How to Troubleshoot the 440 Login Timeout Error Message in Outlook Web Access

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

 

This topic provides information about how to troubleshoot a "440 Login Timeout" error message. A Microsoft Office Outlook Web Access user may receive this error when trying to log on to Microsoft Exchange Server 2007.

This error may occur if any one of the following conditions is true:

  • A permissions issue exists in Internet Information Services (IIS).

  • An authentication issue exists in IIS.

  • A permissions issue exists in the IIS metabase.

  • An authentication issue exists in the IIS metabase.

  • The Guests group was added to the "Deny log on locally" Local Security Policy on the Exchange server. The IUSR_ComputerName account belongs to the Guests group and inherits the denied access.

  • The Guests group was added to the "Deny access to this computer from network" Local Security Policy on the Exchange server. The IUSR_ComputerName account belongs to the Guests group and inherits the denied access.

To resolve this problem, follow these procedures in order. After each procedure, determine whether the problem is resolved. If the problem persists, continue to the next procedure.

Procedure

Step One: Delete and then re-create the Outlook Web Access-related virtual directories

  1. Start the Exchange Management Shell.

  2. Type the following commands. These commands are case-sensitive. Press ENTER after you type each command.

    • Remove-OwaVirtualDirectory "exchange (default web site)"

    • Remove-OwaVirtualDirectory "public (default web site)"

    • Remove-OwaVirtualDirectory "exchweb (default web site)"

    • Remove-OwaVirtualDirectory "owa (default web site)"

  3. Type the following commands. Press ENTER after you type each command.

    • New-OwaVirtualDirectory "exchange" -OwaVersion Exchange2003or2000 -VirtualDirectoryType Mailboxes -WebSiteName "Default Web Site"

    • New-OwaVirtualDirectory "public" -OwaVersion Exchange2003or2000 -VirtualDirectoryType PublicFolders -WebSiteName "Default Web Site"

    • New-OwaVirtualDirectory "exchweb" -OwaVersion Exchange2003or2000 -VirtualDirectoryType Exchweb -WebSiteName "Default Web Site"

    • New-OwaVirtualDirectory -name "owa" -OwaVersion Exchange2007 -WebSiteName "Default Web Site"

Step Two: Resynchronize the passwords in the metabase and in the Active Directory directory service for the IUSR_ComputerName and IWAM_ComputerName accounts

  1. At a command prompt, use the cd command to move to the C:\Inetpub\Adminscripts directory.

  2. Type the following command, and then press ENTER:

    notepad adsutil.vbs
    
  3. Locate the following code:

    If (Attribute = True) then
    IsSecureProperty = True
    Else
    IsSecureProperty = False
    End If
    
  4. In this code, change the value for IsSecureProperty from True to False, save the changes, and then close the file.

  5. At the command prompt, type the following command, and then press ENTER:

    cscript adsutil.vbs get w3svc1\anonymoususerpass
    

    The following message is displayed:

    Microsoft (R) Windows Script Host Version 5.6

    Copyright (C) Microsoft corporation 1996-2001. All rights reserved.

    anonymoususerpass: (STRING) "HtV9o2w.18)@SY"

    If you receive error code -2147024893 when you run this command, the Anonymoususerpass property is set at the w3svc level for all Web sites but not at this particular Web site level (w3svc1). In this scenario, use the get command to specify the w3svc level. To do this, type the following command, and then press ENTER:

    cscript adsutil.vbs get w3svc\anonymoususerpass 
    
  6. Copy the password that is displayed between the quotation marks in the returned results, and then use this password to reset the password for the IUSR_ComputerName account.

  7. At the command prompt, type the following command, and then press ENTER:

    cscript adsutil.vbs get w3svc1\wamuserpass
    

    The following message is displayed:

    Microsoft (R) Windows Script Host Version 5.6

    Copyright (C) Microsoft corporation 1996-2001. All rights reserved.

    wamsuserpass : (STRING) "Tl&b9^1n9`7g*9"

    If you receive error code -2147024893 when you run this command, type the following command, and then press ENTER:

    cscript adsutil.vbs get w3svc\wamuserpass
    
  8. Copy the password that is displayed between the quotation marks in the message, and then use the password to reset the password for the IWAM_ComputerName account.

  9. Repeat steps 1 through 3 to view the IsSecureProperty entry in the Adsutil.vbs file. Revert the value of the first IsSecureProperty entry to True, and then save the changes to the file.

