Exchange Server 2003 and Outlook Web Access Issue

Published: November 25, 2003

Microsoft has received reports of an issue affecting Exchange Server 2003 and Microsoft Office Outlook Web Access. The problem occurs when a user installs Microsoft Windows SharePoint Services 2.0 on a computer running both Exchange Server 2003 and Microsoft Windows Server 2003. The deployment causes Kerberos authentication to be disabled in Internet Information Services (IIS) and can result in incorrect handling of Outlook Web Access requests to a server running Exchange.

Important: To help ensure your messaging infrastructure is secure, review the Q&A section on this page, or visit the Microsoft Help and Support site for the details and step-by-step instructions in the following Microsoft Knowledge Base articles: Article 832769, How to Configure Windows SharePoint Services to Use Kerberos Authentication, and Article 832749, How to Disable HTTP Connection Reuse on an Exchange Server 2003 Front-End Server.


Issue Q&A

Q. What system configuration is potentially affected?

A. The only operating environments that may be affected are those with front-end servers running Exchange Server 2003 and separate back-end servers running Exchange Server 2003, Windows Server 2003, and Windows SharePoint Services 2.0.

Q. Is Microsoft Windows Small Business Server 2003 affected?

A. No. Windows Small Business Server is by default a single-server setup, with Outlook Web Access and the Exchange Server 2003 information store on the same server.

Q. Are all versions of Exchange Server and Outlook Web Access affected by this issue?

A. No. The only affected version is Outlook Web Access in Exchange Server 2003.

Q. Can this occur if I did not change my default Exchange Server 2003 settings?

A. Yes, if Windows SharePoint Services 2.0 has been installed on an Exchange Server 2003 back-end server.

Q. How can I check to see if my system is affected?

A.

1. Check whether Windows SharePoint Services 2.0 has been installed on your back-end servers running Exchange Server 2003 and Windows Server 2003, either through Add/Remove Programs or by the presence of the following registry key:

HKLM\Software\Microsoft\Shared Tools\Web Server Extensions\6.0\Sharepoint = "Installed"

2. Check for the incorrectly configured IIS authentication setting, in which Kerberos is explicitly disabled, by inspecting the IIS metabase on the Exchange Server back-end server with one of the following commands:

cscript.exe %SystemDrive%\inetpub\adminscripts\adsutil.vbs get w3svc/NTAuthenticationProviders

- or -

cscript.exe %SystemDrive%\inetpub\adminscripts\adsutil.vbs get w3svc/1/root/NTAuthenticationProviders

If the value returned is only "NTLM", instead of the correct value "Negotiate, NTLM" or the default response "The parameter "NTAuthenticationProviders" is not set at this node.", the setting may be causing the problem. "Negotiate" is the name used for Kerberos authentication over HTTP. See the "How do I fix the problem?" section on this page for a description of how to fix it.

3. Note that falling back to NTLM does not by itself cause this problem; the problem arises when Kerberos is explicitly disabled on the Windows Server 2003 back-end server. To identify which Exchange Server back-end servers might be affected, look in the Application event log on the front-end servers for EXPROX event ID 1000:

MessageId=1000
Severity=Warning
Facility=Application

Microsoft Exchange Server has detected that NTLM-based authentication
is presently being used between this server and server 'BACK_END_SERVER_NAME'. NTLM is
still a secure authentication mechanism and protects users' credentials.
However, this indicates that there may be a configuration issue preventing
the use of Kerberos authentication.
If this condition persists, please verify that both this server and server 'BACK_END_SERVER_NAME'
are properly configured to use Kerberos authentication. After applying any
changes it may be necessary to restart Internet Information Services on both
the front-end and back-end servers.
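The three checks above can be combined into a small triage script that runs over output you have already collected from the servers. The following Python is an added example, not code from Microsoft or from the Knowledge Base articles: it classifies the result of the adsutil.vbs commands, interprets the Sharepoint registry value, and extracts back-end server names from EXPROX event ID 1000 entries. The exact line format adsutil.vbs prints for a set property (NTAuthenticationProviders : (STRING) "..."), the dict fields used for exported event records, and the server name EXBE01 are assumptions; the "not set at this node" message is the one quoted on this page.

```python
"""Triage helper for the Exchange Server 2003 / WSS 2.0 Kerberos issue.

Added example, not Microsoft's code. It applies the three checks from the
Q&A to text already collected from the servers. The line format that
adsutil.vbs prints for a set property is assumed; the "not set at this
node" message is the one quoted on the page.
"""
import re

# Message adsutil.vbs returns when the property is absent (quoted on the page).
NOT_SET_MSG = 'The parameter "NTAuthenticationProviders" is not set at this node.'

# Assumed shape of adsutil.vbs output for a set property, e.g.
#   NTAuthenticationProviders       : (STRING) "Negotiate,NTLM"
ADSUTIL_RE = re.compile(r'NTAuthenticationProviders\s*:\s*\(STRING\)\s*"([^"]*)"')

# The back-end name appears in the EXPROX 1000 message as: server 'NAME'
EXPROX_RE = re.compile(r"between this server and server '([^']+)'")


def classify_providers(adsutil_output: str) -> str:
    """Classify one 'adsutil.vbs get .../NTAuthenticationProviders' result.

    Returns 'default' (property not set, IIS defaults apply), 'ok' (Negotiate
    present, so Kerberos can be used), 'kerberos_disabled' (NTLM only, the
    misconfiguration described on the page) or 'unknown' (unrecognised text).
    """
    text = adsutil_output.strip()
    if NOT_SET_MSG in text:
        return "default"
    match = ADSUTIL_RE.search(text)
    if not match:
        return "unknown"
    # Split on commas and normalise case so "Negotiate, NTLM" and "Negotiate,NTLM" agree.
    providers = [p.strip().lower() for p in match.group(1).split(",") if p.strip()]
    if "negotiate" in providers:
        return "ok"
    if providers == ["ntlm"]:
        return "kerberos_disabled"
    return "unknown"


def backends_using_ntlm(events) -> list:
    """Return the back-end server names named in EXPROX event ID 1000 entries.

    `events` is an iterable of dicts with 'source', 'event_id' and 'message'
    keys (an assumed export format for the front-end Application log).
    """
    names = set()
    for event in events:
        if event.get("source") != "EXPROX" or event.get("event_id") != 1000:
            continue
        match = EXPROX_RE.search(event.get("message", ""))
        if match:
            names.add(match.group(1))
    return sorted(names)


def assess_backend(wss_registry_value, adsutil_outputs) -> tuple:
    """Combine the WSS registry check with the metabase checks for one back end.

    wss_registry_value: data of the Sharepoint value under
        HKLM\\Software\\Microsoft\\Shared Tools\\Web Server Extensions\\6.0, or None.
    adsutil_outputs: mapping of metabase path -> adsutil.vbs output text.
    Returns (verdict, findings); verdict is 'affected',
    'wss_present_kerberos_enabled' or 'not_affected'.
    """
    findings = []
    kerberos_disabled = False
    wss_installed = (wss_registry_value or "").strip().lower() == "installed"
    if wss_installed:
        findings.append("Windows SharePoint Services 2.0 is installed on this back-end server")
    for path, output in adsutil_outputs.items():
        if classify_providers(output) == "kerberos_disabled":
            kerberos_disabled = True
            findings.append(f"{path}: NTLM only, Kerberos (Negotiate) explicitly disabled")
    if kerberos_disabled:
        return "affected", findings
    if wss_installed:
        # IIS still allows Negotiate; WSS alone is not the misconfiguration.
        return "wss_present_kerberos_enabled", findings
    return "not_affected", findings


# Constructed sample data, not real server output.
SAMPLE_ADSUTIL = {
    "w3svc/NTAuthenticationProviders": 'NTAuthenticationProviders       : (STRING) "NTLM"',
    "w3svc/1/root/NTAuthenticationProviders": NOT_SET_MSG,
}
SAMPLE_EVENTS = [
    {"source": "EXPROX", "event_id": 1000,
     "message": "Microsoft Exchange Server has detected that NTLM-based authentication "
                "is presently being used between this server and server 'EXBE01'."},
    {"source": "EXPROX", "event_id": 1000,
     "message": "... between this server and server 'EXBE01'. ..."},
    {"source": "W3SVC", "event_id": 1000, "message": "unrelated warning"},
]

if __name__ == "__main__":
    verdict, findings = assess_backend("Installed", SAMPLE_ADSUTIL)
    print(verdict)
    for finding in findings:
        print(" -", finding)
    print("back ends the front end reached over NTLM:", backends_using_ntlm(SAMPLE_EVENTS))
```

Run it against the captured adsutil.vbs output and an export of the front-end Application log; an "affected" verdict on a back-end server that the front end also names in event 1000 is the combination the page describes, and the event alone (with Negotiate still enabled) only indicates a fallback to NTLM.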

Q. How do I fix the problem?

A. Uninstalling Windows SharePoint Services 2.0 alone will not fix the problem. To return IIS on Exchange Server back-end servers to a default state, you must re-enable and properly configure Kerberos authentication in IIS. For details on how to re-enable Kerberos authentication after installing Windows SharePoint Services 2.0, read HOW TO: Configure Windows SharePoint Services to Use Kerberos Authentication on the Help and Support site.

It is also possible to address the connection re-use problem by temporarily disabling connection re-use from the Exchange Server 2003 front-end server to the Exchange Server 2003 back-end server. Read How to Disable HTTP Connection Reuse on an Exchange Server 2003 Front-End Server on the Help and Support site for details.

Background Information

Q. What is Outlook Web Access?

A. Outlook Web Access is a service of Exchange Server that enables users to access their Exchange Server mailboxes through a Web browser. By using Outlook Web Access, a server that is running Exchange Server can also function as a Web site that enables authorized users to read or send e-mail messages, manage their calendar, or perform other e-mail functions over the Internet. Outlook Web Access can be deployed in an Exchange Server front-end/back-end server deployment.

Q. What are front-end and back-end Exchange servers?

A. Exchange Server can be deployed in a front-end/back-end server configuration. The front-end server authenticates and proxies HTTP requests, and is separate from the back-end server, which holds the Outlook Web Access functionality and the information store, that is, the users' mailboxes and public folders, among other things.

Q. What are Kerberos and NTLM?

A. Kerberos and NTLM are two different authentication protocols. Kerberos is the preferred Windows authentication protocol, used whenever possible, and is the default protocol that Exchange Server 2003 uses between front-end and back-end Exchange servers for Outlook Web Access. If Kerberos authentication fails or is disabled, Outlook Web Access falls back to NTLM between the front-end and back-end Exchange servers. Note that Kerberos is called "Negotiate" when used over HTTP.
