Microsoft KB Archive/941201

= Error message when you try to log on to Exchange 2007 by using Outlook Web Access: &quot;440 Login Timeout&quot; =

Article ID: 941201

Article Last Modified on 8/15/2007

-

APPLIES TO


 * Microsoft Exchange Server 2007 Standard Edition
 * Microsoft Exchange Server 2007 Enterprise Edition

-



SYMPTOMS
When you try to log on to Microsoft Exchange Server 2007 by using Microsoft Office Outlook Web Access, you receive the following error message:

440 Login Timeout



CAUSE
This issue occurs if a permissions issue or an authentication issue exists in Internet Information Services (IIS) or in the IIS metabase.



RESOLUTION
To resolve this problem, follow these steps. After each step, determine whether the problem is solved. If the problem persists, continue to the next step.

Step 1: Delete and then re-create the Outlook Web Access-related virtual directories
To delete the Outlook Web Access-related virtual directories, follow these steps:
 * 1) Start the Exchange Management Shell.
 * 2) Type the following commands. Press ENTER after you type each command.

Note These commands are case-sensitive.
 * 1) * Remove-OwaVirtualDirectory &quot;exchange (default web site)&quot;
 * 2) * Remove-OwaVirtualDirectory &quot;public (default web site)&quot;
 * 3) * Remove-OwaVirtualDirectory &quot;exchweb (default web site)&quot;
 * 4) * Remove-OwaVirtualDirectory &quot;owa (default web site)&quot;

To re-create the Outlook Web Access-related virtual directories, type the following commands at the Exchange Management Shell. Press ENTER after you type each command:
 * New-OwaVirtualDirectory &quot;exchange&quot; -OwaVersion Exchange2003or2000 -VirtualDirectoryType Mailboxes -WebSiteName &quot;Default Web Site&quot;
 * New-OwaVirtualDirectory &quot;public&quot; -OwaVersion Exchange2003or2000 -VirtualDirectoryType PublicFolders -WebSiteName &quot;Default Web Site&quot;
 * New-OwaVirtualDirectory &quot;exchweb&quot; -OwaVersion Exchange2003or2000 -VirtualDirectoryType Exchweb -WebSiteName &quot;Default Web Site&quot;
 * New-OwaVirtualDirectory -name &quot;owa&quot; -OwaVersion Exchange2007 -WebSiteName &quot;Default Web Site&quot;

Step 2: Re-synchronize the passwords
Re-synchronize the passwords in the metabase and in the Active Directory directory service for the following accounts:
 * IUSR_
 * IWAM_

To do this, follow these steps:  Start a command prompt, and then use the cd command to change to the following directory:

c:\inetpub\adminscripts

 Type the following command, and then press ENTER:

notepad adsutil.vbs

  Locate the following code. If (Attribute = True) then IsSecureProperty = True Else IsSecureProperty = False End If  In this code, change the value for IsSecureProperty from True to False, and then save the changes to the file.

Important After you follow steps 1 through 4 to re-synchronize the passwords, you must change the first IsSecureProperty value back to True and then save the changes to the file. At the command prompt, type the following command, and then press ENTER:

cscript adsutil.vbs get w3svc1\anonymoususerpass

Results that resemble the following are returned:

Microsoft (R) Windows Script Host Version 5.6 Copyright (C) Microsoft corporation 1996-2001. All rights reserved.

anonymoususerpass      : (STRING) &quot;HtV9o2w.18)@SY&quot;

Note You may receive error code -2147024893 when you run this command. This issue occurs if the Anonymoususerpass property is set at the w3svc level for all Web sites and not at the particular Web site level (w3svc1). In this scenario, modify the get command to specify the w3svc level. To do this, type the following command, and then press ENTER:

cscript adsutil.vbs get w3svc\anonymoususerpass

 Copy the password that is displayed between the quotation marks in the returned results, and then use this password to reset the password for the IUSR_ account.</li> At the command prompt, type the following command, and then press ENTER:

cscript adsutil.vbs get w3svc1\wamuserpass

Results that resemble the following are returned:

