userPrincipalName with IIS security?
    userPrincipalName with IIS security?  
Dave Williams
09-16-05 12:48 PM

Hi all, I have an odd issue...

I have an IIS 6 server (actually running Exchange OWA) and two users, one of
whom is allowed full access and the other is denied all access. The denied
user is a member of Domain Admins and Exchange Admins, and can log onto a
mailbox fine using Outlook but not with OWA; the allowed user is just a
normal domain user but can access their mailbox in OWA no problem.

Looking through the AD properties of the two users, I found the only
distinction (apart from one being more administrative) is that the allowed
user has a 'userPrincipalName' set whereas the failing user doesn't. Is
there any configuration setting that might be in force on IIS that might
cause this to happen?

I'm aware that userPrincipalName is used for Kerberos authentication, but
not sure what happens if a user doesn't have one (I've done the same thing
in other environments for users without a userPrincipalName many times).
Could it be that the IIS/OWA configuration is disallowing NTLM as its
'integrated' authentication method, so forcing Kerberos and that's failing?

I've looked around the other configuration options, and can see nothing that
would explain why one user would connect and the other be refused.

Any ideas?
Thanks,
Dave
    Re: userPrincipalName with IIS security?  
David Wang [Msft]
09-17-05 12:48 PM

No such configuration on IIS exists for your theory.

My guess is that you have some DENY ACL against a group that the
Administrator is in but NOT against the group the normal user is in.
Remember, giving access is not about just having permission; it is also
about not being denied permission.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
[ Post a follow-up to this message ]
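As an added illustration of David's point (example code written for this page, not code from the thread, from IIS or from Windows), a small Python model of how a Windows DACL is evaluated: a matching Deny ACE on any group in the caller's token refuses the request before any Allow ACE is considered, so an account with more group memberships can be refused where a plain user is not. The web-root DACL, the group names and the two tokens are constructed for the example.

```python
# Simplified model of Windows DACL evaluation. Constructed example: the
# DACL, trustees and tokens below are invented, not taken from a real server.
from dataclasses import dataclass

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4

@dataclass(frozen=True)
class Ace:
    kind: str        # "allow" or "deny"
    trustee: str     # user or group name standing in for a SID
    mask: int        # access bits this ACE covers

def check_access(dacl, token, requested):
    """Return (granted, reason). dacl is in canonical order (Deny ACEs first),
    token is the set of user and group names, requested is an access mask."""
    remaining = requested
    for ace in dacl:
        if ace.trustee not in token:
            continue                      # ACE is for someone else
        if ace.kind == "deny" and ace.mask & remaining:
            return False, f"denied by Deny ACE for {ace.trustee}"
        if ace.kind == "allow":
            remaining &= ~ace.mask        # these bits are now satisfied
            if remaining == 0:
                return True, "all requested bits granted"
    return False, "no ACE grants the remaining bits (implicit deny)"

def matching_deny_aces(dacl, token):
    """The first thing to look for when an admin is refused but a plain user
    is not: Deny ACEs that match any group the failing account belongs to."""
    return [ace for ace in dacl if ace.kind == "deny" and ace.trustee in token]

# Constructed DACL on a web root: someone added a Deny for Domain Admins.
WEBROOT_DACL = [
    Ace("deny", "Domain Admins", READ | EXECUTE),
    Ace("allow", "Domain Users", READ | EXECUTE),
    Ace("allow", "Administrators", READ | WRITE | EXECUTE),
]
# The failing account has more group memberships than the working one, not fewer.
ADMIN_TOKEN = {"admin.user", "Domain Users", "Domain Admins", "Administrators"}
NORMAL_TOKEN = {"normal.user", "Domain Users"}

if __name__ == "__main__":
    for name, token in (("admin", ADMIN_TOKEN), ("normal", NORMAL_TOKEN)):
        print(name, check_access(WEBROOT_DACL, token, READ | EXECUTE))
    print("deny ACEs matching the admin token:", matching_deny_aces(WEBROOT_DACL, ADMIN_TOKEN))
```

Note that the Deny ACE only bites on the bits it covers: the same admin token is still granted WRITE through the Administrators Allow ACE, which is why a refusal can be specific to one kind of access.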
    Re: userPrincipalName with IIS security?  
Dave Williams
09-21-05 10:53 PM

Thanks for that answer.

My next question is perhaps predictable - what object might have a DENY ACE
in its ACL that would prevent a user from accessing a webpage?

The primary failure was of the OWA website, but the per-user configuration
to allow use of OWA was set to allow OWA, and OWA should not have been
blocking access based on Exchange permissions, because all was well
accessing the mailbox using Outlook.

I believe we were also getting the same access failures accessing the root
of the default website, which is outside OWA's scope.

Also, I see there's a 'permissions' menu option on the IIS 'default web
site' object, but that is not set to disallow any users access to the site.

Any suggestions of where we should be looking for DENY settings would be
gratefully received.
Thanks,
Dave