ISA 2000 to 2004 OWA Authentication Issue

  • From: "Mayo, Bill" <bemayo@xxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 4 Nov 2005 14:05:03 -0500

I previously set up OWA through our ISA 2000 server thanks to the great
tutorial by Dr. Shinder.  Everything was working fine with that for a
long time.  Yesterday, we upgraded this server to ISA 2004 and had to
recreate the OWA rule.  Again, this seemed to be working ok in my tests,
but today I have been made aware of some issues that others are having.
It seems that people are not able to log into OWA unless they prefix the
domain name before their username.  (This was not the case previously.)
Further research has indicated that some browsers request a domain name
in the authentication box and some don't.  On the ones that don't, what
will happen is that putting in a username/password will result in a
re-prompting for credentials.  In the re-prompt, you can see that it has
prefixed the DNS name of the OWA server in front of the username (i.e.
webmail.server.com\username).  If you change that to the actual domain
name it works fine.  This does not happen internally, only when going
through ISA Server.

Per the previous instructions, I had just the NetBIOS name for the
domain set on the Exchange IIS virtual directory, which I have currently
set as the fully-qualified internal domain name (doesn't make a
difference how this is set).  I can also confirm that the default domain
is set on the listener in ISA.  I found Dr. Shinder's walkthrough on
setting up OWA on ISA 2004, which indicates to use forms-based
authentication.  I did try that and it just stopped working completely.
I would also note that isn't really a solution for me because I have
multiple SSL sites on the ISA Server, and it will not let me listen on
443 with different types of authentication, so this isn't a solution for
me anyway (unless there is some way to work around that limitation).  I
have googled around and found somebody else attributing this issue to
ISA 2004, but none of the solutions provided there are of any help to
me.  The main recommendation is to get people to log on with the UPN, but
that is no better than me communicating to them to prefix with the
domain.

Any and all help is greatly appreciated!
Bill Mayo
Pitt County MIS

