SSL is enabled on the ExchWeb virtual directory

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at]  

Topic Last Modified: 2010-04-01

The Microsoft Exchange Best Practices Analyzer examines the components that are enabled in Internet Information Services (IIS) on Microsoft Exchange 2003 and Microsoft Exchange 2000 back-end servers. During this examination, the Best Practices Analyzer determines whether the following conditions are both true:

  • An Exchange 2003 front-end server or an Exchange 2007 Client Access server is configured to connect to the back-end server.

  • The Exchange 2003 or Exchange 2000 back-end server has Secure Sockets Layer (SSL) enabled on the /ExchWeb virtual directory.

If these conditions are both true, the Best Practices Analyzer generates the following warning message:

'Require secure channel (SSL)' is enabled for virtual directory 'ExchWeb' on the Exchange 2000 or Exchange 2003 back-end server <ServerName>. This may cause Outlook Web Access (OWA) access to fail. Please follow the steps listed in to disable 'Require secure channel (SSL)' for the virtual directory 'ExchWeb'.

This message indicates that the /ExchWeb virtual directory on the back-end server may be configured incorrectly. If a user's mailbox is hosted on a back-end server that is running Exchange 2003 or Exchange 2000 and if SSL is enabled on the /ExchWeb virtual directory, the user cannot use Outlook Web Access to connect to the mailbox through a front-end server.


If the user's mailbox is hosted on an Exchange 2007 server, the user can access the mailbox successfully.

In this scenario, users can log on to Exchange from Outlook Web Access, as expected. However, after the users log on, the Outlook Web Access page appears corrupted. No messages appear in the details pane in Outlook Web Access, and red Xs appear over mailbox folders. such as Inbox, Calendar, and other folders.

The /Exchweb virtual directory provides access to the folder that contains images and controls that are used by Outlook Web Access. By default, this folder is %ProgramFiles%\Exchsrvr\ExchWeb. For Exchange 2003 and Exchange 2000 Outlook Web Access, the /ExchWeb virtual directory is configured for anonymous access. Additionally, SSL should not be enabled on this virtual directory.

To address this issue, turn off SSL for the /ExchWeb virtual directory on the Exchange 2003 or Exchange 2000 back-end server.

To turn off SSL on the ExchWeb virtual directory

  1. Start the Internet Information Services (IIS) Manager MMC snap-in.

  2. Expand the server name, expand Web Sites, expand Default Web Site, right-click the ExchWeb, and then click Properties.

  3. Click the Directory Security tab, and then click Edit under Secure communications.

  4. Click to clear the Require secure channel (SSL) check box, and then click OK.

  5. Click Edit under Authentication and access control.

  6. Click to select the Enable anonymous access check box, click to clear all the check boxes under Authenticated access, and then click OK two times.

  7. In the navigation pane, right-click Default Web Site, and then click Stop.

  8. Right-click Default Web Site, and then click Start.

For More Information

For more information about how to troubleshoot this issue, see Microsoft Knowledge Base article 280823, Troubleshooting OWA when the contents frame displays “Loading.”