  10. At a command prompt, use the cd command to move to the C:\Inetpub\Adminscripts directory.

  11. Type the following command, and then press ENTER:

    notepad adsutil.vbs
    
  12. Locate the following code:

    If (Attribute = True) then
    IsSecureProperty = True
    Else
    IsSecureProperty = False
    End If
    
  13. In this code, change the value for IsSecureProperty from False to True, save the changes, and then close the file.

Step Three: Remove the Anonymoususerpass property from the ROOT container in the metabase

  1. At a command prompt, use the cd command to move to the following directory:

    c:\inetpub\adminscripts
    
  2. Type the following command, and then press ENTER:

    cscript adsutil.vbs find w3svc/anonymoususerpass
    

    The following message is displayed:

    Microsoft (R) Windows Script Host Version 5.6

    Copyright (C) Microsoft corporation 1996-2001. All rights reserved.

    Property anonymoususerpass found at:

    w3svc

  3. If the Anonymoususerpass property is set at w3svc and at w3svc/1/ROOT, remove the property from the ROOT level. To do this, type the following command, and then press ENTER:

    cscript adsutil.vbs delete w3svc/1/ROOT/anonymoususername
    
  4. Reset IIS. To do this, type iisreset, and then press ENTER. You may also have to restart the Client Access server.

Step Four: Verify that Anonymous authentication is enabled for the 8.0.685.24 virtual directory and for the auth virtual directory

  1. Start the Internet Information Services (IIS) Manager Microsoft Management Console (MMC) snap-in.

  2. Expand the server name, expand Web Sites, expand Default Web Site, and then expand owa.

  3. Under owa, right-click 8.0.685.24, and then click Properties.

    Note

    The 8.0.685.24 virtual directory may have a different version number for a name. This depends on the version of Exchange 2007 that is installed.

  4. On the Directory Security tab, click Edit in the Authentication and access control area.

  5. Click to select the Enable Anonymous access check box, and then click to clear all the check boxes under Authenticated access.

  6. Click OK two times.

  7. Under owa, right-click auth, and then click Properties.

  8. Follow steps 4 through 6 in this procedure to enable anonymous authentication and to disable other authentication methods for the auth virtual directory.

Complete the next procedure ("Step Five: Verify the IUSR_ComputerName account properties") if a domain account is used for anonymous access to the Client Access server.

Note

To determine the account that is used for anonymous access, view Authentication and access control. The Authentication and access control area is on the Directory Security tab in the Properties of 8.0.685.24 under owa in the IIS Manager MMC snap-in. Follow the steps in the "Step Four: Verify that Anonymous authentication is enabled for the 8.0.685.24 virtual directory and for the auth virtual directory" procedure to view the contents of Authentication and access control.

Step Five: Verify the IUSR_ComputerName account properties

  1. Start the Active Directory Users and Computers tool.

  2. Locate and right-click the **IUSR_**ComputerName account, and then click Properties.

  3. Click the Account tab, and then click Log On To.

  4. If the All computers option is selected, click Cancel, and then click OK to exit the **IUSR_**ComputerName Properties dialog box.

  5. If the The following computers option is selected, follow these steps:

    1. Verify that the Client Access server appears in the Computer name list. If the Client Access server does not appear in this list, you must add it.

    2. Click OK two times to save the changes and to exit the **IUSR_**ComputerName Properties dialog box.

    3. At a command prompt on the Client Access server, type iisreset /noforce, and then press ENTER.

If the Guest group was added to the Deny log on locally and Deny access to this computer from the network Local Security Policies, use one of the following options to resolve the issue.

  • Remove the Guests group from the Deny log on locally and Deny access to this computer from the network Local Security Policy.

  • Remove the IUSR**_**ComputerName account from the Guests group.

Remove the Guests group from the Local Security Policy "Deny log on locally" and "Deny access to this computer from the network"

  1. Start Local Security Policy.

  2. Expand Local Policy, and then click User Rights Assignment.

  3. In the Policy list, right-click Deny Log on locally, and then click Properties.

  4. On the Local Security Settings tab, click Guests, click Remove, and then click OK.

  5. In the Policy list, right-click Deny access to this computer from the network, and then click Properties.

  6. On the Local Security Settings tab, click Guests, click Remove, and then click OK.

  7. Close Local Security Policy.

Remove the IUSR_ComputerName account from the Guests group

  1. Start Active Directory Users and Computers.

  2. In the console tree, click Users.

  3. Double-click Domain Guests.

  4. On the Members tab, click **IUSR_**ComputerName, and then click Remove.

  5. Click OK, and then close Active Directory Users and Computers.