Outlook Web Access session unexpectedly quits when forms-based authentication is used
When you log on to your mailbox by using Microsoft Outlook Web Access (OWA), you may experience the following symptoms:
- You receive one of the following error messages when you try to use the OWA spell checking feature:
Message 1: Unspecified error.
Message 2: The spelling in this item can't be checked. Try again later.
- Your OWA session quits unexpectedly.
This behavior may occur if the Outlook Web Access server is published through Microsoft Internet Security and Acceleration (ISA) Server, or if both of the following conditions are true:
- You log on by using only your user alias and password instead of by specifying the domain in a Universal Naming Convention (UNC) format (Domain\User) or your user principal name (UPN) format (firstname.lastname@example.org).
- The Exchange virtual server is configured to use forms-based authentication (Cookie-auth).
To work around this behavior, use one of the following methods.
Method 1: Specify the domain when you log on
When you log on, specify your domain in your logon credentials. To do so, use one of the following formats in the User name list of the Connect to Servername.com dialog box (where domain is the name of your domain, where user is your alias, and where UPN is the user principal name):
Method 2: Customize Logon.asp
If you do not want to specify the domain when you log on, create a custom Logon.asp page that includes the default domain (either visible or hidden). You can also display a list of the domains that the server supports.
The following example code illustrates how to create a custom Logon.asp page. To use this code, replace both instances of <FORM> in each language-version of the Logon.asp file with the following code.
Note You must replace both instances of <FORM> with this code because one instance is for rich experience and the other instance is for basic experience. This replacement is required for browser compatibility.
Also, if you make a custom Logon.asp page, users will no longer be able to log on with a user name of domain\user name. If they do this they will actually be passing domain\domain\user name.
Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.
Important Microsoft does not provide assistance in customizing OWA objects and if you contact Microsoft about an OWA issue for a server that OWA is customized on, you must replace the customized files with the original versions of the files.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
327178 Microsoft support policy for the customization of Outlook Web Access for Exchange
Note In the script, make sure that you add the name of your network basic input/output system (NetBIOS) domain in the code. In the script that is provided, put your domain name in the <name of NetBIOS domain here> location.
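The domain\domain\user name result described in the note above comes from prepending the default domain unconditionally. The following is an added example, not Microsoft's Logon.asp code, that contrasts that behaviour with logic that first classifies what the user typed. DEFAULT_DOMAIN, naivePrepend and normalizeLogon are hypothetical names, and "CONTOSO" is a constructed stand-in for the <name of NetBIOS domain here> value.

```javascript
// Added example; not the script from the original article.
// DEFAULT_DOMAIN is a constructed placeholder for <name of NetBIOS domain here>.
const DEFAULT_DOMAIN = "CONTOSO";

// Behaviour the note warns about: the domain is always prepended,
// so "CONTOSO\alice" is submitted as "CONTOSO\CONTOSO\alice".
function naivePrepend(input) {
  return DEFAULT_DOMAIN + "\\" + input;
}

// Guarded version: classify the input, prepend only for a bare alias,
// and reject malformed names instead of submitting them.
function normalizeLogon(input, defaultDomain = DEFAULT_DOMAIN) {
  const name = String(input).trim();
  if (name === "") return { ok: false, reason: "empty user name" };

  const slashes = name.split("\\").length - 1;
  const ats = name.split("@").length - 1;

  if (slashes === 0 && ats === 0) {
    // Bare alias: the only case where the default domain is added.
    return { ok: true, kind: "alias", username: defaultDomain + "\\" + name };
  }
  if (slashes === 1 && ats === 0) {
    // Domain\User: pass through unchanged so the domain is not doubled.
    const [domain, user] = name.split("\\");
    if (domain === "" || user === "") {
      return { ok: false, reason: "incomplete Domain\\User" };
    }
    return { ok: true, kind: "domain\\user", username: name };
  }
  if (slashes === 0 && ats === 1) {
    // UPN: pass through unchanged.
    const [user, suffix] = name.split("@");
    if (user === "" || suffix === "") {
      return { ok: false, reason: "incomplete UPN" };
    }
    return { ok: true, kind: "upn", username: name };
  }
  // Anything else (several backslashes, both "\" and "@") is rejected.
  return { ok: false, reason: "ambiguous logon name" };
}
```

Rejecting incomplete or ambiguous names is a design choice of this example; the same classification can be repeated on the server side so that the result does not depend on client script running.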
Method 3: Disable authentication for incoming Web requests in ISA Server 2000
If OWA is published behind a server that is running ISA Server, verify that no authentication methods are configured for incoming Web requests.
- Open ISA Server 2000.
- Right-click the ISA Server name, and then click Properties.
- Click the Incoming Web Requests tab.
- Select the Web request listener that is used for OWA, and then click Edit.
- Click to clear all the authentication methods, including the Integrated authentication method.
- Click OK.
- Restart the Microsoft ISA Server Web Proxy service.
Note In ISA Server 2004 and ISA Server 2006, this method must be done on the listener for the publishing rule.
In Exchange Server 2003, forms-based authentication (Cookie-auth) requires that you use a backslash character as the default domain setting in Exchange System Manager. This restriction is designed to support user logons using the UPN format. If you modify the default domain in Microsoft Internet Information Services (IIS) to anything other than the default domain setting of "\", Exchange System Manager will reset the default domain setting to "\" on the server.
Additionally, if forms-based authentication is deployed in a front-end-back-end configuration, the default domain setting on the back-end server must match the default domain setting on the front-end server, or you may experience authentication problems. Therefore, if forms-based authentication is enabled on the front-end server (which requires the backslash as the default domain), the default domain on the back-end server must also be set to "\" in Exchange System Manager.
For more information about why you should administer authentication and default domain settings in Exchange System Manager, click the following article numbers to view the articles in the Microsoft Knowledge Base:
240105 General information on Directory Service/Metabase Synchronization in Exchange 2000 Server
264941 Changes to virtual directory settings are not maintained
This behavior is by design.
Article ID: 820378 - Last Review: 05/07/2008 16:21:04 - Revision: 13.0
Microsoft Exchange Server 2003 Enterprise Edition, Microsoft Exchange Server 2003 Standard Edition, Microsoft Windows Small Business Server 2003 Premium Edition, Microsoft Windows Small Business Server 2003 Standard Edition