Re: Outlook Web Access through ISA on internal LAN

  • From: "JD" <jgd@xxxxxxxxxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Thu, 16 May 2002 02:06:27 -0600

> At 08:12 AM 5/15/2002, you wrote:
> >http://www.ISAserver.org
> >
> >
> >Hey Tim,
> 
> Greetings, Doctor!
> 
> 
> >I have the Domain Users with the Logon Locally Right enabled on all
> >Exchange Servers running OWA. I figured this isn't an issue since these
> >users don't have any other rights on the server that could get me in
> >trouble. They don't have access to shares they're not supposed to access
> >(admin shares disabled), Terminal Services only allow admins, and most
> >of the other cool stuff noted in the Hacking Exposed Windows 2000 has
> >been implemented.
> >
> >So, I don't *think* allowing domain users the log on locally right
> >should be a problem. Heck if inet_user can, surely the domain users can
> >:-)
> 
> As do I.  In all of my configs, it was a requirement for basic 
> authentication to work- Basic authentication is Logon Type 2, which requires
> "log on locally" rights.   The thread started when JD could not get 
> internal folks to access OWA via the FQDN- however, they could access via
> the NetBIOS name.  In his config, he has Basic and NT Integrated selected,
> but says his users are *not* members of a group that can log on locally,
> yet it still works, so I am thinking that internal clients are using NT
> Integrated.
> 
> However, I have not heard back from him whether his internal clients have
> to enter a password or not, so I don't know.
> 
> I think it is one of two things:  One, he is using NT Integrated 
> internally, which is Logon Type 3 (or a "network logon") which does not
> need "log on locally" rights, but is failing because he does not have the
> FQDN in his Intranet Sites and/or "Logon automatically only in the Intranet
> Zone" is not set.  In this case, I think it is then falling back to Basic
> Authentication, which fails because they can't log on locally.
> 
> The only strange part is that his external people can use it, and he says
> they log in, which means it is basic authentication, which means they have
> to be set for "log on locally."
> 
> It is a mystery!  We'll see what the deal is when he posts back.
> 
> Thanks!
> 
> Timbomatic
> 
> 
OK, here's the results so far of my investigations

External clients through ISA to Exchange OWA can log on using Basic
authentication.  This is despite there being no log on locally rights for
them on the Exchange box.

Internal clients accessing Exchange OWA direct have no problems - they use
Integrated Windows Authentication and do not need to enter a
username/password.

Internal clients accessing Exchange OWA as if it were an external site (i.e.
through our external FQDN and ISA server) get repeated requests for
authentication.  Looking at the Exchange server's IIS logs, they get the
\Exchange\ page but nothing from the \Exchweb pages - all 401 errors.  I
have checked and double checked the virtual directory for \Exchweb and the
authentication is set just the same as for \Exchange - both basic (with
default domain specified) and Integrated Windows authentication allowed. 
Besides it works for external clients.

The WEIRD thing is that any user who is a member of the ISA local
Administrators group can access OWA from an internal client using the
external FQDN.  I can't see why the ISA administrators group should make a
difference!

Granting normal users Log on Locally rights to the Exchange box does cure
the problem - all those 401 errors turn to 200s.  But I really don't want
to do this as the Exchange box is also a DC and to grant this I have to
use the Domain Controllers Security Policy and grant the right to all DCs.

Thanks for all your help with this!
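An added diagnostic for the IIS-log observation above (the /Exchange page succeeds while every /Exchweb request ends in 401). This script is not from the thread; it parses W3C extended log lines and reports which virtual directories never satisfy the authentication challenge. The log lines are constructed sample data, and the field layout is the one IIS writes when the listed fields are enabled.

```python
"""Summarise IIS W3C extended log lines per virtual directory to spot
the 'one vdir authenticates, another only ever returns 401' pattern."""
from collections import defaultdict

# Constructed sample log (not real data). The #Fields header tells
# the parser which columns are present.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2002-05-15 08:12:01 10.0.0.5 - GET /exchange/ 401
2002-05-15 08:12:01 10.0.0.5 CORP\\jd GET /exchange/ 200
2002-05-15 08:12:02 10.0.0.5 - GET /exchweb/bin/auth.js 401
2002-05-15 08:12:02 10.0.0.5 - GET /exchweb/img/logo.gif 401
2002-05-15 08:12:03 10.0.0.5 - GET /exchweb/bin/auth.js 401
"""


def parse_w3c(text):
    """Return one dict per data line, keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # column names follow the tag
            continue
        if line.startswith("#"):
            continue                         # other directives are ignored
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        rows.append(dict(zip(fields, values)))
    return rows


def vdir_of(uri_stem):
    """First path component, lower-cased: '/exchweb/bin/x' -> '/exchweb'."""
    return "/" + uri_stem.lstrip("/").split("/")[0].lower()


def summarise(rows):
    """Count 200 / 401 / other responses per virtual directory."""
    stats = defaultdict(lambda: {"200": 0, "401": 0, "other": 0})
    for r in rows:
        code = r["sc-status"]
        key = code if code in ("200", "401") else "other"
        stats[vdir_of(r["cs-uri-stem"])][key] += 1
    return dict(stats)


def never_authenticates(stats):
    """Vdirs that returned 401s but never a 200: the challenge is never
    satisfied there, e.g. a fallback to Basic failing on logon rights."""
    return sorted(v for v, s in stats.items() if s["401"] and not s["200"])
```

A first 401 on a directory is the normal challenge; the signal is a directory where no request ever reaches 200 while a sibling directory does, which points at per-vdir authentication behaviour rather than at the credentials.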
