owa was [ censored ]. but at the end it works fine for me.
the trick was to fool apache into thinking that in-house exchange server has same host-name as one under which people access the apache from the outside of company.
so in dns i have: owa.company.com pointing to public ip of apache and in /etc/hosts of machine with apache reverse proxy i have owa.company.com pointing to the internal ip of exchange:
my apache also does ssl encryption - internet uses connect over https, while apache uses http to talk with exchange. in vhost configuration i have:
obviously mod_proxy, mod_proxy_http are loaded.
and yes - i'm aware that this sounds like voodoo; it does to me, but i found it described somewhere, applied - and it worked. what can i say...
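The setup described in the answer above, sketched as an added example; it is not the answerer's own configuration, which is not on the page. The backend address 192.0.2.10 and the certificate paths are placeholders, and the proxied paths are taken from the configuration in the question.

```apache
# /etc/hosts on the proxy machine (constructed entry, placeholder IP):
#   192.0.2.10   owa.company.com
# Public DNS resolves owa.company.com to the proxy's public IP; on the proxy
# itself the same name resolves to the Exchange server, so the Host header
# Exchange receives matches the name users typed.

<VirtualHost *:443>
    ServerName owa.company.com

    # TLS terminates here for clients coming from the internet.
    SSLEngine on
    SSLCertificateFile    /path/to/owa.company.com.crt
    SSLCertificateKeyFile /path/to/owa.company.com.key

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off

    # Plain HTTP to the backend, as the answer describes. Credentials cross
    # the internal network unencrypted on this hop.
    ProxyPass        /exchange http://owa.company.com/exchange
    ProxyPassReverse /exchange http://owa.company.com/exchange
    ProxyPass        /exchweb  http://owa.company.com/exchweb
    ProxyPassReverse /exchweb  http://owa.company.com/exchweb
    ProxyPass        /public   http://owa.company.com/public
    ProxyPassReverse /public   http://owa.company.com/public

    # To encrypt the backend hop as well, as the https:// targets in the
    # question's configuration do, use https:// URLs above and enable:
    #   SSLProxyEngine on
</VirtualHost>
```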
After about 10 days the issue just went away. Seems like something weird was propagating through the AD. I bounced it off the corporate exchange people, and they had nothing. I ran through the whole configuration and it was all normal.
Unfortunately I have no idea what eventually fixed it: it was certainly dependent on some screwy behaviour attached to the admin who left, but his credentials weren't directly attached to the exchange server or IIS, and I fixed so many peripheral issues in that time period that it could have been any number of things.
Highly unsatisfying non-solution. If anyone has any AD experience that would explain a server that forced repeated re-authentication, I'd be interested in hearing about it, and I'll switch the accepted solution to anything convincing.