
I've got a problem with OWA, and I'm pretty much at the end of my rope with this. OWA authenticates perfectly on the internal network. No problems at all. On the outside, you have to log in two or three times before it "sticks", at which point it won't ask you to authenticate again for hours.

The problem cropped up after an admin left and we were forced to change a bunch of passwords, so it's almost certainly a password/directory ownership issue somewhere. However, I've gone over the configuration and I can't find anything that's not running with a password unique to the local machine.

The setup is Exchange 2003, running behind an Apache proxy. Since the problem is external only, I've gone over the proxy extensively, and I can't find any problems. The whole setup has been running fine for ~4 years, so again, it's probably tied to the password change (which shouldn't have affected the proxy in any way).

I'm sure it's some stupid configuration setting that I'm missing, but I can't find it for the life of me. Anyone have any ideas?

@PQD

Here's mine:

SetOutputFilter proxy-html
RequestHeader unset Accept-Encoding
ProxyHTMLURLMap https://myserver.mydomain.com/exchange /exchange

ProxyPass /exchange https://myserver.mydomain.com/exchange
ProxyPassReverse /exchange https://myserver.mydomain.com/exchange

ProxyPass /exchweb https://myserver.mydomain.com/exchweb
ProxyPassReverse /exchweb https://myserver.mydomain.com/exchweb

ProxyPass /public https://myserver.mydomain.com/public
ProxyPassReverse /public https://myserver.mydomain.com/public

ProxyPass /OMA https://myserver.mydomain.com/OMA
ProxyPassReverse /OMA https://myserver.mydomain.com/OMA

ProxyPass /Microsoft-Server-ActiveSync https://myserver.mydomain.com/Microsoft-Server-ActiveSync
ProxyPassReverse /Microsoft-Server-ActiveSync https://myserver.mydomain.com/Microsoft-Server-ActiveSync

I'm pretty sure this isn't the problem. Nothing has changed on the proxy, and this configuration has worked for years.

Satanicpuppy
  • Can you provide more information about the configuration? Is this a single server configuration that is hosted in your "DMZ" behind the proxy server or is it a split configuration where the OWA server is in the DMZ and the Exchange server is in the internal LAN? -Thanks – Kevin Garber Dec 22 '09 at 17:10
  • It's the second one. Proxy in the DMZ, Exchange on the internal LAN. – Satanicpuppy Dec 22 '09 at 17:36
  • how about the hosts? give it a try. assuming your apache is accessed from the outside by https://some.name.com/ - change all myserver.mydomain.com to some.name.com and add some.name.com to /etc/hosts so it points internal ip... – pQd Dec 22 '09 at 17:37
  • External DNS is managed by corporate, and getting the change passed through would be a total nightmare. People CAN authenticate, it just takes 2 attempts for some reason. – Satanicpuppy Dec 22 '09 at 17:43
  • well - you do not have to touch dns managed by the corp. i assume it points to the machine with apache rev proxy; only thing you need to change is to use the same hostname in your apache config and put mapping that hostname<->internal ip in /etc/hosts – pQd Dec 22 '09 at 17:53

2 Answers


After about 10 days the issue just went away. Seems like something weird was propagating through the AD. I bounced it off the corporate exchange people, and they had nothing. I ran through the whole configuration and it was all normal.

Unfortunately I have no idea what eventually fixed it: it was certainly dependent on some screwy behaviour attached to the admin who left, but his credentials weren't directly attached to the exchange server or IIS, and I fixed so many peripheral issues in that time period that it could have been any number of things.

Highly unsatisfying non-solution. If anyone has any AD experience that would explain a server that forced repeated re-authentication, I'd be interested in hearing about it, and I'll switch the accepted solution to anything convincing.

Satanicpuppy

setting apache2 reverse proxy for exchange 2003 owa was [ censored ]. but at the end it works fine for me.

the trick was to fool apache into thinking that in-house exchange server has same host-name as one under which people access the apache from the outside of company.

so in dns i have: owa.company.com pointing to public ip of apache and in /etc/hosts of machine with apache reverse proxy i have owa.company.com pointing to the internal ip of exchange:

10.11.12.13     owa.company.com

my apache also does ssl encryption - internet users connect over https, while apache uses http to talk with exchange. in vhost configuration i have:

# you can skip it if internet clients use http
RequestHeader set Front-End-Https "On"

ProxyPass /exchange http://owa.company.com/exchange/
ProxyPassReverse /exchange http://owa.company.com/exchange/
ProxyPass /exchweb http://owa.company.com/exchweb/
ProxyPass /oma http://owa.company.com/oma
ProxyPassReverse /oma http://owa.company.com/oma
ProxyPassReverse /exchweb http://owa.company.com/exchweb/
ProxyPass /public http://owa.company.com/public/
ProxyPassReverse /public http://owa.company.com/public/
ProxyPass /iisadmpwd http://owa.company.com/iisadmpwd/
ProxyPassReverse /iisadmpwd http://owa.company.com/iisadmpwd/

obviously mod_proxy, mod_proxy_http are loaded.

and yes - i'm aware that this sounds like voodoo; it does to me, but i found it described somewhere, applied - and it worked. what can i say...

pQd
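
A small checker for the setup this answer describes, added here as an example (not code from the answer or from Apache). It reads a vhost fragment and an /etc/hosts file and reports ProxyPass targets whose hostname differs from the public name, a public name that /etc/hosts does not pin to a private address, paths with no ProxyPassReverse, and plain-http backends without the Front-End-Https header. The function names, finding labels and sample inputs are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed inputs modelled on the configs quoted on this page.
HOSTS = "127.0.0.1 localhost\n10.11.12.13     owa.company.com  # Exchange, internal\n"
VHOST = """\
RequestHeader set Front-End-Https "On"
ProxyPass /exchange http://owa.company.com/exchange/
ProxyPassReverse /exchange http://owa.company.com/exchange/
ProxyPass /exchweb http://owa.company.com/exchweb/
ProxyPass /public https://myserver.mydomain.com/public
ProxyPassReverse /public https://myserver.mydomain.com/public
"""
DIRECTIVE = re.compile(r"^\s*(ProxyPassReverse|ProxyPass)\s+(\S+)\s+(\S+)", re.I)

def hosts_ip(hosts_text, name):
    """Return the address /etc/hosts pins `name` to, or None."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].lower().split()
        if len(fields) >= 2 and name.lower() in fields[1:]:
            return fields[0]
    return None

def lint_owa_proxy(vhost, hosts_text, public_host):
    """Return sorted (path, issue) findings for a reverse-proxy vhost."""
    forward, reverse, findings = {}, set(), set()
    for line in vhost.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            kind, path, target = m.groups()
            if kind.lower() == "proxypass":
                forward[path] = urlsplit(target)
            else:
                reverse.add(path)
    has_feh = re.search(r"^\s*RequestHeader\s+set\s+Front-End-Https\b", vhost, re.I | re.M)
    pinned = hosts_ip(hosts_text, public_host)
    for path, url in forward.items():
        if (url.hostname or "").lower() != public_host.lower():
            # Exchange sees a different name than the one the browser used.
            findings.add((path, "backend-name-differs-from-public-name"))
        elif pinned is None or not ipaddress.ip_address(pinned).is_private:
            # Without the hosts entry the proxy resolves the public name via DNS.
            findings.add((path, "public-name-not-pinned-to-internal-ip"))
        if path not in reverse:
            findings.add((path, "no-proxypassreverse"))
        if url.scheme == "http" and not has_feh:
            findings.add((path, "http-backend-without-front-end-https"))
    return sorted(findings)

if __name__ == "__main__":
    for path, issue in lint_owa_proxy(VHOST, HOSTS, "owa.company.com"):
        print(f"{path}: {issue}")
```

Where the proxy talks plain http to Exchange, as in this answer, users' OWA credentials cross the DMZ-to-LAN hop unencrypted, which is worth weighing when reviewing such a vhost.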