The Page Must be Viewed Over a Secure Channel When Accessing a 2003 Mailbox Using a Client Access Server

 

Exchange 2003 and Exchange 2007 serve Outlook Web Access (OWA) very differently.  In 2003, the actual back end server, and more specifically STORE.EXE, was responsible for generating the OWA view.  In 2007, the Client Access Server (CAS) is responsible for it.

During your migration, you will no doubt reach a point where Client Access Servers are serving your internal or external OWA page while users still have mailboxes on 2003 servers. If you are a smaller installation, say with only 1 or 2 Exchange 2003 servers, you may not have had 2003 Front End servers, which means users accessed the back end server directly for OWA.

Since you are a good admin, and you wanted to encrypt and protect your users and their data, you have enabled Forms Based Authentication, which means you have deployed SSL. 

Now, when your users attempt to log into their OWA page, after entering their user name and password in the 2007 forms based page, they receive the following message:

[Screenshot: "The page must be viewed over a secure channel" error]

This is because you have set the 2003 Back End server to require SSL in IIS, most likely on the properties of the Default Web Site:

[Screenshot: IIS properties of the Default Web Site with SSL required]

To change this behavior, you need to disable “Require Secure Channel (SSL)” on the following virtual directories:

/Exchange

/ExchWeb

/Public

This is because the Client Access Server proxies your request to the 2003 Back End server over HTTP, not HTTPS.

After you make this change, you will be able to access the OWA page for 2003 users through the CAS servers without issue.  Also, if you enable Integrated Windows Authentication on the /Exchange directory, this will stop passwords from being sent in plain text if users access the OWA page directly from the 2003 server internally.  Still keep port 80 closed externally, of course!
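To confirm the state of your own back end server after the change, the following added example (not part of the original post) requests each of the three virtual directories over plain HTTP and reports whether IIS still demands SSL, or whether Basic authentication is being offered over the unencrypted channel. The host name is passed as an argument, and matching the error page on the phrase "secure channel" is an assumption based on the message in this post's title.

```python
"""Added example: audit how a 2003 back end answers plain-HTTP OWA requests."""
import http.client
import sys

# Virtual directories named in the post.
VDIRS = ("/Exchange", "/ExchWeb", "/Public")


def classify(status, www_authenticate, body=""):
    """Map one plain-HTTP response to a finding."""
    schemes = {v.split()[0].lower() for v in www_authenticate if v.strip()}
    # Assumption: the IIS error page contains the phrase from the post's title.
    if status == 403 and "secure channel" in body.lower():
        return "ssl-required"      # CAS proxying over HTTP will be refused
    if status == 401 and "basic" in schemes:
        return "basic-over-http"   # Basic sends the password base64-encoded, not encrypted
    if status == 401 and schemes & {"negotiate", "ntlm"}:
        return "integrated-only"   # only Integrated Windows Authentication is offered
    return "other"                 # e.g. anonymous content or a redirect


def probe(host, path, port=80, timeout=5):
    """Send one unauthenticated GET over HTTP and classify the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read(4096).decode("latin-1", "replace")
        offered = resp.msg.get_all("WWW-Authenticate") or []
        return classify(resp.status, offered, body)
    finally:
        conn.close()


def audit(host):
    """Return {virtual directory: finding} for the back end server."""
    return {path: probe(host, path) for path in VDIRS}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: owa_http_audit.py <back-end-host>")
    for vdir, finding in audit(sys.argv[1]).items():
        print(f"{vdir:10} {finding}")
```

Run it from an internal machine that can reach the back end on port 80; any `ssl-required` result means the CAS proxy will still fail for that directory.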


One Response to The Page Must be Viewed Over a Secure Channel When Accessing a 2003 Mailbox Using a Client Access Server

  1. Tom Sandoval says:

    Thank you. You solved my problem. Would you uncheck Basic Authentication on the exchange directory when you enable Integrated Windows Authentication?
