Monday, 29 November 2010

Access denied to OWA for new user

The takeaway: Uncheck "user must change password on first login" to access Outlook Web Access.

A customer of ours had a very typical request. They would need "a user called info" to handle mails to info-at-their-domain. They would also be hiring an external person to handle the surge of Info activity they were planning for, using Outlook Web Access. Their infrastructure is Microsoft Small Business Server 2008 with the bundled Exchange 2007.

Step one in any such project-let is not to mistake customers' wants for customers' needs. What they needed was an info mailbox which given users on the inside could read from their own accounts, and a separate account for the external person, who'd have no mailbox of her own but would be allowed to access that same info box.

First things second, create the user. Usually externals would go into a separate Organizational Unit in Active Directory, but since this is a Small Business Server, things just tend to work better (or at all) if mucked about the wrong way. Thus, no extra OU. Just create a user x-username (to at least visually mark that the user is an external) and then peel off extra rights like interactive login or access to shared files.

To create a shared mailbox, you need to use the PowerShell Exchange management console. This process is described elsewhere and I need to google it each time too. The same document will tell you the next two steps needed to allow x-username to read mail from the box and to send mail in the name of the box. I tried doing this using groups, but at least one of the steps failed. It wasn't very clear either which of the options are for the user and which for the mailbox, but in the end I got it to work. Or so I thought.

I sent the external user her credentials and URL to access the shared mailbox directly (which was news to me - https://mail.example.com/owa/info@example.com will take you there). And soon got a reply that there was a problem.

A few back-and-forths later and it turned out that she was unable to log in to OWA. I reset her password, but the problems prevailed.

After some debugging, I tried to uncheck the option in Active Directory Users and Computers where it says that the user must change her password upon first login. This is on by default, and it is a good default. Hey, presto! The account was good, I could log on with the external's credentials and was taken directly to the info mailbox.
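The shared-mailbox provisioning steps described above, plus a check for the password flag that turned out to block OWA, as an added example in the Exchange 2007 Management Shell (not from the original post). The mailbox name "info", the user "x-username", the domain example.com and the mailbox database name are assumptions; replace the database placeholder with your own.

```powershell
# Added example, not part of the original post. Assumed names: mailbox "info",
# external user "x-username", domain example.com, database name is a placeholder.
$sharedAlias  = "info"
$externalUser = "x-username"
$domain       = "example.com"
$mailboxDb    = "<YourServer>\Mailbox Database"   # placeholder, use your own

# 1. Shared mailbox: a disabled AD account that nobody logs on as directly.
New-Mailbox -Name $sharedAlias -Alias $sharedAlias `
    -UserPrincipalName "$sharedAlias@$domain" -Database $mailboxDb -Shared

# 2. Mailbox-level right: lets x-username open the box, including via
#    https://mail.example.com/owa/info@example.com
Add-MailboxPermission -Identity $sharedAlias -User $externalUser `
    -AccessRights FullAccess -InheritanceType All

# 3. AD-level right: lets x-username send mail in the mailbox's name.
#    Grant it to the user itself, not a group, which is where the post's attempt failed.
Add-ADPermission -Identity $sharedAlias -User $externalUser -ExtendedRights "Send As"

# 4. Verify both rights landed on the user and are not merely inherited.
Get-MailboxPermission -Identity $sharedAlias -User $externalUser |
    Select-Object User, AccessRights, IsInherited
Get-ADPermission -Identity $sharedAlias -User $externalUser |
    Where-Object { $_.ExtendedRights -like "*Send-As*" } |
    Select-Object User, ExtendedRights

# 5. The OWA lock-out check. "User must change password at next logon" is stored
#    in Active Directory as pwdLastSet = 0; on this setup OWA denies such a logon
#    instead of prompting for a new password, so check before sending credentials.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=user)(sAMAccountName=$externalUser))"
[void]$searcher.PropertiesToLoad.Add("pwdLastSet")
$result = $searcher.FindOne()
if ($result -eq $null) {
    Write-Warning "User $externalUser not found in Active Directory."
} elseif ([int64]$result.Properties["pwdlastset"][0] -eq 0) {
    Write-Warning "$externalUser must change password at next logon; OWA will deny access until the flag is cleared in ADUC or the password is changed in a Windows session."
} else {
    Write-Host "$externalUser has no pending password change; OWA logon should work."
}
```

Run it in the Exchange Management Shell on the SBS box; step 5 needs no Exchange cmdlets and can be rerun on its own whenever a new external account is handed out.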

What failage. OWA could allow the user to change the initial password. Or could inform that the password needs to be changed first on a proper Windows session. But not like this.

Well, at least I have the user online now, doing her work, and myself another blog posting.