You enable forms-based authentication in a Microsoft Exchange Server 2003 organization. After you do this, users receive the following error message when they try to log on by using Outlook Web Access:

Back to the top

This problem occurs when one or more of the following conditions are true:

•	The IUSR_Server_Name account (IUSR account) is missing.
•	The IUSR account password in the user account is not synchronized with Internet Information Services (IIS).
•	Permissions on folders and files in IIS are incorrect.
•	Permissions for the IUSR account are incorrect.
•	Basic authentication is not configured for Outlook Web Access access.

Back to the top

To resolve this problem, you must perform the following five steps. After each step, you can determine whether the problem is solved. If the problem persists, continue to the next step.

Back to the top

Step 1: Verify that the IUSR account exists, and create the account if it does not exist

The IUSR account for the server may not exist if Active Directory has been removed from a domain controller and the computer is designated as a member server. To verify that the IUSR account exists, and to create the IUSR account if it does not exist, follow these steps:

1.	Open the Computer Management snap-in.
2.	Expand Local Users and Groups.
3.	Click Users. Verify that an account named IUSR_Server_Name is located in this folder. If this account exists, go to "Step 2: Verify the permissions on folders and files in IIS Manager." If this account does not exist, continue with the remaining steps in this section.
4.	Right-click in the right window pane, and then click New User.
5.	In the User name box, type IUSR_Server_Name .
6.	Type an appropriate password in the Password and Confirm Password boxes.
7.	Click to select the User cannot change password and Password never expires check boxes, and then click Create.
8.	Click Close.
9.	Start Internet Information Services (IIS) Manager.
10.	Expand Server_Name, and then expand Web Sites.
11.	Right-click Default Web Site, and then click Properties.
12.	Click the Directory Security tab.
13.	In the Access and authentication area, click Edit.
14.	In the Enable Anonymous access area, click Enable Anonymous access.
15.	In the User name and Password boxes, type IUSR_Server_Name and the password, respectively.
16.	In the Authenticated access area, verify that the Integrated Windows authentication check box is checked.
17.	Click OK.
18.	In the Confirm Password box, reenter the password, and then click OK.
19.	If the Inheritance Overrides dialog box is displayed, click Select All, and then click OK two times.

Back to the top

Step 2: Verify the permissions on folders and files in IIS Manager

To verify the permissions on folders and files in IIS Manager, follow these steps:

1.	Start IIS Manager.
2.	Expand Server_Name, expand Web Sites, expand Default Web Site, and then expand Exchweb.
3.	Right-click bin, and then click Properties. On the Virtual Directory tab, verify that the Read check box is checked.
4.	Expand bin.
5.	Right-click auth, and then click Properties. On the Directory tab, verify that the Read check box is checked.
6.	Right-click usa, and then click Properties. On the Directory tab, verify that the Read check box is checked.
7.	Expand usa. In the right pane, right-click logon.asp, and then click Properties.
8.	On the File tab, verify that the Read check box is checked.
9.	Right-click Default Web Site, and then click Stop.
10.	Right-click Default Web Site again, and then click Start.
11.	Try to log on to a mailbox by using Outlook Web Access. You may receive the following error message: Error: Access is denied. If you receive this message, perform the steps that are described in "Step 3: Verify that the IUSR account password is synchronized to the password that is entered in IIS Manager."

Back to the top

Step 3: Verify that the IUSR account password is synchronized to the password that is entered in IIS Manager

The "Error: Access is denied" error message occurs when the IUSR account password is not synchronized to the password that is entered in IIS Manager. To verify that the IUSR account password is synchronized, follow the steps that are described in the following Microsoft Knowledge Base article: For more information, click the following article number to view the article in the Microsoft Knowledge Base:

Back to the top

Step 4: Verify that basic authentication is configured on the Exchange Server virtual directory

1.	Start Exchange System Manager.
2.	Expand Administrative Groups, and then expand First Administrative Group.
3.	Expand Servers, and then expand Server_Name.
4.	Expand Protocols, and then expand Exchange Virtual Server.
5.	Right-click Exchange, and then click Properties.
6.	Click the Access tab, and then click Authentication.
7.	In the Authentication Methods dialog box, verify that the Enable anonymous access check box is not checked.
8.	Click to select the Basic authentication (password is sent in clear text) check box.
9.	Type the name of the default user domain in the Default domain text box. For example, type Domain.com.
10.	Click OK two times.
11.	Click Apply, and then click OK to close the Exchange Properties dialog box.

Back to the top

Step 5: Verify that basic authentication is configured on the Exchweb virtual directory in IIS Manager

1.	Start IIS Manager.
2.	Expand Server_Name, expand Web sites, and then expand Default Web Site.
3.	Right-click Exchweb, and then click Properties.
4.	On the Directory Security tab, click Edit in the Authentication and access control area.
5.	In the Authentication Methods dialog box, verify that the Enable anonymous access check box is checked.
6.	Click to select the Basic authentication (password is sent in clear text) check box.
7.	Type the name of the default user domain in the Default domain text box. You can click Select and then select the default domain from a list.
8.	Click OK.
9.	Click Apply, and then click OK.
10.	Right-click Server_Name in the left pane of the console, point to All Tasks, and then click Restart IIS.
11.	In the Stop/Start/Restart dialog box, click Restart Internet Services on the Server_Name in the What do you want IIS to do list.

Back to the top