AnsweredAssumed Answered

Protecting Outlook Web Access on Exchange 2013 with Web Agent

Question asked by Damian Lock on Jul 16, 2017
Latest reply on Jul 17, 2017 by Jeff Shurtliff

I have an exchange 2007 server on Windows 2008, running IIS, with Outlook Web Access enabled.  The "/owa" page is protected with the RSA Authentication for Web for IIS.   (not sure the exact version -  what ever was the most recent version when the server was installed.)  This works great-  users connecting to the /owa web page have to enter secure ID credentials.

 

My company is migrating to Exchange 2013 , so I have a new server running Exchange 2013 on Windows 2012 R2.  I have installed  RSA Authentication Agent 8.0.1 for Web for IIS.          The /owa, /ecp and /oab virtual directories are protected by RSA agent, and are also in the RSA SecurID application pool.

 

When I connect to https://newserver.mydomain/owa  they get the RSA authentication screen.  After authenticating, Ithen get a windows authentication pop-up screen (if in IE).  I can login with my windows creds (myname@mydomain.com)   but then get the message:

 

The website declined to show this webpage

 HTTP 403

Most likely causes:

  • This website requires you to log in.

This error (HTTP 403 Forbidden) means that Internet Explorer was able to connect to the website, but it does not have permission to view the webpage.

 

(In firefox, just end up with a blank page.)

 

The virtual directories in question are configured to use basic authentication (same as on the /owa directory Exchange 2007 server.)  If I enable anonymous authentication I don't get the windows login promt, but then I still don't get to the OWA login page.

 

 

When I disable RSA SecurID authentication then OWA works fine -  except of course with out the additional protection.

Outcomes