How to Configure Outlook Web Access Web Administration in Exchange 2003

Troubleshooting Outlook Web Access Web Administration for Exchange 2003

Microsoft Exchange Server 2003 relies heavily on Internet Information Services (IIS) 6.0 to serve Outlook Web Access (OWA). When administrators cannot manage or access the OWA environment via web administration tools, the root cause usually stems from IIS misconfigurations, broken virtual directories, or Active Directory (AD) permissions issues.

Below is a comprehensive guide to diagnosing and fixing the most common points of failure in Exchange 2003 OWA administration. 1. Verify IIS Virtual Directory Status

OWA administration functions through specific IIS virtual directories. If these directories are misconfigured or stopped, web administration fails.

Check the Directories: Open the IIS Manager and ensure that Exchange, Public, Exchweb, and OMA are present under the Default Web Site.

Inspect the Application Pools: Exchange 2003 components typically run under the ExchangeApplicationPool. Ensure this pool is started. If it crashes repeatedly, check the Windows Event Viewer for W3SVC errors.

Rebuild if Corrupted: If directories are missing or severely misconfigured, use the Exchange System Manager (ESM) to recreate them. Right-click the HTTP protocol object under your server protocols and select New > Virtual Directory. 2. Resolve Authentication and SSL Conflicts

Authentication mismatches between IIS and Active Directory are the leading cause of HTTP 401 (Unauthorized) and HTTP 403 (Forbidden) errors during OWA administration.

Inheritance Flags: Ensure that the Exchweb folder inherits correct permissions. It requires Anonymous access enabled, as it houses the graphics, controls, and scripts utilized by the administration interface.

Integrated Windows Authentication: The web administration tools require Integrated Windows Authentication (NTLM/Kerberos) or Basic Authentication to validate administrator credentials against Active Directory. Turn off Anonymous access only on directories meant for strict administrative use.

SSL Requirements: If “Require Secure Channel (SSL)” is checked in IIS, ensure your administrative URLs use https:// instead of http://. A mismatch will immediately trigger a 403.4 error. 3. Correct URL Scan and ISAPI Filter Blockages

Security tools frequently block administrative scripts, mistaking them for malicious web requests.

URLScan Configurations: Exchange 2003 environments often utilize Microsoft’s URLScan tool. Check the UrlScan.ini file. If verbs like OPTIONS, PROPFIND, or BPROPFIND are listed under the [DenyVerbs] section, OWA web administration features will break. Move them to [AllowVerbs].

Exchweb ISAPI Filters: Verify that the Exchange ISAPI filters (exchmem.dll) are properly registered and active in the IIS Web Site properties. 4. Fix Enterprise Admin and Permission Inheritance Issues

Active Directory protects high-privileged accounts (like Domain Admins or Enterprise Admins) via a process called AdminSDHolder. This can inadvertently strip permissions required for Exchange web administration.

The Symptom: An administrator can log in initially, but suddenly loses the ability to manage OWA mailboxes or configurations after 60 minutes.

The Fix: Open Active Directory Users and Computers, enable Advanced Features, open the administrator account properties, and navigate to the Security tab. Click Advanced and ensure the checkbox for “Allow inheritable permissions from the parent to propagate to this object” is selected. 5. Analyze IIS Logs for Error Codes

When the browser displays a generic “Page Cannot Be Displayed” message, the raw IIS logs hold the exact sub-status codes needed for a precise fix.

Locate Logs: By default, logs are stored in %SystemRoot%\System32\LogFiles\W3SVC1</code>.