<pre class="fixed_text">Microsoft (R) Windows Script Host Version 5.6 Copyright (C) Microsoft corporation 1996-2001. All rights reserved.

wamsuserpass               : (STRING) &quot;Tl&b9^1n9`7g*9&quot;

Note If you receive error code -2147024893 when you run this command, type the following command, and then press ENTER:

cscript adsutil.vbs get w3svc\wamuserpass

</li> Copy the password that is displayed between the quotation marks in the results, and then use this password to reset the password for the IWAM_ account.</li> Follow steps 1 through 3 to view the IsSecureProperty entry in the adsutil.vbs file. Revert the value of the first IsSecureProperty entry to True, and then save the changes to the file.</li></ol>

Step 3: Remove the Anonymoususerpass property from the ROOT container in the metabase
To remove the Anonymoususerpass property from the ROOT container in the metabase, follow these steps: <ol> Start a command prompt, and then use the cd command to change to the following directory:

c:\inetpub\adminscripts

</li> Type the following command, and then press ENTER:

cscript adsutil.vbs find w3svc/anonymoususerpass

Results that resemble the following are returned:

<pre class="fixed_text">Microsoft (R) Windows Script Host Version 5.6 Copyright (C) Microsoft corporation 1996-2001. All rights reserved.

Property anonymoususerpass found at: w3svc

</li> If the Anonymoususerpass property is set at w3svc and at w3svc/1/ROOT, remove the property from the ROOT level. To do this, type the following command, and then press ENTER:

cscript adsutil.vbs delete w3svc/1/ROOT/anonymoususername

</li> Reset IIS. To do this, type iisreset, and then press ENTER.

Note You may also have to restart the Client Access Server (CAS).</li></ol>

Step 4: Verify that Anonymous authentication is enabled for the controls virtual directory and for the auth virtual directory
Verify that Anonymous authentication is enabled for the controls virtual directory under the owa virtual directory in IIS. Also, verify that Anonymous authentication is enabled for the auth virtual directory under the owa virtual directory in IIS. To do this, follow these steps:
 * 1) Start the Internet Information Services (IIS) Manager Microsoft Management Console (MMC) snap-in.
 * 2) Expand the server name, expand Web Sites, expand Default Web Site, and then expand owa.
 * 3) Under owa, right-click 8.0.685.24, and then click Properties.

Note The 8.0.685.24 virtual directory may have a different version number for a name. This depends on the version of Exchange 2007 that is installed.
 * 1) Click the Directory Security tab, and then click Edit under Authentication and access control.
 * 2) Click to select the Enable Anonymous access check box, and then click to clear all the check boxes under Authenticated access.
 * 3) Click OK two times.
 * 4) Under owa, right-click auth, and then click Properties.
 * 5) Follow steps 4 through 6 to enable anonymous authentication and to disable other authentication methods for the auth virtual directory.

Step 5: Verify the IUSR_ account properties
If a domain account is used for anonymous access, examine the account properties of the IUSR_ account to verify that this account is permitted to connect to the CAS server. To do this, follow these steps:

Note To determine the account that is used for anonymous access, follow the steps in &quot;Step 4: Verify that Anonymous authentication is enabled for the controls virtual directory and the Auth virtual directory&quot; to view the contents of the Authentication Methods dialog box. <ol> Start the Active Directory Users and Computers tool.</li> Locate and right-click the IUSR_  account, and then click Properties.</li> Click the Account tab, and then click Log On To.</li> If the All computers option is selected, click Cancel, and then click OK to exit the IUSR_ Properties dialog box.</li> If the The following computers option is selected, follow these steps: <ol style="list-style-type: lower-alpha;"> Verify that the CAS server appears in the Computer name list. If the CAS server does not appear in this list, you must add it.</li> Click OK two times to save the changes and to exit the IUSR_ Properties dialog box.</li> Start a command prompt on the CAS server.</li> Type iisreset /noforce, and then press ENTER.</li></ol> </li></ol>

Additional query words: XCLN OWA

Keywords: kberrmsg kbtshoot kbprb KB941201

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.