When you use a Outlook Web Access client to access an Exchange Server 2003 computer, you may receive an "HTTP 403.4" error message (839913)


The information in this article applies to:

  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange Server 2003 Standard Edition
Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry

SYMPTOMS

When you use a Microsoft Outlook Web Access client computer to access a Microsoft Exchange Server 2003 computer that is configure for Forms Based Authentication (FBA), you may receive the following error message:
The page must be viewed over a secure channel

The page you are trying to access is secured with Secure Sockets Layer (SSL).
Please try the following:
Type https:// at the beginning of the address you are attempting to reach and press ENTER.
HTTP Error 403.4 - Forbidden: SSL is required to view this resource.
Internet Information Services (IIS)

CAUSE

This problem occurs if the OWA client accesses the Exchange 2003 computer through a third-party firewall server. For example, you use the following URL:

https://myserver/exchange

The SSL hardware accelerator that is installed in the third-party firewall decrypts the request and then passes the following URL to the Exchange 2003 computer:

http://myserver/exchange

Then, Exchange 2003 returns the following URL to the OWA client:

http://myserver/exchange

When the OWA client uses this URL to log on to the Exchange 2003 computer, you receive an "HTTP Error 403.4" error message.

RESOLUTION

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Hotfix information

The hotfix for Exchange 2003 without Service Pack 1

A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Only apply it to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Microsoft Exchange Server 2003 service pack that contains this hotfix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.File information The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
    Date         Time   Version            Size    File name
   --------------------------------------------------------------
   19-Apr-2004  06:49  6.5.6980.82        67,584  Owaauth.dll

The hotfix for Exchange 2003 Service Pack 1

A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Only apply it to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Microsoft Exchange Server 2003 service pack that contains this hotfix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.File information The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
     Date         Time   Version            Size    File name
   --------------------------------------------------------------
   15-Jun-2004  17:07  6.5.7232.1         67,584  Owaauth.dll
You must create the SSLOffloaded registry entry for both hotfixes to work. To do this, follow these steps:
  1. Click Start, click Run, type regedt32.exe, and then click OK.
  2. Locate, and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Services\MSExchangeWeb\OWA
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type SSLOffloaded for the name of the new registry entry.
  5. Right-click SSLOffloaded, and then click Modify.
  6. Type 1 in the Value Data box, click Decimal, and then click OK.
  7. Close Registry Editor.
If you are using front-end servers and back-end servers, you only have to add this registry entry to the front-end server. If you are using only back-end servers, you have to add this registry entry to the back-end server.

WORKAROUND

To work around this problem, manually change the URL. To do this, type https://myserver/exchange/ in the Address bar in Microsoft Internet Explorer.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

If you monitor the traffic that is captured between the third-party firewall and the Exchange 2003 computer, you notice a frame that is sent from the Exchange 2003 computer to the third-party firewall. This frame contains the following information about the location of the logon.asp page: HTTP/1.1 302 Moved Temporarily Location: http://myserver/exchweb/bin/auth/owalogon.asp?url=http://myserver/exchange&reason=0
Set-Cookie: sessionid=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: cadata=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Connection: close
Content-Length: 0 Note This problem does not occur if Exchange 2003 is configured with Microsoft Internet Security and Acceleration (ISA) Server 2000 or with Microsoft Internet Security and Acceleration Server 2004. ISA Server can send a corrected URL back to the OWA client.

REFERENCES

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

327800 A new option that allows Exchange and OWA to always use SSL (HTTPS)

824684 Description of the standard terminology that is used to describe Microsoft software updates

817903 New naming schema for Exchange Server software update packages

Modification Type:MajorLast Reviewed:5/15/2006
Keywords:kbQFE kbexchOWA kbfix kbbug kbHotfixServer KB839913 kbAudDeveloper kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.