Forms based Authentication over trusted domains

  • Question

  • All my users reside in Domain A, my Exchange server is in Domain B. All mailboxes are configured to allow users from Domain A to access their mail in Domain B.

    Most of my users use Outlook and have no problem accessing their email.  All of my OWA users were also able to access their email until a few days ago.  I have no idea what happened but they can no longer access their mailboxes using OWA.  My Outlook users have no issues.  If I turn off FBA the OWA user is able to log on with no problem. Once FBA is enabled they cannot log on. The only error message is "You could not be logged on to Outlook Web Access. Make sure your domain\user name and password are correct, and then try again."

    If the user account is enabled in DomainA the user can log on with no issue.  I have no idea what could be wrong: no event log messages, trust relationships are working, and I don't know what else to check.  Please assist.

    Sunday, May 22, 2011 6:49 PM

All replies

  • Can you try to modify the sign-in property in the forms-based page to "User" mode and then test it? You can configure the forms-based authentication sign-in page to prompt users to provide their sign-in information in the format domain\user name. However, a user can also enter his or her user principal name (UPN) and the sign-in will be successful.

    See the section "Configuring the Sign-in Prompt Used by Forms-Based Authentication"

    http://technet.microsoft.com/en-us/library/bb123719.aspx

     


    Anil MCC 2011,ITIL V3,MCSA 2003,MCTS 2011, My Blog : http://messagingschool.wordpress.com
    Monday, May 23, 2011 3:21 AM
  • Thanks Anil,

    I will take a closer look at the article you suggested, however, I have made changes to the form so that the domain is supplied and the user only has to enter their user name and this still did not work. The user is in Domain A and the email in Domain B and they sign in as DOMAINA\Username however the page simply sends the message listed above.  If the user logs in DOMAINB\username they will be successful, however we do not want the users to have to log into this domain.

    Another thing I've noticed is that if I try to log in and type an incorrect password, my account does get locked out in the correct domain, so the communication across domains is occurring, but for some reason, FBA is not allowing the users in. If I disable FBA the user gets in. I need FBA on for security reasons. Any other suggestions are very much welcome.

     

    Monday, May 23, 2011 5:17 AM
  • Hi,

    1. Try to clean the cookie of IE in your client side.

    2. Do IISRESET and restart the system attendant services enabled FBA.

    3. Run Test-OwaConnectivity -URL:https://mail.contoso.com/owa -MailboxCredential:(get-credential contoso\kweku) to test OWA connection


    Tuesday, May 24, 2011 3:38 AM
  • Hi Jason,

    Thanks for responding.  I have cleaned cookies and I have reset iis and turned FBA on and off.  With no success. The thing is only users who are trying to log on to the trusted domain have the problem.  Users in the "Email" domain can log on with no issue.

    The Test-Owa connectivity program, does that run on Exchange 2003, because I'm basically seeing it referencing Exchange 2007 in everything I've read.

    Tuesday, May 24, 2011 12:24 PM
  • It might help to see the IIS logs from the mailbox server.  If a username is listed, then the credentials have been accepted, but denied access.  If no usernames are listed, the credentials have not even been accepted.
    Outlook Web Access For PDA , OWA For WAP
    www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    Tuesday, May 24, 2011 12:37 PM
  • Are you using any reverse proxy in front of your OWA? From research it could also be due to your reverse proxy isa\uag configured to only authenticate domainB users.


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    Tuesday, May 24, 2011 1:24 PM
  • Hi Lee,

    Thanks for the tip.  The username and domain is listed with the following

    10.1.1.1 GET /owa+-MailboxCredential:(get-credential+domainname/kroach) - 443 - 10.1.1.32 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.19)+Gecko/20110420+Firefox/3.5.19+(.NET+CLR+3.5.30729) 404 0 2

    I'm seeing the 443 and 404 I'll check these out.  What are your thoughts?

     

    Tuesday, May 24, 2011 1:47 PM
  • I assumed from one of your other answers that you had E2003.  If that's correct, then any iis log entry showing a request for /owa can be ignored, since you don't have a directory named /owa (that's why the result is 404 - Not Found).  I think that what you found there is the result of you trying to run test-owaconnectivity.  But if it got that far, then maybe you do have E2007 or E2010?  So, I ought to ask you which version of Exchange you actually have.
    Outlook Web Access For PDA , OWA For WAP
    www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    Tuesday, May 24, 2011 1:54 PM
  • Hi Jason,

    I am not running reverse proxy.  Lee, I am running Exchange 2003.  All of my users are in a Windows 2000 domain.  All of my outlook users have no problem, only my OWA users.  If I turn off FBA  all the OWA users can get in without issue.  The problem of not getting in only occurs when FBA is turned on.  Everything worked well until a few days ago, then it just stopped working.  No errors in the logs that I can see. Just the following error: "You could not be logged on to Outlook Web Access. Make sure your domain\user name and password are correct, and then try again."

     

    Tuesday, May 24, 2011 2:43 PM
  • Hi Everyone I really appreciate the assistance.  Just to breakdown exactly what's happening

    1) Exchange 2003 is installed on Domain A on a Windows 2003 Domain Controller

    2) All users are located in Domain B. All Trusts are in place and working.

    3) All Mailboxes are configured to allow access to all Domain B users

    4) All users who use Outlook have no issue sending or receiving email.

    5) If FBA is enabled the users of the Trusted Domain (Domain B) cannot log on using OWA.

    6) If FBA is turned off, users can type DomainName\Username and access their mailbox without issue.

    7) If the user account is enabled on Domain A the user can use OWA with no problem. E.g. the user types DomainB\username and access to the mailbox is granted.

    8) If the user on the Trusted Domain (Domain B) tries to log on to OWA and types the wrong password, they will be locked out as per network policy. This shows that the user is being validated in the correct domain.

    The issue seems to lie with FBA simply not allowing access to the users from the Trusted Domain and I just can't figure out why.

     

    Tuesday, May 24, 2011 2:57 PM
  • Okay, for the IIS logs you are only interested in requests for /Exchange.  Note that the times in those logs are in GMT.  Have another attempt at logging in, just to create some log entries.  Wait a few minutes (so that iis can flush the cached entries from memory into the log file), and let us know what is logged.  If anything.
    Outlook Web Access For PDA , OWA For WAP
    www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    Tuesday, May 24, 2011 2:59 PM
  • FBA adds another layer of complication to iis authentication.  The fact that your users can access the mailboxes if you disable FBA means that this isn't really an Exchange issue, but an IIS one, insofar as the FBA mechanism is one of Exchange's extensions to IIS.  If no usernames are present in the iis logs when FBA is enabled, then FBA just isn't working at all.  Maybe owaauth.dll (the dll that does the actual FBA authentication) isn't allowing iis to execute it.  Maybe you have decided to block cookies in IE (FBA is a cookie-based authentication scheme) using group policy?  Lots of things to check when you use FBA.

    Anyway, first place to look is the iis logs, to see if any usernames are being recorded for the /Exchange requests.


    Outlook Web Access For PDA , OWA For WAP
    www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    Tuesday, May 24, 2011 3:29 PM
  • Hi Again,

    Usernames are being recorded for the /Exchange requests, I know it's not an individual browsers/cookie thing because no one can logon, so unless it's some universal cookie setting that I can check.

    In the meantime The iis log shows:

    GET /exchange - 443 DomainName\KROACH 10.1.1.32 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 401 1 1398

    Tuesday, May 24, 2011 4:22 PM
  • OK hold on, let me ensure that that GET /exchange was for the correct user.
    Tuesday, May 24, 2011 4:27 PM
  • Yes, it is getting the GET /Exchange for the Trusted Domain.
    Tuesday, May 24, 2011 4:31 PM
  • Could this be a certificate issue? This is the only thing that I have not redone.  I have a home-grown cert.
    Tuesday, May 24, 2011 5:14 PM
  • Okay, so FBA itself appears to be working.  Also, I can't imagine that SSL would cause any problem that would only appear when you use FBA.  The only way to check is to turn off the requirement for SSL and try again.  The trouble is, without SSL you won't see the FBA login screen any more, and it will just fall back to something else, probably Basic auth.

    See if you can work out what the direct URL for the user's mailbox would be.  It's usually based on their primary SMTP address, so it might be something like https://server/exchange/kroach@yourdomain.com , although if you want to be sure, without trying a few guesses, you'll have to check the iis log again, and look for the URLs from a successful session (when you weren't using FBA).  Then, try typing in the direct URL, and see if it works any better than just typing https://server/Exchange .


    Outlook Web Access For PDA , OWA For WAP
    www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    Tuesday, May 24, 2011 6:47 PM
  • I did as you suggested. The user is able to log on if FBA is turned off.  I need it on.
    Wednesday, May 25, 2011 3:54 PM
  • Do you have any mailboxes for users in domain B, rather than in domain A?  If not can you try creating a test user in domain B, so that you can see if a user in domain B can log on?
    Outlook Web Access For PDA , OWA For WAP
    www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    Wednesday, May 25, 2011 4:07 PM
  • All my DomainA users have accounts in DomainB.  That's by design so that I could have created the new Exchange mailboxes.  The Exchange mailboxes in Domain A grant the users of Domain A access.

    If I enable the user account in Domain B the user has no problem logging in using FBA. E.g

    using this login: 

    All Trusted users LOCATION DomainA

    All Mailboxes Location DomainB

    Logon from: DOMAINB\JSMITH Access Granted

    Logon: DOMAINA\JSMITH Error message: "You could not be logged on to Outlook Web Access. Make sure your domain\user name and password are correct, and then try again."

    I am really stumped here.

    Thursday, May 26, 2011 1:26 PM
  • Yes, it's very odd.  The iis log entry you have earlier:

    GET /exchange - 443 DomainName\KROACH 10.1.1.32 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 401 1 1398

    shows that FBA has accepted the credentials (otherwise there wouldn't be any logged).  Are there any other exchange-related log entries immediately after this (i.e. showing the same time, and therefore definitely part of the same logon attempt)?  What does a log entry for a successful logon look like?  Is anything different?


    Outlook Web Access For PDA , OWA For WAP
    www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    Thursday, May 26, 2011 1:42 PM
  • Hi Lee,

    Thanks for sticking with me on this, I really appreciate it. Here's what you requested. The first result is when I try to log on using the Trusted domain username and password.

    iis logs show:

    GET /exchange - 443 DOMAINA\KROACH 10.1.1.32 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.19)+Gecko/20110420+Firefox/3.5.19+(.NET+CLR+3.5.30729) 401 1 1398

     

    Successful login to actual email domain using domain credentials

    2011-05-26 13:42:42 W3SVC1 128.1.1.251 GET /exchange - 443 DOMAINB\KROACH 10.1.1.32 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.19)+Gecko/20110420+Firefox/3.5.19+(.NET+CLR+3.5.30729) 302 0 0
    2011-05-26 13:42:42 W3SVC1 128.1.1.251 GET /exchange/ - 443 DOMAINB\KROACH 10.1.1.32 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.19)+Gecko/20110420+Firefox/3.5.19+(.NET+CLR+3.5.30729) 200 0 0
    2011-05-26 13:42:42 W3SVC1 128.1.1.251 GET /exchange/KROACH/ Cmd=navbar 443 DOMAINB\KROACH 10.1.1.32 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.19)+Gecko/20110420+Firefox/3.5.19+(.NET+CLR+3.5.30729) 200 0 0
    2011-05-26 13:42:42 W3SVC1 128.1.1.251 GET /exchange/KROACH/Inbox/ Cmd=contents 443 DOMAINB\KROACH 10.1.1.32 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.19)+Gecko/20110420+Firefox/3.5.19+(.NET+CLR+3.5.30729) 200 0 0
    2011-05-26 13:42:45 W3SVC1 128.1.1.251 GET /exchange/KROACH/ Cmd=logoff 443 DOMAINB\KROACH 10.1.1.32 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.19)+Gecko/20110420+Firefox/3.5.19+(.NET+CLR+3.5.30729) 302 0 0
    2011-05-26 13:42:45 W3SVC1 128.1.1.251 GET /exchweb/bin/auth/owalogon.asp url=https://128.1.1.251/exchange/&reason=1 443 - 10.1.1.32 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.19)+Gecko/20110420+Firefox/3.5.19+(.NET+CLR+3.5.30729) 200 0 0

    GET /exchange - 443 DomainName\KROACH 10.1.1.32 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 401 1 1398

     

    Don't know if this helps

    Thursday, May 26, 2011 2:43 PM
  • Sorry, I didn't explain myself enough.  I was looking for successful logons for DOMAINA\KROACH .  I know you won't find any where FBA is enabled, but I think you said it worked if FBA was turned off.  Can you find any of those in your older logs?  Or temporarily turn off FBA to create some new log entries?
    Outlook Web Access For PDA , OWA For WAP
    www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    Thursday, May 26, 2011 2:49 PM
  • Here are the entries when FBA is turned off. I hope you see something cause I can't  :-)

    2011-05-26 21:24:22 W3SVC1 10.1.1.32 GET /exchange/KROACH/Inbox/ Cmd=contents 443 - 10.1.1.32 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 401 2 2148074254
    2011-05-26 21:24:22 W3SVC1 10.1.1.32 GET /exchange/KROACH/ Cmd=navbar 443 DomainA\kroach 10.1.1.32 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 200 0 0
    2011-05-26 21:24:22 W3SVC1 10.1.1.32 GET /exchange/KROACH/Inbox/ Cmd=contents 443 - 10.1.1.32 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 401 1 0
    2011-05-26 21:24:22 W3SVC1 10.1.1.32 GET /exchange/KROACH/Inbox/ Cmd=contents 443 DomainA\kroach 10.1.1.32 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 200 0 0

    Thursday, May 26, 2011 9:40 PM
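The log triage requested in this thread (is a username recorded on the /exchange requests, and what status follows it), written as an added example that is not part of any post. It assumes the field order of the complete log lines quoted above; the sample lines are constructed from the thread's entries with the user agent shortened, and the substatus and win32-status meanings come from the standard IIS and Windows error tables, not from the thread.

```python
from collections import defaultdict

# Field order of the complete log lines quoted in the thread (assumed to be
# this server's W3C extended logging configuration).
FIELDS = ("date time s_sitename s_ip cs_method cs_uri_stem cs_uri_query s_port "
          "cs_username c_ip cs_user_agent sc_status sc_substatus "
          "sc_win32_status").split()

# Meanings from the standard IIS and Windows error tables, not from the thread.
SUBSTATUS_401 = {
    1: "logon failed",
    2: "logon failed due to server configuration",
    3: "denied by ACL on resource",
}
WIN32_STATUS = {
    0: "success",
    1398: "ERROR_TIME_SKEW (time/date difference between client and server)",
    2148074254: "SEC_E_NO_CREDENTIALS (0x8009030E)",
}

# Constructed sample modelled on the thread's entries (user agent shortened).
SAMPLE_LOG = r"""
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query ...
2011-05-26 13:40:10 W3SVC1 128.1.1.251 GET /exchange - 443 DOMAINA\KROACH 10.1.1.32 Mozilla/5.0+(Windows) 401 1 1398
2011-05-26 13:42:42 W3SVC1 128.1.1.251 GET /exchange - 443 DOMAINB\KROACH 10.1.1.32 Mozilla/5.0+(Windows) 302 0 0
2011-05-26 13:42:42 W3SVC1 128.1.1.251 GET /exchange/ - 443 DOMAINB\KROACH 10.1.1.32 Mozilla/5.0+(Windows) 200 0 0
2011-05-26 13:42:45 W3SVC1 128.1.1.251 GET /exchweb/bin/auth/owalogon.asp reason=1 443 - 10.1.1.32 Mozilla/5.0+(Windows) 200 0 0
2011-05-26 21:24:22 W3SVC1 128.1.1.251 GET /exchange/KROACH/Inbox/ Cmd=contents 443 - 10.1.1.32 Mozilla/4.0+(compatible) 401 2 2148074254
"""


def parse(text):
    """Yield one dict per well-formed log line, skipping '#' directives."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or len(parts) != len(FIELDS):
            continue
        yield dict(zip(FIELDS, parts))


def triage(text):
    """Summarise /exchange requests per logged username.

    Returns (users, anonymous_401): users maps DOMAIN\\USER to the number of
    served requests and a list of decoded 401 entries; anonymous_401 counts
    401 challenges issued before any credentials were presented.
    """
    users = defaultdict(lambda: {"served": 0, "denied": []})
    anonymous_401 = 0
    for e in parse(text):
        if not e["cs_uri_stem"].lower().startswith("/exchange"):
            continue
        status, sub, win32 = (int(e[k]) for k in
                              ("sc_status", "sc_substatus", "sc_win32_status"))
        if e["cs_username"] == "-":
            anonymous_401 += status == 401
            continue
        entry = users[e["cs_username"].upper()]
        if status == 401:
            entry["denied"].append({
                "uri": e["cs_uri_stem"],
                "code": f"401.{sub}",
                "reason": SUBSTATUS_401.get(sub, "unknown substatus"),
                "win32": WIN32_STATUS.get(win32, f"win32 error {win32}"),
            })
        elif status < 400:
            entry["served"] += 1
    return dict(users), anonymous_401


def never_served(text):
    """Users whose credentials were logged but who only ever received 401."""
    users, _ = triage(text)
    return sorted(u for u, s in users.items() if s["denied"] and not s["served"])


if __name__ == "__main__":
    for user in never_served(SAMPLE_LOG):
        print(user, triage(SAMPLE_LOG)[0][user]["denied"])
```

The decoded sc-win32-status column on the denied entries is the value to compare between a failing and a working logon.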
  • Do you see an entry that just says

      GET /exchange

    for DomainA/KROACH ?

    Also, I suppose it's possible that domain A users don't have permission to execute the FBA plugins on the server, although I'm not sure if server would try to do that using the user's credentials, or using its own SYSTEM account.  I don't have an E2003 server in front of me today, so I can't tell you what to check, but can you have a look at the ISAPI filters installed on your default web site, and give me a list of the names?


    Outlook Web Access For PDA , OWA For WAP
    www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    Friday, May 27, 2011 12:57 PM
  • The only filters listed are

    ASP.NET_2.0.50727.0

    and OWaLogon

    Friday, May 27, 2011 2:05 PM
  • OwaLogon is probably the FBA mechanism.  See if you can find out which dll it points to, then check the NTFS permissions on it.
    Outlook Web Access For PDA , OWA For WAP
    www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    Friday, May 27, 2011 2:09 PM
  • The permissions are

    Read and Read & Execute

    Friday, May 27, 2011 3:23 PM
  • Who has those permissions?  Do you see any group that is likely to contain the users from DomainA?
    Outlook Web Access For PDA , OWA For WAP
    www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    Friday, May 27, 2011 4:32 PM
  • The Authenticated users group has the access described, no specific user from DomainA
    Sunday, May 29, 2011 12:06 AM
  • Authenticated Users in that location presumably refers only to users in domain B.  That will probably include the account that IIS uses (IUSR_Servername); but once a user is authenticated I'm not sure that that account plays any part in the process.  Is the SYSTEM account listed?  On my server it has Full Control permissions on that dll.  If the server is a member server, try adding (at least temporarily) the Everyone group, with Read and Execute permissions.
    Outlook Web Access For PDA , OWA For WAP
    www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    Tuesday, May 31, 2011 1:35 PM
  • My SYSTEM account has full access too.   The computer is the Domain Controller on that Domain so I can't add the users group from another Domain, however I tried adding my account from the trusted domain to the security tab and giving my account full access. This still did not work ;-(

     

     


    Tuesday, May 31, 2011 4:30 PM
  • In OWA 2003, each OWA directory (i.e. the /exchange directory you go to in iis) can only serve users that have email addresses in a particular smtp domain.  Have a look at the properties of the exchange virtual directory in Exchange System Manager (or, you might have to look at the exchange virtual server, I can't remember which), and you should find a property named Exchange Path.  It will either say 'default', or a particular smtp domain.  If it says Default, have a look at the Default Recipient Policy, and see which domain (there is probably only one) is listed as the primary domain.  Any user that wants to use OWA on that server must have an email address in that domain.  It doesn't have to be their main address, but it does need to be in their list of addresses.  If you are sure that none of these have been changed recently, it's unlikely to be the cause of your particular problem, but you never know.  Since you have two domains, you have an odd situation where a domainA user must have an email address in the default smtp domain for domainB in order to use OWA in domainB.  Or you should specifically configure domainB's OWA installation to serve users with SMTP addresses in domainA.


    Outlook Web Access For PDA , OWA For WAP
    www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    Wednesday, June 1, 2011 12:50 PM
  • Sorry, I mean that the mailboxes in domain B need to have email addresses in the SMTP domain that I asked you to look at.  This is nearly always the case, but domains that end in things like .local can have problems with OWA if the OWA directory is configured to consider that to be its exchange path value.
    Outlook Web Access For PDA , OWA For WAP
    www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    Wednesday, June 1, 2011 12:53 PM
  • Hi Lee,

    The thing is that this configuration was working fine and just stopped. I have no idea what the problem is.  All my mailboxes are configured with the trusted domain user having access.  All my Outlook users are working. Users can use OWA if FBA is turned off, the only issue is turning FBA on and that's what has me stumped, in essence everything actually works the way it should.  The issue is definitely with FBA.

     

     

    Wednesday, June 1, 2011 1:16 PM
  • Oh.  I forgot that the problem only appeared with FBA.  Do you know if your FBA logon will accept usernames in the UPN format?  Like user@domaina.com instead of DOMAINA\USERNAME ?
    Outlook Web Access For PDA , OWA For WAP
    www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    Wednesday, June 1, 2011 2:12 PM
  • At this point I would probably try recreating your Exchange virtual directories, I don't think it's a trust or port restrictions with authentication since it works with basic. Something within IIS or the binaries is probably screwed up.


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    Wednesday, June 1, 2011 2:14 PM
  • Thanks everyone for sticking with me. James, I have recreated the directories, no luck.  I did that early on when the problem started.

    Lee: Can't log in with user@domaina.com  same error

    You could not be logged on to Outlook Web Access. Make sure your domain\user name and password are correct, and then try again.

    Wednesday, June 1, 2011 7:04 PM
  • If you look at the Exchange vdir in IIS, on the authentication page, can you see the field where you can specify the default domain for Basic Authentication?  This is usually set to \ .  Does it help if you change it to DOMAINA ?
    Outlook Web Access For PDA , OWA For WAP
    www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    Wednesday, June 1, 2011 9:31 PM
  • Hi Lee,

    No it doesn't.  I tried that earlier on too. ;-(  Will try it again tomorrow just to see what happens

    Thursday, June 2, 2011 12:28 AM
  • Have you tried it yet?  With the default domain set to DOMAINA, try logging on as just USERNAME, instead of DOMAINA\USERNAME.
    Outlook Web Access For PDA , OWA For WAP
    www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    Friday, June 3, 2011 12:33 PM
  • Yes I did and it did not work. ;-(
    Friday, June 3, 2011 1:46 PM
  • It's strange that you are getting access denied at the /exchange level without it even attempting to access the actual mailbox folder.  Maybe it is having trouble finding the correct path for logons in DomainA.  Does it make any difference if you try to go direct to

    https://servername/exchange/KROACH/

    or

    https://servername/exchange/KROACH/inbox/

    ?


    Outlook Web Access For PDA , OWA For WAP
    www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    Friday, June 3, 2011 1:57 PM
  • Hi Lee, sorry for taking so long to respond I didn't realise that you answered.  Using the format above you still cannot get into the mailbox, only the page to login comes up. 

    Now if the user were to type the wrong password their AD account in the trusted domain will be locked out so there is validation in the correct domain and for the correct mailbox user, however OWA simply will not display the mailbox and this only happens to users from the trusted domain.  If I create a user in the domain where exchange is hosted everything works.

    Friday, June 10, 2011 3:57 PM
  • Well, I just don't know what else to say, I'm afraid.  If it wasn't for the fact that it once worked, I'd be thinking maybe it wasn't possible by now.  It might be worth starting a new topic for this one, and hope someone from MS picks it up (which they do, occasionally).  Or give them a call, if you can spare the money.  I only say this because I don't want to waste any more of your time, when I'd just be guessing at things.
    Outlook Web Access For PDA , OWA For WAP
    www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    Monday, June 13, 2011 12:24 PM
  • Thanks Lee.  You've been very helpful.  I'll let you know if I ever get it resolved.
    Monday, June 13, 2011 1:40 PM