Fix 'Service unavailable' errors and other common OWA login problems

Common Outlook Web Access (OWA) logon errors involve unavailable service or inheritance errors. Causes for these errors can range from the use of mismatched ASP.NET versions on an OWA Server to incorrect user permissions. This tip explains why users might receive these error messages and how to prevent them.

When logging onto Outlook Web Access (OWA), users can encounter common error messages such as "Service unavailable"...

or "A problem occurred while trying to use your mailbox." This tip from Microsoft Exchange expert Brien Posey reveals what causes these OWA logon errors, how to fix them and how to prevent these errors from happening in your Exchange Server 2007 organization.

One common OWA logon error message that users encounter is "Service Unavailable." This problem often occurs when the OWA Server runs two conflicting versions of ASP.NET.

Exchange 2007 must run on a 64-bit version of Windows. OWA needs IIS to run. IIS in turn, requires ASP.NET. Although IIS is a 64-bit application, it runs either the 32-bit or 64-bit version of ASP.NET.

Keep in mind, though, that IIS can run either the 32-bit version of ASP.NET or the 64-bit version -- but not both versions simultaneously. This can be troublesome since ASP.NET version 1.1 is available in the 32-bit version, while ASP.NET 2.0 is available in 32-bit and 64-bit versions. Therefore, if you want to run both versions, you must operate in 32-bit mode. Otherwise, IIS will generate the "Service Unavailable" error when users attempt to connect to OWA.

For more information on this topic, check out the TechNet article on how to switch between the 32-bit versions of ASP.NET 1.1 and the 64-bit version of ASP.NET 2.0 on a 64-bit version of Windows.

Inheritance issues when logging onto OWA

Windows Access Control Lists (ACLs) give an object the same permissions as its parent object, unless specific permissions were applied. This type of security model generally works well for most users; however, some administrators may disable inherited permissions for some parts of their networks in an effort to directly control security.

More OWA resources:
How to improve Outlook Web Access (OWA) security

Create a secure Microsoft Outlook Web Access (OWA) redirect page 

Customize OWA authentication logon in Exchange 2003

Although this seem like a logical step for security-conscious administrators, it's important to remember that your applications -- including Exchange -- expect certain permissions to be in place. The assumption is that if permissions aren't set correctly, problems will show up immediately. But this isn't necessarily the case.

For example, Exchange Server assumes that the Exchange Servers group will have write access to the msExchUserCulture attribute for user objects within Active Directory (AD). If this permission is removed, there usually aren't any immediate side effects. However, if you create a new Exchange Server 2007 mailbox or migrate a mailbox from Exchange 2003, the user of that mailbox won't be able to log into OWA.

What makes this problem tough to troubleshoot is that the authentication process acts as though it is working. When the user navigates to the OWA site, they're prompted to enter their authentication credentials. After logging in, the user is prompted to enter language preferences and the time zone. Then, the user receives an error message stating, "A problem occurred while trying to use your mailbox. Please contact technical support for your organization."

The good news is that this issue is fairly easy to correct. To do so, open the Active Directory Users and Computers console. Next, enable the console's Advanced Features option by selecting the Advanced Features command from the console's View menu.

Next, right-click on the Users container and select Properties from the menu. When Windows displays the container's properties sheet, go to the Security tab and click Advanced. Select Allow Inheritable Permissions then click OK twice to close the dialog boxes.

When the next Active Directory replication cycle completes, the problem should be fixed. However, if the Users container resides within an Organizational Unit (OU), you may have to perform these steps at the OU level as well.

About the author: Brien M. Posey, MCSE, is a five-time recipient of Microsoft's Most Valuable Professional (MVP) award for his work with Exchange Server, Windows Server, Internet Information Services (IIS), and File Systems and Storage. Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at

Do you have comments on this tip?  Let us know.

Please let others know how useful this tip was via the rating scale below. Do you know a helpful Exchange Server, Microsoft Outlook or SharePoint tip, timesaver or workaround? Email the editors to talk about writing for

Dig Deeper on Outlook management