Possible to RP Outlook Web Access without forms-based authentication?

Apr 5, 2010 at 5:24 PM

I originally had Forms-Based authentication enabled on my OWA 2003 server to accommodate URL Rewriter's reverse proxy.  This worked until I was ordered to make the iPhone and some other portable devices work with Exchange 2003's ActiveSync technology, then I disabled forms-based auth and instead used HTTP basic and NTLM auth (over SSL, so HTTP basic is OK for me).

Right now if I try to visit my OWA server, barring other difficulties, I'm repeatedly asked for my username and password.  The proxy's rewriter.log shows me this:

2010-04-05T10:48:30 [Rewrite] Input: https://[server-name]/exchange/GWFecyk/Inbox
2010-04-05T10:48:30 [Rewrite] Proxy: https://[server-name]/exchange/GWFecyk/Inbox
2010-04-05T10:48:30 **********************************************************************************
2010-04-05T10:48:30 [Proxy] Request: https://[server-name]/exchange/GWFecyk/Inbox
2010-04-05T10:48:30 [Proxy] Error received from https://[server-name]/exchange/GWFecyk/Inbox: The remote server returned an error: (401) Unauthorized.
2010-04-05T10:48:30 [Proxy] System.Net.HttpWebResponse
2010-04-05T10:48:30 [Proxy] Received '401 Unauthorized'
2010-04-05T10:48:30 [Proxy] Response: https://[server-name]/exchange/GWFecyk/Inbox
2010-04-05T10:48:30 [Proxy] Response is being buffered
2010-04-05T10:48:30 [Proxy] Responding '401 Unauthorized'
2010-04-05T10:48:30 **********************************************************************************

I have to somehow have the incoming URL and outgoing URL hostname identical, or Exchange 2003 will fail because of some kind of Base URL that it sends back to the client and I can't edit it. This is why the input and proxy have the same host name. But that's a different problem entirely.

Anyway, even though I'm seeing 200 OK on static things like GIF images on /exchweb/, I'm seeing repeated 401 Unauthorized on the actual inbox.

Right now I have both NTLM and Basic auth enabled on the Exchange Server.  Would forcing Basic auth remove this problem? I can't go back to forms-based auth because of these iPhones and the upcoming iSlab (oop did I say that out loud?) I mean iPad and other phones that use ActiveSync. I'm working around the problem by opening a different port directly to my Exchange server, which oddly enough works with the iPhone.

My configuration:

RewriteRule ^(/exchange.*)   https://[server-name]$1 [QSA,NC,P]
RewriteRule ^(/exchweb.*)   https://[server-name]$1 [QSA,NC,P]
RewriteRule ^(/public.*)   https://[server-name]$1 [QSA,NC,P]
RewriteRule ^(/OMA.*)   https://[server-name]$1 [QSA,NC,P]
RewriteRule ^(/Microsoft-Server-ActiveSync.*)   https://[server-name]$1 [QSA,NC,P]

Apr 5, 2010 at 8:49 PM
Edited Apr 8, 2010 at 1:56 AM

It seems that the authentication isn't getting passed with the request.  I guess you could try dropping it down to Basic, but I am not really sure.  The Wireshark logs you are sending me are hard to decipher and debug from.  Can you just send me a Fiddler log instead?  To record with Fiddler, just open the tool on the server with the proxy installed.  And make the following changes to your web.config on the server with the proxy installed.

		<defaultProxy enabled="true">
			<proxy proxyaddress="" />
		</defaultProxy>

After you do this you will start receiving/sending requests through Fiddler.  When you have recorded what you want to show me, delete all the irrelevant requests that don't pertain to the bug, and then save the file to disk.  (File > Save > All Sessions)

Thanks, this will really help out.
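
As an added example (not part of the thread and not URL Rewriter's own code), this Python script reads lines in the rewriter.log layout quoted in the question and separates the single 401 that opens every Basic/NTLM exchange from URLs that were answered 401 repeatedly and never successfully. The sample log is constructed, and the `Received '200 OK'` line format is an assumption modelled on the 401 line shown above.

```python
import re
from collections import defaultdict

# Constructed sample in the rewriter.log layout quoted in the question; the
# "200 OK" line format is assumed to mirror the "401 Unauthorized" line.
SAMPLE_LOG = """\
2010-04-05T10:48:29 [Proxy] Request: https://[server-name]/exchweb/img/logo.gif
2010-04-05T10:48:29 [Proxy] Received '200 OK'
2010-04-05T10:48:30 [Proxy] Request: https://[server-name]/exchange/user/Inbox
2010-04-05T10:48:30 [Proxy] Error received from https://[server-name]/exchange/user/Inbox: The remote server returned an error: (401) Unauthorized.
2010-04-05T10:48:30 [Proxy] Received '401 Unauthorized'
2010-04-05T10:48:34 [Proxy] Request: https://[server-name]/exchange/user/Inbox
2010-04-05T10:48:34 [Proxy] Received '401 Unauthorized'
2010-04-05T10:48:41 [Proxy] Request: https://[server-name]/public/
2010-04-05T10:48:41 [Proxy] Received '401 Unauthorized'
2010-04-05T10:48:42 [Proxy] Request: https://[server-name]/public/
2010-04-05T10:48:42 [Proxy] Received '200 OK'
"""

REQUEST = re.compile(r"^(\S+) \[Proxy\] Request: (\S+)$")
RECEIVED = re.compile(r"^\S+ \[Proxy\] Received '(\d{3}) [^']*'$")


def upstream_statuses(log_text):
    """Pair each '[Proxy] Request:' line with the next 'Received' status."""
    events, pending = [], None
    for line in log_text.splitlines():
        line = line.strip()
        if m := REQUEST.match(line):
            pending = (m.group(1), m.group(2))
        elif (m := RECEIVED.match(line)) and pending:
            events.append((*pending, int(m.group(1))))
            pending = None
    return events


def auth_loops(events, min_repeats=2):
    """URLs answered 401 at least min_repeats times and never anything else.
    One 401 is the normal challenge; repeats mean no credentials got through."""
    by_url = defaultdict(list)
    for _, url, status in events:
        by_url[url].append(status)
    return {url: len(codes) for url, codes in by_url.items()
            if len(codes) >= min_repeats and set(codes) == {401}}

if __name__ == "__main__":
    for url, n in auth_loops(upstream_statuses(SAMPLE_LOG)).items():
        print(f"{n} upstream 401s, no success: {url}")
```

On the constructed sample, `/public/` is not flagged because its 401 challenge is followed by a 200, while the inbox URL is flagged because every upstream answer was a 401.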