Re: Outlook Web Access through ISA on internal- - - LAN
- From: "Thomas W. Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Fri, 17 May 2002 14:32:04 -0500
Hi Tim,
ISA Server shouldn't be passing any tokens. You either authenticate with
the Incoming Web Requests listener or you authentication with the OWA
box. There are limits on the authentication schemes so that you should
NOT enable authentication on both the listener and the site. The only
time dual authentication will work is when you use X.509 auth on the
listener and basic/digest/integrated auth on the Web server.
HTH,
Tom
www.isaserver.org/shinder
-----Original Message-----
From: Deus, Attonbitus [mailto:Thor@xxxxxxxxxxxxxxx]
Sent: Thursday, May 16, 2002 11:40 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Outlook Web Access through ISA on internal- - -
LAN
http://www.ISAserver.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
At 02:08 AM 5/16/2002, you wrote:
>The only thing I can think of that is causing this is something along
>these lines:
>- The Exchange server allows external clients to use basic
authentication
>and they don't need Log on Locally rights to do this
I've been testing this to see if I can reproduce it, but
can't. Everything I have ever done w/Basic Auth requires LOL,
regardless
of the app running- it must be authenticated before the app kicks in
anyway. My guess is that there is something about your ISA -> Ex2k
authentication that is authenticating these users on ISA, and building
an
access token including some sort of group membership that the Exchange
server recognizes as one that can LOL. The way to test this is to go to
the Ex2k, and enable successful "logon events" and "account logon
events" -
then have them logon externally- you will see the logon even in Ex2k,
and
can examine the username and logon type... If it is Logon Type 2, you
*know* that the user has been granted interactive logon (LOL) rights to
the
box, and you can see what ISA is doing to cause this.
This is of particular interest to me, as if you indeed have some
membership
structure where the ISA server will pass tokens to the internal Ex2k
server
that allows them to impersonate LOL rights without actually having those
rights on the server itself, I would really like to know. I see many
configurations like this where Ex2k is on the DC, and I too want to
avoid
giving the scrubs LOL rights for all the DC's.
>- For internal clients the ISA server won't pass Integrated Windows
>Authentication credentials. The Exchange server won't allow internal
>clients to use basic authentication because it recognises that they're
>part of the domain and therefore tries to force Integrated Windows
>Authentication onto them which ISA won't pass. How it recognises this
I
>don't know. The IIS logs show that the URLs /Exchange,
/Exchange/username
>and /Exchange/username/Inbox all authenticate (HTTP status code 200)
but
>as soon as there's a redirect to /Exchweb/controls it fails (HTTP
status
>code 401). Perhaps this is the stage at which active content is run
which
>determines that it's an internal client not an external one (though
this
>would have to be run on the server as there is no active content
fetched
>by the client at this stage)? This is pure speculation...!
So, did you go to a client's IE config and add the FDQN to the Intranet
sites, and then verify that "automatically logon only in intranet zone"
is
selected? That will ensure that the client first passes NTLM creds to
the
site when accessed via the FDQN. Can you check that and let us know?
Thanks
Tim
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQA/AwUBPOPg4YhsmyD15h5gEQK9YgCcCM8fS02ENpwmXfE3Ftv4Joz+Nd0AnAzG
wMtoryNFvTbeQh6G8P0/n7+f
=CHQ2
-----END PGP SIGNATURE-----
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
Other related posts:
