Applies to: Exchange Server 2007 SP3, Exchange Server
2007 SP2, Exchange Server 2007 SP1
Topic Last Modified: 2007-09-18
This topic provides an overview of the default authentication methods in the /owa virtual directory in Internet Information Services (IIS) Manager and the default access control lists (ACLs) in the file system under ClientAccess\owa. In addition, this topic provides procedures for checking and modifying the IIS and files system settings. These are the authentication methods and ACLs required for Microsoft Office Outlook Web Access to work correctly. Changing the authentication methods by using IIS Manager or the ACLs in the file system may make Outlook Web Access unavailable.
Before You Begin
To perform the following procedures, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server.
For more information about permissions, delegating roles, and the rights that are required to administer Microsoft Exchange Server 2007, see Permission Considerations.
Authentication Methods in IIS Manager
The necessary defaults for IIS Manager are set automatically when the Exchange 2007 Client Access server role is installed. You should not change the Outlook Web Access virtual directories through IIS Manager unless specifically instructed to do this. Most Outlook Web Access virtual directory properties must be managed through the Exchange Management Console or the Exchange Management Shell.
The /owa virtual directory and most of the sub directories require the same access method. By default, the authentication method is set to Basic. However, the method will reflect changes that were made by using the Exchange Management Console or the Exchange Management Shell. If the virtual directory has been configured to use forms-based authentication, the authentication in IIS Manager will be set to Basic.
The sub directories <version> (the build number of Exchange), auth, and bin do not use the same authentication method, but require anonymous access.
To view the authentication settings in IIS Manager-
Open IIS Manager.
-
Select Web Sites, and then select Default Web Site. Right-click owa, select Properties, and then click the Directory Security tab.
-
Under Authentication and access control, click Edit.
-
Click OK to close the Authentication Methods window.
-
Click OK again to close the Properties window.
-
Repeat as needed for the sub directories.
Check the authentication settings in the /owa virtual directory by using the Exchange Management Console or the Exchange Management Shell. For information about checking and modifying authentication methods for Outlook Web Access, see Managing Outlook Web Access Security.
If you find that the authentication methods do not match the settings for the /owa virtual directory in IIS Manager, reapply the authentication methods in the Exchange Management Console or the Exchange Management Shell before you make any changes in IIS Manager.
If reapplying the authentication methods in the Exchange Management Console or the Exchange Management Shell does not correct the authentication methods in IIS Manager, the most reliable method to set the correct authentication methods is to remove and re-create the affected virtual directories. For information about how to remove and re-create virtual directories see How to Remove an Outlook Web Access Virtual Directory and How to Create an Outlook Web Access Virtual Directory in Exchange 2007. You can use the Get-OwaVirtualDirectory cmdlet to create a backup copy of the virtual directory settings before you delete the virtual directory, and then use the Set-OwaVirtualDirectory cmdlet to apply those settings to the new virtual directory.
Use IIS Manager to change the authentication methods if the following conditions are true:
- The /owa virtual directory has been customized.
- It is not practical to remove and re-create it.
-
Open IIS Manager.
-
Select Web Sites, and then select Default Web Site. Right-click owa, select Properties, and then click the Directory Security tab.
-
Under Authentication and access control, click Edit.
-
Edit the authentication methods to match the settings that you found in the Exchange Management Console or the Exchange Management Shell.
-
Click OK to close the Authentication Methods window.
-
Click OK again to close the Properties window.
-
Repeat as needed for the sub directories.
Permissions in the File System
By default, Exchange 2007 is installed on the Drive C under Program Files\Microsoft
Exchange Server. By default, the Outlook Web Access files are stored in Program Files\Microsoft\Exchange Server\ClientAccess\Owa. That directory and all subdirectories and files in it should have the following ACLs:
- Local Administrators: Full Control
- Authentication User: Read
- SYSTEM: Full Control
- Owner: SYSTEM
-
Right-click Start and select Explore.
-
Select the directory where Exchange 2007 is installed.
-
Select ClientAccess and then Select Owa.
-
Right-click Owa and select Properties.
-
Click the Security tab.
-
Review the permissions for each entry in Group or user names and verify that they match the required permissions. Change any entry that has a lower permission level than is required. The permissions should be as follows:
- Local Administrators: Full Control
- SYSTEM: Full Control
- Authenticated Users: Read
- Local Administrators: Full Control
-
Click the Advanced button.
-
Click the Owner tab.
-
Verify that value in Current owner is SYSTEM. Change the value if it is necessary.
-
Click OK to close the Advanced properties window.
-
Click OK again to close the Owa Properties window.
-
By default, changes will automatically be applied to all sub directories.
For More Information
For information about Outlook Web Access authentication, see the following topics:
- Managing
Outlook Web Access Security
- Configuring
Forms-Based Authentication for Outlook Web Access
- Configuring
Standard Authentication Methods for Outlook Web Access
For information about Outlook Web Access virtual directories, see:
- Managing
Outlook Web Access Virtual Directories in Exchange 2007
- How to
Remove an Outlook Web Access Virtual Directory
- How to
Create an Outlook Web Access Virtual Directory in Exchange
2007
For information about how to use cmdlets to manage virtual directories see the following topics: