Re: Outlook Web Access through ISA on internal- - LAN
- From: "Thomas W. Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Wed, 15 May 2002 10:12:05 -0500
Hey Tim,
I have the Domain Users with the Logon Locally Right enabled on all
Exchange Servers running OWA. I figured this isn't an issue since these
users don't have any other rights on the server that could get me in
trouble. They don't have access to shares they're not supposed to access
(admin shares disabled), Terminal Services only allow admins, and most
of the other cool stuff noted in the Hacking Exposed Windows 2000 has
been implemented.
So, I don't *think* allowing domain users the log on locally right
should be a problem. Heck if inet_user can, surely the domain users can
:-)
Thanks!
Tom
-----Original Message-----
From: Deus, Attonbitus [mailto:Thor@xxxxxxxxxxxxxxx]
Sent: Wednesday, May 15, 2002 9:58 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Outlook Web Access through ISA on internal- - LAN
http://www.ISAserver.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
At 02:15 AM 5/15/2002, you wrote:
>Just a little more info: The Exchange 2000 box generates the
following
>error in the system log during these multiple authentication errors
when
>accessing OWA internally via ISA:
>
>The server was unable to logon the Windows NT account 'test05' due to
the
>following error: Logon failure: the user has not been granted the
>requested logon type at this computer. The data is the error code.
>
>What is odd is that no such error is generated by external clients
(using
>the same logon credentials) throug ISA to OWA.
OK- so it works internally from \\exchserver\exchange, but not
www.you.com\exchange... Does it ask for authentication when they use the
local NetBIOS name?
If not (and you indeed want to use the NT Integrated you have selected)
you
probably need to add the www.you.com domain to the intranet sites in IE
and
ensure that auto-logon only in Intranet is selected under security
settings.
And just for a test (you can easily revoke it) give your "domain users"
log
on locally rights and try it. Just for fun. Let me know what that
does.
Let me know what each does, and I'll go back and look at the exact same
config I have on a test network (Ex2k on DC behind ISA). However, I am
using Server Publishing, not Web Publishing- I wonder if that is why...
Let me know.
Thanks!
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQA/AwUBPOJ3cIhsmyD15h5gEQIJOwCgr2MAb85v+8D3e8Ubb/Aw61qsvkcAn1rT
C1V6e2DMUg8BV3bZm+gfE4Sb
=9WnH
-----END PGP SIGNATURE-----
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
Other related posts:
