Microsoft KB Archive/267936

= XIMS: Directory Service to Metabase Service May Not Replicate the Default Logon Domain for Virtual Servers =

Article ID: 267936

Article Last Modified on 2/21/2007


APPLIES TO


 * Microsoft Exchange 2000 Server Standard Edition
 * Microsoft Internet Information Services 5.0




This article was previously published under Q267936





SYMPTOMS
Users who attempt to log on to Microsoft Outlook Web Access (OWA) without specifying the domain may not be authenticated, even though the default domain is configured in Exchange System Manager under Authentication Methods for a Hypertext Transfer Protocol (HTTP) virtual directory.



CAUSE
This problem can occur if the Directory Service to Metabase replication service does not correctly write the default logon domain to the metabase.



RESOLUTION
To resolve this problem, obtain the latest service pack for Microsoft Exchange 2000 Server. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

301378 XGEN: How to Obtain the Latest Exchange 2000 Server Service Pack

Under all other circumstances, make OWA virtual directory configuration changes from Exchange System Manager. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

264941 XCCC: Changes to Virtual Directory Settings Are Not Maintained

You can also resolve this problem by configuring the default domain from the Internet Services Manager:
 1. Open the properties of the virtual directory, click Directory Security, and then click Anonymous Access.
 2. Click Authentication Control, click Basic Authentication, and then set the default domain.

If you want this setting to be implemented when you gain access to OWA by using a front-end server, the respective virtual directory on your front-end server needs to be configured with the same default domain. Unfortunately, because of the nature of front-end servers, you must use the workaround that is described in the "Workaround" section of this article to do so.

You can use a backslash (\) as the default domain to check users' credentials against all trusted domains, instead of just a single domain that is specified. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

168908 How to Authenticate a User Against All Trusted Domains



WORKAROUND
The resolution that is described in the "Resolution" section of this article does not work for front-end servers because the local path for the Exchange virtual root is no longer valid from Internet Services Manager on the front-end server. When you attempt to gain access to the Directory Security tab, you receive the following error message:

The path does not exist or is not a directory.

To work around this problem, use one of the following methods:

Set the default domain for basic authentication at a higher level to force inheritance. For example, when you set the default domain at the WWW service level or at the default website and then apply the setting, a dialog box is displayed that states the following:

The following child nodes also define the value of the 'Default Logon Domain' property, which overrides the value you have just set. Please select from the list below those nodes which should use the new value.

Be sure to select the virtual directory that you want to modify so that inheritance propagates the default domain to that level. Because inheritance does not always automatically propagate, after you change a property on an individual server, directory, or file, changes to the settings at the higher level might not automatically override the lower-level individual setting (see page 344 of the Internet Information Server 5.0 documentation). In this situation, you must manually make changes to the metabase:

 cd :\inetpub\adminscripts
 adsutil set w3svc/1/root/Exchange/DefaultLogonDomain " "
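A read-only check of which metabase nodes define DefaultLogonDomain explicitly and which value the OWA virtual directory actually resolves to, as an added example that is not part of the original Microsoft article. It assumes the IIS ADSI provider on the local server; the script name audit-logon-domain.vbs and the EXPECTED_DOMAIN argument are placeholders chosen for this example.

```vbscript
' Added example (not from the KB article): audit DefaultLogonDomain in the IIS 5.0 metabase.
' Usage: cscript //nologo audit-logon-domain.vbs EXPECTED_DOMAIN
' The script name and EXPECTED_DOMAIN are placeholders; the Exchange path is the one the article uses.
Option Explicit
Const IIS_ANY_PROPERTY = 0   ' list the property whether or not it is inheritable
Dim expected, svc, paths, p, node, value, mismatches

If WScript.Arguments.Count <> 1 Then
    WScript.Echo "usage: cscript //nologo audit-logon-domain.vbs EXPECTED_DOMAIN"
    WScript.Quit 2
End If
expected = WScript.Arguments(0)
mismatches = 0

' GetDataPaths returns every node under W3SVC where the property is set explicitly.
Set svc = GetObject("IIS://LocalHost/W3SVC")
On Error Resume Next
paths = svc.GetDataPaths("DefaultLogonDomain", IIS_ANY_PROPERTY)
If Err.Number <> 0 Then
    WScript.Echo "DefaultLogonDomain is not set at any level under W3SVC."
    WScript.Quit 1
End If
On Error GoTo 0

' An explicit value on a child node overrides whatever is set above it.
For Each p In paths
    Set node = GetObject(p)
    value = node.DefaultLogonDomain
    If StrComp(value, expected, vbTextCompare) = 0 Then
        WScript.Echo "OK        " & p & " = " & value
    Else
        mismatches = mismatches + 1
        WScript.Echo "MISMATCH  " & p & " = """ & value & """"
    End If
    If value = "\" Then WScript.Echo "          (checks credentials against all trusted domains)"
Next

' Effective value at the OWA virtual directory, whether inherited or explicit.
Set node = GetObject("IIS://LocalHost/W3SVC/1/ROOT/Exchange")
WScript.Echo "Effective value at W3SVC/1/ROOT/Exchange: """ & node.DefaultLogonDomain & """"
If mismatches > 0 Then WScript.Quit 1
```

A MISMATCH line on a node below the level where you set the domain is the case the inheritance dialog box describes: that node keeps its own value until it is selected in the dialog box or set directly.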





STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Microsoft Exchange 2000 Server Service Pack 1.



MORE INFORMATION
For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

240105 XGEN: General Information on Directory Service/Metabase Synchronization in Exchange 2000 Server

Additional query words: DS2MB FE ISM exch2kp2w

Keywords: kbbug kberrmsg kbfix KB267936


© Microsoft Corporation. All rights reserved.