How to spend a few hours fighting with a new server. Thought I’d post this to help out any other poor soul that’s stuck with the same problem.
The setup: Exchange Server 2007 SP1 running on Windows Server 2008, with users trying to run Outlook Web Access (OWA).
The problem: only users that are members of the Administrators group can connect to OWA successfully.
The fix: ensure that all users that need to use OWA are at least members of the Builtin\Users group.
Sounds simple, right? Well, for some reason Microsoft have kindly changed the default permissions on the %windir% directory on Server 2008 so that "Authenticated Users" no longer have Read access as they used to on Server 2003. This means that anyone who is not in one of the other groups that have access by default can no longer read the ASP.NET ISAPI filters, so when the user logs in, IIS responds with a 401.3 ("Unauthorized: Access is denied due to an ACL"). "Domain Users" do not have any permissions on the directory either, so newly created users in an AD domain will not have access by default (if OWA is running on a domain controller; hopefully they’ll get this right when SBS 2008 finally comes out later in the year).
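
To confirm this on your own server before changing group memberships, the following is an added diagnostic example (not part of the original post). It reports which of the groups mentioned above hold an Allow entry with read rights on %windir%, then lists the members of Builtin\Users. It assumes PowerShell is installed on the server and that the group names are the English ones.

```powershell
# Added diagnostic example, not from the original post.
# Assumptions: PowerShell is installed, English group names.

$path = $env:windir

# Groups named in the post. Wildcards are used where the prefix
# (NT AUTHORITY or the domain name) can differ between systems.
$patterns = '*\Authenticated Users', 'BUILTIN\Users',
            '*\Domain Users', 'BUILTIN\Administrators'

$read = [int][System.Security.AccessControl.FileSystemRights]::Read

$acl = Get-Acl -Path $path

foreach ($pattern in $patterns) {
    # Keep only Allow entries for this group that include every bit of Read.
    # Deny entries and nested group membership are not evaluated here.
    $aces = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -like $pattern -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $read) -eq $read)
    })

    if ($aces.Count -gt 0) {
        "{0,-26} read on {1}: yes ({2})" -f $pattern, $path, $aces[0].FileSystemRights
    } else {
        "{0,-26} read on {1}: NO" -f $pattern, $path
    }
}

# List who is currently in Builtin\Users, the group the fix relies on.
net localgroup Users
```

A group reported as "NO" has no direct read entry on the directory, so an OWA user whose only memberships are groups reported as "NO" is the case that ends in the 401.3 described above.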