Re: Outlook Web Access through ISA on internal LAN

  • From: "JD" <jgd@xxxxxxxxxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Wed, 15 May 2002 03:15:14 -0600

> > At 09:41 PM 5/14/2002, you wrote:
> > >http://www.ISAserver.org
> > >
> > >
> > >If I can get round this without giving users 'log on locally' rights to my
> > >Exchange server(also a DC!) then I'll be happier.
> > >
> > >The fact that basic authentication works for clients external to my LAN
> > >makes me think that this can't just be a 'log on locally' issue.
> > 
> > 
> > I had it the other way around... I didn't catch that part- however, I was
> > experiencing the exact same thing- admin could log on a single time (mine
> > was over HTTPS), but regular users could not; they had to continually enter
> > credentials for each element.  In the event log, I saw the "user not 
> > granted appropriate rights" or whatever the exact message was, and knew
> > right away it was a LoL issue- I gave that group LoL rights, and it worked
> > perfectly at once.  For IIS, the logon type 2 is considered "local"- it is
> > the way IIS does it.
> > 
> > But, if your external people are accessing it, they probably already have
> > that right.  A regular server has the local "users" group included in the
> > "Log on locally" policy by default, but a domain controller does not.  When
> > a member server joins the domain, the local "users" group has the domain's
> > "domain users" group added to it.  It would be interesting to know exactly
> > how you currently have it set.
> > 
> > I don't have the original message anymore- how are you publishing the OWA
> > site?   And is basic authentication the only method selected or do you have
> > NT Integrated checked as well?  I assume you have a default domain selected
> > under the Basic Authentication properties...
> > 
> > Thanks!
> 
> Here's the situation:
> MS Exchange 2000 server (also a DC) delivering OWA internally.  Users
> don't have LoL permissions on this server but OWA works fine if accessed
> directly from internal LAN (ie using \\servername\exchange).  Both Basic
> (with default domain specified) and Integrated Windows Authentication
> selected - basic for external web access and Integrated Windows for
> internal LAN clients.
> 
> ISA Server (member server) has a publishing rule for the Exchange server
> which redirects requests for the OWA box to the internal server,
> preserving original host headers.  Users do have LoL permissions on this
> server but Domain Users are not in the membership of the local Users
> group- only Authenticated Users (which I assume is a change which ISA
> makes when installed as I haven't done it).  Incoming Web requests are not
> set to ask unauthenticated users for authentication (so that the
> authentication only happens on the Exchange box).  Users using
> www.ourdomainname.com/exchange can access OWA with no problems - just a
> single authentication dialogue.  However, internal LAN users browsing to
> our OWA site using www.ourdomainname.com/exchange can't access it because
> they keep getting asked for repeated authentication.  The only exception
> is users who are in the Local admin group on the ISA server (these aren't
> domain admins).
> 
> Thanks for your help on this one!

Just a little more info:  The Exchange 2000 box generates the following
error in the system log during these multiple authentication errors when
accessing OWA internally via ISA:

The server was unable to logon the Windows NT account 'test05' due to the
following error: Logon failure: the user has not been granted the
requested logon type at this computer.  The data is the error code.

What is odd is that no such error is generated by external clients (using
the same logon credentials) through ISA to OWA.
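The error quoted above ("the user has not been granted the requested logon type at this computer") is what Windows returns when an account is asked to perform an interactive logon (logon type 2, the type IIS uses for Basic authentication) on a machine where it does not hold the "Log on locally" user right, known internally as SeInteractiveLogonRight. The following script is an added example, not part of the thread and not something its participants posted: it exports the effective local policy with secedit, lists who holds that right on the host it runs on, and reports whether a named group is covered. It assumes a modern Windows host with PowerShell and an elevated session; the default principal `BUILTIN\Users` is only an example and should be replaced with the group the OWA users actually belong to. Running it on the Exchange/DC box and on the ISA member server side by side shows exactly the difference the thread is chasing (a DC does not grant the right to the Users group by default, a member server does).

```powershell
# Added example (not from the thread): report who holds "Log on locally"
# (SeInteractiveLogonRight, the right checked for logon type 2) on this host,
# and whether a given group is covered. Requires an elevated PowerShell session.
# On a domain controller the export reflects the Default Domain Controllers
# Policy as applied, not the local template alone.

param(
    # Example principal (assumption); substitute the group your OWA users belong to.
    [string]$Principal = 'BUILTIN\Users'
)

$cfg = Join-Path $env:TEMP 'user-rights.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $cfg)) { throw "secedit export failed" }

# secedit writes a Unicode .inf; the right appears as one 'Name = *SID,*SID,...' line.
$line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue
if (-not $line) { throw "SeInteractiveLogonRight not present in export: nobody may log on locally here" }

$holders = foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
    $e = $entry.Trim()
    if ($e.StartsWith('*')) {
        # Entries are SIDs prefixed with '*'; resolve to DOMAIN\Name where possible,
        # fall back to the raw SID for orphaned or unresolvable entries.
        $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList ($e.Substring(1))
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $e.Substring(1) }
    } else {
        $e   # some templates store plain account names instead of SIDs
    }
}

"Accounts holding 'Log on locally' on ${env:COMPUTERNAME}:"
$holders | ForEach-Object { "  $_" }

if ($holders -contains $Principal) {
    "$Principal holds the right: interactive (type 2) logons, including IIS Basic auth, are permitted here."
} else {
    "$Principal does not hold the right: interactive (type 2) logons will fail with 'not granted the requested logon type'."
}
```

Note that the check is per host, which is the point of the thread: the same domain account can pass on the ISA server (a member server, where Users includes Domain Users) and fail on the Exchange server (a DC, where it does not), so run the script on the machine that actually performs the logon for the request path you are testing.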

