redir.asp IIS change password issue

We have a hosted E2K3 SP1 environment with OWA and O2K3 RPC/HTTPS clients
and as such we develped a simple application to notify users via email about
their password expiration a number of days before the actual expiration.
It happens that in our test, when the application sends out the email
notification message to the users with the link
https://server.domain.com/iisadmpwd/aexp2b.asp), O2K3 users can get to the
page fine, but OWA users get an HTTP 403 error when OWA tries to redirect the
browser to
https://server.domain.com/exchweb/bin/redir.asp?URL=https://server.domain.com/iisadmpwd/aexp2b.asp
using redir.asp. Would anyone have any suggestions on how to make this work
for the OWA users? Thanks!

Chris
Fri Aug 26 13:04:25 CDT 2005

Is there a sub code to the HTTP 403 error?

Check your IIS log files for the sub status code as this will let you know
where the problem may be.

403 - Forbidden. IIS defines a number of different 403 errors that indicate
a more specific cause of the error: . 403.1 - Execute access forbidden.
. 403.2 - Read access forbidden.
. 403.3 - Write access forbidden.
. 403.4 - SSL required.
. 403.5 - SSL 128 required.
. 403.6 - IP address rejected.
. 403.7 - Client certificate required.
. 403.8 - Site access denied.
. 403.9 - Too many users.
. 403.10 - Invalid configuration.
. 403.11 - Password change.
. 403.12 - Mapper denied access.
. 403.13 - Client certificate revoked.
. 403.14 - Directory listing denied.
. 403.15 - Client Access Licenses exceeded.
. 403.16 - Client certificate is untrusted or invalid.
. 403.17 - Client certificate has expired or is not yet valid.
. 403.18 - Cannot execute requested URL in the current application
pool. This error code is specific to IIS 6.0.
. 403.19 - Cannot execute CGIs for the client in this application
pool. This error code is specific to IIS 6.0.
. 403.20 - Passport logon failed. This error code is specific to IIS
6.0.




--
Cheers

Chris

Chris Crowe [IIS MVP]
http://blog.crowe.co.nz


"Marco" <Marco@discussions.microsoft.com> wrote in message
news:810ECB0F-4D92-423B-91A6-CE1EB136ABAB@microsoft.com...
> We have a hosted E2K3 SP1 environment with OWA and O2K3 RPC/HTTPS clients
> and as such we develped a simple application to notify users via email
> about
> their password expiration a number of days before the actual expiration.
> It happens that in our test, when the application sends out the email
> notification message to the users with the link
> https://server.domain.com/iisadmpwd/aexp2b.asp), O2K3 users can get to the
> page fine, but OWA users get an HTTP 403 error when OWA tries to redirect
> the
> browser to
> https://server.domain.com/exchweb/bin/redir.asp?URL=https://server.domain.com/iisadmpwd/aexp2b.asp
> using redir.asp. Would anyone have any suggestions on how to make this
> work
> for the OWA users? Thanks!
>

Marco
Fri Aug 26 13:38:42 CDT 2005

2005-08-26 18:31:46 10.6.4.100 GET /exchweb/bin/redir.asp
URL=https://SERVER.DOMAIN.COM/iisadmpwd/aexp2b.asp 443 DOMAIN\ACCOUNT
10.6.4.3
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.0.3705;+.NET+CLR+1.1.4322) 403 0 0

"Chris Crowe [MVP]" wrote:

> Is there a sub code to the HTTP 403 error?
>
> Check your IIS log files for the sub status code as this will let you know
> where the problem may be.
>
> 403 - Forbidden. IIS defines a number of different 403 errors that indicate
> a more specific cause of the error: . 403.1 - Execute access forbidden.
> . 403.2 - Read access forbidden.
> . 403.3 - Write access forbidden.
> . 403.4 - SSL required.
> . 403.5 - SSL 128 required.
> . 403.6 - IP address rejected.
> . 403.7 - Client certificate required.
> . 403.8 - Site access denied.
> . 403.9 - Too many users.
> . 403.10 - Invalid configuration.
> . 403.11 - Password change.
> . 403.12 - Mapper denied access.
> . 403.13 - Client certificate revoked.
> . 403.14 - Directory listing denied.
> . 403.15 - Client Access Licenses exceeded.
> . 403.16 - Client certificate is untrusted or invalid.
> . 403.17 - Client certificate has expired or is not yet valid.
> . 403.18 - Cannot execute requested URL in the current application
> pool. This error code is specific to IIS 6.0.
> . 403.19 - Cannot execute CGIs for the client in this application
> pool. This error code is specific to IIS 6.0.
> . 403.20 - Passport logon failed. This error code is specific to IIS
> 6.0.
>
>
>
>
> --
> Cheers
>
> Chris
>
> Chris Crowe [IIS MVP]
> http://blog.crowe.co.nz
>
>
> "Marco" <Marco@discussions.microsoft.com> wrote in message
> news:810ECB0F-4D92-423B-91A6-CE1EB136ABAB@microsoft.com...
> > We have a hosted E2K3 SP1 environment with OWA and O2K3 RPC/HTTPS clients
> > and as such we develped a simple application to notify users via email
> > about
> > their password expiration a number of days before the actual expiration.
> > It happens that in our test, when the application sends out the email
> > notification message to the users with the link
> > https://server.domain.com/iisadmpwd/aexp2b.asp), O2K3 users can get to the
> > page fine, but OWA users get an HTTP 403 error when OWA tries to redirect
> > the
> > browser to
> > https://server.domain.com/exchweb/bin/redir.asp?URL=https://server.domain.com/iisadmpwd/aexp2b.asp
> > using redir.asp. Would anyone have any suggestions on how to make this
> > work
> > for the OWA users? Thanks!
> >
>
>
>

