Remote Web Workplace in Essential Business Server 2008 Always Prompts for Password and Never Logs In

Posted in 2008, ebs 2008, remote desktop, remote web workplace, sbs 2008, windows

There is a published problem with EBS 2008 where Outlook prompts for a password all the time when connected over HTTP/RPC (Outlook Anywhere) – see the Microsoft EBS Team Blog. We have found that the same problem is also exposed in the Remote Web Workplace when trying to connect over Remote Desktop to your PC or to the servers.

The problem is that authentication for Remote Desktop is broken because Outlook has failed to connect, as described in the published issue mentioned above. The failure of Outlook's authentication breaks the DefaultAppPool in IIS. Recycling the application pool fixes the issue – but only for a short while. It breaks again at the next failed Outlook login. And because the breaks in authentication are caused by Outlook, it is difficult to see why Remote Desktop ceases to operate.

But apply the same fixes from the above blog and Remote Desktop begins to work and stays working.

To fix, run the following four commands from an elevated command prompt on the messaging server:

  • %windir%\System32\inetsrv\appcmd.exe unlock config -section:system.webServer/security/authentication/windowsAuthentication
  • %windir%\System32\inetsrv\appcmd.exe set config "Default Web Site/ews" -section:windowsAuthentication -useKernelMode:False /commit:apphost
  • %windir%\System32\inetsrv\appcmd.exe set config "Default Web Site/AutoDiscover" -section:windowsAuthentication -useKernelMode:False /commit:apphost
  • %windir%\System32\inetsrv\appcmd.exe set config "Default Web Site/OAB" -section:windowsAuthentication -useKernelMode:False /commit:apphost

The above commands are probably wrapped for reading on your screen – each bullet point is a single command to be entered as one line. Instructions for making changes via the GUI can be seen on the above blog post.
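The same four commands with a configuration backup taken first and a verification pass afterwards, as an added PowerShell example that is not part of the original post or the Microsoft blog. The backup name is a constructed value; run it from an elevated PowerShell prompt on the messaging server.

```powershell
# Added example: apply the useKernelMode change from this post, then verify it.
$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$vdirs  = 'Default Web Site/ews', 'Default Web Site/AutoDiscover', 'Default Web Site/OAB'

# Snapshot the IIS configuration so the change can be rolled back.
# The backup name is constructed for this example.
$backup = 'pre-useKernelMode-' + (Get-Date -Format 'yyyyMMdd-HHmmss')
& $appcmd add backup $backup
if ($LASTEXITCODE -ne 0) { throw "appcmd add backup failed (exit $LASTEXITCODE)" }

# Each switch is quoted so PowerShell hands it to appcmd as a single token.
& $appcmd unlock config '-section:system.webServer/security/authentication/windowsAuthentication'
if ($LASTEXITCODE -ne 0) { throw "unlock config failed (exit $LASTEXITCODE)" }

foreach ($vdir in $vdirs) {
    & $appcmd set config $vdir '-section:windowsAuthentication' '-useKernelMode:False' '/commit:apphost'
    if ($LASTEXITCODE -ne 0) { throw "set config failed for '$vdir' (exit $LASTEXITCODE)" }
}

# Read the effective section back. appcmd prints the section as XML and
# leaves out attributes that still hold their default value, so the change
# is only confirmed when useKernelMode="false" is literally present.
$report = foreach ($vdir in $vdirs) {
    $xml = (& $appcmd list config $vdir '-section:windowsAuthentication') -join "`n"
    New-Object PSObject -Property @{
        VirtualDirectory = $vdir
        KernelModeOff    = ($xml -match 'useKernelMode="false"')
    }
}
$report | Format-Table VirtualDirectory, KernelModeOff -AutoSize

if ($report | Where-Object { -not $_.KernelModeOff }) {
    Write-Warning "Not applied everywhere. To roll back: appcmd restore backup $backup"
}
```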

Log On To Restrictions in Essential Business Server

Posted in ebs 2008, sbs 2008, windows

Thirty days after installing Essential Business Server 2008 your licence restrictions take effect. This means that users who are shown as unlicenced in the EBS Management Console will only be able to log into licenced devices (also shown in the EBS Management Console). Only licenced users will be able to log into any computer on the network (unless group policy restrictions limit them).

The licencing enforcement is implemented by the Log On To restriction on the user account. This restriction (on the Account tab of the user's object in the Active Directory Users and Computers administration program) lists the workstations, by NetBIOS name, that the user can log into, and all unlicenced users will have a list of device-licenced machines. All licenced users will be set to allow them to log into any workstation. This list is reset on a regular basis each day, so if you are approaching 30 days since installation, get your user and device licences correct. Don't miss anyone or any shared device off the list, or they will not be able to log in, or the shared computer will not be accessible to any of the unlicenced users.
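The Log On To list is stored in the userWorkstations attribute of the user object as a comma-separated list of NetBIOS names, so the effect of enforcement can be audited directly from Active Directory. The script below is an added example, not part of the original post; it assumes PowerShell 2.0 or later on a domain-joined machine, and the shared device names in `$mustReach` are constructed placeholders.

```powershell
# Added example: report every account that carries a Log On To restriction
# and flag restricted users who cannot reach a named shared device.
$searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user)(userWorkstations=*))'
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.Add('samaccountname')
[void]$searcher.PropertiesToLoad.Add('userworkstations')

$restricted = foreach ($r in $searcher.FindAll()) {
    # userWorkstations is one string: "PC1,PC2,PC3"
    $names = @(([string]$r.Properties['userworkstations'][0]).Split(',') |
               ForEach-Object { $_.Trim() } | Where-Object { $_ })
    New-Object PSObject -Property @{
        User         = [string]$r.Properties['samaccountname'][0]
        Workstations = $names
        Count        = $names.Count
    }
}

# Accounts absent from this report have no restriction and can log on anywhere.
$restricted | Sort-Object User |
    Format-Table User, Count, @{ n = 'LogOnTo'; e = { $_.Workstations -join ', ' } } -AutoSize

# Constructed placeholder names: replace with your own shared devices.
$mustReach = 'RECEPTION-PC', 'WAREHOUSE-PC'
foreach ($pc in $mustReach) {
    $blocked = @($restricted | Where-Object { $_.Workstations -notcontains $pc })
    if ($blocked.Count -gt 0) {
        $who = ($blocked | ForEach-Object { $_.User }) -join ', '
        Write-Warning "$pc is not in the Log On To list of: $who"
    }
}
```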

OWA Login Issues With RWW in SBS and WEBS

Posted in ebs 2008, rww, sbs 2008

Remote Web Workplace (RWW) is a feature of Windows Essential Business Server 2008 (WEBS) and Small Business Server 2008 (SBS). Both of these operating systems provide a web portal to view internal resources such as Outlook Web Access (OWA), SharePoint and Remote Desktop to your own PC.

I have noticed on a number of installations the following error:

There is a problem in Remote Web Workplace. A logon error occurred: There is a problem communicating with the Outlook Web Access server.

There are two reasons for this that I know about. The outcome of this for the user is a popup with the above error in it when clicking the E-Mail or SharePoint link within RWW.

The first is that if you have changed the URL of your RWW site, the Single Sign-On (SSO) functionality is configured to connect to the old URL and so fails. The second reason is that the external URL for RWW is not accessible internally (for example, if the internal Active Directory DNS name is the same internally and externally and the internal DNS zone does not have an A record for the RWW URL).

To fix the first issue you need to make a backup of the web.config file located in “c:\program files\Windows Essential Business Server\Bin\webapp\Remote” and then edit this file (using Notepad or the like) so that the ssoApplications node reads as follows:

Where the serverName value is correct for your environment. Note also that if SharePoint is installed and the Company Web link appears on RWW, this XML node will contain some SharePoint information that will need changing too.

To fix the second issue you need to add an A record to your internal DNS that points to your RWW site and to use the external IP address of this site. If your internal AD/DNS zone is the same as your external zone (i.e. fabrikam.com in the above example) then create a new A record for remote.fabrikam.com on an internal DNS server that has the external IP address of the site as its IP address. If your internal and external DNS zones are separate, ensure that the SBS server or the WEBS Messaging Server resolves the external value correctly.

If neither of these solves your problems with RWW then the place to look is the RWW debug log file. This is located in “c:\program files\Windows Essential Business Server\Logs\WebWorkplace\w3wp” and you need to read the bottom of the file to find the most recent login error (search the file from the bottom upwards for the word “error”).

The above two problems were solved based on the errors found in this debug log file.

Account Rename and Essential Business Server 2008 Installation Failure

Posted in 2008, ebs 2008, windows

The error “cannot find the specified active directory object: winnt:///,user” and “program file folder creation or environment variables setting did not finish successfully” appears during the installation of Essential Business Server 2008 on the Security Server if a group policy exists in your current environment that renames the local administrator account name.

The GPO setting under “Windows Settings\Security Settings\Security Options” called “Accounts: Rename administrator account” that enforces this must be turned off for the domain, because at the time of the EBS installation the security server is located in the Computers container.

Unfortunately, by the time this error occurs you can do nothing about it apart from formatting the hard disks and reinstalling the server!!!

Running Schema Upgrade Tool When You Have No DVD Drive on Infrastructure Master

Posted in 2008, ebs 2008, windows

The Essential Business Server installation steps for the Management Server might require you to insert the Prerequisite Planning Tools DVD into the Infrastructure Master to run schemaupgradetool.exe. What if you do not have a DVD drive on the current infrastructure master?

Then copy SCHEMAUPGRADETOOL.EXE, MMSNETWORKINGNATIVE.DLL and the entire ADPREP folder over the network. Then run SCHEMAUPGRADETOOL from the command line on the infrastructure master.

This takes no parameters to run, and takes a few seconds to start up. When I ran it on a Windows Server 2003 SP2 infrastructure master, though, it popped up an empty dialog box with an OK button and nothing else – this seems to indicate success, and the Management Server installation can now continue.

SBS and WEBS 2008 Backup Fails to Backup Exchange Server

Posted in backup, ebs 2008, exchange, sbs 2008, windows

The following errors are reported in the Event Log Windows Logs/Application when you run the built-in backup that is part of Small Business Server 2008 (SBS) or Windows Essential Business Server 2008 (WEBS):

Event ID 565 – Consistency check for component StorageGroup-GUID\’Microsoft Exchange Server\Microsoft Information Store\SERVER’ failed. Application ‘Exchange’ will not be avaliable in the backup done at time ‘date time’

The Event Viewer log at Application and Services Logs/Microsoft/Windows/Backup/Operational shows that everything completed fine but the Windows Server Backup administrative tool says backup completed with warnings. Double-clicking the backup record shows:

Application will not be available for recovery from this backup. Consistency
check failed for component Microsoft Exchange Server\Microsoft Information
Store\Server-Name\Store-GUID

This seems to be related to having enabled Local Continuous Replication (LCR) on the Exchange mailbox database. This is unfortunate as LCR is such a useful tool in recovery for Exchange Servers that I would want to enable it as a matter of course, and spec my SBS servers to have enough disk space to store LCR copies. Note that the actual Exchange databases and log files are backed up as part of the volume backup, just not as part of the application-aware backup, and that might result in invalid restores as the volume-level backup is not Exchange aware.

Please Microsoft, will you make the VSS backup for Exchange 2007 that is included in SBS and WEBS LCR aware. Thanks.

Remote Web Workplace not operating in SBS 2008 or EBS 2008

Posted in ebs 2008, rww, sbs 2008

If when you log into Remote Web Workplace on Small Business Server 2008 or Essential Business Server 2008 as a non-administrator user you get the following error messages:

Cannot connect to the Remote Web Workplace site. To continue, contact your network administrator.

Event Viewer/Application Log/ASP.NET 2 Warning: Event ID 1309
ArgumentOutOfRangeException “Index was out of range. Must be non-negative and less than the size of the collection.” Request URL: https://server:443/remote/menu.aspx

You need to do the following to fix this error. On the server you need to modify the permissions of the RWWConfig.xml file. This file is located in “C:\Program Files\Windows Small Business Server\Data” or “C:\Program Files\Windows Essential Business Server\Data” depending upon the product that you are running.

  1. Ensure the permissions on the above file are
    Authenticated Users – Read (not inherited)
    NETWORK SERVICE – Read (not inherited)
    SYSTEM – Full Control (inherited from parent folder)
    Administrators – Full Control (inherited from parent folder)
  2. Make sure the Authenticated Users group is a member of the Pre-Windows 2000 Compatible Access group.
  3. Run iisreset from the command line on the server.
  4. Attempt the login again, but first close any copy of Internet Explorer that was running (or attempting to run) RWW.
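Step 1 can be checked without clicking through the Security tab. The script below is an added example, not part of the original post: it compares the file's ACL with the four entries listed above and reports any other allow entry, assuming an English-language server (the account names are the English built-in names). It does not cover the group membership in step 2.

```powershell
# Added example: audit the RWWConfig.xml ACL against the entries in step 1.
$candidates = 'C:\Program Files\Windows Small Business Server\Data\RWWConfig.xml',
              'C:\Program Files\Windows Essential Business Server\Data\RWWConfig.xml'
$path = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $path) { throw 'RWWConfig.xml not found in either product folder' }

# Expected entries, taken from the list in this post.
$expected = @(
    @{ Id = 'NT AUTHORITY\Authenticated Users'; Rights = 'Read';        Inherited = $false },
    @{ Id = 'NT AUTHORITY\NETWORK SERVICE';     Rights = 'Read';        Inherited = $false },
    @{ Id = 'NT AUTHORITY\SYSTEM';              Rights = 'FullControl'; Inherited = $true  },
    @{ Id = 'BUILTIN\Administrators';           Rights = 'FullControl'; Inherited = $true  }
)

$aces = @((Get-Acl -Path $path).Access | Where-Object { $_.AccessControlType -eq 'Allow' })
# Synchronize is added implicitly to most entries, so it is ignored when comparing.
$sync = [int][System.Security.AccessControl.FileSystemRights]::Synchronize

foreach ($e in $expected) {
    $want = [int][System.Security.AccessControl.FileSystemRights]$e.Rights
    $hit = $aces | Where-Object {
        $_.IdentityReference.Value -eq $e.Id -and
        $_.IsInherited -eq $e.Inherited -and
        (([int]$_.FileSystemRights) -bor $sync) -eq ($want -bor $sync)
    }
    $state = if ($hit) { 'OK' } else { 'MISSING OR DIFFERENT' }
    $kind  = if ($e.Inherited) { 'inherited' } else { 'explicit' }
    '{0,-22} {1} - {2} ({3})' -f $state, $e.Id, $e.Rights, $kind
}

# Any allow entry for an identity outside the list is reported for review,
# so the fix does not leave the file more widely readable than intended.
$known = $expected | ForEach-Object { $_.Id }
$aces | Where-Object { $known -notcontains $_.IdentityReference.Value } | ForEach-Object {
    'UNEXPECTED             {0} - {1}' -f $_.IdentityReference.Value, $_.FileSystemRights
}
```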