
Macromullet

macrumors newbie
Jul 3, 2007
17
0
I have confirmed it is an authentication issue. On our IIS server we have hundreds of entries in a row from my iPhone at the time I tried to log on. Each entry returns HTTP 401 which is authentication failed. Safari seems to be stuck in some sort of loop.
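The pattern described in this post, a long unbroken run of 401 responses to one client, can be pulled out of an IIS W3C log with a short script. This is an added example, not part of the original post; the log lines, addresses, user-agent strings and the threshold of 5 are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (not taken from the thread).
# The first client shows a normal NTLM handshake: two 401s, then a 200.
# The second client never gets past 401.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2007-07-03 21:14:01 192.0.2.10 GET /exchange/ 401 Mozilla/4.0+(compatible;+MSIE+7.0)
2007-07-03 21:14:01 192.0.2.10 GET /exchange/ 401 Mozilla/4.0+(compatible;+MSIE+7.0)
2007-07-03 21:14:02 192.0.2.10 GET /exchange/ 200 Mozilla/4.0+(compatible;+MSIE+7.0)
""" + "".join(
    f"2007-07-03 21:15:{s:02d} 198.51.100.7 GET /exchange/ 401 Mozilla/5.0+(iPhone)\n"
    for s in range(12)
)


def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def find_401_loops(text, threshold=5):
    """Return {(client, uri): longest run of consecutive 401s} for runs >= threshold."""
    current = defaultdict(int)
    longest = defaultdict(int)
    for row in parse_w3c(text):
        key = (row["c-ip"], row["cs-uri-stem"])
        if row["sc-status"] == "401":
            current[key] += 1
            longest[key] = max(longest[key], current[key])
        else:
            current[key] = 0  # any other status ends the run
    return {k: n for k, n in longest.items() if n >= threshold}


if __name__ == "__main__":
    for (client, uri), run in find_401_loops(SAMPLE_LOG).items():
        print(f"{client} {uri}: {run} consecutive 401 responses")
```

The threshold sits above 2 because a successful NTLM handshake itself logs two 401 responses before the 200.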
 

Leonardj

macrumors newbie
Jul 3, 2007
6
0
Owa

Marcomullet -

Any ideas for a fix? I am stuck and obviously much less tech. qualified than you. This is a real downer as I can't keep the phone w/o some sort of access to office email.


Thanks,

Leonard

> I have confirmed it is an authentication issue. On our IIS server we have hundreds of entries in a row from my iPhone at the time I tried to log on. Each entry returns HTTP 401 which is authentication failed. Safari seems to be stuck in some sort of loop.
 

Macromullet

macrumors newbie
Jul 3, 2007
17
0
OK I was able to work around this but I'm not sure if it's going to be available in large enterprises.

The solution is to only allow basic auth to OWA. If NTLM auth is enabled along with basic auth, then apparently the iPhone Safari browser doesn't handle it well and it gets caught in a loop.

As soon as I check that I only want to allow basic auth I can authenticate and use OWA over SSL.

Note I don't condone any of the security ramifications associated with this change. I'm just merely reporting my results.
 

Leonardj

macrumors newbie
Jul 3, 2007
6
0
Marco,

Thanks, where do I find the menu on our server to make the change?

Leonard
> OK I was able to work around this but I'm not sure if it's going to be available in large enterprises.
>
> The solution is to only allow basic auth to OWA. If NTLM auth is enabled along with basic auth, then apparently the iPhone Safari browser doesn't handle it well and it gets caught in a loop.
>
> As soon as I check that I only want to allow basic auth I can authenticate and use OWA over SSL.
>
> Note I don't condone any of the security ramifications associated with this change. I'm just merely reporting my results.
 

finiteyoda

macrumors member
Apr 10, 2007
30
0
I believe you can also enable "Light Mode", for non-IE browsers which don't support seamless NTLM auth. This is what we do at Microsoft, anyway... when I use IE I get a "rich" client, and when using Safari or FF I get the "light client" which I prefer anyway. The light client works fine for my iPhone.

One other thing I noticed, when typing, if you use autocomplete and a space gets added at the end of the username, OWA reports a bad username/password!
 

paulpet

macrumors member
Sep 7, 2006
59
9
> OK I was able to work around this but I'm not sure if it's going to be available in large enterprises.
>
> The solution is to only allow basic auth to OWA. If NTLM auth is enabled along with basic auth, then apparently the iPhone Safari browser doesn't handle it well and it gets caught in a loop.
>
> As soon as I check that I only want to allow basic auth I can authenticate and use OWA over SSL.
>
> Note I don't condone any of the security ramifications associated with this change. I'm just merely reporting my results.

That should be fine, as long as all authentication is happening over SSL. I don't believe browsers running on OS X that are able to talk to Exchange can use NTLM anyway - and would be reverting to basic.

I could be wrong though.
 

Macromullet

macrumors newbie
Jul 3, 2007
17
0
Leonard,

You have to make this change on the IIS server that hosts OWA. I'd ask your admin about it as the instructions might be quite lengthy. I really can't recommend doing this however as further testing has shown that this prevents ActiveSync clients from being able to synchronize. A guy in my office uses ActiveSync with Windows Mobile 6.0 and after I turned off NTLM he couldn't sync his Exchange emails, so I was forced to turn it back on. It's really a browser issue.

As for the light mode. We have that enabled I think because that's what I get when I use Firefox on the PC and Firefox/Safari on OS X. Still, I can't even get to that with NTLM enabled, but again, I can't disable NTLM because it messes up our ActiveSync clients it seems.

Catch-22
 

Leonardj

macrumors newbie
Jul 3, 2007
6
0
Owa

Well thanks. It shouldn't be this hard.

Leonard

> Leonard,
>
> You have to make this change on the IIS server that hosts OWA. I'd ask your admin about it as the instructions might be quite lengthy. I really can't recommend doing this however as further testing has shown that this prevents ActiveSync clients from being able to synchronize. A guy in my office uses ActiveSync with Windows Mobile 6.0 and after I turned off NTLM he couldn't sync his Exchange emails, so I was forced to turn it back on. It's really a browser issue.
>
> As for the light mode. We have that enabled I think because that's what I get when I use Firefox on the PC and Firefox/Safari on OS X. Still, I can't even get to that with NTLM enabled, but again, I can't disable NTLM because it messes up our ActiveSync clients it seems.
>
> Catch-22
 

paulpet

macrumors member
Sep 7, 2006
59
9
> Leonard,
>
> You have to make this change on the IIS server that hosts OWA. I'd ask your admin about it as the instructions might be quite lengthy. I really can't recommend doing this however as further testing has shown that this prevents ActiveSync clients from being able to synchronize. A guy in my office uses ActiveSync with Windows Mobile 6.0 and after I turned off NTLM he couldn't sync his Exchange emails, so I was forced to turn it back on. It's really a browser issue.
>
> As for the light mode. We have that enabled I think because that's what I get when I use Firefox on the PC and Firefox/Safari on OS X. Still, I can't even get to that with NTLM enabled, but again, I can't disable NTLM because it messes up our ActiveSync clients it seems.
>
> Catch-22

I disabled NTLM on our Exchange/OWA server. ActiveSync clients seem to be unaffected (so far) - and my iPhone Safari client is now able to connect to webmail - so thanks for looking into this.

-Paul
 

eddietr

macrumors 6502a
Oct 29, 2006
807
0
Virginia
> Leonard,
>
> You have to make this change on the IIS server that hosts OWA. I'd ask your admin about it as the instructions might be quite lengthy. I really can't recommend doing this however as further testing has shown that this prevents ActiveSync clients from being able to synchronize. A guy in my office uses ActiveSync with Windows Mobile 6.0 and after I turned off NTLM he couldn't sync his Exchange emails, so I was forced to turn it back on. It's really a browser issue.
>
> As for the light mode. We have that enabled I think because that's what I get when I use Firefox on the PC and Firefox/Safari on OS X. Still, I can't even get to that with NTLM enabled, but again, I can't disable NTLM because it messes up our ActiveSync clients it seems.
>
> Catch-22

There must be a solution to that, because our mail server still supports activesync AND the iPhone. So does our client whom I access via OWA. So it is possible, you just need to figure out how.

I don't admin our exchange box. In fact, I'm not even in IT. So I'm afraid I can't help much there except ask them on Thurs.
 

UltraDean

macrumors newbie
Original poster
Jul 1, 2007
27
6
Wow. Thanks guys. We're finally getting somewhere...at least in understanding the root of the issue.
 

Macromullet

macrumors newbie
Jul 3, 2007
17
0
I'll continue to investigate. I actually have a PocketPC with ActiveSync that I'm replacing (hence my desire to have this work also so I can do some testing on my own late at night).

We are using Exchange 2003 SP2 BTW. It might be good to know what versions of Exchange others are using.
 

Leonardj

macrumors newbie
Jul 3, 2007
6
0
Strictly a lay guy who can get web mail from my office Exchange on my MacBook, Windows machine, local coffee shop, the guy's computer next door, my current PDA, but not on the iPhone via Safari.

:rolleyes:
Leonard
> I would be interested to learn what criteria leads you to this conclusion.
 

paulpet

macrumors member
Sep 7, 2006
59
9
> I'll continue to investigate. I actually have a PocketPC with ActiveSync that I'm replacing (hence my desire to have this work also so I can do some testing on my own late at night).
>
> We are using Exchange 2003 SP2 BTW. It might be good to know what versions of Exchange others are using.

As long as you have only Basic authentication set for the "Exchange" directory on the web server, but have NTLM (and Basic) set for the Exchange-OMA & Microsoft-Server-ActiveSync objects, you should find that ActiveSync will continue to work along with iPhone Safari connectivity.

Other combinations will cause one or the other to function but not both at the same time.

-Paul
 

Macromullet

macrumors newbie
Jul 3, 2007
17
0
I'll look into that. I disabled NTLM just on exchange, but I haven't verified that it is enabled on the other virtual directories.

I'll try it as soon as I can and let you know the results.
 

SMM

macrumors 65816
Sep 22, 2006
1,334
0
Tiger Mountain - WA State
> Strictly a lay guy who can get web mail from my office Exchange on my MacBook, Windows machine, local coffee shop, the guy's computer next door, my current PDA, but not on the iPhone via Safari.
>
> :rolleyes:
> Leonard

And every one of those things, that are working for you now, probably did not work at some point in time. Maybe when you 'drove up' things were working. But, few technological advances were bought without a trail of tears. It is not a perfect world in IT.

You sound like someone who does not have appreciation for the incredible complexity of today's technology. Tens of thousands (maybe hundreds of thousands) of people worked on the array of challenges it took to put email in the little device you have in your hand. All it takes is one small error, omission, or admin's checkbox and you are 'singing the blues'.

Others have reported that they are using this function successfully. So, it is probably not an issue with the phone. Have your IT department work the issue. That is what they are paid for.

When you get this resolved, always remember, there is a lot of blood spilled on the cutting edge. If you do not have the patience for it, wait awhile. My God, the thing has only been out for about four days. The 'underground how-to' is just getting started.
 

Macromullet

macrumors newbie
Jul 3, 2007
17
0
paulpet,

Have you confirmed that is how your environment is configured? As soon as I turn off NTLM nothing will sync.

Here is what we have in our environment when it works:
OMA - Basic Only
Microsoft-Server-ActiveSync - Basic Only
Exchange - NTLM and Basic

I tried changing it to what you suggested
OMA - Basic and NTLM
Microsoft-Server-ActiveSync - Basic and NTLM
Exchange - Basic only

And ActiveSync immediately stopped working on my PPC6300 device running Windows Mobile 5.0. As soon as I enabled NTLM again on the Exchange things started working.

The documentation from this Exchange MVP and every other ActiveSync configuration documentation I've found says that NTLM is needed on the Exchange virtual dir:

http://www.shijaz.com/exchange/Exchange_ActiveSync_Windows_Mobile.htm
He says:
"Windows Integrated Authentication should be enabled on the Exchange virtual directory on the Exchange server."

At this point I'm really interested to know how you have it working cause turning off NTLM definitely grinds things to a halt on my server.

Thanks for your help in resolving this with me.
 

Macromullet

macrumors newbie
Jul 3, 2007
17
0
OWA is Outlook Web Access.

It's essentially a fancy marketing term that means

"An Outlook style web-interface into Exchange Server"
 

paulpet

macrumors member
Sep 7, 2006
59
9
macro,

I went through a short process of trial and error, but what I wrote earlier is definitely working for me.

I probably should say I am not an Exchange administrator, I manage our IT department - but I didn't want to hassle one of my mail admins to troubleshoot this issue for the one person in our company (that I know of) that has an iPhone. So I am somewhat ignorant in the underlying mechanics of the OWA server. But know just enough to cause some mischief. :)

Here is the definitive list of directories and objects under our Default Web Site configuration for the exchange server that have either Basic, NTLM or both authentications configured. I'm not sure what's relevant and what's not - that's why I'm listing them all.

Exadmin - NTLM only
Exchange - Basic only
Exchange-OMA - NTLM & Basic
Microsoft-Server-ActiveSync - NTLM & Basic
OMA - Basic only
Public - Basic only
 

Macromullet

macrumors newbie
Jul 3, 2007
17
0
YES! I figured this out. paulpet, thanks for the help and information on your configuration. By cross referencing your config with mine and using good ol' google I was able to find this article:

http://support.microsoft.com/kb/817379/

The key here is that you had an Exchange-OMA directory and we didn't. What Exchange allows you to do (the article above was written to address SSL requirements) is create one virtual dir for ActiveSync and another for the OWA area you would normally see over the web. Both use HTTP of course but you can create the Exchange-OWA vdir and put different restrictions/authentication types on it. Like you can say that that directory doesn't require SSL (which is a requirement for ActiveSync to work) and that it DOES require NTLM (also a requirement for ActiveSync).

By having that virtual directory, you are free to change the Exchange virtual dir to whatever you need. In our case, requiring SSL and supporting basic auth only. This actually creates a more secure configuration because it enforces SSL for users using OWA (not possible if ActiveSync and OWA access the same vdir).

Anyway, if anyone has any questions LTM. The above article describes the process, but I definitely wouldn't attempt it unless you have rights to do so and you know what you are doing (in case it doesn't work for you).

Good luck!
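An added example (not code from the thread or from Microsoft) that audits a per-directory authentication inventory like the ones posted above, using paulpet's list as input. The `REQUIRE_SSL` values and the `BROWSER_FACING` set are assumptions made for illustration, and the finding names are hypothetical.

```python
import re

# Inventory in the "name - methods" style used in the thread (paulpet's list).
INVENTORY = """\
Exadmin - NTLM only
Exchange - Basic only
Exchange-OMA - NTLM & Basic
Microsoft-Server-ActiveSync - NTLM & Basic
OMA - Basic only
Public - Basic only
"""
# Assumed values: the posts do not state the SSL setting per directory.
REQUIRE_SSL = {"Exadmin": True, "Exchange": True, "Exchange-OMA": False,
               "Microsoft-Server-ActiveSync": True, "OMA": True, "Public": True}
# Assumed: the directories that users open in a browser.
BROWSER_FACING = {"Exchange", "Public"}


def parse_inventory(text):
    """Map each virtual directory name to the set of auth methods it offers."""
    vdirs = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s+-\s+(.+)$", line)
        if m:
            vdirs[m.group(1)] = {w.lower() for w in
                                 re.findall(r"basic|ntlm", m.group(2), re.I)}
    return vdirs


def audit(vdirs, require_ssl, browser_facing=BROWSER_FACING):
    """Return (directory, finding) pairs, sorted by directory name."""
    findings = []
    for name, methods in sorted(vdirs.items()):
        # Basic sends the password base64-encoded on every request, so it
        # is only acceptable where the directory refuses plain HTTP.
        if "basic" in methods and not require_ssl.get(name, False):
            findings.append((name, "basic-without-ssl"))
        # The combination the thread found to trap iPhone Safari in a 401 loop.
        if name in browser_facing and {"basic", "ntlm"} <= methods:
            findings.append((name, "ntlm-and-basic-offered-to-browsers"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_inventory(INVENTORY), REQUIRE_SSL):
        print(f"{name}: {finding}")
```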
 

jbellanca

macrumors 6502
Jul 2, 2007
451
138
> Unfortunately, I'm not able to access our Exchange server via IMAP, so I was hoping to at least be able to check it via OWA. Oddly enough, I get as far as the login using Safari on the iPhone, but it just stalls after that.
>
> Has anyone had any success with OWA?

Yes, works great.
 

Macromullet

macrumors newbie
Jul 3, 2007
17
0
As far as I can tell, it only doesn't work if you have NTLM enabled and are using integrated auth.

If you use forms based auth (you type your login into a welcome screen, rather than the iPhone asking you for credentials) or have your server configured to support basic auth only, you won't run into issues.
 