We recently added a new Exchange 2003 back end server to our environment, which consisted of a single front end Exchange 2003 server in the DMZ and three back end Exchange 2003 servers on the same LAN. The front end server is providing Outlook Web Access services. All exchange servers in our organization are running Exchange SP2 on Server 2003 SP2. All servers are running OWA on IIS 6.0.
The problem is that users whose mailboxes reside on the new BE exchange server cannot access them through OWA on the front end server. They receive the error message “You could not be logged on to Outlook Web Access. Make sure your domain\user name and password are correct, and then try again.” This happens for both users whose mailboxes were created on the new server, and users whose mailboxes were moved there from one of the existing back end servers. Users whose mailboxes were moved, could access their mailbox through OWA prior to the move. These same users can access their mailboxes through OWA when connecting directly to the new BE server using either implicit or explicit logon methods.
The FE server can ping the new BE server and connect to it on port 80. In fact all ports between this FE server in the DMZ and our 3 DC's and 4 BE servers on the LAN are open. The FE server uses forms based authentication. All three BE servers have Basic authentication using the default domain "MYDomain" and Integrated Windows authentication enabled on the exchange virtual directory. I have verified that the permissions on the Virtual servers, exchange virtual directories, and the NTFS permissions on the Exchweb folder are all the same between the old BE servers and the new one.
Looking through the windows security log on the FE server, I can see a success Audit when one of the affected users tries to log on through OWA. However when looking through the IIS logs I see there is an http error code 401.5 which according to Microsoft means "Authorization failed by ISAPI\CGI app." An abbreviated version of the line follows:
2011-04-19 16:21:31 192.168.1.50 GET /exchange - 443 mydomain\fsmith 10.0.0.100 ...[content removed for brevity] 401 5 0
I performed an LDAP query against the user’s object in Active Directory and ensured that the user had a proxy address in the correct domain, and that the user’s email server attribute correctly pointed to the new BE server.
I'm not sure that it makes a difference but on two of our old BE servers there are Sharepoint administration websites. All three of the old BE servers also have Trend Mail Scan software installed, for which there is a web interface hosted on IIS.
I'm hoping someone here can spot some configuration or troublshooting step that I missed. Does anyone have any idea why our FE OWA server is not successfully connecting to user's mailboxes on our new BE exchange server?