Thanks for that answer.
gratefully received.
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:ej9gXt3uFHA.3588@tk2msftngp13.phx.gbl...
> No such configuration on IIS exists for your theory.
>
> My guess is that you have some DENY ACL against a group that the
> Administrator is in but NOT against the group the normal user is in.
> Remember, giving access is not about just having permission; it is also
> about not being denied permission.
>
> --
> //David
> IIS
>
http://blogs.msdn.com/David.Wang > This posting is provided "AS IS" with no warranties, and confers no
> rights.
> //
> "Dave Williams" <davewilliams29@yahoo.com> wrote in message
> news:%236EUc9quFHA.3152@TK2MSFTNGP12.phx.gbl...
> Hi all, I have an odd issue...
>
> I have an IIS 6 server (actually running Exchange OWA) and two users, one
> of
> whom is allowed full access and the other is denied all access. The denied
> user is a member of domains admins and exchange admins, and can log onto a
> mailbox fine using Outlook but not with OWA, the allowed user is just a
> normal domain user but can access their mailbox in OWA no problem.
>
> Looking through the AD properties of the two users, I found the only
> distinction (apart from one being more administrative) is that the allowed
> user has a 'userPrincipalName' set whereas the failing user doesn't. Is
> there any configuration setting that might be in force on IIS that might
> cause this to happen?
>
> I'm aware that userPrincipalName is used for Kerberos authentication, but
> not sure what happens if a user doesn't have one (I've done the same thing
> in other environments for users without a userPrincipalName many times).
> Could it be that the IIS/OWA configuration is disallowing NTLM as its
> 'integrated' authentication method, so forcing Kerberos and that's
> failing?
>
> I've looked around the other configuration options, and can see nothing
> that
> would explain why one user would connect and the other be refused.
>
> Any ideas?
> Thanks,
> Dave
>
>
>
