# Solved: The server _____ at ______ requires a username and password



## TH_WIT (Dec 9, 2009)

Good afternoon,

Our office uses Outlook Web Access (OWA) that is based on our front-end Exchange server and our back-end Exchange server.

We can log on to OWA fine, and most of our OWA functionality is fine. However, when we open an OWA message from any browser, and then click on a web site link within the body of any OWA message, we encounter the following message:

The server communitycolleges.wy.edu at communitycolleges.wy.edu requires a username and password.

Warning: This server is requesting that your username and password be sent in an insecure manner (basic authentication without a secure connection).

User Name: ____________
Password: _____________

When we enter our OWA username and password in response to the message above, the username and password get rejected, and then the message above returns and reprompts and won't let us proceed. If we choose to cancel out of the message above, then we get the "Error: Access is Denied" message.

Are there server settings I can adjust to eliminate the message above?


Environment Details:

Front-End Server- commission-web.commission.wcc.edu

 Windows Server 2003 Standard Edition
 Service Pack 1

 Exchange 6.5 (Build 7638.2: Service Pack 2)

 Internet Information Services (IIS) Manager - 
 Version 6

Back-End Server- commission-wcc.commission.wcc.edu

 Windows Server 2003 R2 Enterprise Edition 
 Service Pack 2

Exchange 6.5 (Build 7638.2: Service Pack 2)

Some domain info:

An nslookup on communitycolleges.wy.edu returns the correct IP of the front-end server.

I believe communitycolleges.wy.edu is an alias set up for the front-end server. If any of you would like me to confirm this, please let me know and I can ask my name server contact.

Thanks!


----------



## JohnWill (Oct 19, 2002)

Time to consult the IT folks I would imagine.


----------



## TH_WIT (Dec 9, 2009)

I actually am the IT person responsible for these servers. However, most of my time is spent developing applications on an HP-UX server, and not so much time is spent working with Exchange, Windows, and IIS. So I sometimes need to ask for help on matters relating to Exchange, Windows, and IIS.

Thanks.


----------



## eberlysystems (Nov 28, 2009)

Error logs show the rejection?

There are a lot of things to check, and this is a _little_ out of my experience, but I'll offer some thoughts...

Any possibility of phishing/m-i-m attacks? That's the most common routine - cron'd or triggered redirects, bogus login pages, "access denied" or other equally bogus error pages on rejection.

I realize, theoretically, yours would be a difficult situation to apply this in, BUT.. a very beneficial one for an attacker.

Logs clean, security tight? It's worth considering - the non-secured authentication request would fit.


----------



## TH_WIT (Dec 9, 2009)

Thanks for your assistance.

I'll check the logs soon. I also want to run a full scan for viruses and other threats (using Symantec) on the front-end server, but am concerned that scanning certain Exchange folders/drives might cause trouble or disruption. I recall from long ago that certain Exchange drives/folders should not be scanned for threats, at least several years ago. But perhaps this issue doesn't apply to Symantec AntiVirus 10.1.4.4 and MS Exchange 6.5 (Build 7638.2: Service Pack 2)?


----------



## TH_WIT (Dec 9, 2009)

I found the following application error (from event viewer) on the front-end server that appears to be linked to my original problem of this thread:

======================================================
Event Type: Error
Event Source: EXPROX
Event Category: None
Event ID: 1001
Date: 12/10/2009
Time: 8:26:11 AM
User: N/A
Computer: COMMISSION-WEB
Description:
Microsoft Exchange Server has detected that Basic Authentication is being attempted between this server and server 'COMMISSION-WCC'. This authentication mechanism is not secure and it is not supported between front-ends and back-ends. If this condition persists, please verify that server 'COMMISSION-WCC' is properly configured to use Integrated Windows Authentication for each virtual directory used by Exchange. After applying any changes it may be necessary to restart Internet Information Services on both the front-end and back-end servers. 
For more information, click http://www.microsoft.com/contentredirect.asp.
======================================================

I'm considering the prospect of following the instructions in the "User Action" section of the following technet article:

http://www.microsoft.com/technet/su...6.5.6940.0&EvtID=1001&EvtSrc=EXPROX&LCID=1033


----------



## TH_WIT (Dec 9, 2009)

I went ahead and set the back-end server to "Integrated Windows authentication", and set the front-end server to "Basic Authentication" according to recommendations of the following technet article:

http://www.microsoft.com/technet/su...6.5.6940.0&EvtID=1001&EvtSrc=EXPROX&LCID=1033

Now, I have much worse trouble. We no longer have any Outlook Web Access service at all. When trying to reach OWA at http://communitycolleges.wy.edu/exchange, I get the "HTTP Error 404 - File or directory not found." message. Get the same when trying with the https prefix. I might wind up having to contact MS support.


----------



## TH_WIT (Dec 9, 2009)

I recently contacted Microsoft technical support, and now this Outlook Web Access problem is solved. MS support guided me to make the following "Directory Security - Authentication and access control" adjustments to the following virtual directories (in IIS manager):

· Exadmin (front-end server) → Integrated Windows authentication
· Exchange (front-end server) → Basic authentication
· ExchWeb (front-end server) → Enable anonymous access

· Exadmin (back-end server) → Integrated Windows authentication
· Exchange (back-end server) → Integrated Windows authentication AND Basic authentication
· ExchWeb (back-end server) → Enable anonymous access

On both the front-end server and back-end server, the above adjustments were made by going to: IIS Manager > local computer > Web Sites > _relevant_web_site_ > _virtual_directory_ > properties > Directory Security > Authentication and access control > "Edit...".


----------
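The settings listed in the post above can be checked for drift with a short audit, shown here as an added example that is not part of the original thread or from Microsoft support. It assumes the integer values were read from each virtual directory's `AuthFlags` property in the IIS 6 metabase; the function names and the sample values are constructed for illustration.

```python
# Added example: compare IIS 6 AuthFlags values with the settings listed in the thread.
# IIS 6 metabase AuthFlags bits; "Integrated Windows authentication" is the NTLM bit.
ANON, BASIC, INTEGRATED, DIGEST, PASSPORT = 0x01, 0x02, 0x04, 0x10, 0x40
BIT_NAMES = {ANON: "Anonymous", BASIC: "Basic", INTEGRATED: "Integrated",
             DIGEST: "Digest", PASSPORT: "Passport"}

# Expected methods per (server role, virtual directory), taken from the post above.
EXPECTED = {
    ("front-end", "Exadmin"): INTEGRATED,
    ("front-end", "Exchange"): BASIC,
    ("front-end", "ExchWeb"): ANON,
    ("back-end", "Exadmin"): INTEGRATED,
    ("back-end", "Exchange"): INTEGRATED | BASIC,
    ("back-end", "ExchWeb"): ANON,
}

def decode(flags):
    """Turn an AuthFlags integer into the list of enabled methods."""
    names = [name for bit, name in BIT_NAMES.items() if flags & bit]
    unknown = flags & ~sum(BIT_NAMES)
    if unknown:
        names.append(f"unknown(0x{unknown:x})")
    return names or ["none"]

def audit(observed):
    """Return one finding per directory whose methods differ from EXPECTED."""
    findings = []
    for (role, vdir), want in EXPECTED.items():
        have = observed.get((role, vdir))
        if have is None:
            findings.append(f"{role} {vdir}: no value supplied")
            continue
        missing, extra = want & ~have, have & ~want
        parts = []
        if missing:
            parts.append("missing " + "+".join(decode(missing)))
        if extra:
            parts.append("unexpected " + "+".join(decode(extra)))
        if parts:
            findings.append(f"{role} {vdir}: {'; '.join(parts)} (has {'+'.join(decode(have))})")
    return findings

# Constructed sample: the back-end Exchange directory offers Basic only, which is
# the condition the EXPROX event 1001 text in this thread describes.
SAMPLE = dict(EXPECTED)
SAMPLE[("back-end", "Exchange")] = BASIC

if __name__ == "__main__":
    for line in audit(SAMPLE) or ["all directories match the listed settings"]:
        print(line)
```
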



## eberlysystems (Nov 28, 2009)

Everything's taken care of then?


----------



## TH_WIT (Dec 9, 2009)

Yes, and I recently pushed the "Mark Solved" button on this.


----------

