Re: Permanently turn off Integrated Windows Authentication?

From: Ben Winzenz (benwinzenz_at_NOSPAM.gardnerwhite.com)
Date: 12/30/03 

Date: Tue, 30 Dec 2003 11:35:49 -0500

Go into Exchange System Manager and drill down to the http - Exchange
Virtual Server. Exchange and Public directories. Note that you cannot
modify the properties of the Exchange Virtual server itself - those must be
managed by IIS. However, if you are going to make authentication settings
changes, such as on the Exchange and Public virtual directories, you want to
do them here, not in IIS. Exchange will periodically refresh the IIS
Metabase with it's settings. If you set the authentication in IIS, rather
than in ESM, it will quite likely be overwritten by Exchange the next time
the settings are refreshed. 

-- 
Ben Winzenz
Network Engineer
Gardner & White
Exchange FAQ's: http://www.swinc.com/resource/exch_faq.htm
Exchange 2000 FAQ's: http://www.swinc.com/resource/e2kfaq.htm
"Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message
news:eOkMD8uzDHA.536@tk2msftngp13.phx.gbl...
> We haven't been able to determine if and where Exchange might be setting
> Integrated Windows Authentication on other than in IIS.  Does anyone know
IF
> Exchange is doing this, and if so, how to prevent it?  Thanks!
>
>
>
> "David Wang [Msft]" <someone@online.microsoft.com> wrote in message
> news:ORA1MwpzDHA.560@TK2MSFTNGP11.phx.gbl...
> > If that's the case, then your problem is not the setting being lost.  It
> > sounds like something elsewhere is intentionally turning it back on
> > (probably Exchange), so you want to configure Exchange (or however it
> wants
> > you to configure it) to not use Integrated Windows Authentication.
> >
> > -- 
> > //David
> > IIS
> > This posting is provided "AS IS" with no warranties, and confers no
> rights.
> > //
> > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in
message
> > news:%234V3VRXzDHA.2680@TK2MSFTNGP11.phx.gbl...
> > Okay, we've tried what you suggested, making the change to the virtual
> > directory and unchecking the "Integrated Windows Authentication" box,
and
> > then immediately run "NET STOP /y IISADMIN" from a Cmd Prompt, it
> > successfully stops the service and all other dependant Exchange
services.
> > We start all of the services back up and the box remains unchecked.  It
> > remained uncheck for the next 2 days, but then on the 3rd day it was
> checked
> > again automatically.  Just a reminder, this is a Member Server running
> > Windows 2000 SP4 and Exchange 2000 Post-SP3, we stop/start all Exchange
> and
> > IIS services every night for offline backups.  We are attempting to
change
> > this on a Virtual Directory, not the top level of the website.  Is there
> > something we are missing?  Thank you for your help.
> >
> >
> >
> >
> > "David Wang [Msft]" <someone@online.microsoft.com> wrote in message
> > news:OdijbuSyDHA.2508@TK2MSFTNGP12.phx.gbl...
> > > Ok, I've described basically the same solution as Karl.  Only
difference
> > is
> > > that I *know* that stopping IISADMIN will trigger the metabase flush.
> > >
> > > I'll describe what's going on.
> > >
> > > The basic problem is this:
> > > 1. When you make a configuration change to IIS via the UI, it is kept
in
> > > memory (since IIS will frequently take the change live) and NOT
> > immediately
> > > written to disk.
> > > 2. Later, IIS attempts to write the change to disk using an algorithm
to
> > > determine "idleness".
> > > 3. I've seen instances where "idleness" doesn't happen, so the changes
> are
> > > not written to disk after a given time period.  This isn't exactly bad
> > since
> > > IIS will eventually write the change to disk when you stop the
IISADMIN
> > > service... but it's bad news if #4 happens...
> > > 4. Something manages to kill the IISADMIN service before IIS writes
the
> > > change.  This can be an inproc ISAPI crashing, or using IISRESET and
IIS
> > > takes >30 seconds to restart (probably likely with Exchange as a
> > > dependency).  When this happens, the unwritten changes are lost, and
> upon
> > > restart, you get the old settings.
> > >
> > > What you're describing is that somehow, #4 is happening prior to your
> > change
> > > being flushed to disk.  Thus, you're losing your change.  The way you
> work
> > > around this is to basically make the change and IMMEDIATELY cause a
> > metabase
> > > flush to disk to happen.  Stopping the IISADMIN service is one way,
but
> > NOT
> > > using IISRESET.  The sure way to do this is to type:
> > > NET STOP /y IISADMIN  on the commandline
> > >
> > > With IIS6, what we changed was:
> > > 1. Give you a menu option to immediately save all configuration to
disk.
> > > 2. When you exit the UI, automatically initiate a flush to disk.
> > >
> > > We will probably never change this behavior on prior IIS versions
since
> > the
> > > change can be dangerous and cause other potential unknown problems.
> It's
> > > better to have a known problem and workaround than an unknown problem
> with
> > > an unknown workaround.
> > >
> > > -- 
> > > //David
> > > IIS
> > > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> > > //
> > > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in
> message
> > > news:uOPN55JyDHA.1736@TK2MSFTNGP09.phx.gbl...
> > > Yes, I believe this is a bug as well, I have seen several posts in
this
> > > newsgroup over the last several months with others having the same
> issue.
> > > Could the MS guy elaborate of what might be wrong or where to look for
> the
> > > source of the problem, what to fix?
> > >
> > > Our issue has been very inconsistent, we stop all web services during
> our
> > > offline Exchange backup every night.  And even though we have
unchecked
> > the
> > > box for "Integreated Windows Authentication" it will sometimes stay
> > > unchecked when the web services are restarted but most of the time the
> box
> > > is rechecked automatically.
> > >
> > > Thanks Karl, I try what you have suggested.
> > >
> > >
> > > "Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message
> > > news:%2349xah9xDHA.2116@TK2MSFTNGP11.phx.gbl...
> > > > This has been happening to me ever since 2001.  I believe it's a
known
> > > bug,
> > > > possibly where the IIS Metabase isn't properly being saved on exit.
> > What
> > > I
> > > > was able to do is make that change AND ONLY that one change in one
> > place,
> > > > and then right-click to stop and restart the web server instance
> [and/or
> > > > stop and restart the WWW service in Windows].  Then immediately go
> back
> > > into
> > > > IIS and confirm that the setting is still there.  If it is, you
should
> > be
> > > > OK.
> > > >
> > > >
> > > > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in
> > message
> > > > news:eDXqDrnxDHA.2436@TK2MSFTNGP09.phx.gbl...
> > > > > Is there a way to permanently turn off Integrated Windows
> > Authentication
> > > > on
> > > > > Windows 2000 SP4 IIS 5.0?
> > > > >
> > > > >
> > > > >
> > > > > We know that you can uncheck the box for it on the Properties for
> that
> > > > > specific virtual directory under Authentication Methods, but every
> > time
> > > > the
> > > > > server is rebooted or if the IIS Admin Service is restarted it
> > > > automatically
> > > > > checks that box back on.
> > > > >
> > > > >
> > > > >
> > > > > We have Exchange 2000 Post-SP3 running on this box (not a DC) and
we
> > > don't
> > > > > want the Domain field box showing up for clients logging into OWA.
> We
> > > > only
> > > > > want Basic Authentication over forced SSL (which we have
configured
> > and
> > > > > working fine).  We've noticed that down-level clients for some
home
> > > users
> > > > > can't login IF Integrated Windows Authentication is checked on.
> > > > >
> > > > >
> > > > >
> > > > > Is there a registry setting to disable this or a script that will
> > > disable
> > > > it
> > > > > that we could run at machine start up?  Thanks for any ideas or
> > > > suggestions.
> > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> > >
> >
> >
> >
>
>

