Microsoft has received reports of a security issue affecting Exchange Server 2003 and Outlook Web Access (OWA).
 
The problem occurs when a user installs Windows SharePoint Services 2.0 on top of Exchange Server 2003 and Windows Server 2003. The deployment causes Kerberos authentication to be disabled in Internet Information Services (IIS) and can result in the incorrect handling of Outlook Web Access requests to an Exchange Server. 

 

At worst, this issue could result in access to mailboxes at  random and only to an authenticated Exchange user in the same organization on the same network.

Microsoft is working with customers to ensure their information is protected. Microsoft has published two Knowledge Base articles that detail the problem and instruct customers how to correct and avoid this issue.

Microsoft Product Support has also successfully helped and is
continuing to help customers who have problems.

 

This information is available at http://support.microsoft.com/?id=832769
and http://support.microsoft.com/?id=832749

 

As a general rule, Microsoft recommends customers run Exchange 2003 with Kerberos enabled in Internet Information Services to achieve the most secure environment and that is why Windows Server 2003 ships with Kerberos enabled by default.