David Grey's Blog


Outlook Web Access and Exchange ActiveSync

If you are a sometime reader of this blog you may remember a recent post concerning Outlook Web Access not working correctly for non-administrative users.  Feeling somewhat at a loose end on Friday evening I decided to try resolving this issue and, after spending a large chunk of the weekend on it, I've now got Outlook Web Access and Exchange ActiveSync working correctly from inside our network.

The problem with non-administrators not being able to access Outlook Web Access (OWA) turned out to be a simple one. Our internal domain has the name internal.domain.com whereas our external domain, from which emails are sent/received, has the name domain.com. When we installed Exchange Server it did the sensible thing and configured the SMTP domain as internal.domain.com and users' primary SMTP addresses as user@internal.domain.com. However, this was not what we wanted and, not being very knowledgeable in Exchange, we just used Active Directory to change the users' email addresses to user@domain.com. This allowed us to send/receive email correctly, but this is what was preventing users from accessing OWA. Basically, when logging in through OWA, information is retrieved from AD and matched against known recipients in Exchange; because users' primary AD email addresses (user@domain.com) did not match the Exchange SMTP domain (internal.domain.com) it would not allow the user access.

In my naivety I did not know about recipient policies in Exchange. The solution to my problem was simple: modify the default recipient policy so that default user addresses are of the form user@domain.com. This sets the primary addresses in AD as desired and hey presto - everything now matches when users connect via OWA and access to email is allowed. So why did the Administrator account work all along? Because that was the only account for which I hadn't modified the primary email address information in AD, so everything worked as it should have done.

Having got OWA working fairly quickly I also wanted to get Exchange ActiveSync going too. This proved to be more problematic. I set an SSL certificate on the server for the Exchange virtual directory, set up a Pocket PC as described in the documentation and promptly got an HTTP_403 error. This appears to be a well-known issue and the solution is to follow method 2 in this KB article (KB817379: Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003) to set up an alternative Exchange virtual directory which does not use SSL and is accessible only from the server itself. This changed the situation as I now got an HTTP_500 error every time I tried to sync with the server. Again this was caused by a mismatch between SMTP addresses; perhaps this was because I (briefly) successfully set up Exchange ActiveSync on the PocketPC when the SMTP addresses were still set as users@internal.domain.com and this info was cached in the device, leading to a subsequent mismatch when I changed the addresses to the proper external address. Anyway, the solution was found in another KB article (KB886346: You receive an HTTP_500 error message when you synchronize your mobile device with Microsoft Exchange Server 2003). The solution was to add an SMTPProxy registry key for internal.domain.com, then to add a secondary email address of the form user@internal.domain.com to each user in AD. This immediately solved the problem and allowed the PocketPC to sync correctly with the server and it has been working flawlessly ever since. Setting the SMTPProxy to any other (valid) SMTP domain known to the Exchange server did not work though.

Anyway, I got it going which pleases me greatly. All I need to do now is get OWA and Exchange ActiveSync working properly through our firewall and we'll have email access on the move from wherever we happen to be. Isn't the modern information age wonderful!!

------
David
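
The two address mismatches described in this post can be audited from exported directory records. The following is an added example, not code from the original post: the records are constructed, and it assumes that each record carries `sAMAccountName`, `mail` and `proxyAddresses` attributes, that the upper-case `SMTP:` prefix marks the primary address, and that each user's alias equals the account name.

```python
# Added example: the records below are constructed, not taken from the post.
EXTERNAL = "domain.com"            # external mail domain named in the post
INTERNAL = "internal.domain.com"   # internal AD domain named in the post

def split_proxy_addresses(values):
    """Return (primary, secondaries) from proxyAddresses-style strings.

    Assumed convention: 'SMTP:' (upper case) marks the primary address and
    'smtp:' (lower case) a secondary one; other types (X400:, ...) are skipped.
    """
    primary, secondaries = None, []
    for value in values:
        prefix, _, addr = value.partition(":")
        if prefix == "SMTP":
            primary = addr.lower()
        elif prefix == "smtp":
            secondaries.append(addr.lower())
    return primary, secondaries

def audit_user(user):
    """List the address problems from the post that apply to one record."""
    findings = []
    mail = (user.get("mail") or "").lower()
    primary, secondaries = split_proxy_addresses(user.get("proxyAddresses", []))
    if primary is None:
        findings.append("no primary SMTP address")
    else:
        if mail != primary:   # the state left by editing the address in AD only
            findings.append("mail attribute differs from primary SMTP address")
        if primary.rpartition("@")[2] != EXTERNAL:
            findings.append("primary SMTP address not in external domain")
    # Assumption: alias == account name. ActiveSync fix: internal address present.
    alias = user["sAMAccountName"].lower() + "@" + INTERNAL
    if alias != primary and alias not in secondaries:
        findings.append("missing secondary address " + alias)
    return findings

# Constructed sample records for three hypothetical accounts.
USERS = [
    {"sAMAccountName": "alice", "mail": "alice@domain.com",
     "proxyAddresses": ["SMTP:alice@internal.domain.com", "X400:c=GB;a= ;p=Org;"]},
    {"sAMAccountName": "bob", "mail": "bob@domain.com",
     "proxyAddresses": ["SMTP:bob@domain.com"]},
    {"sAMAccountName": "carol", "mail": "carol@domain.com",
     "proxyAddresses": ["SMTP:carol@domain.com", "smtp:carol@internal.domain.com"]},
]

def audit(users):
    """Map each account name to its list of findings (empty list means ok)."""
    return {u["sAMAccountName"]: audit_user(u) for u in users}

if __name__ == "__main__":
    for name, findings in audit(USERS).items():
        print(name, "->", findings or "ok")
```
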
