Re: Outlook Web Access through ISA on internal LAN

  • From: "JD" <jgd@xxxxxxxxxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Thu, 16 May 2002 03:08:07 -0600

> > At 08:12 AM 5/15/2002, you wrote:
> > >http://www.ISAserver.org
> > >
> > >
> > >Hey Tim,
> > 
> > Greetings, Doctor!
> > 
> > 
> > >I have the Domain Users with the Logon Locally Right enabled on all
> > >Exchange Servers running OWA. I figured this isn't an issue since these
> > >users don't have any other rights on the server that could get me in
> > >trouble. They don't have access to shares they're not supposed to access
> > >(admin shares disabled), Terminal Services only allow admins, and most
> > >of the other cool stuff noted in the Hacking Exposed Windows 2000 has
> > >been implemented.
> > >
> > >So, I don't *think* allowing domain users the log on locally right
> > >should be a problem. Heck if inet_user can, surely the domain users can
> > >:-)
> > 
> > As do I.  In all of my configs, it was a requirement for basic
> > authentication to work- Basic authentication is Logon Type 2, which requires
> > "log on locally" rights.   The thread started when JD could not get
> > internal folks to access OWA via the FQDN- however, they could access via
> > the NetBIOS name.  In his config, he has Basic and NT Integrated selected,
> > but says his users are *not* members of a group that can log on locally,
> > yet it still works, so I am thinking that internal clients are using NT
> > Integrated.
> > 
> > However, I have not heard back from him whether his internal clients have
> > to enter a password or not, so I don't know.
> > 
> > I think it is one of two things:  One, he is using NT Integrated 
> > internally, which is Logon Type 3 (or a "network logon") which does not
> > need "log on locally" rights, but is failing because he does not have the
> > FQDN in his Intranet Sites and/or "Logon automatically only in the Intranet
> > Zone" is not set.  In this case, I think it is then falling back to Basic
> > Authentication, which fails because they can't log on locally.
> > 
> > The only strange part is that his external people can use it, and he says
> > they log in, which means it is basic authentication, which means they have
> > to be set for "log on locally."
> > 
> > It is a mystery!  We'll see what the deal is when he posts back.
> > 
> > Thanks!
> > 
> > Timbomatic
> > 
> > 
> OK, here's the results so far of my investigations
> 
> External clients through ISA to Exchange OWA can log on using Basic
> authentication.  This is despite there being no log on locally rights for
> them on the Exchange box.
> 
> Internal clients accessing Exchange OWA direct have no problems - they use
> Integrated Windows Authentication and do not need to enter a
> username/password.
> 
> Internal clients accessing Exchange OWA as if it were an external site (ie
> through our external FQDN and ISA server) get repeated requests for
> authentication.  Looking at the Exchange server's IIS logs, they get the
> \Exchange\ page but nothing from the \Exchweb pages - all 401 errors.  I
> have checked and double checked the virtual directory for \Exchweb and the
> authentication is set just the same as for \Exchange - both basic (with
> default domain specified) and Integrated Windows authentication allowed.
> Besides it works for external clients.
> The WEIRD thing is that any user who is a member of the ISA local
> Administrators group can access OWA from an internal client using the
> external FQDN.  I can't see why the ISA administrators group should make a
> difference!
> 
> Granting normal users Log on Locally rights to the Exchange box does cure
> the problem - all those 401 errors turn to 200s.  But I really don't want
> to do this as the Exchange box is also a DC and to grant this I have to
> use the Domain Controllers Security Policy and grant the right to all DCs.
> 
> Thanks for all your help with this!

Ignore that bit about ISA local administrators - the same users had Log on
locally rights to the Exchange server - my fault for not checking this!

The only thing I can think of that is causing this is something along
these lines:
- The Exchange server allows external clients to use basic authentication
and they don't need Log on Locally rights to do this
- For internal clients the ISA server won't pass Integrated Windows
Authentication credentials.  The Exchange server won't allow internal
clients to use basic authentication because it recognises that they're
part of the domain and therefore tries to force Integrated Windows
Authentication onto them which ISA won't pass.  How it recognises this I
don't know.  The IIS logs show that the URLs /Exchange, /Exchange/username
and /Exchange/username/Inbox all authenticate (HTTP status code 200) but
as soon as there's a redirect to /Exchweb/controls it fails (HTTP status
code 401).  Perhaps this is the stage at which active content is run which
determines that it's an internal client not an external one (though this
would have to be run on the server as there is no active content fetched
by the client at this stage)?  This is pure speculation...!
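As an added example (not part of the thread), a small Python script that applies the IIS-log check JD describes: per client, it looks for 200s under /Exchange with nothing but 401s under /Exchweb. The W3C extended log field names are the standard IIS ones; the log lines below are constructed.

```python
# Added example (not from the thread): parse IIS W3C extended log lines and flag
# clients that authenticate to /Exchange (200) but get only 401s under /Exchweb,
# the OWA-through-ISA symptom described above. Sample log lines are constructed.
from collections import defaultdict

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-05-16 09:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2002-05-16 09:00:01 10.0.0.5 - GET /Exchange 401
2002-05-16 09:00:01 10.0.0.5 CORP\\alice GET /Exchange 200
2002-05-16 09:00:02 10.0.0.5 CORP\\alice GET /Exchange/alice/Inbox 200
2002-05-16 09:00:03 10.0.0.5 - GET /Exchweb/controls/main.js 401
2002-05-16 09:00:03 10.0.0.5 - GET /Exchweb/controls/main.js 401
2002-05-16 09:00:10 203.0.113.7 - GET /Exchange 401
2002-05-16 09:00:10 203.0.113.7 CORP\\bob GET /Exchange 200
2002-05-16 09:00:11 203.0.113.7 CORP\\bob GET /Exchweb/controls/main.js 200
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("log entry before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than misalign columns
        yield dict(zip(fields, values))

def find_exchweb_auth_failures(text):
    """Return client IPs that got a 200 under /Exchange but only 401s under /Exchweb."""
    exchange_ok = set()
    exchweb_status = defaultdict(set)
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        if stem.startswith("/exchange") and rec["sc-status"] == "200":
            exchange_ok.add(rec["c-ip"])
        elif stem.startswith("/exchweb"):
            exchweb_status[rec["c-ip"]].add(rec["sc-status"])
    return sorted(ip for ip in exchange_ok if exchweb_status.get(ip) == {"401"})

if __name__ == "__main__":
    print(find_exchweb_auth_failures(SAMPLE_LOG))  # ['10.0.0.5']
```

The external client (203.0.113.7) is not flagged because its /Exchweb requests succeed; the internal client (10.0.0.5) is, matching the 200-then-401 pattern in the post.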