Chris
Fri Aug 26 14:20:02 CDT 2005

Can you include the bit from the log file that contains the #Fields:

It defines what I am looking at.

I see the 403 and I am not sure if the Sub Status is 0 or maybe not being
logged.

Is the next log entry also related to the same URL?

--
Cheers

Chris

Chris Crowe [IIS MVP]
http://blog.crowe.co.nz


"Marco" <Marco@discussions.microsoft.com> wrote in message
news:3FBA4C24-50B6-4173-ACC2-7F640C80F588@microsoft.com...
> 2005-08-26 18:31:46 10.6.4.100 GET /exchweb/bin/redir.asp
> URL=https://SERVER.DOMAIN.COM/iisadmpwd/aexp2b.asp 443 DOMAIN\ACCOUNT
> 10.6.4.3
> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.0.3705;+.NET+CLR+1.1.4322)
> 403 0 0
>
> "Chris Crowe [MVP]" wrote:
>
>> Is there a sub code to the HTTP 403 error?
>>
>> Check your IIS log files for the sub status code as this will let you
>> know
>> where the problem may be.
>>
>> 403 - Forbidden. IIS defines a number of different 403 errors that
>> indicate
>> a more specific cause of the error: . 403.1 - Execute access forbidden.
>> . 403.2 - Read access forbidden.
>> . 403.3 - Write access forbidden.
>> . 403.4 - SSL required.
>> . 403.5 - SSL 128 required.
>> . 403.6 - IP address rejected.
>> . 403.7 - Client certificate required.
>> . 403.8 - Site access denied.
>> . 403.9 - Too many users.
>> . 403.10 - Invalid configuration.
>> . 403.11 - Password change.
>> . 403.12 - Mapper denied access.
>> . 403.13 - Client certificate revoked.
>> . 403.14 - Directory listing denied.
>> . 403.15 - Client Access Licenses exceeded.
>> . 403.16 - Client certificate is untrusted or invalid.
>> . 403.17 - Client certificate has expired or is not yet valid.
>> . 403.18 - Cannot execute requested URL in the current application
>> pool. This error code is specific to IIS 6.0.
>> . 403.19 - Cannot execute CGIs for the client in this application
>> pool. This error code is specific to IIS 6.0.
>> . 403.20 - Passport logon failed. This error code is specific to
>> IIS
>> 6.0.
>>
>>
>>
>>
>> --
>> Cheers
>>
>> Chris
>>
>> Chris Crowe [IIS MVP]
>> http://blog.crowe.co.nz
>>
>>
>> "Marco" <Marco@discussions.microsoft.com> wrote in message
>> news:810ECB0F-4D92-423B-91A6-CE1EB136ABAB@microsoft.com...
>> > We have a hosted E2K3 SP1 environment with OWA and O2K3 RPC/HTTPS
>> > clients
>> > and as such we develped a simple application to notify users via email
>> > about
>> > their password expiration a number of days before the actual
>> > expiration.
>> > It happens that in our test, when the application sends out the email
>> > notification message to the users with the link
>> > https://server.domain.com/iisadmpwd/aexp2b.asp), O2K3 users can get to
>> > the
>> > page fine, but OWA users get an HTTP 403 error when OWA tries to
>> > redirect
>> > the
>> > browser to
>> > https://server.domain.com/exchweb/bin/redir.asp?URL=https://server.domain.com/iisadmpwd/aexp2b.asp
>> > using redir.asp. Would anyone have any suggestions on how to make this
>> > work
>> > for the OWA users? Thanks!
>> >
>>
>>
>>

Ken
Sat Aug 27 01:46:09 CDT 2005

Hi,

This issue is caused by code in the redir.asp page itself. It checks to see
if the URL being redirected to includes the protocol (http:// or https://),
and if so, checks to see whether the hostname is the same as the current
host. If so, then it programmatically sets a 403 HTTP status. Check the
redir.asp file for comments explaining why this is done.

