Problems with Automatic Updates or Windows Update

At the following link I found a really well-made guide, which I reproduce in full below.
http://wsus.editme.com/TroubleshootingClientSetup

Troubleshooting Client Setup


In some cases, AU clients do not show up in WSUS Administration console, and thus never receive updates from WSUS. There are several reasons why this can happen.

The first thing to establish is the settings that the client is using. To do this, run the following command:

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /s

Ensure server and port number shown in the output exist and are correct. Typos in these settings can be the cause of your problem.
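A way to check that output for typos automatically, as an added example that is not part of the original guide. The sample output, host name and ports are constructed; the value names WUServer, WUStatusServer and AU\UseWUServer are the standard Windows Update policy values.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of `reg query ... /s` output; host name and ports are made up.
SAMPLE_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    WUServer    REG_SZ    http://wsus01.example.local:8530
    WUStatusServer    REG_SZ    http://wsus01.example.local:8350

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    NoAutoUpdate    REG_DWORD    0x0
    UseWUServer    REG_DWORD    0x1
"""

# A value line is indented: name, type, data (separated by spaces or tabs).
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")


def parse_reg_query(text):
    """Map lower-cased value names to their data, across all subkeys."""
    values = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            name, _reg_type, data = match.groups()
            values[name.lower()] = data
    return values


def check_url(label, raw):
    """Return a list of problems found in one server URL."""
    problems = []
    parts = urlsplit(raw)
    if parts.scheme not in ("http", "https"):
        problems.append(f"{label}: scheme is {parts.scheme!r}, expected http or https")
    if not parts.hostname:
        problems.append(f"{label}: no host name in {raw!r}")
    try:
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        problems.append(f"{label}: port in {raw!r} is not a valid port number")
    return problems


def check_policy(values):
    """Check the settings a client needs in order to report to a WSUS server."""
    problems = []
    server = values.get("wuserver")
    status = values.get("wustatusserver")
    for label, raw in (("WUServer", server), ("WUStatusServer", status)):
        if raw is None:
            problems.append(f"{label}: value is missing")
        else:
            problems.extend(check_url(label, raw))
    # Both values are expected to name the same server and port.
    if server and status and server.rstrip("/").lower() != status.rstrip("/").lower():
        problems.append("WUServer and WUStatusServer differ")
    # WUServer is only honoured when AU\UseWUServer is set to 1.
    use = values.get("usewuserver")
    if use is None or int(use, 16) != 1:
        problems.append("AU\\UseWUServer is not 1, so WUServer is ignored")
    return problems


if __name__ == "__main__":
    for problem in check_policy(parse_reg_query(SAMPLE_OUTPUT)):
        print(problem)
```
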

Next, check whether WSUS is installed on the Default Website. If client policies point to the default web site for updating, check that WUS is also installed in the Default Website. If you have installed WUS on a different port, run the script %Program Files%\MicrosoftWindowsUpdate\Services\”SetupInstallSelfupdateOnPort80.vbs.

Also, use the clientdiag tool from the RC (download this from the WSUS Beta Site) to see what other errors there might be.


If other computers are checking in fine but you have one or more that aren’t, check a couple of relevant text logs for clues. There’s the main Windows Update log at %systemroot%\WindowsUpdate.log (WindowsUpdate all one word) and another log covering individual component updates at %systemroot%\SoftwareDistribution\ReportingEvents.log. I found a handy page that has a list of error messages with some plain English messages. You’ll want to check that out at http://perso.wanadoo.fr/doc.jm/WU5-ERR.htm

I had one computer not checking in and found errors like this in the ReportingEvents.log:

Windows failed to install the following update with error 0x800703e3: Automatic Updates.

and in WindowsUpdate.log I saw:

start delayed initialization of WU client
Loading inf file D:\WINDOWS\SoftwareDistribution\SelfUpdate\wusetup.inf
.
.
.
Required Version for binary D:\WINDOWS\system32\cdm.dll is: 5,8,0,2339
Binary: D:\WINDOWS\system32\cdm.dll: Target version: 5.5.3790.2182 Required: 5.8.0.2339
Required Version for binary D:\WINDOWS\system32\iuengine.dll is: 5,8,0,2339
Binary: D:\WINDOWS\system32\iuengine.dll: Target version: 5.4.3790.2182 Required: 5.8.0.2339
.
.
.
WU client failed Searching for update with error 0x8024001b
ISusInternal API CClientCallRecorder::DisconnectCall succeeds
Starting File operations for section cdm
InstallUpdatedBinaries failed with error 0x800703e3

A quick visit to the beta v6 windowsupdate site updated the WU client and everything just started working from my local WSUS after that. You can force the client to restart the AU process by doing:

pskill wuauclt [or use task manager; I’m unsure if this step is necessary or good]
net stop "Automatic Updates"
net start "Automatic Updates"
wuauclt /detectnow

If client machines do not have web access, download the full Windows Update Client Agent file from
http://go.microsoft.com/fwlink/?LinkId=43264

Run WindowsUpdateAgent20-x86.exe /wuforce /quiet to install it remotely.

Add /norestart if you’re doing it during the day (my clients didn’t need a reboot, but ya never know).
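The WindowsUpdate.log excerpt above shows a client whose self-update never completed: the installed binaries are older than the required version and the install step fails. The following added example (not part of the original guide) finds both conditions in a log and splits each error code into its HRESULT facility and code. The sample log reuses lines from the excerpt plus one constructed wuapi.dll line.

```python
import re

# Sample built from the excerpt above; the wuapi.dll line is constructed.
SAMPLE_LOG = r"""
Loading inf file D:\WINDOWS\SoftwareDistribution\SelfUpdate\wusetup.inf
Required Version for binary D:\WINDOWS\system32\cdm.dll is: 5,8,0,2339
Binary: D:\WINDOWS\system32\cdm.dll: Target version: 5.5.3790.2182 Required: 5.8.0.2339
Binary: D:\WINDOWS\system32\iuengine.dll: Target version: 5.4.3790.2182 Required: 5.8.0.2339
Binary: D:\WINDOWS\system32\wuapi.dll: Target version: 5.8.0.2339 Required: 5.8.0.2339
WU client failed Searching for update with error 0x8024001b
InstallUpdatedBinaries failed with error 0x800703e3
"""

BINARY_RE = re.compile(
    r"Binary:\s*(?P<path>.+?):\s*Target version:\s*(?P<have>\d+(?:\.\d+)*)"
    r"\s+Required:\s*(?P<need>\d+(?:\.\d+)*)"
)
ERROR_RE = re.compile(r"failed\b.*?\berror\s+(0x[0-9a-fA-F]{8})\b")

FACILITY_WIN32 = 7             # low 16 bits are a Win32 error code
FACILITY_WINDOWSUPDATE = 0x24  # low 16 bits are a Windows Update Agent code


def version_tuple(text):
    """'5.5.3790.2182' -> (5, 5, 3790, 2182), so versions compare field by field."""
    return tuple(int(part) for part in text.split("."))


def outdated_binaries(log_text):
    """Return (path, installed, required) for binaries older than required."""
    found = []
    for m in BINARY_RE.finditer(log_text):
        if version_tuple(m["have"]) < version_tuple(m["need"]):
            found.append((m["path"], m["have"], m["need"]))
    return found


def decode_hresult(code):
    """Split an HRESULT string into failure bit, facility and 16-bit code."""
    value = int(code, 16)
    return {
        "failure": bool(value >> 31),
        "facility": (value >> 16) & 0x1FFF,
        "code": value & 0xFFFF,
    }


def failed_operations(log_text):
    """Return (hresult, facility, code) for every 'failed ... error 0x...' line."""
    results = []
    for line in log_text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            decoded = decode_hresult(m.group(1))
            results.append((m.group(1), decoded["facility"], decoded["code"]))
    return results


if __name__ == "__main__":
    for path, have, need in outdated_binaries(SAMPLE_LOG):
        print(f"outdated: {path} has {have}, needs {need}")
    for hresult, facility, code in failed_operations(SAMPLE_LOG):
        origin = {FACILITY_WIN32: "Win32", FACILITY_WINDOWSUPDATE: "Windows Update"}
        print(f"{hresult}: {origin.get(facility, facility)} error {code}")
```
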

 


 

If you’re seeing error 0x8024400A and are running WSUS on Win2K3 SP1 it might be an IIS bug that’s causing it.  A hotfix is available.  See: http://support.microsoft.com/Default.aspx?id=898708  

I personally had success via a “shotgun” approach suggested by ctobio on the wsus.info forums.  I’ve consolidated the operations into a batch file form here, suitable for running remotely:

REM Stop the Automatic Updates service
net stop wuauserv

REM Stop the Windows Management Instrumentation service
REM  (/y also stops dependent services without prompting)
net stop winmgmt /y

REM Back up ReportingEvents.log, then delete the files in
REM  %systemroot%\SoftwareDistribution.
REM  The commands below do not touch its subfolders or
REM  %systemroot%\system32\WBEM\Repository.
copy %systemroot%\softwaredistribution\reportingevents.log %homedrive%\
del /f /q %systemroot%\softwaredistribution\*.*
move %homedrive%\reportingevents.log %systemroot%\softwaredistribution

REM Delete the SusClientID and AccountDomainSid values from
REM  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate
REM  (/f suppresses the confirmation prompt so the script can run unattended)
SET WU_KEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate
reg delete %WU_KEY% /v SusClientID /f
reg delete %WU_KEY% /v AccountDomainSid /f
SET WU_KEY=

REM Start the Automatic Updates service
net start wuauserv

REM Start the Windows Management Instrumentation service
net start winmgmt

REM Force a group policy update
gpupdate /force

REM Roll the WU Client…
wuauclt /resetauthorization /detectnow

After you do this, you will have to delete the old and now spurious computer account in the WSUS admin interface.  Delete the old computer that shows a status of not having checked in for so many days.  Leave the account that’s never checked in.  This new account will be checking in and that should be reflected after a little while in the admin interface.  You’ll also have to move the new account into the proper group where the old one was.  Monitor the WindowsUpdate.log in %systemroot% on that client machine to ensure that it’s grabbing updates again.

 


If a client appears in the admin console but all the updates are flagged “unknown” the system cannot determine which updates are needed or installed. Multiple errors similar to the following may appear in the client’s Application event log:

Event Type: Error
Event Source: ESENT
Event Category: General
Event ID: 427
Date: 5/17/2005
Time: 10:51:44 AM
User: N/A
Computer: [computername]
Description:
wuaueng.dll (1280) The database engine could not access the file called C:\WINNT\SoftwareDistribution\DataStore\Logs\edb.log.

Additionally the following error may appear once around the time of the first occurrence of the above error:

Event Type: Error
Event Source: ESENT
Event Category: Logging/Recovery
Event ID: 413
Date: 5/12/2005
Time: 2:46:16 PM
User: N/A
Computer: [computername]
Description:
wuaueng.dll (1280) Unable to create the log. The drive may be read-only, out of disk space, misconfigured, or corrupted. Error -1032.

To resolve this problem, stop the Automatic Updates service on the affected client, delete %windir%\SoftwareDistribution\DataStore\Logs\edb.log and restart the service.

[I couldn’t find any record of this error at Microsoft or anywhere else.]


The following registry location can be useful to see what state the client is in:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\AUState

This will have one of the following values:
  • 0—initial 24-hour timeout (Automatic Updates doesn’t run until 24 hours after it first detects an Internet connection.)
  • 1—waiting for the user to run Automatic Updates
  • 2—detection pending
  • 3—download pending (Automatic Updates is waiting for the user to accept the predownloaded prompt.)
  • 4—download in progress
  • 5—install pending
  • 6—install complete
  • 7—disabled
  • 8—reboot pending (Updates that require a reboot were installed, but the reboot was declined. Automatic Updates won’t do anything until this value is cleared and a reboot occurs.)
 

 



Comments:

From karmacop – 29/03/05 8.10

Hi

WUS is all working fine, but I accidentally removed all my clients from the ‘All Computers’ Group. Is there a way to get the computers back or do I need to re-install WUS?

From ipelivan – 20/04/05 15.07

Hi! I have a similar problem. I removed one client computer from computer group. How to get it back?

From jahovabob – 07/07/05 9.48

clientdiag can also be downloaded here.

From helsby – 06/10/05 8.45

You are better going to http://www.microsoft.com/windowsserversystem/updateservices/support/default.mspx for the client diag download as this also has links to the readme. There are also server diag tools from this link too.

From rpaz – 08/01/06 17.42

 

I’m a little bit confused.

Can the AUState registry key be used to check WSUS Status? Or this key is only used by SUS?

 

From rpaz – 08/01/06 17.46

 

For those that accidentally removed All The Clients, don’t worry too much they will get back on next cycle

I made the same mistake Wink

From rpaz – 08/01/06 18.13

Sorry about the duplicated comments. Dam reload!

From giadzich – 22/02/06 12.16

It will take a while for client to report back to WSUS server after you delete it.
I hate to see those little icons saying the computer not report in xx days.  I decided to delete them all.  No harm.

From weeble – 27/02/06 1.47

This may not apply to everybody but I’ve got around 40 Windows 2000 machines that are not checking into my WSUS Server.

So far, the solution that I’ve found to get them all to start checking in is as follows:

Download and install the following:

  • Windows installer 3.1 (don’t restart, just install the next item)
  • BITS Update for Windows 2000 (KB842773) (don’t restart, just install the next item)
  • MDAC Update (if prompted to re-start, do the next step before clicking restart)
  • Once I’ve done that, I have to then copy over the latest WUAUENG.DLL file renaming the old one to WUAUENG.DLL.OLD (or whatever you choose).
  • Restart your computer (cross your fingers)

Once I’ve restarted the computer, it will then check in with my WSUS server and start the updating process.

I’ve found that in some remote cases, I’ve also had to export the REGKEYS from a working machine and then import them into a machine that isn’t working after I’ve done all the updates.

If you’re having problems, and you’ve checked everything else, try this … it may work and you’ve obviously got nothing else to lose. So far, it’s worked without fail for me.

From laurin1 – 21/06/06 13.27

I had it working fine, but now it’s broke. None of my clients show up in the Console and all log Event ID 16.

From geraghty – 11/05/07 6.39

I spent days trying to work out why none of my clients were connecting to WSUS – finally realised the problem was that the IUSER account was disabled! I’d disabled it ages ago to increase the security of the server…


Last Modified 11/04/06 22.39

Q10064 – HOWTO: Reset Cache Mode in Outlook

thanks
http://www.lanlogic.net/support/docs/article.aspx?id=10064

You may need to turn off cache mode and turn it back on if your Outlook
client is running slow, or if you are suddenly unable to send or receive
emails. Going through the steps will essentially remove the Outlook
cache from your computer, and then rebuild it. The cache is the local
copies of your emails.

1. Turn Off Cache Mode

1. Open Outlook
2. Tools
3. Email Accounts
4. Select View or change existing e-mail accounts
5. Next
6. With "Microsoft Exchange Server" selected, Click "Change"
7. Uncheck the box for "Use Cached Exchange Mode"
8. Next
9. In the box that pops up, click on OK
10. Click Finish

2. Close Outlook

1. File
2. Exit

3. Delete OST files from hard drive

1. Start
2. Search
3. For Files or folders
4. All files and Folders
5. Expand "More Advanced Options"
6. Check the box next to "Search hidden files and folders"
7. Leave the other options at default
8. In the top box for "All or part of the file name", type in "*.ost"
9. Look in should be "Local Hard Drives"
10. Click Search
11. It'll find files such as outlook.ost, outlook001.ost, etc.
Select all the files it finds and select delete. This will
delete all the offline emails from your computer, but they
are still on the server so you won't lose anything.

4. Turn On Cache Mode

1. Open Outlook
2. Tools
3. Email Accounts
4. Select View or change existing e-mail accounts
5. Next
6. With "Microsoft Exchange Server" selected, Click "Change"
7. Check the box for "Use Cached Exchange Mode"
8. Next
9. In the box that pops up, click on OK
10. Click Finish

5. Restart Outlook

Once Outlook is restarted, all of your emails will download to your
computer again. It may take a while, depending on the number of emails
you have. You can watch the progress in the lower right corner of your
Outlook screen… it will show the folders as they update.

Outlook (xp or 2003) slow to open mails

thanks to http://www.brichet.be/?p=139

Try first to launch Outlook in safe mode (Outlook /safe).
If the problem disappears in safe mode, first try disabling add-ins and
then try renaming the cache files (source: newsgroups).

Locate and rename the Outlook cache files
(frmcache.dat,outcmd.dat,extend.dat) one by one.
————————————————–

1. Quit Outlook.
2. Click Start -> Search -> For Files and folders
3. Click Tools -> Folder Options.
4. Select View tab, select Show hidden files and folders, uncheck Hide
extensions for known file types, and click OK.
5. Click All files and folders.
6. Type "frmcache.dat,outcmd.dat,extend.dat,views.dat" (without the
quotation marks) in the filename box, and then select Local Hard Drives.
7. Click More advanced options, check Search hidden files and folders, and
click Search.
8. After the search has finished, rename the files with a .old extension.
NOTE: We may find multiple files for each name. Please rename them all.
9. Restart Outlook.

DRIVER_IRQL_NOT_LESS_OR_EQUAL error

DRIVER_IRQL_NOT_LESS_OR_EQUAL:
Many of you have probably seen this blue screen appear out of nowhere
with this message at the top. The solution is fairly simple: the problem
is generally caused by RAM that is either faulty or incompatible with the
motherboard, or by timings that are set too aggressively and need to be
raised.

If instead there are hardware problems of another kind, I recommend
consulting the following Microsoft pages:

Hardware and Software Third-Party Vendor Contact List, A-K
<http://support.microsoft.com/?kbid=65416>
Hardware and Software Third-Party Vendor Contact List, L-P
<http://support.microsoft.com/?kbid=60781>
Hardware and Software Third-Party Vendor Contact List, Q-Z
<http://support.microsoft.com/?kbid=60782>

In some other cases the cause of the problem may lie in the paging
file, and since it costs nothing, try this procedure:

1. Right-click My Computer / Properties / Advanced / Settings, clicking
the Performance button / Advanced / Virtual memory / Change / here
select No paging file and click Set / OK / OK, then restart.

2. After restarting, right-click My Computer / Properties / Advanced /
Settings, clicking the Performance button / Advanced / Virtual memory /
and select System managed size, click Set / OK / OK, then restart.

If the DRIVER_IRQL_NOT_LESS_OR_EQUAL error no longer appears after this
procedure, we were lucky; if it still appears, and frequently, it is
better to focus attention on the RAM.

source: jsi

GPO – Group Policy – Software Installation – OpenOffice and JRE

GPO – Group Policy – Software Installation

OpenOffice and JRE

thanks to
http://openofficetechnology.com/OpenOffice-Enterprise/Desktop_Installation

Desktop Software Installation

These instructions describe the steps needed to perform a network
installation of the OpenOffice.org office suite and the
OpenOffice-Enterprise client software using Windows Group Policy.

These instructions are copyright Open Office Technology. They may be
linked to but not copied. Their permanent location is

http://OpenOfficeTechnology.com/OpenOffice-Enterprise/Desktop_Installation

* Overview <http://openofficetechnology.com/node/24>
* Package Installation Order <http://openofficetechnology.com/node/30>
* Step 1 – Download Software Packages <http://openofficetechnology.com/node/25>
* Step 2 – Create Network Installation Images <http://openofficetechnology.com/node/26>
* Step 3 – Create Installation Group Policy Object <http://openofficetechnology.com/node/27>
* Step 4 – Set Policy Scope and Link to Domain <http://openofficetechnology.com/node/28>
* Upgrading OpenOffice-Enterprise <http://openofficetechnology.com/OpenOffice-Enterprise/Desktop_Installation/Upgrading_OpenOffice-Enterprise>
* Upgrading OpenOffice <http://openofficetechnology.com/OpenOffice-Enterprise/Desktop_Installation/Upgrading_OpenOffice>
* Installation Troubleshooting <http://openofficetechnology.com/node/29>

Overview

The three software packages discussed in these instructions are:

1. The OpenOffice.org office suite. Installation of this package on
each client is required.
2. The OpenOffice-Enterprise client software. Provides Group Policy
management for the OpenOffice.org office suite. Installation of
this package on each managed client is required.
3. Sun's Java runtime environment (JRE). Certain functions in the
OpenOffice suite depend on the Java runtime, such as the database
application, mail merge and the document wizards in Writer. (For a
more complete list, see Java and OpenOffice.org
<http://wiki.services.openoffice.org/wiki/Java_and_OpenOffice.org#OpenOffice.org_2.0_Functionality_depending_on_Java>).
If these features are not required, the JRE does not need to be
installed. Full functionality requires the JRE or JDK version
1.4.0_02 or newer, or version 1.4.1_01 or newer. Limited
functionality is available with version 1.3.1 or higher. (Source:
http://www.openoffice.org/dev_docs/source/sys_reqs_20.html)

These instructions describe the installation procedure using the most
recent application versions as of the date these instructions were
written. The OpenOffice suite and Java JRE are not distributed by Open
Office Technology, and the information related to these packages may
change from time to time. If you find any discrepancies in these
instructions, please let us know <http://openofficetechnology.com/contact>.

Package Installation Order

The three packages must be installed in the following order:

1. Optionally, if required, the Java JRE.
2. The OpenOffice.org office suite.
3. The OpenOffice-Enterprise client software.

The installation of one or more of these packages can be combined into a
single Group Policy operation.

These instructions describe the process of installing all three packages
in one operation. If one or more are already installed, simply skip the
corresponding steps. To install one or more of the packages separately,
create separate Group Policy objects for these packages.

Step 1 – Download Software Packages

The first step in the installation process is to download the software
packages.

A. Optionally, download the Java JRE *offline* installation package for
Windows. As of the date of these instructions:

* Most recent version of the JRE: Version 6.0
* Installation package file name: jre-6-windows-i586.exe
* Download location: http://java.sun.com/javase/downloads/

(Click to download "Java Runtime Environment (JRE) 6", click to
accept license agreement, then click on "Windows Offline
Installation, Multi-language")
* Other versions: http://java.sun.com/javase/downloads/previous.jsp

B. If OpenOffice is not already installed on the client machines,
download the OpenOffice installer for Windows without the JRE bundled.
As of the date of these instructions:

* Most recent version of the OpenOffice suite: Version 2.1
* Installation package file name: OOo_2.1.0_Win32Intel_install_en-US.exe
* Download location: http://download.openoffice.org/

* Other versions at: http://distribution.openoffice.org/mirrors/

<http://distribution.openoffice.org/mirrors/index.html#mirrors>

C. Download the OpenOffice-Enterprise client software installer. As of
the date of these instructions:

* Most recent version of OpenOffice-Enterprise client software:
Build 450
* Corresponding package file name: ooewin-450.msi
* Download location: http://OpenOfficeTechnology.com/download

Step 2 – Create Network Installation Images

The next step is to create network installation images for each of the
software packages. This places the installation images on a network file
server that is accessible to the client computers. To complete this
process, you must have write access to this location. The client
computer should have read-only access.

A. Extract the Java JRE msi file:

1. Run the JRE installation executable file, jre-6-windows-i586.exe.
The License Agreement screen will appear. Do not click either
"Decline" or "Accept".
2. The installer executable will have placed a file called
"jre1.6.0.msi" into the directory "C:\Documents and Settings\<your
username>\Application Data\Sun\Java\jre1.6.0". Copy the .msi file
to a network installation point, which is a location on the
network accessible to the client computers, such as

    \\fileserver\net_install_images\jre-1_6_0\

Note 1: Earlier versions of JRE installation executable placed the
.msi file into a subdirectory such as "C:\Documents and
Settings\<your username>\Local Settings\Application
Data\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}", where the name of
the subdirectory depends on the JRE version. The .msi file
corresponding to the JRE version can be located by looking in all
subdirectories with names matching this pattern.
Note 2: Neither the Java installer executable nor the .msi file
support the "/a" administrative installation option.
3. Returning to the License Agreement screen, click "Decline". The
installer will delete the Application Data\Sun\Java directory and
its .msi file, then terminate.

B. Perform an administrative installation of the OpenOffice suite:

1. Run the OpenOffice installer,
OOo_2.1.0_Win32Intel_install_en-US.exe, with no parameters.
2. When prompted, enter a location to unpack the installation files,
such as a subdirectory called Ooo_installer_files in your current
working directory.
3. When the next stage of the installer runs ("Welcome to the
Installation Wizard for OpenOffice.org 2.1"), click "Cancel" and
abort the installation.
4. The OpenOffice installer should have unpacked several executable
and data files into the directory you selected. From the command
prompt, launch the setup file using the following command line:

    setup /a

When prompted, enter a network installation point such as

    \\fileserver\net_install_images\OpenOffice-2.1\

and then click "Install". The installer will create the directory
you specified, if it doesn't already exist, and then unpack the
file "openofficeorg21.msi" along with a handful of subdirectories
into this location.

C. Perform an administrative installation of the OpenOffice-Enterprise
client software:

1. From the command prompt, launch the installer file using the
following command line:

    msiexec /a ooewin-450.msi

When prompted, enter a network installation point such as

    \\fileserver\net_install_images\ooewin-450\

and then click "Next" twice. The installer will copy the .msi file
to this folder and unpack several files and one subdirectory.

Before continuing, ensure that the client computers have read-only
access to the network installation points that you used above.
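Packages assigned under Computer Configuration are installed with elevated rights, so the read-only requirement above is worth verifying rather than assuming. The following added example (not part of the original instructions) parses `icacls` output for an installation point and lists principals outside a trusted set that hold write-capable NTFS rights. The sample output, the EXAMPLE domain and the trusted set are constructed assumptions.

```python
import re

# Constructed `icacls \\fileserver\net_install_images` output; EXAMPLE is a made-up domain.
SAMPLE_ICACLS = r"""\\fileserver\net_install_images BUILTIN\Administrators:(OI)(CI)(F)
                                NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                EXAMPLE\Domain Computers:(OI)(CI)(RX)
                                EXAMPLE\Domain Users:(OI)(CI)(M)
                                NT AUTHORITY\Authenticated Users:(I)(W)

Successfully processed 1 files; Failed processing 0 files
"""

# Assumption: only these principals are expected to modify the share contents.
TRUSTED = {r"BUILTIN\Administrators", r"NT AUTHORITY\SYSTEM"}

# Inheritance markers that icacls prints alongside the rights.
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}

# Simple and specific rights that allow changing or replacing files.
WRITE_RIGHTS = {"F", "M", "W", "D",
                "GA", "GW", "WD", "AD", "WEA", "WA", "DE", "DC", "WDAC", "WO"}

ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<perms>(?:\([^)]+\))+)$")


def parse_aces(icacls_output, path):
    """Return (principal, is_deny, rights) for each ACE line in the output."""
    aces = []
    for line in icacls_output.splitlines():
        if line.startswith(path):
            line = line[len(path):]  # the first ACE shares a line with the path
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # blank lines and the "Successfully processed" summary
        tokens = re.findall(r"\(([^)]+)\)", m["perms"])
        rights = set()
        for token in tokens:
            if token in INHERIT_FLAGS or token == "DENY":
                continue
            rights.update(token.split(","))  # e.g. "(RX,W)" lists several rights
        aces.append((m["principal"], "DENY" in tokens, rights))
    return aces


def untrusted_writers(icacls_output, path, trusted=TRUSTED):
    """List (principal, rights) where a non-trusted principal may write."""
    trusted_lc = {name.lower() for name in trusted}
    findings = []
    for principal, is_deny, rights in parse_aces(icacls_output, path):
        if is_deny or principal.lower() in trusted_lc:
            continue
        risky = sorted(rights & WRITE_RIGHTS)
        if risky:
            findings.append((principal, risky))
    return findings


if __name__ == "__main__":
    share = r"\\fileserver\net_install_images"
    for principal, rights in untrusted_writers(SAMPLE_ICACLS, share):
        print(f"{principal} can write to {share}: {', '.join(rights)}")
```

This covers NTFS permissions only; the share-level permissions on the file server apply as well and need the same check.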

Step 3 – Create Installation Group Policy Object

This step creates a Group Policy Object or "GPO" that will install the
software packages.

1. Launch the Group Policy Management console on your administrative
workstation. Expand the tree for your domain, then right-click on
"Group Policy Objects" and select "New". Enter a name such as
"OpenOffice-Enterprise Installation". Your new Group Policy Object
will appear in the tree under "Group Policy Objects". Right-click
on its name and select "Edit…". This will open the Group Policy
Object Editor.
2. In the Group Policy Object Editor, under "Computer Configuration",
expand "Software Settings", right-click on "Software Installation"
and select "New –> Package…".
3. Click on "My Network Places". (Note: This is a required step. You
must select the package to install from a network location rather
than a local location. If you do not first click on "My Network
Places", the selection of a package to install will not be accepted.)
4. Navigate to the network location where you placed the Java JRE
install file "jre1.6.0.msi" and double-click on this file. If you
are not installing Java, skip this step and move down to the first
package you are installing.
5. For the deployment method, select "Assigned". The JRE install file
should appear in the view pane.
6. Right-click on "Software Installation" and select "New –>
Package…" again.
7. Navigate to the network location containing your OpenOffice suite
administrative install, and double-click on the .msi file
"openofficeorg21.msi".
8. Several installation transform files are available here
<http://openofficetechnology.com/OpenOffice_Installation_Transforms>.
If you do not want to use any transforms, select "Assigned" as the
deployment method and click "OK". The install file for OpenOffice
should appear in the view pane. Otherwise, to install OpenOffice
with one or more transforms, download the transform (.mst) files
and add them to the directory that contains the OpenOffice
installation file openofficeorg21.msi. Then for "Deployment
Method" select "Advanced" and click "OK". After a short pause, the
Properties dialog should appear. Under the "Modifications" tab,
add the transform file you wish to apply, then click "OK".
9. Right-click on "Software Installation" and select "New –>
Package…" again.
10. Navigate to the network location containing your
OpenOffice-Enterprise administrative install, and double-click on
the .msi file "ooewin-450.msi". For the deployment method, select
"Assigned". The OpenOffice-Enterprise install file should appear
in the view pane.

IMPORTANT: You must add the .msi files in the indicated order:
Java JRE, then OpenOffice.org suite, then OpenOffice-Enterprise.
The packages will appear in the view pane in alphabetical order,
but they will be installed in the order they were selected. The
indicated installation order is mandatory in order for all three
packages to be installed successfully.

11. To set additional options, double-click on each package name in
the view pane. For example, selecting "Uninstall this application
when it falls out of the scope of management" will cause the
applications to be automatically uninstalled if this group policy
object is deleted or unlinked. (Alternately, the software can be
uninstalled later by right-clicking on each package name and
selecting "All Tasks" -> "Remove…"). Any options selected must
be set for each package individually, so be certain to
double-click on each package name in succession and set the
desired options.
12. When done, double check your selections and close the Group Policy
Object Editor.

Step 4 – Set Policy Scope and Link to Domain

This final step selects the computers on which the software will be
installed. This involves designating a group or list of computers, along
with one or more domains or organizational units. The software will be
installed on a computer if it is both in the group that you designated
/and/ in one of the domains or organizational units you select.

The default is to "assign" the installation to all users which will
ultimately cause the software to be installed on all computers in the
selected domains, including servers and domain controllers. This is
probably not what you want.

A typical configuration will only install this software on desktop
workstations, not on domain controllers. Here are instructions to
accomplish this:

1. Back in the Group Policy Management console, click on the name of
your Group Policy Object (e.g., "OpenOffice-Enterprise
Installation" or whatever name you previously chose). In the pane
on the right, under "Security Filtering" in the "Scope" tab,
select "Authenticated Users" and click on "Remove".
2. Click "Add…", and in the dialog box that appears, under "Enter
the object name to select", type "domain computers" and click OK.
"Domain Computers" refers to all workstations in your domain; it
does not include domain controllers. It may however include
servers, so you should check the members of this group. In the
Group Policy Management view pane, click on the word "Domain
Computers", then click "Properties". In the Properties dialog,
select the "Members" tab. This brings up a list of the computers
in the "Domain Computers" group. If this group includes more
computers than desired, you can "Remove" this group and then
"Add…" computers individually, or you can create a custom group
using Active Directory Users and Computers. You can also select
computers using WMI filters, but this is beyond the scope of this
document.
3. When you are finished selecting computers, click on the name of
your Group Policy Object in the tree view again, and without
releasing the mouse button, drag the pointer to the name of the
domain or organization unit in which to install the software. The
pointer will change shape to a pointer with a "+". Release the
mouse button and click OK to link your Group Policy Object to this
domain. Repeat this process for any additional domains or
organizational units.

The Group Policy Object will begin to propagate and will be applied on
each selected computer in the domain(s) within approx. 90 minutes
(depending on how Group Policy is configured). To apply the GPO
immediately on a particular computer, go to that computer and run
"gpupdate" from a command prompt. Once the Group Policy Object is
applied, the software will be installed the next time the computer is
rebooted. The installation process will take several minutes.

Upgrading OpenOffice-Enterprise

The following instructions describe how to upgrade an existing Group
Policy installation to a new version of the OpenOffice-Enterprise client
software.

1. Download the new release of the OpenOffice-Enterprise client
software, as described in Step C of Download Software Packages
<http://openofficetechnology.com/node/25>.
2. Perform an administrative installation of the new release, as
described in Step C of Create Network Installation Images
<http://openofficetechnology.com/node/26>. CAUTION: Do not
overwrite the previous version; install the new release in a
different directory. Do not delete the previous version until you
are certain all desktops have been upgraded.
3. Launch the Group Policy Management console on your administrative
workstation. Expand the tree for your domain, then expand the tree
for "Group Policy Objects". Right-click on the Group Policy Object
used to install the previous version of OpenOffice, then select
"Edit…". This will open the Group Policy Object Editor.
4. In the Group Policy Object Editor, under "Computer Configuration",
expand "Software Settings", right-click on "Software Installation"
and select "New –> Package…".
5. Click on "My Network Places". (Note: This is a required step. You
must select the package to install from a network location rather
than a local location. If you do not first click on "My Network
Places", the selection of a package to install will not be accepted.)
6. Navigate to the network location containing the administrative
installation of the new version of the OpenOffice-Enterprise
client software and double-click on the .msi file
"ooewin-450.msi".
7. Select "Advanced" as the deployment method and click "OK". After a
short pause, the Properties dialog should appear.
8. Under the "Upgrade" tab, click "Add…" and under "Package to
upgrade", select "OpenOffice-Enterprise" and click "OK". The
properties dialog will display the text "Replace
OpenOffice-Enterprise".
9. The option "Uninstall this application when it falls out of the
scope of management" can be set under the "Deployment" tab. This
option will cause the application to be automatically uninstalled
if this group policy object is deleted or unlinked. Alternately,
the application can be uninstalled later by right-clicking on its
package name and selecting "All Tasks" -> "Remove…".
10. When all of the installation properties look correct, click "OK"
to accept the properties, then close the Group Policy Object Editor.

The Group Policy Object will begin to propagate and will be applied on
each selected computer in the domain(s) within approx. 90 minutes
(depending on how Group Policy is configured). To apply the GPO
immediately on a particular computer, go to that computer and run
"gpupdate" from a command prompt. Once the Group Policy Object is
applied, the new version of the OpenOffice-Enterprise client software
will be installed the next time the computer is rebooted. The
installation process will take only a few seconds.

Upgrading OpenOffice

The following instructions describe how to upgrade an existing Group
Policy installation to a new version of the OpenOffice.org office suite.

IMPORTANT: If you are upgrading to the latest v2.1 release of
OpenOffice, you must first upgrade to the latest release of the
OpenOffice-Enterprise client software, ooewin-450.msi. Prior releases of
the OpenOffice-Enterprise client software are not compatible with
OpenOffice v2.1.

1. Download the new release of OpenOffice, as described in Step B of
Download Software Packages <http://openofficetechnology.com/node/25>.
2. Perform an administrative installation of the new release, as
described in Step B of Create Network Installation Images
<http://openofficetechnology.com/node/26>. CAUTION: Do not
overwrite the previous version; install the new release in a
different directory. Do not delete the previous version until you
are certain all desktops have been upgraded.
3. Download the file Check_OOE.mst
<http://openofficetechnology.com/system/files?file=Check_OOE.mst>
and add it to the network installation directory.
4. Download any additional installation transform (.mst) files
<http://openofficetechnology.com/OpenOffice_Installation_Transforms>
you would like to use, and add them to the network installation
directory.
5. Launch the Group Policy Management console on your administrative
workstation. Expand the tree for your domain, then expand the tree
for "Group Policy Objects". Right-click on the Group Policy Object
used to install the previous version of OpenOffice, then select
"Edit…". This will open the Group Policy Object Editor.
6. In the Group Policy Object Editor, under "Computer Configuration",
expand "Software Settings", right-click on "Software Installation"
and select "New –> Package…".
7. Click on "My Network Places". (Note: This is a required step. You
must select the package to install from a network location rather
than a local location. If you do not first click on "My Network
Places", the selection of a package to install will not be accepted.)
8. Navigate to the network location containing the administrative
installation of the new version of OpenOffice and double-click
on the .msi file "openofficeorg21.msi".
9. Select "Advanced" as the deployment method and click "OK". After a
short pause, the Properties dialog should appear.
10. Under the "Upgrade" tab, click "Add…" and under "Package to
upgrade", select "OpenOffice.org 2.0" and click "OK". The
properties dialog will display the text "Replace OpenOffice.org 2.0".
11. Under the "Modifications" tab, add Check_OOE.mst and the other
transforms you downloaded earlier (if any), then click "OK". The
selected transforms will appear in the properties dialog.
12. The option "Uninstall this application when it falls out of the
scope of management" can be set under the "Deployment" tab. This
option will cause the application to be automatically uninstalled
if this group policy object is deleted or unlinked. Alternately,
the application can be uninstalled later by right-clicking on its
package name and selecting "All Tasks" -> "Remove…".
13. When all of the installation properties look correct, click "OK"
to accept the properties, then close the Group Policy Object Editor.

The Group Policy Object will begin to propagate and will be applied on
each selected computer in the domain(s) within approx. 90 minutes
(depending on how Group Policy is configured). To apply the GPO
immediately on a particular computer, go to that computer and run
"gpupdate" from a command prompt. Once the Group Policy Object is
applied, the new version of OpenOffice will be installed the next time
the computer is rebooted. The installation process will take several
minutes.

Installation Troubleshooting

There are several methods to obtain information about the installation
process:

1. Installation failure and success messages are logged in each
computer's Application Event Log.
2. Group Policy and software installation operations can also be
logged. For more information, see the manual section /Logging
Group Policy and/or Software Installation/.

Deleting registry keys with a .reg file

Deleting registry keys and values
To delete a registry key with a .reg file, put a hyphen (-) in front of
the RegistryPath in the .reg file. For example, to delete the Test
subkey from the following registry key:
HKEY_LOCAL_MACHINE\Software
put a hyphen in front of the following key in the .reg file:
HKEY_LOCAL_MACHINE\Software\Test
The following example is a .reg file that performs this operation.
[-HKEY_LOCAL_MACHINE\Software\Test]
To delete a registry value with a .reg file, put a hyphen (-) after the
equals sign (=) that follows the DataItemName in the .reg file. For
example, to delete the TestValue value from the following key:
HKEY_LOCAL_MACHINE\Software\Test
put a hyphen after "TestValue"= in the .reg file. The following example
is a .reg file that performs this operation.
[HKEY_LOCAL_MACHINE\Software\Test]
"TestValue"=-
To create the .reg file, use Regedit.exe to export the registry key that
you want to delete, then use Notepad to edit the .reg file and insert
the hyphen.
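
The two deletion forms described above, [-Key] and "Name"=-, are easy to miss in a long exported file. As an added example (not from the original article), this Python script lists every deletion a .reg file would perform so it can be reviewed before import; find_deletions and the sample file contents are constructed for illustration.

```python
import re

# "[KEY]" or "[-KEY]" section header of a .reg file.
KEY_RE = re.compile(r'^\[(-?)(.+)\]$')
# '"Name"=data' or '@=data' (@ is the key's default value).
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')

# Constructed sample: one key deletion, two value deletions, two ordinary values.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

; constructed sample for this example
[-HKEY_LOCAL_MACHINE\Software\Test]

[HKEY_LOCAL_MACHINE\Software\Example]
"TestValue"=-
"Keep"="some-data"
@=-
"Bin"=hex:01,02,\
  03,04
"""


def find_deletions(reg_text):
    """Return (kind, key, value_name) for every deletion in a .reg file.

    kind is "key" for [-KEY] and "value" for "Name"=- ; value_name is
    None for key deletions and "(Default)" for @=-.
    """
    deletions = []
    current_key = None
    pending = ""
    for raw in reg_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            # Long hex data is continued on the next line with a backslash.
            pending = line[:-1]
            continue
        if not line or line.startswith(";"):
            continue  # blank line or comment
        key = KEY_RE.match(line)
        if key:
            if key.group(1):
                deletions.append(("key", key.group(2), None))
                current_key = None  # nothing below a deleted key is tracked
            else:
                current_key = key.group(2)
            continue
        value = VALUE_RE.match(line)
        # Only a bare hyphen deletes; "Name"="-" stores the string "-".
        if value and current_key and value.group(2).strip() == "-":
            name = value.group(1)
            if name == "@":
                name = "(Default)"
            else:
                name = re.sub(r"\\(.)", r"\1", name[1:-1])  # undo \" and \\
            deletions.append(("value", current_key, name))
    return deletions


if __name__ == "__main__":
    for kind, key, name in find_deletions(SAMPLE_REG):
        target = key if name is None else key + " -> " + name
        print("DELETE " + kind + ": " + target)
```
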

Outlook Web Access (OWA): Splitting the front end (on the Internet) from the back end (on the LAN): making OWA more secure

Hardware & software used:

Server running Windows 2000 Server with Microsoft Exchange 5.5 and
Outlook Web Access, which hosts the mailboxes of all the users
on the network.
Pentium II 300 MHz server running Slackware.

I uninstall apache, mysql, php and openssl and download the following sources:

[mysql-standard-4.1.14-pc-linux-gnu-i686-glibc23.tar.gz]
openssl-0.9.7h.tar.gz
openssh
php-4.4.0.tar.gz
httpd-2.0.54.tar.gz

To install openssl:
./config shared
make
make test
make install

To install openssh:
./configure
make
make install

To install httpd2+php+mysql:
httpd2:
./configure --enable-so --enable-cgi --enable-info --enable-rewrite --enable-speling --enable-usertrack --enable-deflate --enable-ssl --enable-mime-magic --enable-ext-filter --enable-proxy --enable-proxy-connect --enable-proxy-ftp --enable-proxy-http --enable-modules=all
make
make install

cd ../php-NN
./configure --with-apxs2=/usr/local/apache2/bin/apxs --with-mysql=/usr/local/mysql
make
make install

At this point I create a self-signed certificate for IIS
as described at the following link:
http://dejavu.mu.nu/archives/080563.php

which I reproduce below:

######################################################################################################
May 10, 2005
Self-Signed IIS SSL Certificates using OpenSSL


This tutorial assumes that you have a Linux box with OpenSSL installed, and that you want to create a self-signed certificate for IIS5.0.

1. Set up your CA (you only have to do this once)
ON THE LINUX BOX…
* Create a private key

openssl genrsa -des3 -out CA.key 1024

(You’ll need to supply a passphrase. DON’T FORGET THIS!!)

* Set this to read-only for root for security

chmod 400 CA.key

* Create the CA certificate

openssl req -new -key CA.key -x509 -days 1095 -out CA.crt

(Provide appropriate responses to the prompts…for Common Name, you might want to use something like “OurCompany CA”)

* Set the certificate to read-only for root for security

chmod 400 CA.crt

2. Obtain a CSR
ON THE IIS BOX…
* Open the Internet Manager
* Select the site for which you want to create a key
* Right-click and choose Properties
* Select the “Directory Security” tab
* Click the “Server Certificate” button
* Follow the prompts to create a CSR
* Save your CSR, then transfer it to the Linux box for further processing. (For the following steps, we’ll refer to your CSR as “new.csr”)

3. Sign the CSR
ON THE LINUX BOX…
* Sign the CSR (all of this on one line)

openssl x509 -req -days 365 -in new.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out new.crt

* Transfer the new.crt file back to the IIS box

4. Install self-signed certificate
ON THE IIS BOX…
* Open the Internet Manager
* Select the site to install the key
* Right-click and choose properties
* Select the “Directory Security” tab
* Click the “Server Certificate” button
* Specify that you want to complete the pending request
* Select the .crt file that you just transferred

That’s it!

Now…here’s the updated info, with special thanks to David MacKenzie:

David’s comments: I found your instructions for creating a self-signed cert for IIS using OpenSSL invaluable–thanks! (I found them by google.) There’s one subtlety I’d like to suggest you add to them. If the IIS server is Outlook Web Access for an Exchange server, then installing the SSL cert breaks Public Folders administration from the Exchange System Manager MMC console. ESM complains that the cert isn’t connected to a recognized authority, and if you fix that, it complains that the system name is wrong. After more googling, I found an answer that worked for me, shown below as additional steps for your check list. I’m using Windows 2000 SP3 and Exchange 2000 SP3.

1. If the IIS server is running Outlook Web Access for Exchange, make ourselves recognized as a CA
ON THE IIS BOX…
* Open Internet Explorer
* Tools>Internet Options
* Content tab
* Certificates
* Import
* Next
* Browse
* Files of type: X.509 Certificate (*.cer, *.crt)
* Select CA.crt
* Open
* Next
* Next
* Finish
2. If the IIS server is running Outlook Web Access for Exchange, fix Public Folders management for the Exchange Server Manager
ON THE IIS BOX…
* Open Internet Services Manager
* Right-click on exchange>Default Web Site>Exadmin
* Properties
* Directory Security tab
* Secure communications Edit
* Uncheck Require secure channel (SSL)
* OK
* OK
Posted by MoMo at May 10, 2005 11:32 AM

##################################################################################################

At this point IIS has a certificate and can therefore communicate over HTTPS.

Let's start configuring apache2 to work as a proxy
(using mod_proxy)

First of all, a certificate for the Apache server must be created as follows:
[taken from the site:
http://www.vanemery.com/Linux/Apache/apache-SSL.html
]


###################################################################################################

Step 1: Setup your own CA (Certificate Authority)

In order to run a secure (SSL/TLS encrypted) web server, you have to have a private key and a certificate for the server. For a commercial web site, you will probably want to purchase a certificate signed by a well-known root CA. For Intranet or special-purpose uses like this, you can be your own CA. This is done with the OpenSSL tools.

Here, we will make a private CA key and a private CA X.509 certificate. We will also make a directory for the certs and keys:

[root]# mkdir /root/CA
[root]# chmod 0770 /root/CA
[root]# cd /root/CA

[root]# openssl genrsa -des3 -out my-ca.key 2048
Generating RSA private key, 2048 bit long modulus
……………………………………………..+++
……………………………………………+++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

[root]# openssl req -new -x509 -days 3650 -key my-ca.key -out my-ca.crt
Using configuration from /usr/share/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Kentucky
Locality Name (eg, city) [Newbury]:Fayette County
Organization Name (eg, company) [My Company Ltd]:VanEmery.Com
Organizational Unit Name (eg, section) []:Certificate Authority
Common Name (eg, your name or your server’s hostname) []:VanEmery.Com CA
Email Address []:hostmaster@vanemery.com

[root]# openssl x509 -in my-ca.crt -text -noout

Notes:  The first OpenSSL command makes the key. The second command makes the X.509 certificate with a 10-year lifetime. The third command lets you view the completed certificate. Make sure that you keep the password in a safe place, you will need this every time you sign another certificate! You will probably also want to make backups of the cert and key and lock them in a safe place.

Step 2: Make a key and a certificate for the web server:

Now, we have to make an X.509 certificate and corresponding private key for the web server. Rather than creating a certificate directly, we will create a key and a certificate request, then “sign” the certificate request with the CA key we made in Step 1. You can make keys for multiple web servers this way. One thing to note is that SSL/TLS private keys for web servers need to be either 512 or 1024 bits. Any other key size may be incompatible with certain browsers.

[root]# openssl genrsa -des3 -out mars-server.key 1024
Generating RSA private key, 1024 bit long modulus
….++++++
.++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

You could also create a private key without file encryption:

[root]# openssl genrsa -out mars-server.key 1024

[root]# openssl req -new -key mars-server.key -out mars-server.csr
Using configuration from /usr/share/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:Taipei County
Locality Name (eg, city) [Newbury]:Nankang
Organization Name (eg, company) [My Company Ltd]:VanEmery.Com
Organizational Unit Name (eg, section) []:Web Services
Common Name (eg, your name or your server’s hostname) []:mars.vanemery.com <=== This must be the real FQDN of your server!!!
Email Address []:hostmaster@vanemery.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# openssl x509 -req -in mars-server.csr -out mars-server.crt -sha1 -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 3650
Signature ok
subject=/C=TW/ST=Taipei County/L=Nankang/O=VanEmery.Com/OU=Web Services/CN=mars.vanemery.com/Email=hostmaster@vanemery.com
Getting CA Private Key
Enter PEM pass phrase:

[root]# openssl x509 -in mars-server.crt -text -noout

Make sure that your server name is the same as the FQDN that your clients will use when connecting to your site. Also, let’s get in the habit of protecting our keys with appropriate permissions:

[root]# chmod 0400 *.key

Now, we need to move the new keys and certs into the proper directories in the /etc/httpd hierarchy:

[root]# cp mars-server.crt /etc/httpd/conf/ssl.crt
[root]# cp mars-server.key /etc/httpd/conf/ssl.key
[root]# cp my-ca.crt /etc/httpd/conf/ssl.crt

######################################################################################################

I found the documentation at the following link:
http://www.sikurezza.org/ml/03_04/msg00041.html

which I reproduce below for convenience

#####################################################################################################

How to make Apache working with OWA (OutLook web access), using mod_proxy.

Table of Content:

1. The purpose of the document
2. What we need
3. Configuration
4. TroubleShooting.

1. PURPOSE OF THE DOCUMENT

Sometimes someone ask us to make possible to access his e-mail account from
Internet. In best cases we can use a simple and powerful web-mail, but in
worst cases we MUST use OWA, AKA Outlook Web Access.

The problem is twice:

1) Using Exchange server 5.5 or 2000 in normal edition we can’t separate OWA
from the Exchange Machine.
2) Using OWA, we MUST use IIS that we know suxXXs in security.

So, to avoid these problems we can use Apache mod_proxy to:

 + Separate services to a FrontEnd <-> BackEnd scenario
 + Putting IIS in a DMZ and make that most attacks were made to the
front-end Apache (that is better).

The purpose of this document is how to install and, of course, make work
Apache mod_proxy to make possible to access OWA through IIS.

The scenario we’ll be:

Client —-> Apache (mod_proxy) <——> IIS-Exchange

2. WHAT WE NEED

Naturally we need:

  + A Working Exchange 2000/5.5 installation
  + A Working IIS + SSL maximum patchlevel with OWA correctly installed on
the same Exchange machine
  + A working ApacheII with SSL and mod_proxy support on another Machine

3. Configuration

Ok, let’s go.

The configuration to make all these work is quite simple, but includes a
work-around. OWA in fact returns FQDN urls to the client; so we must make that
the client always think to connect to the apache, and the Apache always
think to connect to the IIS server for the same domain name! Better
explanation will be parsing configuration files 🙂

For security reasons we’ll configure all using SSL connections, so there
will be a Secure Connection between Client and Apache, and between Apache
and IIS, so no data go on the net unencrypted.
This is important thing because as Microsoft says in Q29661 Article, only
Basic Authentication is possible between front-end back-end, also if
front-end is IIS and not Apache. By the way… using Integrated Windows
Authentication with our configuration will make IE not work 🙂

We can configure our wonderful apache server machine. I suggest to use the
httpd’ latest version.
Naturally we assume that the reader has any experiences with Virtual Hosts,
normal and SSL Based, for further information please read Apache
documentation.

For first we assume that the scenario is you have a public or private
domain, (Ex. owa.myexistentdomain.com) so in your DNS you must translate
this domain to the Apache IP Address (could be public or private).

After that you MUST put into the /etc/hosts file of the apache machine this
string:

# substitute this ip with the IIS-OWA internal IP address.
192.168.0.1 owa.myexistentdomain.com

we make this action to make possible the apache to understand and correctly
proxy the connection because OWA sends him the FQDN as the URL to contact!!!

So in your ssl.conf:

# substitute this IP with the address resolved by the dns for
# owa.myexistentdomain.com!!!
<VirtualHost privateip:443>

    SSLEngine on
    SSLProxyEngine on
    SSLProtocol +all
    SSLCipherSuite HIGH:MEDIUM

    SSLCertificateFile /apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /apache/conf/ssl.key/server.key

    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>

    ServerAdmin root@xxxxxxxxxxxxxxxxxxxxxxxx
    ServerName owa.myexistentdomain.com:443

    <Location "/exchange">

    ProxyPass https://owa.myexistentdomain.com/exchange
    ProxyPassReverse https://owa.myexistentdomain.com/exchange
    </Location>

    <Location "/exchweb">
    ProxyPass https://owa.myexistentdomain.com/exchweb
    ProxyPassReverse https://owa.myexistentdomain.com/exchweb
    </Location>

    <Location "/public">
    ProxyPass https://owa.myexistentdomain.com/public
    ProxyPassReverse https://owa.myexistentdomain.com/public
    </Location>
#
    ErrorLog logs/owa_ssl_error
    CustomLog logs/owa_ssl_acces common
    CustomLog logs/ssl_owa_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    # mod_security Configuration

    SecFilterEngine On
#    SecAuditEngine On
#    SecAuditLog logs/audit_log
#    SecFilterScanPOST On
    SecFilterDefaultAction deny,log,status:409
      # Filters
      SecFilter "\.\./"
      SecFilter "<( |\n)*script"
      SecFilter "<(.|\n)+>"
      SecFilter "root.exe*"
      SecFilter "cmd.exe*"
      SecFilter "default.ida*"
      SecFilter "delete( |\n)+from"
      SecFilter "insert( |\n)+into"
      SecFilter "select( |\n)+from"

</VirtualHost>

Now, we can make a simple html or php page to put in htdocs/ that redirect
every single connection from the original site to the https:// one, a simple
php example here:

<?php
// Redirect every plain request to the HTTPS site.
header("Location: https://owa.myexistentdomain.com/");
?>

Now, after that we MUST correctly configure IIS to make he can response to a
connection made from the client from a different Domain Name.

So, take IIS Admin interface and put into the Virtual Domain in which OWA
lives and into the:

Properties -> Web Site -> IP Address -> Advanced

Add the identity to the web server:

IP Address:       Put here the local ip address of the Exchange-IIS machine
TCP Port:         80 of course
Host Header Name: Here you must put owa.myexistentdomain.com

click OK and save 🙂

Naturally you must add the identity also of the SSL identity in which the port
is 443 and the ip is the same of the previous configuration (normal identity).

Click OK and save 🙂

Now, into the menu’:

Properties -> Web Site -> IP Address:

put the IP address of the IIS-Exchange machine.

now, a VERY important thing are:

+ tell IIS to refuse any NON-SSL Connection (search into “Directory
Security” and Edit certificate properties)
+ Disable Integrated Windows Authentication and Enable Basic one (search
into “Directory Security”).

Now we suggest to:

+ use IISLockdown utility to hardenize IIS configuration (is free available
on microsoft site)
+ Use Apache mod_protection or mod_security to avoid attack (search
freshmeat for them)

Now all is working!!! Point our browser to
http://owa.myexistentdomain.com/exchange/ or
https://owa.myexistentdomain.com/exchange/ and go on!!!!

4. TroubleShooting.

For first thing I suggest to try different browsers instead of IE that is
buggy.
Doing this configuration I find out that forcing SSLv3 with HIGH encryption,
Netscape works but IE will NOT WORK saying the stupid error “Navigation
Cancelled” 😀 (thank you Mr. Bill… you make me happy).

After that try this:

+ Try to connect directly to IIS to ensure that is not an IIS or OWA problem
+ Pinging from a client owa.myexistentdomain.com I reach the apache IP
Address.
+ Pinging from The apache Server owa.myexistentdomain.com I reach the
Exchange-IIS IP Address.
+ Both Apache and IIS Certificates are valid and built on the
owa.myexistentdomain.com Common Name
+ Try to disable NTLM Auth, sometimes IE is more stupid that he would
appear.
+ Recontrol Apache and IIS Configuration

+ Try to sniff the traffic to manage what it is going on!!!!

Best Regards,

Federico ego_pfe@xxxxxxxxx

Credits: I must say thank to buzzzo, without him my lamerness would take
windward 😉
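
The custom request log defined in the virtual host of the post above records the SSL protocol and the request line, which is enough to spot clients negotiating old protocol versions and requests that fall outside the three proxied OWA paths. The following Python script is an added example, not part of the original post; the function names and the sample log lines are constructed, and treating SSLv2/SSLv3 as weak is this example's own policy choice.

```python
import re
from collections import defaultdict

# Matches the page's format: "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
LOG_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<request>.*)" (?P<size>\d+|-)$'
)

# The three <Location> blocks that the virtual host proxies to IIS.
PROXIED_PREFIXES = ("/exchange", "/exchweb", "/public")
# "/" is the redirect page the post places in htdocs/.
EXPECTED_EXACT = {"/"}
# Policy of this example: protocol versions to report.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}

# Constructed sample lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = """\
[10/May/2005:11:32:01 +0200] 203.0.113.7 TLSv1 RC4-MD5 "GET /exchange/ HTTP/1.1" 1523
[10/May/2005:11:32:09 +0200] 203.0.113.7 TLSv1 RC4-MD5 "GET /exchweb/img/logo.gif HTTP/1.1" 842
[10/May/2005:11:33:40 +0200] 203.0.113.7 TLSv1 RC4-MD5 "GET / HTTP/1.1" 120
[10/May/2005:11:40:15 +0200] 198.51.100.23 SSLv2 DES-CBC3-MD5 "GET /public/ HTTP/1.0" 311
[10/May/2005:11:41:02 +0200] 198.51.100.23 SSLv3 RC4-MD5 "GET /default.ida HTTP/1.0" 223
[10/May/2005:11:42:10 +0200] 198.51.100.23 TLSv1 RC4-MD5 "GET /exchangeadmin HTTP/1.0" -
"""


def is_expected_path(path):
    """True if Apache would serve the redirect page or proxy this path.

    <Location "/exchange"> covers /exchange and /exchange/..., but not
    /exchangeadmin, and the match is case-sensitive.
    """
    if path in EXPECTED_EXACT:
        return True
    return any(path == p or path.startswith(p + "/") for p in PROXIED_PREFIXES)


def classify(line):
    """Return (client_host, findings) for one log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None, ["unparsed"]
    findings = []
    if m.group("proto") in WEAK_PROTOCOLS:
        findings.append("weak-protocol:" + m.group("proto"))
    parts = m.group("request").split()
    if len(parts) != 3:  # expected: METHOD URI HTTP/x.y
        findings.append("malformed-request")
    else:
        path = parts[1].split("?", 1)[0]  # drop the query string
        if not is_expected_path(path):
            findings.append("outside-owa-paths:" + path)
    return m.group("host"), findings


def summarize(lines):
    """Group findings by client address; clean clients are omitted."""
    report = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        host, findings = classify(line)
        if findings:
            report[host or "?"].extend(findings)
    return dict(report)


if __name__ == "__main__":
    for host, findings in summarize(SAMPLE_LOG.splitlines()).items():
        print(host, ", ".join(findings))
```
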

Controlling access to a Windows machine

applies to: Windows 2000, Windows XP and (maybe) Windows Vista

So, today we stray a bit off topic and talk (for the first time) about Microsoft Windows.
Last night a dear friend of mine (who kept me awake until 4… so if you see an endless run of identical letters it is because I fell asleep on the keyboard) asked me how he could monitor (and log) user access to a computer (networked or not).
The solution is easy and it is called…..
hear ye, hear ye….
"Local Security Policy".

Access monitoring and logging

In this image I have set some options to raise the logging level of the local machine so that some entries appear in the "Security" section of the "Event Viewer" every time I log in successfully (or get the password wrong)
Bye everyone!!!!!
http://support.microsoft.com/kb/300549/it