YES YES YES YES It is working, the thing is working!!

The only problem is I did so many changes that now I'm not really sure which combination of changes did the trick :( So I will try one more time from scratch, to be sure what really did it, but basically it is a cookie setting in RSA on the CAS side and the same on the ISA listener. That way the user is being challenged just 1 time on the ISA.

Regards
Diego R. Pietruszka
MSC (USA) - Interlink Transport Technologies

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Thursday, February 07, 2008 2:56 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: OWA 2007 with RSA

Is that true? Did MS make an official statement regarding no support for CAS in a DMZ?

What happened to SD3+C? One of those D's is Secure in Deployment. Not supporting the CAS in the DMZ violates the third D.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR
Sent: Thursday, February 07, 2008 1:51 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: OWA 2007 with RSA

It is really different, RSA on ISA2004 and ISA2006; it is still a thing that I hate, but my taste in technology is not open to discussion :(

I was thinking of having a CAS on my DMZ and having that one published directly to the Internet (that way I will have RSA just one time), but Microsoft doesn't support CAS on the DMZ. That is why I'm trying to have it working with ISA asking for the RSA credentials and passing them to the CAS, which is already protected with RSA.

Regards
Diego R. Pietruszka
MSC (USA) - Interlink Transport Technologies

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jerry Young
Sent: Thursday, February 07, 2008 12:31 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: OWA 2007 with RSA

If RSA works with ISA Server 2006 the same way it does with ISA Server 2004, it won't work like it does when the RSA Agent sits on the OWA server (or in this case the CAS server). This has to do with RSA not providing the appropriate API calls (the ones the RSA Agent makes) in the SDK given to Microsoft when it was used to incorporate RSA at the ISA Server 2004 level.

I had to work through this one a couple of years ago when we were trying to get true two-factor authentication working with OWA but were doing RSA authentication at the ISA Server. The information above came directly from RSA.

Again, I'm not sure this still applies to ISA Server 2006 and Exchange 2007, but I think the best you might be able to hope for if you implement RSA at the ISA Server is a single web page for RSA authentication at the ISA Server and then an FBA page for OWA on the CAS server.

You will probably also run into the issue that the RSA hook in ISA Server does not check to make sure that the RSA credentials and OWA credentials belong to the same person (i.e., User A can authenticate to RSA and User B can authenticate to OWA).

On 2/7/08, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:

http://www.ISAserver.org
-------------------------------------------------------

Bridge or delegate?

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Thursday, February 07, 2008 10:36 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: OWA 2007 with RSA
>
> You can't bridge RSA auth.
> IOW, you can have it at ISA or you can have it at the CAS, but not both.
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR
> Sent: Thursday, February 07, 2008 7:30 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] OWA 2007 with RSA
>
> Hello all, this is already driving me crazy. Did anybody publish OWA 2007 with RSA authentication?
>
> It is pretty easy to have the forms asking you for the token, but my problem is that our users are using just RSA to log in; there is no password for them (well, there is, but they don't know it).
>
> The point is: ISA should authenticate the user using RSA and then pass the credentials to the CAS server, so when the user reaches the CAS this one already has the token and authorizes the user to see his/her mailbox.
>
> Today I have the form asking for the passcode, then the CAS asking for the passcode again (which is pretty crappy).
>
> I can publish the CAS directly on the Internet, so the users will be asked just once for the passcode, but I would like to have ISA stopping the users and asking for authentication.
>
> Anybody?
>
> Regards
>
> Diego R. Pietruszka
>
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx

--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
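
The identity-mismatch caveat in Jerry Young's message (User A authenticates to RSA, User B authenticates to OWA) can be checked after the fact by correlating the two authentication stages per session. The following is an added example, not part of the original thread and not ISA Server or Exchange code; the event schema, session ids and user names are constructed, and it assumes a single Windows domain so that stripping the domain part is safe.

```python
"""Flag sessions whose OWA logon is not backed by RSA success for the same account."""
from collections import defaultdict


def canonical_user(name):
    """Reduce DOMAIN\\user, user@domain and bare user to a lowercase account name.

    Assumption: one domain only; with several domains keep the domain part.
    """
    name = name.strip().lower()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name


# Constructed sample events in a hypothetical schema (not a real log format):
# (session_id, stage, username, outcome)
SAMPLE_EVENTS = [
    ("s1", "rsa", "alice", "success"),
    ("s1", "owa", "CORP\\Alice", "success"),         # same person, different notation
    ("s2", "rsa", "bob", "success"),
    ("s2", "owa", "carol@corp.example", "success"),  # User A at RSA, User B at OWA
    ("s3", "rsa", "dave", "failure"),
    ("s3", "owa", "dave", "success"),                # RSA stage never succeeded
    ("s4", "owa", "erin", "success"),                # RSA stage missing entirely
]


def find_identity_mismatches(events):
    """Return (session_id, owa_user, reason) for every unbacked OWA logon."""
    rsa_ok, owa_ok = defaultdict(set), defaultdict(set)
    for session_id, stage, username, outcome in events:
        if outcome != "success":
            continue
        if stage == "rsa":
            rsa_ok[session_id].add(canonical_user(username))
        elif stage == "owa":
            owa_ok[session_id].add(canonical_user(username))
    findings = []
    for session_id in sorted(owa_ok):
        rsa_users = rsa_ok.get(session_id, set())
        for user in sorted(owa_ok[session_id]):
            if not rsa_users:
                findings.append((session_id, user, "no successful RSA authentication"))
            elif user not in rsa_users:
                findings.append((session_id, user, "RSA passed as " + ",".join(sorted(rsa_users))))
    return findings


if __name__ == "__main__":
    for finding in find_identity_mismatches(SAMPLE_EVENTS):
        print(finding)
```
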