ISA for Exchange 2003 / OWA Pre-Authentication

  • From: "Brian Williams" <brian.williams@xxxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Mon, 24 Nov 2003 17:10:37 -0700

We have set up a proof of concept that includes backend and front end
Exchange 2003 servers all residing on the internal network. We have
plugged an ISA server in integrated mode into our existing DMZ. The edge
firewalls are PIX.

We need the ability to change passwords through OWA. We have this ability
set up using the IISADMPWD virtual directory in IIS 6 and its supporting
ASP files. Internal users go directly to the front end Exchange servers
and not through ISA. They can change their passwords just fine. Also, if
it is a new user that is set with a forced password change at first logon,
OWA recognizes the password expiration and deals with it appropriately.

The issue is with external users that have to come through the ISA server
before being able to access the front end OWA server on the internal
network. We have SSL bridging set up for this. We are pre-authenticating
the users at the ISA server using basic credentials which are then
automatically passed on to the front end OWA server so that the user only
authenticates once. If a new user is accessing the system and they are
forced to change their password at first logon, the pre-authentication at
the ISA server fails. We enabled auditing on the ISA servers and can see
the audit where ISA tries to pre-authenticate the user, but cannot handle
the password expiration. Therefore, the ISA server denies the request. Any
ideas on what we could do to keep the password change functionality
without turning off the pre-authentication at the ISA server? Your replies
are greatly appreciated. Thanks.

