Hey Tim, I have the Domain Users with the Logon Locally Right enabled on all Exchange Servers running OWA. I figured this isn't an issue since these users don't have any other rights on the server that could get me in trouble. They don't have access to shares they're not supposed to access (admin shares disabled), Terminal Services only allow admins, and most of the other cool stuff noted in the Hacking Exposed Windows 2000 has been implemented. So, I don't *think* allowing domain users the log on locally right should be a problem. Heck if inet_user can, surely the domain users can :-) Thanks! Tom -----Original Message----- From: Deus, Attonbitus [mailto:Thor@xxxxxxxxxxxxxxx] Sent: Wednesday, May 15, 2002 9:58 AM To: [ISAserver.org Discussion List] Subject: [isalist] Re: Outlook Web Access through ISA on internal- - LAN http://www.ISAserver.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 At 02:15 AM 5/15/2002, you wrote: >Just a little more info: The Exchange 2000 box generates the following >error in the system log during these multiple authentication errors when >accessing OWA internally via ISA: > >The server was unable to logon the Windows NT account 'test05' due to the >following error: Logon failure: the user has not been granted the >requested logon type at this computer. The data is the error code. > >What is odd is that no such error is generated by external clients (using >the same logon credentials) throug ISA to OWA. OK- so it works internally from \\exchserver\exchange, but not www.you.com\exchange... Does it ask for authentication when they use the local NetBIOS name? If not (and you indeed want to use the NT Integrated you have selected) you probably need to add the www.you.com domain to the intranet sites in IE and ensure that auto-logon only in Intranet is selected under security settings. And just for a test (you can easily revoke it) give your "domain users" log on locally rights and try it. Just for fun. Let me know what that does. Let me know what each does, and I'll go back and look at the exact same config I have on a test network (Ex2k on DC behind ISA). However, I am using Server Publishing, not Web Publishing- I wonder if that is why... Let me know. Thanks! -----BEGIN PGP SIGNATURE----- Version: PGP 7.1 iQA/AwUBPOJ3cIhsmyD15h5gEQIJOwCgr2MAb85v+8D3e8Ubb/Aw61qsvkcAn1rT C1V6e2DMUg8BV3bZm+gfE4Sb =9WnH -----END PGP SIGNATURE----- ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')