Cheers
Ken

--
IIS Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com


"Chris Crowe [MVP]" <IISMVP2005@iisfaq.homeip.net> wrote in message
news:uuRjnMnqFHA.3352@TK2MSFTNGP14.phx.gbl...
: Can you include the bit from the log file that contains the #Fields:
:
: It defines what I am looking at.
:
: I see the 403 and I am not sure if the Sub Status is 0 or maybe not being
: logged.
:
: Is the next log entry also related to the same URL?
:
: --
: Cheers
:
: Chris
:
: Chris Crowe [IIS MVP]
: http://blog.crowe.co.nz
:
:
: "Marco" <Marco@discussions.microsoft.com> wrote in message
: news:3FBA4C24-50B6-4173-ACC2-7F640C80F588@microsoft.com...
: > 2005-08-26 18:31:46 10.6.4.100 GET /exchweb/bin/redir.asp
: > URL=https://SERVER.DOMAIN.COM/iisadmpwd/aexp2b.asp 443 DOMAIN\ACCOUNT
: > 10.6.4.3
: >
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.0.3705;+.NET+CLR+1.1.4322)
: > 403 0 0
: >
: > "Chris Crowe [MVP]" wrote:
: >
: >> Is there a sub code to the HTTP 403 error?
: >>
: >> Check your IIS log files for the sub status code as this will let you
: >> know
: >> where the problem may be.
: >>
: >> 403 - Forbidden. IIS defines a number of different 403 errors that
: >> indicate
: >> a more specific cause of the error: . 403.1 - Execute access forbidden.
: >> . 403.2 - Read access forbidden.
: >> . 403.3 - Write access forbidden.
: >> . 403.4 - SSL required.
: >> . 403.5 - SSL 128 required.
: >> . 403.6 - IP address rejected.
: >> . 403.7 - Client certificate required.
: >> . 403.8 - Site access denied.
: >> . 403.9 - Too many users.
: >> . 403.10 - Invalid configuration.
: >> . 403.11 - Password change.
: >> . 403.12 - Mapper denied access.
: >> . 403.13 - Client certificate revoked.
: >> . 403.14 - Directory listing denied.
: >> . 403.15 - Client Access Licenses exceeded.
: >> . 403.16 - Client certificate is untrusted or invalid.
: >> . 403.17 - Client certificate has expired or is not yet valid.
: >> . 403.18 - Cannot execute requested URL in the current
application
: >> pool. This error code is specific to IIS 6.0.
: >> . 403.19 - Cannot execute CGIs for the client in this application
: >> pool. This error code is specific to IIS 6.0.
: >> . 403.20 - Passport logon failed. This error code is specific to
: >> IIS
: >> 6.0.
: >>
: >>
: >>
: >>
: >> --
: >> Cheers
: >>
: >> Chris
: >>
: >> Chris Crowe [IIS MVP]
: >> http://blog.crowe.co.nz
: >>
: >>
: >> "Marco" <Marco@discussions.microsoft.com> wrote in message
: >> news:810ECB0F-4D92-423B-91A6-CE1EB136ABAB@microsoft.com...
: >> > We have a hosted E2K3 SP1 environment with OWA and O2K3 RPC/HTTPS
: >> > clients
: >> > and as such we develped a simple application to notify users via
email
: >> > about
: >> > their password expiration a number of days before the actual
: >> > expiration.
: >> > It happens that in our test, when the application sends out the email
: >> > notification message to the users with the link
: >> > https://server.domain.com/iisadmpwd/aexp2b.asp), O2K3 users can get
to
: >> > the
: >> > page fine, but OWA users get an HTTP 403 error when OWA tries to
: >> > redirect
: >> > the
: >> > browser to
: >> >
https://server.domain.com/exchweb/bin/redir.asp?URL=https://server.domain.com/iisadmpwd/aexp2b.asp
: >> > using redir.asp. Would anyone have any suggestions on how to make
this
: >> > work
: >> > for the OWA users? Thanks!
: >> >
: >>
: >>
: >>
:
:

David
Sat Aug 27 06:16:10 CDT 2005

Yeah, the clue to me is that no user code on IIS can set a sub-status code
in the IIS log file.

ISAPI Extension can set the status code on the ECB and indirectly by sending
a 401 response (results in 401.5)
ISAPI Filter can set the status code in the LOG event and indirectly by
sending a 401 response (results in 401.4)

Only an ISAPI Extension on IIS6 can call HSE_REQ_SEND_CUSTOM_ERROR to send
any configured custom error page, but it still cannot control the status
code that gets logged (so an ISAPI Extension can send the custom error page
for 404.2 and tell IIS to log a 401)...