Relevant Pages

  • Re: Permanently turn off Integrated Windows Authentication?
    ... (probably Exchange), so you want to configure Exchange (or however it wants ... IIS services every night for offline backups. ... IIS attempts to write the change to disk using an algorithm to ... > restart, ...
    (microsoft.public.inetserver.iis.security)
  • RE: OWA Not working Page not Found
    ... you reset the Exchange OWA virtual directories on SBS: ... How to reset the default virtual directories that are required to provide ... Outlook Web Access, Exchange ActiveSync, and Outlook Mobile Access services ... your screen until you reach the Setup Type page of the IIS 6.0 Resource Kit ...
    (microsoft.public.windows.server.sbs)
  • Re: public folders snap-in is hanging mmc.exe
    ... there are the following Exchange related Virtual Directories ... Exadmin virtual root (the default Web site is "Default Web Site"). ... Restart IIS Admin Service. ...
    (microsoft.public.windows.server.sbs)
  • Re: SBS 2003 PDA Sync Problem - Error 0x85010014
    ... Export all mails in Mailbox as .PST file. ... Remove the Exchange Attribute for problematic user with corrupt Exchange ... Please verify Authentication settings by the following steps. ... Open IIS Manager ...
    (microsoft.public.backoffice.smallbiz)
  • RE: no OWA
    ... Once you do that and restart IIS you should see the ASP.NET tab and it had ... the Exchange related VDs in IIS. ... To restart the Microsoft Exchange System Attendant service, ... This newsgroup only focuses on SBS technical issues. ...
    (microsoft.public.windows.server.sbs)