-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 At 09:41 PM 5/14/2002, you wrote: >http://www.ISAserver.org > > >If I can get round this without giving users 'log on locally' rights to my >Exchange server(also a DC!) then I'll be happier. > >The fact that basic authentication works for clients external to my LAN >makes me think that this can't just be a 'log on locally' issue. I had it the other way around... I didn't catch that part- however, I was experiencing the exact same thing- admin could log on a single time (mine was over HTTPS), but regular users could not; they had to continually enter credentials for each element. In the event log, I saw the "user not granted appropriate rights" or whatever the exact message was, and knew right away it was a LoL issue- I gave that group LoL rights, and it worked perfectly at once. For IIS, the logon type 2 is considered "local"- it is the way IIS does it. But, if your external people are accessing it, they probably already have that right. A regular server has the local "users" group included in the "Log on locally" policy by default, but a domain controller does not. When a member server joins the domain, the local "users" group has the domain's "domain users" group added to it. It would be interesting to know exactly how you currently have it set. I don't have the original message anymore- how are you publishing the OWA site? And is basic authentication the only method selected or do you have NT Integrated checked as well? I assume you have a default domain selected under the Basic Authentication properties... Thanks! -----BEGIN PGP SIGNATURE----- Version: PGP 7.1 iQA/AwUBPOH084hsmyD15h5gEQJEJQCdFQr06suiOlDC0NgbJGgBGqAPBP8An3vM efxGNwYY80O+2Uhtg9XlTj2O =Jxr+ -----END PGP SIGNATURE-----