none
OWA Error "You do not have permission to open the mailbox."

    Question

  • Hi Everybody,

    I have researched this problem and none of the solutions I have found seem to apply.

    In the process of transitioning from Exchange 2003 to Exchange 2007.  I performed all steps required for the transition, installed and configured Exchange 2007 Server with a seperate Exchange 2007 with CAS installed, all running on Windows Server 2008.  I can login to new accounts and accounts that have been moved to the new Exchange Server.  I can connect to the email account using Outlook 2003.  The problem is when I try to connect to OWA I get the error "You do not have permission to open this mailbox."  I get this on each account, new or moved, on the 2007 Exchange Server when trying to log in as the user.  I am even having this problem if I try and login to Exchange through OWA from the CAS server.  I have uninstalled IIS and CAS and reinstalled and continue to receive the error. 

    I orignally had installed and setup a single Exchange 2007 server with CAS, on the network, which functioned properly but uninstalled CAS and installed it on a seperate server.  After moving CAS to a seperate server is when the error started when using OWA.  When trying to log in I go to https://internal-ip-of-CAS/owa.

    On the 2007 Exchange Server I get Security Event ID 4625.  On the CAS server I get Security Event ID 5159 and 4776.  I do not get any Event errors on the original 2003 Exchange Server.  Thanks in advance for any advice.

    Russell

    Tuesday, October 27, 2009 8:58 PM

Answers

  • Hi,

     

    1.    First please check if “NT AUTHORITY\SELF” has been listed when we use “Manage Full Access Permission”. Also we can get-mailboxpermission |fl and then post here to check the mailbox permission.

     

     

    Error message when an account tries to open a mailbox by using Outlook Web Access or Exchange Web Services in Exchange Server 2007: "You do not have permissions to open this mailbox"

    http://support.microsoft.com/kb/940846

     

    How to Allow Mailbox Access

    http://technet.microsoft.com/en-us/library/aa996343.aspx

      

    2.    Please check local security policy to see if Everyone and Users group are under "Access this computer from the network" rights.

    a.    run “Secpol.msc” from a command prompt on exchange server

    b.    Go to Local policies --> User rights Assignment.

    c.    Right click Access this computer from the network goto properties.

    d.    Check if “Everyone”, ”Users”, ”Administrators” there.

     

    3.    Also please check the security settings on domain policy.

    4.    Please check if you have tick “Allow inheritable permission from the parent to propagate to this object and all child objects…” from User container.

     

    Note: We need to use “Advanced Features” from views and then check the settings on security tab.

     

    Regards,

    Xiu

    Thursday, October 29, 2009 6:32 AM

All replies

  • Wednesday, October 28, 2009 12:00 PM
  • When I go to the internal ip of the CAS server I get the IE Page below

     

    There is a problem with this website's security certificate.
     
      
     The security certificate presented by this website was not issued by a trusted certificate authority.
    The security certificate presented by this website was issued for a different website's address.

    Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server. 
      We recommend that you close this webpage and do not continue to this website. 
      Click here to close this webpage. 
      Continue to this website (not recommended). 
         More information


    If you arrived at this page by clicking a link, check the website address in the address bar to be sure that it is the address you were expecting.
    When going to a website with an address such as
    https://example.com, try adding the 'www' to the address, https://www.example.com.
    If you choose to ignore this error and continue, do not enter private information into the website.

    For more information, see "Certificate Errors" in Internet Explorer Help.
     

    I select Continue...

    I get the Windows Login Popup where I supply User name and Password.

    I tried the add-maillboxpermission for both the "test" user account with the userid and with the network administrator account and both got the Error "You do not have permission to open this mailbox. For access or for more information, contact technical support for your organization. "

    I have tried https://10.0.0.IP/owa/test@domain.com and https://10.0.0.IP/owa as the initial url.  I get the same error with both.

    Thanks,

    Russell

    Wednesday, October 28, 2009 2:00 PM
  • Hi,

     

    1.    First please check if “NT AUTHORITY\SELF” has been listed when we use “Manage Full Access Permission”. Also we can get-mailboxpermission |fl and then post here to check the mailbox permission.

     

     

    Error message when an account tries to open a mailbox by using Outlook Web Access or Exchange Web Services in Exchange Server 2007: "You do not have permissions to open this mailbox"

    http://support.microsoft.com/kb/940846

     

    How to Allow Mailbox Access

    http://technet.microsoft.com/en-us/library/aa996343.aspx

      

    2.    Please check local security policy to see if Everyone and Users group are under "Access this computer from the network" rights.

    a.    run “Secpol.msc” from a command prompt on exchange server

    b.    Go to Local policies --> User rights Assignment.

    c.    Right click Access this computer from the network goto properties.

    d.    Check if “Everyone”, ”Users”, ”Administrators” there.

     

    3.    Also please check the security settings on domain policy.

    4.    Please check if you have tick “Allow inheritable permission from the parent to propagate to this object and all child objects…” from User container.

     

    Note: We need to use “Advanced Features” from views and then check the settings on security tab.

     

    Regards,

    Xiu

    Thursday, October 29, 2009 6:32 AM
  • I have all things above mentioned but still cannot find a resolution to this. It only happens through OWA, adding mailboxes within outlook still seems to be ok. All exchange servers within our DAG are 2007...

    Apparently Microsoft know about this issue but I cant see anywhere that they have fixed it?

    Is there any more advice out there?

    Wednesday, November 07, 2012 9:42 AM
  • Check first your net time server.

    There are different between your exchange server with AD server ?

    Solved by synchronizing the time between the AD server with Exchange server .

    Try this technet article to sync your time server.  http://support.microsoft.com/kb/314090 

    Wednesday, August 28, 2013 4:27 AM