Configuring an on-premise Exchange 2016 OWA with SecurEnvoy for 2FA causes the webpage to load with the error: “HTTP Error 403.18 – Forbidden”

Problem

You’ve downloaded the latest SecurEnvoy Version 9.1.501 package as of May 2018 from:

https://www.securenvoy.com/support/downloads.shtm

Then used the following guide to configure your on-premise Exchange 2016 OWA access for 2FA:

Microsoft Outlook Web Access 2013 – SecurEnvoy
https://www.securenvoy.com/IntegrationGuides/Microsoft/Outlook-Web-Access-2013.pdf

… but receive the following error when attempting to access the Outlook Web App page after enabling SecurEnvoy 2FA:

HTTP Error 403.18 – Forbidden
The specified request cannot be processed in the application pool that is configured for this resource on the Web server.
Most likely causes:

· An ISAPI filter or custom module changed the URL to run in a different application pool than the original URL.

· An ISAPI extension (or custom module) used ExecuteURL (or ExecuteRequest) to run in a different application pool than the original URL.

· You have a custom error page that is located in one application pool but is referenced by a Web site in another application pool. When the URL is processed, it is determined by IIS that it should have been processed in the first application pool, not the other pool.

· The Web site has multiple applications configured. The application this request is configured to run in is set to run in an application pool that does not exist.

Things you can try:

· If you have an application that is trying to process a URL in another application pool (such as trying to process a custom error), ensure that they both run in the same application pool if appropriate.

· If you are trying to process a custom error URL that is located in another application pool, enable the custom errors Redirect feature.

· Verify that the application pool for the application exists.

· Create a tracing rule to track failed requests for this HTTP status code and see if ExecuteURL is being called. For more information about creating a tracing rule for failed requests, click here.

Detailed Error Information:

Module

   IIS Web Core

Notification

   BeginRequest

Handler

   SecurEnvoy MS Server Agent

Error Code

   0x00000000

Requested URL

   https://<webmailURL>:443/securenvoyauth/webauth.exe?action=auth&dir=WEBAUTHTEMPLATE&ip=7C91BFF7D8EBAB9B9879278A1F44F11D92&redirect=https://tmrbmexmb02/owa/

Physical Path

   C:\Program Files (x86)\SecurEnvoy\Microsoft Server Agent\WEB\webauth.exe

Logon Method

   Not yet determined

Logon User

   Not yet determined

More Information:

This error occurs if the application pool for the request does not exist, or if an ISAPI filter, ISAPI extension or HTTP module calls the ExecuteURL server support function (or ExecuteRequest) with a URL that is configured in a different application pool. Due to security reasons, a Web site in one application pool cannot make ExecuteURL requests against a URL in another application pool. If you have an application that is trying to process a URL in another application pool, ensure that they both run in the same application pool if appropriate.

[screenshot: the IIS detailed 403.18 error page shown above]

Server Error

403 – Forbidden: Access is denied.

You do not have permission to view this directory or page using the credentials that you supplied.

[screenshot: the generic 403 – Forbidden page shown above]

Solution

One possible cause of this error is that the SecurEnvoyAuth application in IIS on the Exchange 2016 server is running in a different application pool from OWA. The handler named in the error (webauth.exe) redirects back to /owa/, which runs in MSExchangeOWAAppPool, and IIS refuses to hand a request from one application pool to a URL in another; that is exactly the cross-pool condition the 403.18 page describes. I’ve only configured SecurEnvoy 2FA with OWA 2016 once, so I am unsure whether this is a common issue; the deployment guide (https://www.securenvoy.com/IntegrationGuides/Microsoft/Outlook-Web-Access-2013.pdf) does indicate this as a requirement, but it is labeled as a note:

[screenshot: the note in the SecurEnvoy deployment guide]

To verify that the parameter is configured correctly, launch Internet Information Services (IIS) Manager on the Exchange server and navigate to the SecurEnvoyAuth virtual directory:

[screenshot: the SecurEnvoyAuth node in IIS Manager]

Right-click on the SecurEnvoyAuth node, navigate to Manage Application and then select Advanced Settings…:

[screenshot: the Manage Application > Advanced Settings… context menu]

If the Application Pool is configured as DefaultAppPool, change it to MSExchangeOWAAppPool:

[screenshot: Advanced Settings showing Application Pool set to DefaultAppPool]

[screenshots: changing the Application Pool to MSExchangeOWAAppPool]
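The same check and fix can be scripted, which is handy when you have several Exchange servers to verify. The following is an added example, not part of the original post or of SecurEnvoy’s guide. It assumes OWA and the SecurEnvoy agent both sit under the IIS site named “Default Web Site” and that the agent was installed as an IIS application named “SecurEnvoyAuth” (if it were only a plain virtual directory it would have no application pool of its own and this 403.18 would not arise); adjust the variables if your install differs. Run it in an elevated PowerShell on the Exchange server.

```powershell
# Added example (not from the original post or SecurEnvoy's guide).
# Assumptions: the IIS site is "Default Web Site" and the SecurEnvoy agent is
# installed as an IIS application named "SecurEnvoyAuth" beneath it.
Import-Module WebAdministration

$SiteName = 'Default Web Site'
$AgentApp = 'SecurEnvoyAuth'
$OwaApp   = 'owa'

# The handler named in the 403.18 error (webauth.exe) redirects back to /owa/,
# so the agent's application must run in the same pool as OWA. Read both pools.
$owaPool   = (Get-WebApplication -Site $SiteName -Name $OwaApp).applicationPool
$agentPool = (Get-WebApplication -Site $SiteName -Name $AgentApp).applicationPool

"OWA application pool            : $owaPool"
"SecurEnvoyAuth application pool : $agentPool"

if ($agentPool -ne $owaPool) {
    Write-Warning "$AgentApp runs in '$agentPool' but OWA runs in '$owaPool' - this is the 403.18 cross-pool condition."

    # Same change the IIS Manager steps make (Advanced Settings > Application Pool).
    Set-ItemProperty "IIS:\Sites\$SiteName\$AgentApp" -Name applicationPool -Value $owaPool

    # Re-read the setting to confirm the change took effect.
    $agentPool = (Get-WebApplication -Site $SiteName -Name $AgentApp).applicationPool
    "SecurEnvoyAuth application pool is now: $agentPool"
}
else {
    "Application pools match; a pool mismatch is not the cause of the 403.18."
}

# For a wider view, list every application in the site with its pool. Any other
# application that OWA or the agent hands off to must be in the same pool too:
Get-WebApplication -Site $SiteName | Select-Object path, applicationPool

# Equivalent one-liner with appcmd:
#   %windir%\system32\inetsrv\appcmd list app /site.name:"Default Web Site"
```

Reading the OWA application’s pool rather than hard-coding MSExchangeOWAAppPool means the script still does the right thing if the OWA pool has been renamed; the important property is that the two applications share a pool, not the pool’s name.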

The page should now load with the SecurEnvoy customizations:

[screenshot: the OWA sign-in page with the SecurEnvoy customizations, images missing]

Note that the above screenshot shows that the images are missing, which is another issue I will blog about in another post.