Additional logon prompts are usually the result of incorrect authentication settings. For RSA SecurID two-factor authentication to interoperate with a Client Access Server (CAS), the owa virtual directory must have Integrated Windows Authentication enabled and Anonymous Access disabled.
To verify these settings on the CAS,
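As an added example (not code from the original page), the following script cross-checks what Exchange and IIS each report about authentication on /owa, since a mismatch between the two is the usual cause of the extra logon prompt. It assumes the Exchange 2007 Management Shell on the CAS, the IIS 6 metabase (or the IIS 7 metabase compatibility feature that Exchange 2007 requires), and that /owa lives under W3SVC/1, the Default Web Site; the computer name is taken from the environment.

```powershell
# Added example (not from the original page). Cross-checks what Exchange and IIS
# each report about authentication on the /owa virtual directory, because the
# SecurID interoperation needs Integrated Windows Authentication on and
# Anonymous access off. Assumptions: Exchange 2007 Management Shell on the CAS,
# IIS 6 metabase (or the IIS 7 metabase compatibility feature), and /owa living
# under W3SVC/1 (Default Web Site).

$server   = $env:COMPUTERNAME
$vdirPath = 'IIS://localhost/W3SVC/1/ROOT/owa'

# 1. What Exchange has configured on /owa.
$owa = Get-OwaVirtualDirectory -Server $server | Where-Object { $_.Name -like 'owa*' }
$owa | Format-List Name, WindowsAuthentication, BasicAuthentication, DigestAuthentication, FormsAuthentication

# 2. What IIS enforces. AuthFlags is a bitmask: 1 = Anonymous, 2 = Basic,
#    4 = Integrated Windows (NTLM/Kerberos), 16 = Digest.
$iisOwa       = [ADSI]$vdirPath
$flags        = [int]$iisOwa.AuthFlags.Value
$anonymousOn  = ($flags -band 1) -ne 0
$integratedOn = ($flags -band 4) -ne 0
"IIS AuthFlags on /owa = $flags (Anonymous=$anonymousOn, Integrated=$integratedOn)"

# 3. Compare against what the SecurID setup requires; each mismatch is a known
#    cause of the extra logon prompt.
$problems = @()
if ($anonymousOn)       { $problems += 'Anonymous access is enabled on /owa; disable it.' }
if (-not $integratedOn) { $problems += 'Integrated Windows Authentication is disabled on /owa; enable it.' }
if ($owa.FormsAuthentication -and $integratedOn) {
    $problems += 'Exchange forms-based authentication and IIS Integrated authentication are both on; users will be prompted twice. Use one or the other.'
}

if ($problems.Count -eq 0) {
    'OK: /owa uses Integrated Windows Authentication and Anonymous access is off.'
} else {
    $problems | ForEach-Object { "PROBLEM: $_" }
}
```

The IIS check matters because the Exchange cmdlet only reports what Exchange last wrote; an administrator who later changed the directory security in IIS Manager leaves the two out of step, and IIS is what the browser actually talks to.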
The Account lockout duration, Account lockout threshold and Reset account lockout counter after settings are configured in the Default Domain Policy. They define what happens when a user repeatedly attempts to log on to the domain with an incorrect password. Failed OWA logons count too: each one increments the user's bad password count (badPwdCount), so enough of them will lock the user out of the domain until the counter is reset.
Important consideration: an attacker who has a list of valid usernames can use exactly this mechanism to lock users out of the network, and an Internet-facing OWA logon page gives them a convenient place to do it. The defaults of these Default Domain Policy settings, together with the alternative configuration this page lists, are:

Account lockout duration: the number of minutes a locked-out account remains unavailable before the user can attempt to log on again (0 means the account stays locked until an administrator unlocks it).
    Default: Windows Server 2008 - Not Defined; Windows Server 2003 - Not Defined
    Alternative configuration: Windows Server 2008 - 15 minutes; Windows Server 2003 - 0

Account lockout threshold: the number of failed logon attempts before a lockout occurs (0 means accounts are never locked out).
    Default: Windows Server 2008 - 0; Windows Server 2003 - 0
    Alternative configuration: Windows Server 2008 - 50 invalid logon attempts; Windows Server 2003 - 20 invalid logon attempts

Reset account lockout counter after: the length of time before the failed-logon counter resets to zero.
    Default: Windows Server 2008 - Not Defined; Windows Server 2003 - Not Defined
    Alternative configuration: Windows Server 2008 - 15 minutes; Windows Server 2003 - 30 minutes

Note that a configuration with lockout enabled will likely increase the number of calls the help desk receives to unlock accounts locked by mistake.
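As an added example that is not part of the original page, the following script reads the effective lockout policy from the domain object and lists the accounts that are still locked, warning when several were locked within a short window, which is the pattern a username-spraying attack against the OWA logon page produces. It assumes Windows PowerShell 2.0 or later on a domain-joined host with read access to Active Directory; the 30-minute window and the threshold of five accounts are assumptions to adjust to the environment.

```powershell
# Added example (not from the original page). Reads the domain lockout policy and
# lists accounts that are currently locked out, so that a burst of lockouts coming
# through the OWA logon page can be spotted. Assumptions: Windows PowerShell 2.0+,
# a domain-joined host with read access to AD, a 30-minute window and a threshold
# of 5 locked accounts before warning.

$alertThreshold = 5
$window         = New-TimeSpan -Minutes 30

function New-DomainSearcher {
    param([string]$Filter, [string[]]$Props, [string]$Scope = 'Subtree')
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDN = [string]$rootDse.defaultNamingContext
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]"LDAP://$domainDN"
    $s.SearchScope = $Scope
    $s.Filter      = $Filter
    $s.PageSize    = 1000
    foreach ($p in $Props) { [void]$s.PropertiesToLoad.Add($p) }
    return $s
}

# lockoutDuration and lockOutObservationWindow are stored as negative 100-ns ticks.
# Int64.MinValue in lockoutDuration is the GPO value 0: locked until an admin unlocks.
function Format-AdInterval {
    param([long]$Value)
    if ($Value -eq [long]::MinValue) { return 'until an administrator unlocks the account' }
    if ($Value -eq 0)                { return 'not defined' }
    return ('{0} minutes' -f [TimeSpan]::FromTicks(-$Value).TotalMinutes)
}

$policy = (New-DomainSearcher '(objectClass=domainDNS)' `
            @('lockoutDuration','lockoutThreshold','lockOutObservationWindow') 'Base').FindOne()
$durationRaw = [long]$policy.Properties['lockoutduration'][0]
$threshold   = [int]$policy.Properties['lockoutthreshold'][0]
$windowRaw   = [long]$policy.Properties['lockoutobservationwindow'][0]

'Effective domain lockout policy:'
if ($threshold -eq 0) { '  Account lockout threshold     : 0 (accounts are never locked out)' }
else                  { "  Account lockout threshold     : $threshold invalid logon attempts" }
"  Account lockout duration      : $(Format-AdInterval $durationRaw)"
"  Reset lockout counter after   : $(Format-AdInterval $windowRaw)"

# lockoutTime is replicated between DCs, unlike badPwdCount, so it is the reliable
# signal. A value of 0 or an absent attribute means "not locked".
$now    = [DateTime]::UtcNow
$locked = @()
$hits   = (New-DomainSearcher '(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))' `
            @('sAMAccountName','lockoutTime')).FindAll()
foreach ($hit in $hits) {
    $lockedAt = [DateTime]::FromFileTimeUtc([long]$hit.Properties['lockouttime'][0])
    # The attribute is not cleared when the duration expires; work out whether the lock still holds.
    if ($durationRaw -eq [long]::MinValue) { $stillLocked = $true }
    else { $stillLocked = ($lockedAt.AddTicks(-$durationRaw) -gt $now) }
    if ($stillLocked) {
        $locked += New-Object PSObject -Property @{
            Account  = [string]$hit.Properties['samaccountname'][0]
            LockedAt = $lockedAt.ToLocalTime()
        }
    }
}

$locked | Sort-Object LockedAt -Descending | Format-Table Account, LockedAt -AutoSize
$recent = @($locked | Where-Object { $_.LockedAt -gt ((Get-Date) - $window) })
if ($recent.Count -ge $alertThreshold) {
    "WARNING: $($recent.Count) accounts locked in the last $($window.TotalMinutes) minutes. " +
    'Check the CAS IIS logs for one source address posting to /owa/auth/owaauth.dll with many different usernames.'
} else {
    "$($recent.Count) lockout(s) in the last $($window.TotalMinutes) minutes."
}
```

The script deliberately reads lockoutTime rather than badPwdCount: badPwdCount is not replicated, so a count taken from one domain controller misses attempts that other controllers processed, whereas a lockout is replicated urgently to all of them.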
The error "The document cannot be converted by the WebReady Document Viewing service because it is larger than the maximum size limit set by the administrator for your organization" means the attachment exceeds the configured WebReady size limit. To alter the WebReady Document Viewing file size limit,
For additional information, see the external links below:
How to Configure WebReady Document Viewing
How to Manage Maximum Message Size in Outlook Web Access
Setting Up Outlook 2003 Cached Exchange Mode Accounts
If you are interested in giving users access to shared calendars from within OWA, as they have in Outlook, a company called Messageware offers shared calendaring in OWA.
Pasting images into messages is not an OWA feature. There are two workarounds for getting images into a message:
A Microsoft Knowledge Base article, linked below, explains how to paste an image into the OWA signature. The workaround does not always work and is not supported by Microsoft as an official solution.
How to get an image into the signature file in OWA
When you open an attachment in the browser, rather than viewing it with WebReady Document Viewing or saving it to a location you choose, a copy is written to the Temporary Internet Files folder on the local computer. The user is not told this happens, which is a real danger on shared or public computers where unauthorized people could later get hold of confidential documents.
There are a few ways administrators can secure attachments for everyone:
Disable access to all attachments
Although not practical for most organizations, it is the safest way to make sure that attachments are never left behind.
Allow access only to files supported by WebReady Document Viewing
Although limited to four file types (Microsoft Word, Excel, PowerPoint and Adobe PDF), this option is more convenient than the first.
Force WebReady Document Viewing and Force Save for all other file types
This is a good option if your company accepts that users may save files to the local machine and forget to delete them afterwards.
Get third-party help
Messageware (www.messageware.com) offers a product called AttachView which gives administrators a wide variety of configuration options for securing attachments. Because AttachView supports viewing over 300 file types as safe HTML pages, it becomes feasible to turn off the open and save attachment options for users while they are out of the office or not on corporate devices.
Many companies running Microsoft Exchange with update Q911829 (released in March and April 2006) and using Outlook Web Access have experienced a problem addressing messages. In some environments, pressing the spacebar after addressing a message makes the address dialog box reappear, and in some cases entering a space while typing the message body suddenly activates the addressing dialog box.
There is a free fix from Messageware, a company that specializes in OWA enhancement software, available to companies and Exchange administrators running any version of Exchange or OWA. It can be downloaded at http://www.messageware.com/downloads/fixQ911829.php
The “One or more of your reminders could not be snoozed or dismissed” error can occur when the value of the user object's legacyExchangeDN attribute is incorrect. To correct this error, follow Microsoft KB 556074 to correct the legacyExchangeDN attribute value for the affected users, then rebuild the address book.
NOTE: Outlook's AutoComplete cache may continue to use the old legacyExchangeDN value; add the old value to the affected user's proxyAddresses attribute (as an X500 address) so that mail addressed to it is still delivered.
For more information, refer to "Single-label Domain Names and Exchange Server 2007 SP1 (Part Deux)". (*Single-label domain names are names that contain no dot, such as "root" instead of "fqdn.com".)
Users receive the following error when searching in OWA 2007: "Search results may take a long time to appear because Microsoft Exchange Search is unavailable. Results will not include matches in the e-mail body." Running Test-ExchangeSearch against the user's mailbox also returns no results.
In this scenario the full-text index catalog is corrupt and must be rebuilt with the ResetSearchIndex.ps1 script. For details, refer to Microsoft Knowledge Base article 945077, "The Outlook Web Access search function does not work for some users in Exchange 2007".
Update available: Updated procedure to rename Exchange single label domains
Installing Exchange 2007 in an environment containing single-label domain names is not supported by Microsoft. Single-label domain names are names that contain no dot, such as "root" instead of "fqdn.com", and Microsoft no longer recommends them for production environments. The following workaround allows Exchange 2007 SP1 to be installed in an environment containing single-label domain names:
Spell check options are configured in the OWA Options page. Select the Spelling category and put a check mark beside Always check spelling before sending.
Many companies use an OWA session security solution such as OWA forms-based authentication, ISA forms-based authentication, RSA SecurID, Messageware TimeGuard, or SafeWord from Secure Computing. These solutions all have an inactivity timeout that logs users off OWA after a period of inactivity. Note that typing in a new message window is not seen as activity by OWA; you have to be doing something in the main OWA frame to count as active.
Delegate access to shared calendars is assigned using the desktop version of Microsoft Outlook. To assign delegate access, select Tools > Options from the top menu in Outlook and go to the Delegates tab. You can choose to send a summary message to delegates informing them of the permissions they have been assigned.
Assigning delegate permissions is not a feature in OWA since you can't open shared calendars as you can in Outlook, unless you have a third-party add-on like the one from Messageware (www.messageware.com). Messageware CalendarShare lets users assign delegate and folder access using their OWA Delegate Management console and opens up to 5 personal and shared calendars side-by-side like in Outlook.
OWA 2007 does not include an Add button as a spell check option. To add words to the dictionary you have to install a third-party product called Plus Pack by Messageware (www.messageware.com). This product offers users a personal roaming dictionary to which words can be added. It also offers globally accessible Corporate, Legal and Medical dictionaries.
Outlook Web Access 2007 includes the auto-complete addressing feature familiar from desktop Outlook: when a user types a name in the address field of a new message or meeting request, a drop-down list of the most recent recipients appears and narrows as the user continues to type. Choosing names from the drop-down list makes addressing a message much quicker.
To remove a recent recipient from the drop-down list,
For more flexibility around managing favorites, there is a third-party add-on from Messageware (www.messageware.com) which allows users to manage their favorites by adding or removing them from the favorites list.
To turn on message previews in OWA click the Message Preview icon from any folder. You can choose to show the preview below or beside the mail item.
To open another user's calendar in OWA 2007 you must have been granted Full Access to that mailbox by the administrator. Click your mailbox name at the upper right of the OWA window in Internet Explorer; an Open Other Mailbox prompt appears. Enter the other user's name and press ENTER. You now see all of their items, including the Calendar, so be careful not to delete their messages by accident.
Another approach is available from a third party which allows each user to set Outlook-compatible delegate rights on the primary calendar. Once this is done the product allows you to open additional calendars (shared calendars) within OWA just like in desktop Outlook. It even has side-by-side shared calendar viewing (www.messageware.com).
Many companies use Microsoft OWA or ISA forms-based authentication (FBA) for OWA logon, which gives users two options: "This is a public or shared computer" and "This is a private computer".
What is the difference? Administrators can configure a longer session inactivity timeout for Private connections (e.g. your own laptop or home PC) and a shorter one for Public connections (e.g. an airport kiosk or a customer's site). If a session is left open by accident, it is logged off after the configured period. Rule of thumb: always choose Public, which is the default, unless you are certain the computer you are working from is "safe".
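As an added example (not from the original page), the following script shows and tightens the two inactivity timeouts that the Public/Private choice selects between on an Exchange 2007 CAS. It assumes an elevated shell on the Client Access Server; the target values of 10 and 240 minutes are an example policy rather than Microsoft guidance. These registry values govern only the CAS's own forms-based authentication; ISA forms-based authentication keeps its own timeouts in the listener configuration.

```powershell
# Added example (not from the original page). Shows and tightens the forms-based
# authentication inactivity timeouts behind the Public/Private choice on the OWA
# 2007 logon page. Assumptions: run in an elevated shell on the Client Access
# Server; the target values (10 and 240 minutes) are an example policy, not
# Microsoft guidance. ISA forms-based authentication keeps its own timeouts.

$key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA'
$desired = @{ PublicTimeout = 10; PrivateTimeout = 240 }   # minutes

function Get-OwaFbaTimeouts {
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # When a value is absent OWA uses its built-in defaults: 15 minutes public, 8 hours private.
    $pub  = 15
    $priv = 480
    if ($item -and $item.PublicTimeout  -ne $null) { $pub  = [int]$item.PublicTimeout }
    if ($item -and $item.PrivateTimeout -ne $null) { $priv = [int]$item.PrivateTimeout }
    New-Object PSObject -Property @{ PublicTimeout = $pub; PrivateTimeout = $priv }
}

'Before:'
Get-OwaFbaTimeouts | Format-Table PublicTimeout, PrivateTimeout -AutoSize

foreach ($name in $desired.Keys) {
    New-ItemProperty -Path $key -Name $name -Value $desired[$name] -PropertyType DWord -Force | Out-Null
}

$after = Get-OwaFbaTimeouts
'After:'
$after | Format-Table PublicTimeout, PrivateTimeout -AutoSize

if ($after.PublicTimeout -gt $after.PrivateTimeout) {
    'WARNING: the public timeout is longer than the private one; the logon-page choice no longer protects shared computers.'
}
# OWA reads these values when its application starts, so recycle IIS to apply them.
'Run "iisreset /noforce" on this CAS for the new timeouts to take effect.'
```

Apply the same values on every CAS behind the same load balancer; a user whose requests land on a server with the old timeout gets the old behaviour.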
In the OWA Options page you can customize the OWA interface in the following ways:
The Microsoft Track Changes is a feature in Microsoft Word that keeps track of document edits. The edits are not shown in OWA when viewing documents using WebReady Document Viewing. There is a third party add-on from Messageware (www.messageware.com) that extends WebReady Document Viewing and gives users the ability to view Track Changes in documents.
Highlight the word or phrase which should be underlined and use the CTRL+U keyboard short-cut key or press the underline button (U) to mark the highlighted text underlined.
Highlight the word or phrase which should be italicised and use the CTRL+I keyboard short-cut key or press the italics button (I) to make the highlighted text italic.
Highlight the word or phrase which should be bolded and use the CTRL+B keyboard short-cut key or press the bold button (B) to make the highlighted text bold.
Select the text for which you want to create a hyperlink and use the CTRL+L keyboard short-cut key to bring up the hyperlink dialog box which lets you insert or change a hyperlink in the text.
Use the CTRL+F10 keyboard short-cut key to display a menu of options just like the right-click menu, if one exists.
Use the CTRL+F keyboard short-cut key to find text. This will bring up a text box into which you can enter the text for which you want to search.
Use the PAGE DOWN keyboard short-cut key to select the first message on the next page for lists that are two or three pages.
Use the PAGE UP keyboard short-cut key to select the first message on the previous page for lists that are two or three pages.
There are a few ways to do this, you can,
Use the TAB keyboard short-cut key to select the next option, message, appointment, or meeting. Use the SHIFT+TAB keyboard short-cut key to select the previous option, message, appointment, or meeting.
The auto-fill addressing feature is available only on Premium browsers (Internet Explorer 6.0 and higher) on PCs. OWA Light users can access the Most Recent Recipients list on the left-hand side of the new message or new meeting request forms.
There is an add-on that extends this functionality, called Messageware Plus Pack (http://www.messageware.com/) which allows users to manage their favorites and see all favorites in one address list.
Microsoft has released a fix for this issue, available from http://support.microsoft.com/kb/941552/en-us. The issue occurs because the IMAP folder does not have the PR_CONTAINER_CLASS property set.
All environments are complex and differ in their requirements.
Generally, we recommend keeping OWA 2003 and 2007 environments separate during the migration by keeping the Exchange 2003 front-end/back-end servers intact. In this scenario, an Exchange 2007 CAS and Exchange 2007 Mailbox Servers support the 2007 users, in addition to the existing Exchange 2003 Front-end and Back-end Servers.
The redirection can be configured on the CAS where requests for /exchange are redirected to the Exchange 2003 front-end servers.
To further simplify the environment, we recommend putting an ISA server in front to act as both firewall and reverse proxy. Requests received by the ISA server are sent to the Exchange 2007 CAS or to the Exchange 2003 front-end server, depending on where the user's mailbox resides.
Diagrammatically, here is what the migration model would look like, with ISA 2006:
The ISA scenario is preferred because:
• It simplifies authentication and configuration
• It simplifies the management of the 2003 and 2007 environments
The safest way to access attachments in OWA is not to access them at all. Simply turn off attachments using the Block Attachments feature in the Exchange Management Console. This ensures that your users can only work with documents on their dedicated office machines with Microsoft Outlook.
Secondly, you can set the “Force WebReady Document Viewing” option. Users will then be unable to open or save documents; they can only view the supported types: Microsoft Word, Microsoft Excel, Microsoft PowerPoint, and Adobe Acrobat PDF.
A third option is a third-party attachment security and enhancement product such as Messageware AttachView. AttachView extends WebReady Document Viewing to several hundred file types and adds more granular security, letting you specify which users, and from which locations, OWA allows to open, save, or view documents.
The OWA address book shows recipients in the Global Address List and contacts from the Primary contact folder. To extend access to additional Exchange Address Lists, a third-party add-on is required.
One such add-on is Messageware Plus Pack (http://www.messageware.com/), which gives users the ability to see custom Exchange Address Lists, additional personal address lists, SharePoint contact lists, and Public Folder contact lists from a single interface.
You can access Public Folder contact lists by navigating through the Public Folders. The public contact list will show all recipients and you can create a new message by clicking the “New message” button.
There is a third-party solution, Messageware Plus Pack (www.messageware.com), which enables users to add Public Folder contact lists directly into the OWA address book.
Highlight the content using the mouse by dragging the mouse, with the left-button depressed, across the text to be copied. To add more content after letting go of the mouse, press down the CTRL button and keep holding it down while you continue to highlight more content. When all the content is highlighted let go of the mouse and either press CTRL+C or right-click on the highlighted text with the mouse and choose copy from the menu.
Outlook Web Access has been completely rewritten for Exchange Server 2007. Some of the new features include:
New mail notification
WebReady Document Viewing
Integrated Mailbox Search
Out of Office Assistant
To visually see a demonstration of all these features and more, refer to Microsoft’s Microsoft Outlook Web Access 2007 Feature.
Microsoft ISA 2006 and Exchange Server 2007 both provide a logon form that lets users decide whether they are on a Public (less secure) or Private (more secure) computer. Currently, the blocked attachment list for OWA 2007 can only be controlled on Exchange 2007 itself: according to Microsoft, blocking attachment access with ISA 2006 in front of Exchange 2007 is not supported, and it must be configured on the Exchange 2007 server (Publishing Exchange Server 2007 with ISA Server 2006, Microsoft).
Attachment access is configured in the Exchange Management Console (EMC) on the Properties page of the /owa virtual directory on the Client Access Server (CAS). To get to the OWA folder,
Although the EMC appears to let you set different file access settings for Public and Private computers, setting one overwrites the other (How to Manage Public and Private Computer File Access, Microsoft). Administrators must therefore decide on a single attachment access configuration that is both secure and practical for Public and Private connections alike.
The available options are Direct File Access, with custom Block, Allow and Force Save file extension lists, and WebReady Document Viewing, Microsoft's new feature that renders attachments as HTML pages in the browser so that nothing is left behind on the client machine.
The most secure configuration is to disable Direct File Access and enable Force WebReady Document Viewing. Although this limits attachment access to four file types (Microsoft PowerPoint, Word, Excel and Adobe PDF), users cannot unknowingly leave attachments behind in the computer's Temporary Internet Files.
Segmentation lets administrators enable and disable OWA features including calendars, tasks, Unified Messaging integration, Public Folder and OWA Premium access. Although this is not a new feature to OWA, segmentation configuration options are now available in the Exchange Management Console (EMC), instead of having to manually calculate and edit the registry value.
The EMC allows Administrators to customize a user’s OWA experience based on the Client Access Server (CAS) they connect to. Segmentation is configured on the /owa folder on the Properties page. To get to the OWA folder,
As an example, some organizations may decide to disable the “Change Password” feature which allows users to change their Active Directory user account password from within OWA, and would do so by changing the default segmentation value of “Enabled” to “Disabled”. As a result, all users connecting to the /owa folder will not be able to change their password using OWA.
Advanced options are available through the Exchange Management Shell, which extends the Exchange Management Console by letting segmentation options be applied per user as well as per virtual directory. See Microsoft's How to Manage Segmentation in Outlook Web Access for information on all segmentation options.
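As an added example that is not part of the original page, the following Exchange Management Shell script applies the most secure attachment configuration described in the attachment sections above (Direct File Access off, WebReady Document Viewing forced, unknown types blocked) together with the segmentation example (Change Password disabled) to the /owa virtual directory, then reads the result back. It assumes Exchange 2007 SP1; the server name CAS01 and the mailbox name contractor01 are placeholders.

```powershell
# Added example (not from the original page). Applies the most secure attachment
# configuration described above (Direct File Access off, WebReady Document Viewing
# forced, unknown types blocked) and the segmentation example (Change Password
# off) to the /owa virtual directory, then reads the result back. Assumptions:
# Exchange 2007 SP1 Management Shell; the server name CAS01 and the mailbox
# "contractor01" are placeholders.

$server  = 'CAS01'
$owaVdir = "$server\owa (Default Web Site)"

# 1. Attachment handling. Public and Private share one setting store in Exchange
#    2007 (see above), so give both the same values rather than expecting them
#    to differ.
Set-OwaVirtualDirectory -Identity $owaVdir `
    -DirectFileAccessOnPublicComputersEnabled  $false `
    -DirectFileAccessOnPrivateComputersEnabled $false `
    -WebReadyDocumentViewingOnPublicComputersEnabled  $true `
    -WebReadyDocumentViewingOnPrivateComputersEnabled $true `
    -ForceWebReadyDocumentViewingFirstOnPublicComputers  $true `
    -ForceWebReadyDocumentViewingFirstOnPrivateComputers $true `
    -ActionForUnknownFileAndMIMETypes Block

# 2. Segmentation for everyone who uses this virtual directory: no password
#    changes from the OWA Options page.
Set-OwaVirtualDirectory -Identity $owaVdir -ChangePasswordEnabled $false

# 3. Segmentation for one mailbox (Exchange 2007 SP1 adds OWA* switches to
#    Set-CASMailbox): take Public Folder access away from a contractor without
#    touching the virtual directory.
Set-CASMailbox -Identity 'contractor01' -OWAPublicFoldersEnabled $false

# 4. Read back. Direct file access should show False, the Force WebReady values
#    True, the unknown-type action Block, and ChangePasswordEnabled False.
Get-OwaVirtualDirectory -Identity $owaVdir | Format-List Name,
    DirectFileAccessOn*ComputersEnabled,
    WebReadyDocumentViewingOn*ComputersEnabled,
    ForceWebReadyDocumentViewingFirstOn*Computers,
    ActionForUnknownFileAndMIMETypes,
    WebReadyFileTypes,
    ChangePasswordEnabled

Get-CASMailbox -Identity 'contractor01' | Format-List Name, OWAPublicFoldersEnabled
```

Run the read-back step on every CAS, not just the one you changed: the virtual directory settings are per server, and a second CAS behind the same published name silently keeps its old attachment policy. If a change does not show up in the browser straight away, recycle IIS on that CAS.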
Outlook Web Access 2007 does not allow users to address from Sharepoint contact lists. However, there is a third-party add-on called Plus Pack from Messageware (www.messageware.com) that provides this functionality. With Plus Pack, address lists are categorized as Corporate, Personal, SharePoint and Public Folders making them available through a single interface.
The Microsoft Exchange Team Blog
"For a brief period of time on August 9, 2008, a pre-release version of Update Rollup 4 for Exchange Server 2007 Service Pack 1 (KB952580) was inadvertently made available to Microsoft Update, the Microsoft Update Catalog, and Windows Software Update Services (WSUS) servers for download. While we quickly removed the update from Microsoft Update within a short period of time, some servers using these distribution methods might have detected, downloaded and/or installed this version of the update.
Known issues exist with this pre-release version of Update Rollup 4, including issues with Exchange Web Services (EWS) that creates the potential for a continuous crashing cycle, an uninstall issue where the EWS web.config is reset, and an issue with backup validation. The final release version of Update Rollup 4 will be released in the upcoming weeks, and until then, we recommend that customers who have not already installed Update Rollup 4 wait to do so. If you have already installed Update Rollup 4, we recommend uninstalling it. (...)"
This article, by ISA Firewall specialist Thomas Shinder, explains that earlier versions of ISA Firewall (2000 and 2004) included navigation protection. Navigation protection ensures that if a user goes to another website, such as Google, without logging off OWA, ISA automatically logs the user off. With navigation protection, administrators can rest assured that users are not leaving active OWA sessions behind.
ISA Firewall 2006 no longer includes navigation protection. This is explained in more detail in an ISA Security report published by Messageware Incorporated (ISA Security Report: OWA Security Issues Undetected by ISA Server) referenced in Thomas Shinder’s article.
To read the full article, go to:
The article gives an overview of an OWA attachment solution called AttachView by Messageware, which lets users safely view a wide array of attachments without ever downloading the file to the local computer. AttachView offers users secure access to attachments through an enhanced viewing window with features such as Microsoft Word Track Changes revisions, a hyperlinked table of contents, a printer-friendly version, and rotate and zoom buttons.
Administrators can set rules that allow users to open, save and print attachments based on criteria such as IP address, username, hostname, and whether they are connecting from a corporate device.
To view the full article, go to http://searchexchange.techtarget.com/tip/0,289483,sid43_gci1310616,00.html
ISA Server Product Team Blog
The article outlines the most common authentication methods and certificate considerations, as well as steps to troubleshoot the six most common ISA Server issues (summarized below).
Scenario 1: Users are prompted for authentication again after entering their username and password on the ISA FBA logon page.
Resolution: Verify that FBA is enabled on only one of the CAS and the ISA Server, not on both.
Scenario 2: Users receive the error “Target principal name is incorrect” after entering credentials on the FBA form.
Resolution: Verify that the certificate name and the CAS name referenced in the ISA rule match, and make sure the ISA server can resolve the CAS FQDN to an IP address.
Scenario 3: Typing in the OWA URL without using /owa gives “403 Access Forbidden” error
Resolution: The ISA paths only allow for access to OWA with /owa. Either update the allowed paths or use /owa in the URL.
Scenario 4: After logging into OWA users receive a “404 Not Found” error and ISA logs show a “Failed connection attempt” error
Resolution: Make sure that the ISA server can resolve the CAS FQDN to an IP, use telnet to connect to the FQDN and check if you get a response, and enable logging.
If you see a “Failed connection attempt” error in the ISA logs, also check for connection issues between ISA and the CAS such as closed or restricted ports, do a network trace, and check the IIS logs to see if the connection was received.
Scenario 5: Users get a “10061 Connection Refused” error after logging into OWA.
Resolution: Make sure that the port on the Bridging tab used by ISA to connect to Exchange matches the port configured on the OWA website in IIS. In this scenario, the ISA logs will show a “Failed connection attempt” error.
Scenario 6: When connecting to OWA through ISA users can log in, but all the buttons on a new message form are disabled. The issue does not occur when connecting to the Exchange server directly.
Resolution: Check whether other third-party ISAPI filters are installed on the OWA website.
To access the full article, go to http://blogs.technet.com/isablog/archive/2008/04/29/troubleshooting-owa-2007-publishing-rules-on-isa-server-2006.aspx
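As an added example (not from the original page or the ISA blog), the following script runs the checks behind scenarios 2 to 5 from the ISA Server or any host on the same network path to the CAS: name resolution, TCP reachability on the bridged port, the name on the certificate the CAS presents, and the HTTP status returned for "/" versus "/owa". It assumes Windows PowerShell 2.0 or later; the host name cas01.corp.example.com and port 443 are placeholders for the values on your publishing rule.

```powershell
# Added example (not from the original page). Runs the checks behind ISA
# scenarios 2 to 5 above: DNS, TCP port, certificate name, HTTP status of "/"
# versus "/owa". Assumptions: Windows PowerShell 2.0+; the CAS FQDN and port are
# placeholders for the values on the ISA publishing rule and Bridging tab.

$casFqdn = 'cas01.corp.example.com'
$port    = 443   # must match the Bridging tab on ISA and the OWA site binding in IIS

function Test-CasDns {
    param([string]$Name)
    try { [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString } }
    catch { $null }
}

function Test-CasPort {
    param([string]$Name, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($Name, $Port); $client.Connected }
    catch { $false }
    finally { $client.Close() }
}

# Subject and SANs of the certificate the CAS serves; scenario 2 appears when
# neither matches the name on the ISA rule.
function Get-CasCertificateNames {
    param([string]$Name, [int]$Port)
    $client   = New-Object System.Net.Sockets.TcpClient($Name, $Port)
    $callback = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl      = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($Name)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = ''
        if ($san) { $sanText = $san.Format($false) }
        New-Object PSObject -Property @{ Subject = $cert.Subject; SAN = $sanText; Expires = $cert.NotAfter }
    } finally { $ssl.Close(); $client.Close() }
}

function Get-HttpStatus {
    param([string]$Url)
    # The certificate is judged separately above; do not let a name mismatch hide the HTTP status.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    $req = [System.Net.WebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    $req.Timeout = 10000
    try { $resp = $req.GetResponse(); $code = [int]$resp.StatusCode; $resp.Close(); $code }
    catch [System.Net.WebException] {
        if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { $_.Exception.Message }
    }
}

$ips = Test-CasDns $casFqdn
if (-not $ips) { "FAIL: $casFqdn does not resolve; fix DNS or a HOSTS entry on ISA (scenarios 2 and 4)."; return }
"DNS : $casFqdn -> $($ips -join ', ')"

if (-not (Test-CasPort $casFqdn $port)) { "FAIL: TCP $port refused or filtered; compare the Bridging tab with the IIS binding (scenario 5)."; return }
"TCP : port $port open"

$names = Get-CasCertificateNames $casFqdn $port
"Cert: $($names.Subject) SAN=[$($names.SAN)] expires $($names.Expires)"
if ($names.Subject -notmatch [regex]::Escape($casFqdn) -and $names.SAN -notmatch [regex]::Escape($casFqdn)) {
    "WARN: certificate does not name $casFqdn; expect 'target principal name is incorrect' (scenario 2)."
}

"HTTP /    : $(Get-HttpStatus "https://$casFqdn/")     (403 here is normal when only /owa is published - scenario 3)"
"HTTP /owa : $(Get-HttpStatus "https://$casFqdn/owa/") (expect 200, or a 302 to the forms-based logon page)"
```

Run it from the ISA server itself rather than from an administrator workstation: the ISA host often has its own HOSTS entries and a different path to the CAS, and it is that path the published rule uses.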
This article provides a high-level overview of what is new in Exchange 2007, including a feature summary. In Exchange 2007, the main focus is on security, mobility, and efficiency.
Microsoft’s article outlines the top 10 reasons to upgrade to Exchange 2007 from a business perspective.
The top 10 user and administrator features in Exchange 2007 are outlined in the article by InfoWorld.
This article describes how to secure and enhance OWA by installing the Messageware Suite for Exchange 2007 SP1.
This product review outlines how Messageware’s AttachView product extends WebReady Document Viewing with security and productivity features.
This article discusses the configuration options available when using the Set-OwaVirtualDirectory cmdlet. The cmdlet offers 77 configuration options some of which are available through the Exchange Management Console and some of which are only available through the Exchange Management Shell.
The article covers the 16 most significant changes Exchange 2007 SP1 offers, including: