440 Login Timeout with OWA after running DCPROMO

  • Question

  • Transitioning from Exchange 2003 to 2007 and everything running fine until I ran dcpromo on the new Exchange 2007 box. After that OWA failed with a "Error 440 Login Timeout" message.

    Switching to non-forms-based authorisation solves the problem but that's not ideal. I removed and then reinstalled the CAS Role but still the same issue.

    Finally tried demoting the server by running dcpromo again and after a reboot the forms authorisation starts to work again.

    Reading the posts on Exchange 2003 it seems to be a virtual directory permissions problem, has anyone any idea how I should start to resolve this?

     

    Monday, January 15, 2007 11:21 AM

All replies

  • Did anyone get a resolution for this?

    1. Install a new domain, Server 2003 R2 x64, make it a DC, install Exchange 2007 ... all OK
    2. Enable Outlook Anywhere [using default OWA settings, ie  'Use forms-based authentication'] and OWA fails with 440 !!!

    Note: The event "MSExchange RPC over HTTP Autoconfig Event ID: 3002" was observed and the server was restarted, but the 440 error continues.

    Seems to be a number of people experiencing this but no resolution!!!!

    Wednesday, February 28, 2007 12:25 AM
  • Help, I have the same issue.

     

    Started when I installed rpc over http, and it broke forms authentication, back on windows popup authentication, and i can fix it, did make it worse trying things off forums, but managed to get it back to this now.

     

    Exchange 2007

    Windows 2003 R2 SP1 [ not going to sp2 yet ]

     

    PLEASE HELP

    From a Exchange newbie

     

    Wednesday, March 21, 2007 3:03 PM
  • Does this error occur instantly? I have found that it happens when using forms authentication, but writing code to use windows authentication. You will need to modify the code to work with forms authentication.
    Friday, March 23, 2007 2:02 PM
  • Yes.  Instantly.  I am also getting it the certsrv site.  DC is on.
    Tuesday, March 27, 2007 3:43 AM
  • Bump. Seeing the same problem after a fresh install on 64-bit and enabling outlook anywhere. Switching to popup works temporarily, but login timeout still persists.
    Sunday, April 8, 2007 8:51 PM
  • Running dcpromo after Exchange is installed is not supported

     

    Monday, April 9, 2007 8:42 AM
  • I am running into the same issue as well, except I am on 2003 x64 R2, DCPROMO'd then installed Exchange 2007 with all roles.
    Wednesday, April 11, 2007 3:30 PM
  • As far as I can tell it isn't possible to have a box running Exchange 2007 as a Domain Controller. I've tried clean installations having run dcpromo both before and after installing Exchange 2007 and it always hits the same problem.

     

    That said I've given up on Exchange 2007 for now due to the issue on this thread

     

    http://forums.msexchange.org/m_1800413006/mpage_1/tm.htm#1800433695

     

    I've wasted too much time on this already and will look again when SP1 is released.

    Wednesday, April 11, 2007 3:46 PM
  • IIS gets screwed up by running DCpromo more than Exchange does. It's mostly related to permissions on the filesystem and in IIS

     

    Wednesday, April 11, 2007 4:46 PM
  • Guys,

     

    It's perfectly possible running Exchange 2007 on a Win 2k3 DC. Actually that's the configuration I use today (although it's not recommended because of security issues, etc, etc). BUT you have to run Dcpromo BEFORE Exch2k7 installation, of course...

     

    Regards,

     

    Jairo

    Monday, May 28, 2007 12:05 PM
  • Has anyone got a solution for the 440 error?

    I'm having the same problems when trying to use forms-based authentication.  Works fine with Windows Authentication but I would like to use forms-based for extra security.

    I'm pretty sure it's an IIS problem. Is it possible to reset IIS to its defaults, or does anyone know the default settings for OWA in IIS?

    thanks.
    Thursday, July 5, 2007 6:41 AM
  • I found this solution on http://msmvps.com/blogs/cgross/archive/2004/08/08/11472.aspx

     

    Hopefully it works for you. It worked for me.

     

    OWA 440 Authentication Timeout

    As I mentioned in my earlier post today, I migrated my server here at home this weekend.  Well, once the new server was online, the only hiccup I discovered was that I couldn't access OWA.  I kept getting this bloody '440 Authentication Timeout' page in IE.  And I would get it instantly, so there was no way it was actually timing out.  A quick google on this error returned a half dozen pages of threads, with no resolutions.  As a result, I figured I'd better blog this for future reference . . .

    The root cause of this is the IUSR_<servername> and IWAM_<servername> accounts' passwords being out of sync (between AD & IIS).  Here's the steps necessary to fix this.  (And make sure to verify that neither of these accounts are locked out in AD!  I missed that the first time around and spent an extra hour and a half trying to figure out why it wasn't working! [:^)]

    1)  Open AD Users & Computers.  Expand the Users OU, right-click on the IUSR_<servername> account and select 'Reset password'  Reset the password to anything you want (however, it can't be blank).


    2)  Open this User Account's properties and verify that the account is not locked out  [:^)]  Also, make sure that 'Password never expires' and 'User cannot change password' are selected.

    3)  Repeat steps 1 & 2 for the IWAM_<servername> account.  Close AD Users & Computers.


    4)  Open Internet Information Services  (Start | Administrative Tools)

    5)  Expand <servername> | Web Sites

    6)  Right-click on 'Default Web Site' and select Properties.

    7)  Go to the 'Directory Security' tab and click the Edit button under 'Authentication & Access Control'

    8)  Enter the new password for the IUSR_<servername> account and click OK.

    9)  Enter the password again to confirm and click OK.

    10) Click OK.

    11)  Open a command prompt and enter  iisreset

    12)  At the command prompt, enter the following commands:
            cd c:\inetpub\adminscripts
            adsutil SET w3svc/WAMUserPass <password>    (Where <password> = the password you entered for the IWAM_<servername> account in AD Users & Computers)
            c:\windows\system32\cscript.exe "c:\inetpub\adminscripts\synciwam.vbs" -v
            iisreset

    Voila!  That should fix you right up . . .    [:^)]

    Wednesday, September 19, 2007 4:25 PM
  • thank goodness.  i'd run into this before, but i was never able to fix it without a removal and install of e2k7 which isn't an option this time due to the fact that smart phone certificates would have to be reinstalled.  that would probably get me fired. 

     

    reason i ran a dcpromo was to turn my file share witness / CA HT server into a DC and GC for my cluster.  turns out you can't install clustered mailbox on a DC.  wasted days and wasted nights.

     

    thanks again.

     

    Saturday, November 3, 2007 8:21 PM
  •  Michael

    Thanks a lot.

    Luchero

    Thursday, November 8, 2007 12:31 AM
  • thanks michael, this was exactly right

    cheers
    Monday, January 28, 2008 4:09 PM
  •  

    Cool....it worked for me...Michael.
    Saturday, April 5, 2008 6:58 PM
  • Hello Michael,

     

    Wonderful ! It was out of reach for me to figure this out myself ! But despite some error messages, OWA works again with this solution.

    By the way, in my case after adding ftp service to a working SBS2003 server I immediately got this failure, and ONLY for the OWA website, curious. Perhaps some service installs change the default passwords?

     

    Leonard, Netherlands

     

    Thursday, April 17, 2008 8:31 AM
  •  

    In my case, after the Exchange 2007 schema and domain preparation, the users IUSR_SERVERNAME and IWAM_SERVERNAME were simply restricted in AD to log in on only one computer, other than SERVERNAME. For some reason unknown to me (maybe alien X-rays from Mars?), a GUID duplicating that of one of the workstations was generated for the Exchange server during dcpromo, and AD preparation fixed it as best it could.

    Monday, June 16, 2008 7:51 AM
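
    Added example, not part of any post in this thread: a read-only PowerShell check of the AD-side conditions the posts above name for the IUSR_<servername> and IWAM_<servername> accounts (disabled or locked out, 'Password never expires', and a logon-workstation restriction). It assumes the IIS server is a domain controller, so the accounts live in AD; $ServerName and the function names are made up for this sketch.

```powershell
# Added example: read-only check of the AD side of the IUSR_/IWAM_ accounts.
# $ServerName is an assumption; pass the NetBIOS name of the IIS/OWA server.
param([string]$ServerName = $env:COMPUTERNAME)

$UAC_ACCOUNTDISABLE       = 0x0002    # userAccountControl bit: account disabled
$UAC_DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl bit: 'Password never expires'

function Get-FirstValue($Result, [string]$Name) {
    # Search result property keys are lower-case; a missing attribute is null or empty.
    $values = $Result.Properties[$Name.ToLower()]
    if ($null -ne $values -and $values.Count -gt 0) { return $values[0] }
    return $null
}

function Test-IisAccount([string]$SamAccountName) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    foreach ($attr in 'useraccountcontrol', 'lockouttime', 'userworkstations', 'pwdlastset') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    $result = $searcher.FindOne()
    if ($null -eq $result) { return "${SamAccountName}: NOT FOUND in the current domain" }

    $findings = @()
    $uac = [int](Get-FirstValue $result 'useraccountcontrol')
    if ($uac -band $UAC_ACCOUNTDISABLE) { $findings += 'account is disabled' }
    if (-not ($uac -band $UAC_DONT_EXPIRE_PASSWORD)) { $findings += "'Password never expires' is not set" }

    # A non-zero lockoutTime means a lockout was recorded and has not been cleared.
    $lockout = Get-FirstValue $result 'lockouttime'
    if ($null -ne $lockout -and [long]$lockout -gt 0) {
        $findings += 'lockoutTime set at ' + [DateTime]::FromFileTimeUtc([long]$lockout).ToString('u')
    }

    # userWorkstations is a comma-separated list of hosts the account may log on to.
    $ws = Get-FirstValue $result 'userworkstations'
    if ($ws -and (($ws -split ',') -notcontains $ServerName)) {
        $findings += "logon restricted to '$ws', which excludes $ServerName"
    }

    $pwdSet = Get-FirstValue $result 'pwdlastset'
    if ($null -ne $pwdSet -and [long]$pwdSet -gt 0) {
        $findings += 'info: password last set ' + [DateTime]::FromFileTimeUtc([long]$pwdSet).ToString('u')
    }

    if ($findings.Count -eq 0) { return "${SamAccountName}: no AD-side problems found" }
    return "${SamAccountName}: " + ($findings -join '; ')
}

# 'User cannot change password' is stored as an ACL entry in AD, not as a flag, and
# whether the IIS metabase password matches AD cannot be read from AD; neither is checked.
foreach ($prefix in 'IUSR_', 'IWAM_') { Test-IisAccount ($prefix + $ServerName) }
```

    The script changes nothing; if it reports a lockout or a workstation restriction, clear that in AD before resetting and re-synchronising the passwords.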
  • Michael Benadiba said:

    I found this solution on http://msmvps.com/blogs/cgross/archive/2004/08/08/11472.aspx

     




    Hi All,

    I'm stuck on this problem as well, and after following those steps the problem still exists, as follows:

    First Error:
    C:\Program Files\Support Tools>iisreset /noforce

    Attempting stop...
    Restart attempt failed.
    The service did not respond to the start or control request in a timely fashion.
    ================================================================
    Second Error:

    C:\Program Files\Support Tools>iisreset

    Attempting stop...
    Internet services successfully stopped
    Attempting start...
    Internet services successfully restarted

    C:\Program Files\Support Tools>cd\

    C:\>cd Inetpub

    C:\Inetpub>cd AdminScripts

    C:\Inetpub\AdminScripts>adsutil.vbs SET w3svc/WAMUserPass mynewpasssword

    C:\Inetpub\AdminScripts>adsutil.vbs SET w3svc/WAMUserPass mynewpasssword
    WAMUserPass                     : (STRING) "**********"

    C:\Inetpub\AdminScripts>cd\

    C:\>c:\WINDOWS\system32\cscript.exe "c:\Inetpub\AdminScripts\synciwam.vbs" -v iisreset
    Microsoft (R) Windows Script Host Version 5.6
    Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

    IIS Applications Defined:
    Name, AppIsolated, Package ID
    ROOT, 2,
    atedja, 2,
    Autodiscover, 2,
    CertSrv, 0,
    download, 2,
    EWS, 2,
    Exadmin, 2,
    Exchange, 2,
    Exchweb, 2,
    Microsoft-Server-ActiveSync, 2,
    owa, 2,
    Public, 2,
    UnifiedMessaging, 2,

    Out of process applications defined:
    Count: 1
    {3D14228D-FBE1-11d0-995D-00C04FD919C1}

    Updating Applications:
    Name: IIS Out-Of-Process Pooled Applications Key: {3D14228D-FBE1-11D0-995D-00C04FD919C1}

    /* Support Engineer */
    Wednesday, March 25, 2009 12:08 AM
  • Finally,
    the problem was solved after following "some" of the steps above.
    In fact I didn't need to do the whole lot, only removing the OWA VD.

    a) In the Exchange management console, I made a note of all the settings for OWA.
    Go to "server configuration\ClientAccess", then pick the correct server, then "OWA" tab, right click owa (default web site): properties (Make a note of all the settings for your environment, you will need to restore these settings manually.)

    b) use the Exchange Management shell and run the following:
    (please refer to http://technet.microsoft.com/en-us/library/aa998624.aspx for details)
    1) Get-OwaVirtualDirectory -Server  to check the settings
    2) Remove-OwaVirtualDirectory -Identity  to remove the existing virtual dir (only owa in this case, I didn't touch the others)
    3) New-OWAVirtualDirectory -Name "owa" (I only used the -name parameter, that worked for me)

    c)Go back to the management console and restore properties of owa.

    d) restart IIS via command iisreset /noforce


    I even did it during working hours without affecting email flows.
    /* Support Engineer */
    Wednesday, March 25, 2009 9:54 PM
  • Hello,

    I had this "Error 440 Login Timeout" message after using IIS and checked "Integrated Windows authentication" on OWA Virtual Directory Security.
    After having done this enormous error (Do not use IIS to change Authenticated access with Exchange 2007!!!!) it was impossible for me to get the "forms-based authentication" working again.

    Albert Widjaja gave me the only working solution: Remove OWA Virtual Directory and recreate it.

    Thanks a lot Albert!
    Friday, May 15, 2009 5:41 PM
  • Ah glad to hear that Joasis.

    have great day with OWA 2007 :-)

    Cheers.

    /* Windows Infrastructure Support Engineer */
    Monday, May 18, 2009 11:25 AM
  • Thank you Albert,

     I have not tried your solution yet, but sure I like it. Your solution is simple and more importantly it won't stop mail flowing.

     My system is  exchange 2007 ( Enterprise)   but also a  Global catalog server.  when I first installed EX2007 I did not have other systems available so I cramped everything inside a single server. It  basically works but reboot takes long time, I got a new  dedicated Domain controller now and I made it a  GC as well ( so we have  2 GC here), I would like to  demote the exchange server to a domain member, before I dcpromo it ( a high consequence step, right?) , I'd like you to answer the following  2  questions, thank you very much in advance.

    1.  I will have to reboot the Exchange server after  DCPromo to make it use  GC from the dedicated  DC?
    2.  I have a third-party secure certificate; do I have to re-install this certificate after DCPromo? We use OWA and Outlook Anywhere via this https certificate.

    Your advice is sincerely appreciated.

    Friday, May 29, 2009 3:38 PM
  • Hi atcnf2008,

    the answer is as follows:
    1. Yes, a reboot is necessary as this is Windows:-) and you can also force Exchange Server 2007 to use a specific GC in case you need so here it is:
    Set-ExchangeServer -StaticConfigDomainController -StaticDomainController -StaticGlobalCatalog -StaticExcludedDomainControllers
    please use the necessary parameter only.

    2. a SSL certificate installed in IIS to secure OWA and https doesn't need to be reinstalled again. It won't affect your DCpromo process, the role is already separated.

    Sorry for the late reply, hope that helps.

    /* Windows Infrastructure Support Engineer */
    Wednesday, June 3, 2009 11:08 AM
  • Thank you  Albert for the  great advices and clarifications. I might be able to try this around     July   4th weekend  because we get a dozen users who are using Blackberry ( BES 4.1.6.20),

    any downtime is a serious offense to them , a couple of hours downtime can get me fired. 

     

    I do appreciate your guidance, I'll post any results here should I finally decide to go this step.

    Friday, June 12, 2009 5:07 PM
  • Thank You,  everyone,


    I finally did the DCpromo on the Exchange 2007 server on Sunday. My system is like this: Dell PE 2950 with 2x quad-core, 16G RAM, Windows 2003 Standard x64 R2 SP2 with Exchange 2007 EE SP1. The DCPROMO went flawlessly; it says transfer GC/Master AD roles to the other domain server, and also says shutdown most Exchange services, which ensures a reboot at the end of DCPromo.

    After the reboot, I started testing Exchange services, which are working fine without any changes. Outlook Anywhere works fine, the certificate is OK, and there are 3 areas that need to be tweaked a little. I did not see 404 for OWA however.
    1.  For OWA: it still works right away; the only thing changed a little is a stricter Domain\User login. Our OWA was set as Domain\username but we got away with name only. After DCpromo, this needs to be exact: you have to type Domain\Username to make it work. I changed the OWA setting to user name only with a default domain (the last option in Forms Authentication).

    2.  Some of our Outlook 2007 users couldn't log in on Monday; OL2007 keeps asking for a password like exchange-servername\username. I changed it to Domain Name\username and put the password there, and it got working.

    3. All scheduled tasks are not working; specifically, all our Forefront Security for Exchange scan engine updates are not working. Here is the link and solution:
    http://support.microsoft.com/kb/822904


    Overall,  My experience is that  demoting Exchange server to  a  member server has not much impact on exchange server itself, but it changes security configuration and makes some other things not working, like  scheduler  and  domain login.....

    Thanks all for the good  advices and  guidance, specially to Albert.


    Monday, July 20, 2009 5:58 PM
  • I guess I'm keeping this thread alive guys.  I have a customer with an SBS 2003 SP2 server running Exchange 2003.  I migrated everything but Exchange to the new box and did a dcpromo.  Today I'm getting a 440 login timeout error.

    I tried the method above and ran into the following error:

    Out of process applications defined:
    Count: 1
    {3D14228D-FBE1-11d0-995D-00C04FD919C1}
    
    Updating Applications:
    Name: IIS Out-Of-Process Pooled Applications Key: {3D14228D-FBE1-11D0-995D-00C04FD919C1}
    Error: 80110414:
    

    I couldn't tell if Albert's suggestion would work for me or not.  I'm not as familiar with 2003 as with 07 and 10.  Could someone clarify what the steps would be to resolve this error or issue?

    Thanks.

     

    Thursday, September 29, 2011 6:03 PM
  • Same problem. Did you find a solution?
    Friday, November 4, 2011 1:44 PM
  • After 5 hours on the phone with Microsoft Emergency Down tech support and nothing changing, I dcpromoed the server back up to a domain controller.  Everything works now.
    Friday, November 4, 2011 8:02 PM
  • For future reference, you'll get a better response to such questions if you post a new question rather than adding to a three-year-old thread.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Friday, November 4, 2011 8:05 PM