So, the 403 0 0 tells me to go look at the redir.asp itself for clues. :-)

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:%23iuWRLtqFHA.3060@TK2MSFTNGP09.phx.gbl...
Hi,

This issue is caused by code in the redir.asp page itself. It checks to see
if the URL being redirected to includes the protocol (http:// or https://),
and if so, checks to see whether the hostname is the same as the current
host. If so, then it programmatically sets a 403 HTTP status. Check the
redir.asp file for comments explaining why this is done.

Cheers
Ken

--
IIS Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com


"Chris Crowe [MVP]" <IISMVP2005@iisfaq.homeip.net> wrote in message
news:uuRjnMnqFHA.3352@TK2MSFTNGP14.phx.gbl...
: Can you include the bit from the log file that contains the #Fields:
:
: It defines what I am looking at.
:
: I see the 403 and I am not sure if the Sub Status is 0 or maybe not being
: logged.
:
: Is the next log entry also related to the same URL?
:
: --
: Cheers
:
: Chris
:
: Chris Crowe [IIS MVP]
: http://blog.crowe.co.nz
:
:
: "Marco" <Marco@discussions.microsoft.com> wrote in message
: news:3FBA4C24-50B6-4173-ACC2-7F640C80F588@microsoft.com...
: > 2005-08-26 18:31:46 10.6.4.100 GET /exchweb/bin/redir.asp
: > URL=https://SERVER.DOMAIN.COM/iisadmpwd/aexp2b.asp 443 DOMAIN\ACCOUNT
: > 10.6.4.3
: >
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.0.3705;+.
NET+CLR+1.1.4322)
: > 403 0 0
: >
: > "Chris Crowe [MVP]" wrote:
: >
: >> Is there a sub code to the HTTP 403 error?
: >>
: >> Check your IIS log files for the sub status code as this will let you
: >> know
: >> where the problem may be.
: >>
: >> 403 - Forbidden. IIS defines a number of different 403 errors that
: >> indicate
: >> a more specific cause of the error: . 403.1 - Execute access forbidden.
: >> . 403.2 - Read access forbidden.
: >> . 403.3 - Write access forbidden.
: >> . 403.4 - SSL required.
: >> . 403.5 - SSL 128 required.
: >> . 403.6 - IP address rejected.
: >> . 403.7 - Client certificate required.
: >> . 403.8 - Site access denied.
: >> . 403.9 - Too many users.
: >> . 403.10 - Invalid configuration.
: >> . 403.11 - Password change.
: >> . 403.12 - Mapper denied access.
: >> . 403.13 - Client certificate revoked.
: >> . 403.14 - Directory listing denied.
: >> . 403.15 - Client Access Licenses exceeded.
: >> . 403.16 - Client certificate is untrusted or invalid.
: >> . 403.17 - Client certificate has expired or is not yet valid.
: >> . 403.18 - Cannot execute requested URL in the current
application
: >> pool. This error code is specific to IIS 6.0.
: >> . 403.19 - Cannot execute CGIs for the client in this application
: >> pool. This error code is specific to IIS 6.0.
: >> . 403.20 - Passport logon failed. This error code is specific to
: >> IIS
: >> 6.0.
: >>
: >>
: >>
: >>
: >> --
: >> Cheers
: >>
: >> Chris
: >>
: >> Chris Crowe [IIS MVP]
: >> http://blog.crowe.co.nz
: >>
: >>
: >> "Marco" <Marco@discussions.microsoft.com> wrote in message
: >> news:810ECB0F-4D92-423B-91A6-CE1EB136ABAB@microsoft.com...
: >> > We have a hosted E2K3 SP1 environment with OWA and O2K3 RPC/HTTPS
: >> > clients
: >> > and as such we develped a simple application to notify users via
email
: >> > about
: >> > their password expiration a number of days before the actual
: >> > expiration.
: >> > It happens that in our test, when the application sends out the email
: >> > notification message to the users with the link
: >> > https://server.domain.com/iisadmpwd/aexp2b.asp), O2K3 users can get
to
: >> > the
: >> > page fine, but OWA users get an HTTP 403 error when OWA tries to
: >> > redirect
: >> > the
: >> > browser to
: >> >
https://server.domain.com/exchweb/bin/redir.asp?URL=https://server.domain.com/iisadmpwd/aexp2b.asp
: >> > using redir.asp. Would anyone have any suggestions on how to make
this
: >> > work
: >> > for the OWA users? Thanks!
: >> >
: >>
: >>
: >>
:
: