owauser.wsf switches

Tobbe
Level 5
Hi.
I'm setting up a few new Exchange 2007 servers that will be archived using the same EV 2007 servers that currently are handling the existing Exchange 2000 servers. Both Exchange environments will coexist for a while which means that both archiving and retrieval must work from both worlds.
My concern now is from an OWA perspective. Currently I have two domain accounts that are being used as the anonymous account when a request is made through the 2000 OWA. Now, I'm wondering if I can reuse these accounts for the 2007 OWA functionality? In essence, what difference does the /2000 and /2003 switch really make during the preparation using owauser.wsf?
The install and configure guide tells me that if I'm upgrading my OWA extensions I can reuse the same account, but I'm not upgrading the extensions - I'm adding new ones so the anonymous account will be used from both a 2000 perspective and a 2007 perspective.
 
Anyone that can help me out?
 
Cheers,
/Tobbe

jimbo2
Level 6
Partner
I believe it has something to do with the way it configures the EVANON virtual directory. The 2003 switch may have more metadata in the virtual directory. I am not 100 percent sure so do this:
 
Post the owauser.wsf script and I will see if I can make sense of what the switch is doing in the script.
 
Also,
 
You will use the /2003 for 2007.
 
Jim S.

Tobbe
Level 5
Thanks a lot for your response Jim.
 
That response was quite an eye opener. A 2000 OWA does not make use of an EVanon directory at all. Rather it uses a file named owardr.asp. That should mean that the owauser.wsf script actually targets the evanon directory when used with /2003 and the owardr.asp file when used with /2000. Perhaps there is more to it than this but at least that is a pretty obvious difference.
 
This means that the question has evolved to this: Are there any known issues with accessing the vault servers from both 2000 and 2007 OWA's and thereby having both the evanon directory AND the owardr.asp?
 
I've pasted the entire content of the script below for what it's worth, sorry for the length that it brings this post to.
 
Also, for other people that might be reading this, the /2003 switch will not be needed for 2003 and 2007 OWA if your EV servers are at 2007 SP1. The only switch that's needed then is /2000 if you're implementing support for Exchange 2000 OWA.
 
/Tobbe
 
<!--
'
' Copyright © 2006 Symantec Corporation. All rights reserved.
'
' THIS SOFTWARE CONTAINS CONFIDENTIAL INFORMATION AND TRADE SECRETS OF SYMANTEC
' CORPORATION. USE, DISCLOSURE OR REPRODUCTION IS PROHIBITED WITHOUT THE PRIOR
' EXPRESS WRITTEN PERMISSION OF SYMANTEC CORPORATION.
'
' The Licensed Software and Documentation are deemed to be "commercial
' computer software" and "commercial computer software documentation" as
' defined in FAR Sections 12.212 and DFARS Section 227.7202.
'
-->
<job>
 <runtime>
  <description>
This script is used to configure the Enterprise Vault Server for OWA access.
It must be run under the context of the Enterprise Vault Service Account.
  </description>
  <example>
Example:
cscript owauser.wsf /domain:myDomain /user:evowausr /password:P5ssword /exch2003
  </example>
  <named name="user" type="string" required="true" helpstring="User name without domain." />
  <named name="domain" type="string" required="true" helpstring="Domain for user." />
  <named name="password" type="string" required="true" helpstring="Password for user" />
  <named name="exch2000" type="simple" required="false" helpstring="Configure for Exchange 2000.  If this isn't specified, then /exch2003 must be specified." />
  <named name="exch2003" type="simple" required="false" helpstring="Configure for Exchange 2003.  If this isn't specified, then /exch2000 must be specified." />
  <named name="alias" type="string" required="false" helpstring="Alias of the virtual directory to create.  Only applies for Exchange 2003." />
  <named name="skipverify" type="simple" required="false" helpstring="Don't verify the supplied user credentials" />
 </runtime>
 <script language="VBScript">
  Option Explicit
  Dim oInfoNT, sComputerName 'WinNT variables
  Dim oNamedArgs, oArgs, sArg, aArg, i
  Dim sUserDom, sUserName, sUserPass, sEVAnonAlias, bExch2003, bSkipVerify 'Command line variables
  Dim WShell, oUser, oDomain, retCode, sWebAppVbs, bBadArgs, sAdminServiceAccount 'Others
  Const ADS_NAME_INITTYPE_GC = 3
  Const ADS_NAME_TYPE_NT4 = 3
  Const ADS_NAME_TYPE_1779 = 1
  Set WShell = WScript.CreateObject("WScript.Shell")
  Dim s64Bit, UserRegKey, AliasRegKey, VaultAdminRegKey
  If WShell.ExpandEnvironmentStrings("%PROCESSOR_ARCHITECTURE%") <> "x86" Then
   s64Bit = "Wow6432Node\"
  Else
   s64Bit = ""
  End If
  UserRegKey = "HKCU\Software\KVS\Enterprise Vault\AnonymousUser"
  AliasRegKey = "HKLM\Software\" & s64Bit& "KVS\Enterprise Vault\Install\OwaWebAppAlias"
  VaultAdminRegKey = "HKLM\System\CurrentControlSet\Services\EnterpriseVaultAdminService\ObjectName"
  'Initialise required arguments from command line
  
  WScript.Echo "WScript version: " & WScript.Version
  If StringToDouble(WScript.Version) >= 5.6 Then
   Set oNamedArgs = WScript.Arguments.Named
  Else
   Set oNamedArgs = CreateObject("Scripting.Dictionary")
   oNamedArgs.CompareMode = 1
   Set oArgs = WScript.Arguments
   For i = 0 to oArgs.Count - 1
    sArg = oArgs(i)
    If Left(sArg, 1) = "/" or Left(sArg, 1) = "-" Then
     sArg = Mid(sArg, 2)
    End If
    If InStr(sArg, ":") Then
     aArg = Split(sArg, ":")
     oNamedArgs.Add aArg(0), aArg(1)
    Else 
     oNamedArgs.Add sArg, ""
    End If
   Next
  End If
  If oNamedArgs.Exists("user") Then
   sUserName = oNamedArgs.Item("user")
  End If
  
  If oNamedArgs.Exists("domain") Then
   sUserDom = oNamedArgs.Item("domain")
  End If
  If oNamedArgs.Exists("password") Then
   sUserPass = oNamedArgs.Item("password")
  End If
  
  bBadArgs = false
  If oNamedArgs.Exists("Exch2003") Then
   bExch2003 = true
   WScript.Echo "Configuring for Exchange 2003"
  ElseIf oNamedArgs.Exists("Exch2000") Then
   bExch2003 = false
   WScript.Echo "Configuring for Exchange 2000"
  Else
   bBadArgs = true
  End If
  
  If bBadArgs or sUserName = "" or sUserDom = "" or sUserPass = "" Then
   WScript.Arguments.ShowUsage
   WScript.Quit 0
  End If
  'Initialise optional arguments from the command line
  If oNamedArgs.Exists("alias") Then
   sEVAnonAlias = oNamedArgs.Item("alias")
  Else
   sEVAnonAlias = "EVAnon"
  End If
  
  bSkipVerify = false
  If oNamedArgs.Exists("skipverify") Then
   bSkipVerify = true
  End If
  '
  'Spit out who we are
  '
  Set oInfoNT = CreateObject("WinNTSystemInfo")
  WScript.Echo "Running as: " & oInfoNT.DomainName & "\" & oInfoNT.UserName
  '
  'Check we're the same as the admin service account
  '
  sAdminServiceAccount = WShell.RegRead(VaultAdminRegKey)
  if LCase(sAdminServiceAccount) <> LCase(oInfoNT.DomainName & "\" & oInfoNT.UserName) then
   WScript.Echo "ERROR: This script must be run under the context of the Enterprise Vault Service Account"
   WScript.Quit 1
  end if
  
  WScript.Echo "User name: " & sUserName
  WScript.Echo "User domain: " & sUserDom
  If Not bSkipVerify Then
   '
   'Check supplied login credentials are correct
   '
   '1. Check that user account exists
   ' We are running as Vault Service account, which is always a domain user and local administrator.
   ' So we can perform an ADSI lookup using the current credentials to find the user.
   on error resume next
   Set oUser = GetObject("WinNT://" + sUserDom + "/" + sUserName + ",user")
   If err.number <> 0 Then
    WScript.Echo "ERROR: Specified user account does not exist"
    WScript.Quit 1
   End If
   on error goto 0
   
   '2. Check that password is correct
   ' Use authenticated ADSI lookup using supplied credentials
   ' For a domain account, the OpenDSObject call will fail if credentials are invalid
   ' For a local account, a subsequent GetObject call will fail if credentials are invalid
   on error resume next
   Const ADS_SECURE_AUTHENTICATION = 1
   Set oDomain = GetObject("WinNT:").OpenDSObject("WinNT://" & sUserDom, sUserName, sUserPass, ADS_SECURE_AUTHENTICATION)
   Set oUser = oDomain.GetObject("user", sUserName)
   If err.number <> 0 Then
    WScript.Echo "ERROR: Cannot log on to specified account"
    WScript.Quit 1
   End If
   on error goto 0
  
   '3. Warn if account is local account rather than domain account
   sComputerName = oInfoNT.ComputerName
   If LCase(sComputerName) = LCase(sUserDom) Then
    WScript.Echo "WARNING: Specified user is a local account"
   End If
  End If
  
  '
  'Assign rights for user
  '
  ' Access this computer from the network
  SetUserRight("SeNetworkLogonRight")
  ' Allow log on locally
  SetUserRight("SeInteractiveLogonRight")
  ' Log on as a batch job
  SetUserRight("SeBatchLogonRight")
  ' Bypass traverse checking
  SetUserRight("SeChangeNotifyPrivilege")
  '
  'Configure IIS
  '
  sWebAppVbs = Replace(Wscript.ScriptFullName, WScript.ScriptName, "WebApp.vbs", 1, 1, 1)
  on error resume next
  If bExch2003 Then
   retCode = WShell.Run("""" & sWebAppVbs & """ /anon2003 /a " & sEVAnonAlias & " /user " & sUserDom & "\" & sUserName & " /pass " & sUserPass, 1, true)
  Else
   retCode = WShell.Run("""" & sWebAppVbs & """ /anon2000 /user " & sUserDom & "\" & sUserName & " /pass " & sUserPass, 1, true)
  End If
  If Err.number = -2147024894 Then
   WScript.Echo "ERROR: Cannot find file: " & sWebAppVbs
   WScript.Quit 1
  ElseIf Err.number <> 0 Then
   WScript.Echo "ERROR: Failed to run Enterprise Vault web app configuration script, error: " & Err.number & " " & Err.Description
   WScript.Quit 1
  End If
  on error goto 0
  
  If retCode = 0 Then
   WScript.Echo "Configured Enterprise Vault web app"
  ElseIf retCode = 7 Then
   WScript.Echo "ERROR: ExchangeServers file does not exist. Please create the file and re-run this script"
   WScript.Quit 1
  ElseIf retCode = 8 Then
   WScript.Echo "ERROR: Couldn't open ExchangeServers file.  Please check the file and re-run this script"
   WScript.Quit 1
  ElseIf retCode = 9 Then
   WScript.Echo "ERROR: ExchangeServers file contains invalid entries.  Please check the file and re-run this script"
   WScript.Quit 1
  Else
   WScript.Echo "ERROR: Failed to configure Enterprise Vault web app, error: " & retCode
   WScript.Quit 1
  End If
  
  '
  'Set regkeys
  '
  ' AnonymousUser
  WShell.RegWrite UserRegKey, sUserDom & "\" & sUserName, "REG_SZ"
  ' OwaWebAppAlias - Exchange 2003 only
  If bExch2003 Then
   WShell.RegWrite AliasRegKey, sEVAnonAlias, "REG_SZ"
  End If
  'Say we've finished, and that the admin must now restart the EV admin service
  WScript.Echo "Anonymous access configuration completed."
  WScript.Echo "*** You must now restart the Enterprise Vault Admin Service, and synchronize mailboxes for the settings to take effect. ***"
  Sub SetUserRight(sRight)
   Dim retCode
   on error resume next
   retCode = WShell.Run("evrights " & sUserDom & "\" & sUserName & " " & sRight, 0, true)
   If Err.number = -2147024894 Then
    WScript.Echo "ERROR: Failed to assign user right: " & sRight & "; Error: Cannot find evrights.exe"
   ElseIf retCode <> 0 Then
    WScript.Echo "ERROR: Failed to assign user right: " & sRight & "; Error: " & retCode
   Else
    WScript.Echo "Assigned user right: " & sRight
   End If
   on error goto 0
  End Sub
  Function StringToDouble(str)
   Dim integerPart : integerPart = 0
   Dim decimalPart : decimalPart = 0
   Dim digit
   Dim i
   Dim j
   For i = 1 to Len(str)
    digit = Mid(str, i, 1)
    If IsNumeric(digit) Then
     integerPart = (10 * integerPart) + CLng(digit)
    Else
     Exit For
    End If
   Next
   
   For j = Len(str) to i + 1 Step -1
    digit = Mid(str, j, 1)
    If IsNumeric(digit) Then
     decimalPart = (decimalPart + CLng(digit)) / 10
    Else
     Exit For
    End If
   Next
   StringToDouble = integerPart + decimalPart
  End Function
 </script>
</job>

jimbo2
Level 6
Partner

Your statements seem to match what I see in the script. I will not go crazy with this but one of the NOTE lines states:

 

helpstring="Alias of the virtual directory to create.  Only applies for Exchange 2003." />

 

which indicates to me that the EVAnon is only created when the OWAUSER.WSF is run with /EXCH2003.

 

-----------------------------------------------------------------------------------------------------------------------------------

 

The below seems to be the code that corresponds to the above statement. At the bottom you will notice that the sEVAnonAlias is set to EVAnon.


If bExch2003 Then
   retCode = WShell.Run("""" & sWebAppVbs & """ /anon2003 /a " & sEVAnonAlias & " /user " & sUserDom & "\" & sUserName & " /pass " & sUserPass, 1, true)
  Else
   retCode = WShell.Run("""" & sWebAppVbs & """ /anon2000 /user " & sUserDom & "\" & sUserName & " /pass " & sUserPass, 1, true)
  End If

 

-------------------------------------------------------------------------------------------------------------------------------------

 

There seem to be two reg keys created when the EXCH2003 is used.


If bExch2003 Then
   WShell.RegWrite AliasRegKey, sEVAnonAlias, "REG_SZ"
  End If

 

 

AliasRegKey = "HKLM\Software\" & s64Bit& "KVS\Enterprise Vault\Install\OwaWebAppAlias"
  VaultAdminRegKey = "HKLM\System\CurrentControlSet\Services\EnterpriseVaultAdminService\ObjectName"

 

 

The sEVAnonAlias seems to get set to EVAnon.

 

If oNamedArgs.Exists("alias") Then
   sEVAnonAlias = oNamedArgs.Item("alias")
  Else
   sEVAnonAlias = "EVAnon"
  End If

 

 

Hope this helps
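
An added example, not part of the thread or of Symantec's script: a PowerShell check of what owauser.wsf leaves behind on the EV server, covering the four user rights it assigns and the two registry values it writes. It assumes PowerShell 2.0 or later and the built-in secedit tool; the account name is the placeholder from the script's own usage text.

```powershell
# Added example (not part of owauser.wsf). Run on the EV server as the
# Vault Service Account, because AnonymousUser is written under HKCU.
param([string]$Account = 'myDomain\evowausr')   # placeholder from the script's usage text

# The four rights the script assigns through evrights.exe
$rights = 'SeNetworkLogonRight', 'SeInteractiveLogonRight',
          'SeBatchLogonRight', 'SeChangeNotifyPrivilege'

# secedit lists holders as *SID, or by name when it does not resolve a SID
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

$inf = Join-Path $env:TEMP 'ev-user-rights.inf'
secedit /export /areas USER_RIGHTS /cfg $inf | Out-Null
$lines = Get-Content $inf
Remove-Item $inf

foreach ($right in $rights) {
    $entry   = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $holders = @()
    if ($entry) {
        $holders = $entry.Split('=')[1].Split(',') |
                   ForEach-Object { $_.Trim().TrimStart('*') }
    }
    # Rights inherited through a group (Everyone, Users, ...) are not resolved here
    $direct = ($holders -contains $sid) -or ($holders -contains $Account)
    '{0,-26} assigned directly to {1}: {2}' -f $right, $Account, $direct
}

# Registry values written at the end of the script; the Wow6432Node test
# mirrors the script's own PROCESSOR_ARCHITECTURE check.
$wow = ''
if ($env:PROCESSOR_ARCHITECTURE -ne 'x86') { $wow = 'Wow6432Node\' }
$user  = Get-ItemProperty 'HKCU:\Software\KVS\Enterprise Vault' -ErrorAction SilentlyContinue
$alias = Get-ItemProperty "HKLM:\Software\${wow}KVS\Enterprise Vault\Install" -ErrorAction SilentlyContinue
'AnonymousUser  : {0}' -f $user.AnonymousUser
'OwaWebAppAlias : {0}  (only written by /exch2003)' -f $alias.OwaWebAppAlias
```

Running it before and after owauser.wsf shows exactly which rights the anonymous account gained, which is useful when one account serves both the 2000 and the 2007 OWA path.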

Tobbe
Level 5
Thanks again Jim.
Then I think that we could put the original question regarding what the actual switches accomplish to rest.
 
Would you mind sharing your thoughts about accessing the EV from both 2000 and 2007 OWA clients and thereby making use of both the owardr.asp AND the evanon functionality in parallel while using the same account for the anonymous access?
 
 

jimbo2
Level 6
Partner
I would think that it would work. Do you have a test environment?
 
I would set up the W3K/2007 first with EVAnon and verify that it worked.
 
I would then move the file for 2000 to the new system. Check obvious things like:
 
Permissions on the file
Account Local Policies
 
What do you think? You are running this with 2000 and I am sure you have an idea or two?
 
Jim S. 

Tobbe
Level 5
Setting up an Exchange 2000 and 2007 system and an archiving solution in a test environment will unfortunately be too much of a hill and time consumer for us.
 
I honestly believe that since there are two different resources within IIS that are being called upon whether the request comes from a 2000 or 2007 OWA user this should really be transparent.
Also, anyone that is upgrading an older Exchange installation will be facing this and since the same issue occurred when upgrading from Exch 2000 to 2003 I guess I'd have found more about this if an issue really existed.
 
If I haven't found out anything groundbreaking by Monday I will have a go at this.

jimbo2
Level 6
Partner
Please post your results. I am sure your results will be helpful to others.
 
Jim S.

Tobbe
Level 5
OK. Feedback time.
 
I could not find anything indicating that this setup would not work so I added the new 2007 servers to the exchangeservers.txt and ran the owauser.wsf script where I reused the same anonymous account that is being used by the 2000 OWA.
Result: EVanon directory is created with the correct IP's listed as allowed hosts, the 2000 OWA is still functioning but the shortcuts in the 2007 OWA are not working.
 
I had an issue with an earlier EX/EV 2007 implementation and was told back then that EV 2007 could not handle NTLM on the owa and exchange virtual directories so I tried to use only basic authentication but the shortcuts are still dead.
In the long run though, I cannot use that setup since I have CAS servers in different sites and in order for CAS proxying to work I need to have NTLM authentication enabled or the remote users will not have any OWA access whatsoever.
 
The eventlog is generating event 0 on the Exchange servers:
 
Event Type: Error
Event Source: Enterprise Vault OWA Extensions
Event Category: None
Event ID: 0
Date:  2007-12-17
Time:  16:57:45
User:  N/A
Computer: Exchange 2007 Mailbox server
Description:
An unhandled exception was caught:
Microsoft.Exchange.Clients.Owa.Core.OwaNotSupportedException: WindowsIdentity
   at Microsoft.Exchange.Clients.Owa.Core.OwaADUserIdentity.get_WindowsIdentity()
   at Symantec.EnterpriseVault.Owa.Core.OwaObjectHelper.get_MailboxSID()
   at Symantec.EnterpriseVault.Owa.Core.OwaObjectHelper.get_OWAAvailable()
   at Symantec.EnterpriseVault.Owa.Core.RequestProcessor..ctor(HttpContext oContext)
   at Symantec.EnterpriseVault.Owa.EVOwaModule.PreRequestHandlerExecute(Object objSender, EventArgs objEventArgs)

I've logged a case with the support to get some further assistance so I'll keep you posted as to how this turns out.

jimbo2
Level 6
Partner
Here was another case something like your case.
 
 
I asked if he resolved this error.
 
Jim S.

Tobbe
Level 5
This has now been resolved with the assistance of the EV support.
 
Three things needed to be adjusted:
1. The anonymous account for OWA needed to have full access permissions on the shopping folder. 
2. In the OWA part of the policy in effect, the client connection value must be set to direct and not proxy
3. In the web.config file on the CAS servers different settings are needed as mentioned in the install and configuring guide.
On CAS servers that also have the mailbox role installed nothing really needs to be done. The reference to localhost can remain and there is no need to add the "EnterpriseVault_WebDAVRequestProtocol" setting to web.config since the communications will stay local on the server and it will default to https which is fine since a certificate has been installed on the CAS server by default.
However, on dedicated CAS servers the settings that are mentioned in the install and configuring guide need to be set as follows:

<add key="EnterpriseVault_WebDAVRequestHost" value=""/>
(the reference to localhost has been removed from the default setting since the mailbox role is not local at all)

<add key="EnterpriseVault_WebDAVRequestProtocol" value="http"/>
(This will instruct the CAS to use http when communicating with the mailbox server.)
 
Hope this helps anyone in the future.
 
Merry X-mas :)
/Tobbe
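
An added example, not from the thread or the install guide: a PowerShell check of the two web.config keys named in the resolution above, run here against a constructed sample. The function names and the sample XML are assumptions made for illustration; only the two key names and their values come from the post.

```powershell
# Added example (not from the thread): check the two Enterprise Vault keys
# in an OWA web.config against the values given in the resolution above.
# Constructed sample: a dedicated CAS still carrying the default localhost value.
$sample = [xml]@'
<configuration>
  <appSettings>
    <add key="EnterpriseVault_WebDAVRequestHost" value="localhost"/>
  </appSettings>
</configuration>
'@

function Get-EvSetting([xml]$Doc, [string]$Key) {
    # local-name() keeps the lookup working if <configuration> declares a namespace
    $xp   = "//*[local-name()='appSettings']/*[local-name()='add'][@key='$Key']"
    $node = $Doc.SelectSingleNode($xp)
    if ($null -ne $node) { return $node.GetAttribute('value') }
    return $null      # key absent, which is different from value=""
}

function Format-EvValue($Value) {
    if ($null -eq $Value) { '<missing>' } else { "'$Value'" }
}

function Test-EvOwaConfig([xml]$Doc, [switch]$DedicatedCas) {
    $hostVal  = Get-EvSetting $Doc 'EnterpriseVault_WebDAVRequestHost'
    $protoVal = Get-EvSetting $Doc 'EnterpriseVault_WebDAVRequestProtocol'
    $issues   = @()
    if ($DedicatedCas) {
        # Mailbox role is remote: no localhost reference, protocol stated explicitly
        if ($hostVal -ne '') {
            $issues += "EnterpriseVault_WebDAVRequestHost should be value=`"`", found $(Format-EvValue $hostVal)"
        }
        if ($protoVal -ne 'http') {
            $issues += "EnterpriseVault_WebDAVRequestProtocol should be 'http', found $(Format-EvValue $protoVal)"
        }
    }
    # CAS with the mailbox role: per the post, localhost may stay and the
    # protocol key can be absent (it defaults to https), so nothing is flagged.
    return $issues
}

$found = @(Test-EvOwaConfig -Doc $sample -DedicatedCas)
if ($found.Count -eq 0) { 'web.config matches the settings from the thread' } else { $found }

# For a real server, load the file instead of the sample (path is a placeholder):
#   Test-EvOwaConfig -Doc ([xml](Get-Content 'D:\path\to\Owa\web.config')) -DedicatedCas
```

With the protocol value set to http, the WebDAV requests from the CAS to the mailbox server are not encrypted, so it is worth recording which servers carry that setting.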

MichelZ
Level 6
Partner Accredited Certified
Thanks for this Information!
It will definitely be helpful.

Merry X-MAS!

Cheers
Michel

cloudficient - EV Migration, creators of EVComplete.

jimbo2
Level 6
Partner
Excellent information
 
Thanks for posting your resolution.
 
 
Jim S.