OWA Logon Failure – Be Careful What You Restrict
Ran across an unusual one this week that’s worth sharing. A site had two users who could not log in to Outlook Web Access hosted on SBS 2003. All other users could log in to OWA without issue, but these two could not. The employees do shift work and sign on to a shared workstation, and they only access e-mail via OWA; no Outlook client was installed on the workstation. The error encountered when trying to log in was “username or password is incorrect.” The passwords for the accounts were changed, and the accounts were checked to make sure they were not locked out. Attempts to access OWA from any workstation failed, internally and externally.
We checked the status of the mailbox in Exchange System Manager to make sure the mailbox had not been disconnected on either account, and both mailboxes were connected fine. We tried to access the mailbox by creating an Outlook profile on another workstation and could access the contents of the mailbox, so we knew the mailbox was not corrupt. We tried to access the user mailbox through the Administrator’s OWA logon (after granting the Administrator account full access to the user mailbox), and as soon as we attempted to open the path to the user’s mailbox, we got a login prompt instead of access to the mailbox.
We tried to access the mailbox via Outlook Mobile Access and got an “access denied” error after three login attempts. That prompted us to look in the Security Log on the server, and that’s where we found the clue: a logon failure for the user, recorded on the server itself. It turned out the local administrator had tried to restrict the user’s ability to log in to only one workstation in the user’s AD account properties. In the Account tab, under the Log On To button, the only machine listed was the shared workstation. We added the server to the list of machines the user could log on to, and we were then able to access the account through OWA from all workstations.
Restricting a user’s ability to log in to a single workstation is a good idea. But authentication for OWA/OMA takes place on the server, because that is where the service that grants the user access runs, so the Log On To list must include the server as well. If you choose to use the Log On To feature of Active Directory to limit where a user can log in, be sure to add the server as one of those machines so network services can still be accessed by the user account.
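The Log On To list lives in the user object’s LogonWorkstations attribute (LDAP name userWorkstations) as a comma-separated list of NetBIOS computer names; an empty value means the user may log on anywhere. The following script is an added example, not part of the original post, that audits every restricted account for the mistake described above and optionally appends the Exchange server. It assumes the ActiveDirectory PowerShell module (RSAT) is available on the admin host it is run from (SBS 2003 itself did not ship it) and that the server’s NetBIOS name passed in is correct; the server name SBSSERVER used below is a placeholder.

```powershell
# Added example (not the original post's code). Audits AD accounts whose
# "Log On To" list omits the server that authenticates OWA/OMA logons.
# Assumes the ActiveDirectory module (RSAT) is present on this admin host.
Import-Module ActiveDirectory

function Test-OwaLogonRestriction {
    param(
        # NetBIOS name of the Exchange/OWA server. Placeholder default.
        [string]$ExchangeServer = 'SBSSERVER',
        # Add the server to the list instead of only reporting.
        [switch]$Fix
    )

    # Only users that actually have a Log On To restriction set.
    $restricted = Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties LogonWorkstations

    foreach ($u in $restricted) {
        # Normalise the comma-separated list to trimmed, non-empty names.
        $allowed = @($u.LogonWorkstations -split ',' |
                     ForEach-Object { $_.Trim() } |
                     Where-Object { $_ })

        if ($allowed -contains $ExchangeServer) { continue }

        # This is the state the post describes: the shared workstation is
        # listed, but the server doing the authentication is not.
        Write-Warning ("{0}: Log On To = [{1}]; {2} missing, OWA/OMA logons will fail" -f
            $u.SamAccountName, ($allowed -join ', '), $ExchangeServer)

        if ($Fix) {
            $new = ($allowed + $ExchangeServer) -join ','
            Set-ADUser -Identity $u -LogonWorkstations $new
            Write-Host ("{0}: Log On To now = [{1}]" -f $u.SamAccountName, $new)
        }
    }
}

# Report only:
Test-OwaLogonRestriction -ExchangeServer 'SBSSERVER'
# Report and repair:
# Test-OwaLogonRestriction -ExchangeServer 'SBSSERVER' -Fix
```

When confirming a case like this from the server’s Security Log, the failure shows up as a logon failure for the user on the server, as in the post; on Windows Server 2003 the relevant audit event is 533 (“User not allowed to logon at this computer”), and on Server 2008 and later it is 4625 with sub-status 0xC0000070. Seeing that sub-status rather than a bad-password status is what distinguishes a Log On To restriction from a genuine credential problem.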