XWEB: How to Set Up OWA for Specific Users
ID: Q236811
The information in this article applies to:
- Microsoft Outlook Web Access, version 5.5 Service Packs 1, 2
SUMMARY
The information in this article describes how to limit the use of Outlook Web Access (OWA) or grant permission to select individuals or groups of individuals to use OWA if OWA is installed on an NTFS partition.
MORE INFORMATION
By default, the Everyone group has Full Control access rights on the Exchsrvr\Webdata folder. By restricting the permissions on the Logon.asp file, you can be selective as to which users can have access to their mailboxes through OWA.
NOTE: You may need to make this change on all servers that have OWA installed on them.
- Locate the Logon.asp files in the Exchsrvr\Webdata\country folders.
- On the File menu, click Properties, and click the Security tab.
- Click Permissions, and remove the Everyone group from the File Permissions dialog box.
- Add individual groups or users by clicking the Add button. Give these users or groups Full Control access.
- Click OK twice to quit the File Permissions dialog box, and click OK once more to quit the Logon.asp Properties dialog box.
Users who have Full Control access rights to the Logon.asp file can log on to the OWA logon screen by typing the HTTP address for OWA, for example: http://iisserver/exchange
Users who do not have permission to the Logon.asp file receive a blank screen that says "Access Denied."
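The same permission change scripted with the cacls command-line tool for every country folder on one server, as an added example that is not part of the original article. The install path C:\Exchsrvr and the group DOMAIN\OWAUsers are placeholders; substitute your own values.

```batch
@echo off
rem Added example, not from the original article.
rem ASSUMPTIONS (placeholders): install path and the group allowed to use OWA.
setlocal
set WEBDATA=C:\Exchsrvr\Webdata
set OWAGROUP=DOMAIN\OWAUsers

rem Walk every country folder under Webdata and process its Logon.asp.
for /D %%d in ("%WEBDATA%\*") do (
  if exist "%%d\Logon.asp" (
    rem Grant first, so the file is never left without the intended entry.
    rem /E edits the existing ACL instead of replacing it.
    cacls "%%d\Logon.asp" /E /G %OWAGROUP%:F

    rem Remove the Everyone entry, as in the Permissions dialog step.
    cacls "%%d\Logon.asp" /E /R Everyone

    rem Verify: find returns errorlevel 0 when Everyone is still listed.
    cacls "%%d\Logon.asp" | find /I "Everyone" >nul
    if not errorlevel 1 echo WARNING: Everyone still listed on %%d\Logon.asp

    rem Print the resulting ACL for the change record.
    cacls "%%d\Logon.asp"
  )
)
endlocal
```

Run it on each server that has OWA installed, and keep the printed ACLs as evidence that no Logon.asp file still grants access to Everyone.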
When Microsoft Internet Information Server (IIS) and OWA are on a different computer than Exchange Server, you see the following behavior:
- If the user has Full Control access rights on the Logon.asp file, the user is prompted once for his or her credentials, and then the user can access the OWA logon screen.
- If the user has NO permission on the Logon.asp file, he or she is prompted three times for credentials.
This behavior is by design. The user has three opportunities to type the correct password information.
NOTE: You cannot use NTLM in this scenario.
For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
Q183545 XCLN: NTLM Authentication Fails Between Two Computers with OWA
When IIS, OWA, and Exchange Server are on the SAME computer, you see the following behavior:
NOTE: Enabling NTLM is recommended in this scenario.
- If the user has Full Control access rights on the Logon.asp file, the user is NOT prompted at all for credentials and can access the OWA logon screen immediately.
- If the user has NO permission on the Logon.asp file, the user is prompted three times for credentials.
- If a user who has NO permission to the Logon.asp file types the domain name, user name, and password of a user who does have access to this file, he or she gains access to the logon screen and can type in his or her mailbox name. At this point, the user is prompted a second time, which appears to be to gain access to the Logon.asp file again. If the user then types the domain name, user name, and password of a user who does have access to this file, the user gains access to his or her mailbox through OWA, and has full functionality.
For additional information on IIS, Security, and Challenge Response, click the article numbers below to view the articles in the Microsoft Knowledge Base:
Q170851 How Windows NT/Challenge Response Authentication Works
Q158229 INFO: Security Ramifications for IIS Applications
Version : WINDOWS:5.5
Platform : WINDOWS
Issue type : kbhowto