OWA 440 login timeout

Installed and configured SBS2003. Worked like a charm. RWW and OWA
working perfectly. Unfortunately, I applied domain controller policies
and have hosed OWA. RWW still works fine. No issues there. OWA, I get
my certificate, present my login credentials, and immediately get the
440 login timeout. I've tried the following:

1) Open AD Users & Computers. Expand the Users OU, right-click on the
IUSR_<servername> account and select 'Reset password' Reset the
password to anything you want (however, it can't be blank).


2) Open this User Account's properties and verify that the account is
not locked out :^) Also, make sure that 'Password never expires' and
'User cannot change password' are selected.


3) Repeat steps 1 & 2 for the IWAM_<servername> account. Close AD
Users & Computers.


4) Open Internet Information Services (Start | Administrative Tools)


5) Expand <servername> | Web Sites


6) Right-click on 'Default Web Site' and select Properties.


7) Go to the 'Directory Security' tab and click the Edit button under
'Authentication & Access Control'


8) Enter the new password for the IUSR_<servername> account and click
OK.


9) Enter the password again to confirm and click OK.


10) Click OK.


11) Open a command prompt and enter iisreset


12) At the command prompt, enter the following commands:
cd c:\inetpub\adminscripts
adsutil SET w3svc/WAMUserPass <password> (Where <password> =
the password you entered for the IWAM_<servername> account in AD Users
& Computers)
c:\windows\system32\cscript.exe
"c:\inetpub\adminscripts\synciwam.vbs" -v
iisreset

Still unable to get into OWA. Also doesn't work when I do
http:\\domain_name\exchange. I still get the 440 login timeout. This
doesn't work internally. I am not doing external rww yet. I have also
tried:

1. Go into Internet Information Services Manager.
2. Go to the properties of the default website.
3. Select the "Directory Security" tab and then click the edit button
under
"authentication and access control".
4. Type in a new password for the IUSR_COMPUTERNAME account and you
will be
asked to then reenter that password.
5. Apply the change to all the default virtual directories under the
default website.
6. Go to a command prompt and type IISRESET to stop and start all the
IIS
services and then test OWA again to see if it works.

I'm now trying to figure out how to reset the domain controller policy
to default if I can't find another answer. Rebuilding isn't out of the
question either.

Any help would be greatly appreciated. Also know, this isn't a business
issue so it's not pressing. I've been working on it for a couple of
weeks now. I'm just trying to learn for my own education.

Thanks,
John McDermott
john.mcdermott@sohosecure.net

Hi John,

Thanks for posting here.

From your post, my understanding on this issue is: you get the 440 login
time out error message when you access OWA. If I am off base, please feel
free to let me know.

Based on my research, this issue is related with the anonymous access on
the Exchweb virtual directory. Either anonymous account password is changed
unexpectedly or the anonymous access is disabled. Please use the following
way to check it.

1. Open IIS from the Server Management
2. Expand the Default Web Site and open the properties page of ExchWeb
Virtual Directory
3. In the Directory Security tab, Click Edit under Authentication and
Access Control
4. Please make sure ONLY Anonymous access is select.
5. Check the same settings on the Exchange Virtual Directory and make sure
ONLY 'Basic authentication' is selected
6. If any change, please restart your IIS service and test your issue again.

If the problem cannot be resolved, please use the following steps to reset
anonymous user password.

1. Open Active Directory Users and Computers snap-in and select users
container.
2. Right click IUSR_YourServerName user and click Reset Password??
3. Input a new password, confirm it and click OK
4. Open Server Management and expand IIS console
5. Expand website and right click Default Web Site and then, click
properties
6. In the directory security tab, click Edit??
7. Click Browse button
8. Input IUSR_YourServerName in the box and click OK
9. Input the new password in the Password box
10. Click OK

However, if you use the above steps, you may need to reset the anonymous
account in every virtual directory that need anonymous access. A better
method is listed in the below article

332167 IIS 6.0: HOW TO: Configure IIS to Control the Anonymous Password
http://support.microsoft.com/?id=332167

If the issue persists, please kindly help me collect the following
information for further analysis:

1. Metabase
=======
a. Install .NET Framework Version 1.1:
http://www.microsoft.com/downloads/d...5e3-f589-4842-
8157-034d1e7cf3a3&DisplayLang=en.
b. Install MBExplorer by installing IIS 6 Resource Kit Tools:
http://www.microsoft.com/downloads/d...2EE-A71A-4C73-
B628-ADE629C89499&displaylang=en.
c. Once it is installed, access it from Start, Programs, IIS Resources,
Metabase Explorer.
d. In the left pane, right click ''LM'' (under your server computer name)
to choose ''Export to file'', and then save it as IIS.mbk.
e. Compress this mbk file and send it to me for analysis.

2. IIS logs
======
1. Open IIS.
2. Locate Default web site. Right-click it and then click Properties.
3. Click to selected Enable logging and then click properties.
4. Click Advanced.
5. Click to select every checkbox here.
6. Click OK to close these windows.
7. Reproduce this issue and send the logs to me.

NOTE: The log files are located at %systemroot%\System32\LogFiles by
default.

Please kindly send these log files to my working mailbox:
v-stezhu@microsoft.com.

Also, please let me know which domain policy you applied on the server.

If you have any questions or concerns related to this issue, please let me
know.

I appreciate your time and look forward to hearing from you.

Have a nice day!

Best Regards,

Steven Zhu
MCSE
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
======================================================
PLEASE NOTE the newsgroup SECURE CODE and PASSWORD were
updated on February 14, 2006.? Please complete a re-registration process
by entering the secure code mmpng06 when prompted. Once you have
entered the secure code mmpng06, you will be able to update your profile
and access the partner newsgroups.
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================

Steven,

Thanks for the response. I have set the web sites as requested with
basic anonymous authentication. Now when I try to access my site, I
receive 401.1 unauthorized access errors. In my security event viewer,
I receive event 534 errors for logon type 8. I'll try to get the rest
of the setup done tomorrow.Ran out of time tonight.

Thanks again,
John McDermott


Steven Zhu [MSFT] wrote:
> Hi John,
>
> Thanks for posting here.
>
> From your post, my understanding on this issue is: you get the 440 login
> time out error message when you access OWA. If I am off base, please feel
> free to let me know.
>
> Based on my research, this issue is related with the anonymous access on
> the Exchweb virtual directory. Either anonymous account password is changed
> unexpectedly or the anonymous access is disabled. Please use the following
> way to check it.
>
> 1. Open IIS from the Server Management
> 2. Expand the Default Web Site and open the properties page of ExchWeb
> Virtual Directory
> 3. In the Directory Security tab, Click Edit under Authentication and
> Access Control
> 4. Please make sure ONLY Anonymous access is select.
> 5. Check the same settings on the Exchange Virtual Directory and make sure
> ONLY 'Basic authentication' is selected
> 6. If any change, please restart your IIS service and test your issue again.
>
> If the problem cannot be resolved, please use the following steps to reset
> anonymous user password.
>
> 1. Open Active Directory Users and Computers snap-in and select users
> container.
> 2. Right click IUSR_YourServerName user and click Reset Password??
> 3. Input a new password, confirm it and click OK
> 4. Open Server Management and expand IIS console
> 5. Expand website and right click Default Web Site and then, click
> properties
> 6. In the directory security tab, click Edit??
> 7. Click Browse button
> 8. Input IUSR_YourServerName in the box and click OK
> 9. Input the new password in the Password box
> 10. Click OK
>
> However, if you use the above steps, you may need to reset the anonymous
> account in every virtual directory that need anonymous access. A better
> method is listed in the below article
>
> 332167 IIS 6.0: HOW TO: Configure IIS to Control the Anonymous Password
> http://support.microsoft.com/?id=332167
>
> If the issue persists, please kindly help me collect the following
> information for further analysis:
>
> 1. Metabase
> =======
> a. Install .NET Framework Version 1.1:
> http://www.microsoft.com/downloads/d...5e3-f589-4842-
> 8157-034d1e7cf3a3&DisplayLang=en.
> b. Install MBExplorer by installing IIS 6 Resource Kit Tools:
> http://www.microsoft.com/downloads/d...2EE-A71A-4C73-
> B628-ADE629C89499&displaylang=en.
> c. Once it is installed, access it from Start, Programs, IIS Resources,
> Metabase Explorer.
> d. In the left pane, right click ''LM'' (under your server computer name)
> to choose ''Export to file'', and then save it as IIS.mbk.
> e. Compress this mbk file and send it to me for analysis.
>
> 2. IIS logs
> ======
> 1. Open IIS.
> 2. Locate Default web site. Right-click it and then click Properties.
> 3. Click to selected Enable logging and then click properties.
> 4. Click Advanced.
> 5. Click to select every checkbox here.
> 6. Click OK to close these windows.
> 7. Reproduce this issue and send the logs to me.
>
> NOTE: The log files are located at %systemroot%\System32\LogFiles by
> default.
>
> Please kindly send these log files to my working mailbox:
> v-stezhu@microsoft.com.
>
> Also, please let me know which domain policy you applied on the server.
>
> If you have any questions or concerns related to this issue, please let me
> know.
>
> I appreciate your time and look forward to hearing from you.
>
> Have a nice day!
>
> Best Regards,
>
> Steven Zhu
> MCSE
> Microsoft Online Partner Support
> Get Secure! - www.microsoft.com/security
> ======================================================
> PLEASE NOTE the newsgroup SECURE CODE and PASSWORD were
> updated on February 14, 2006.? Please complete a re-registration process
> by entering the secure code mmpng06 when prompted. Once you have
> entered the secure code mmpng06, you will be able to update your profile
> and access the partner newsgroups.
> ======================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from this issue.
> ======================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
> ======================================================

Hi John,

Thanks for your update.

Please try the other troubleshooting steps provide in my previous reply,
and please kindly send these log files (IIS metabases, IIS log) to my
working mailbox: v-stezhu@microsoft.com.

Also, please let me know which domain policy you applied on the server.

I will looking forward to your reply.

Thanks for your time and have a good day.

Best Regards,

Steven Zhu
MCSE
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
======================================================
PLEASE NOTE the newsgroup SECURE CODE and PASSWORD were
updated on February 14, 2006.? Please complete a re-registration process
by entering the secure code mmpng06 when prompted. Once you have
entered the secure code mmpng06, you will be able to update your profile
and access the partner newsgroups.
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may

learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================