[isalist] Re: Publishing in ISA2006

  • From: "Ball, Dan" <DBall@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 22 Feb 2007 15:29:21 -0500

http://www.ISAserver.org
-------------------------------------------------------

Okay, now I'm really confused.

I set up the test server again and using the standard edge template
created a whole new setup from scratch.  If I publish a webserver, it
works at first glance.  However, whenever I go to a page that requires
NTLM authentication I get a 403 error message but no login
box.

If I change the Authentication delegation to "No delegation, but client
may authenticate directly", I get the original error about requiring
SSL.

If I then use the redirect to SSL in the web listener, everything works,
but then EVERYTHING is redirected to SSL.  (This is the way I've had our
site running for about two months now.)

This makes it a bit difficult to use, in that NTLM authentication is
what is required to log into Exchange (in non-FBA mode) and our
webserver, which supports AD integration.  This was working with
ISA2004, but not with ISA2006.

However, I'm not 100% certain it was working upon the initial "clean"
installation of ISA2006.  Since I didn't know exactly what to look for,
I just got the website publishing rule set up to browse the anonymous
portion of our website and assumed it was working.  I'm not entirely
sure that using the templates (or doing a backup restore) overwrites
"everything" in the ISA server, so only another clean install would
prove that.


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ball, Dan
Sent: Thursday, February 22, 2007 1:55 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006

It was affecting both Web and OWA publishing.  I was working
specifically with the web publishing rule over the last few days.

I spoke too soon on it being fixed though.  I was just looking at it
again and it appears that with that setting it will not prompt a user
for a domain login on either our webserver or our Exchange server.  OWA
is now disabled, with a 403 forbidden error 12202, no login box appears.

As for auth settings at the FE server, we only have one ISA and one
Exchange, none of which are set up for requiring SSL (or any
authentication) right now.  Not sure exactly what settings you are
referring to.

I put the test server back on the shelf, but can fire that one up again
and do more testing.  If you want, I can send you a backup export which
you can use for testing.  I made several backups during the testing, and
the last one I did was a bare-bones system with one web publishing rule,
and no confidential or permissions settings exported.  


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Thursday, February 22, 2007 1:06 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006

Was this an Exchange publishing scenario?

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Thursday, February 22, 2007 11:48 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Publishing in ISA2006
> 
> Ok - now I have to play with this.
> What auth settings did you have at the FE server?
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Ball, Dan
> Sent: Thursday, February 22, 2007 9:12 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Publishing in ISA2006
> 
> Situation finally resolved, I just KNEW it had to be something simple!
> 
>  
> 
> It took a few days, but I finally got a test server online.  Installed
> ISA2006, verified it would publish the website properly, then imported
> the other ISA server's backup.  Had to do some minor tweaks to adjust it
> for a different computer, but got it running and was able to reproduce
> the problem (w/o SurfControl or RainConnect).  I then spent quite a while
> purging out all the excess settings to finally get it down to a bare system
> with one publishing rule exhibiting the same problem.
> 
>  
> 
> I then tried to purge that rule down to the bare minimums, and the
> problem disappeared!  So, I went through each setting, one-by-one, and
> finally found that if you set the Authentication Delegation tab to "No
> delegation, but client may authenticate directly", you get the SSL
> required response.  I changed it to "No delegation, and client cannot
> authenticate directly" on the live server, and everything started to
> work again!  
> 
>  
> 
> I know for a fact that I have changed that setting numerous times during
> my testing, so how I didn't stumble across this fix before is beyond me.
> Both of the webservers I publish do support NTLM authentication, so by
> the description of that setting you'd think you'd need to have it set.
> This is definitely something to keep in mind for future
> troubleshooting...  
> 
>  
> 
> To summarize, if you see this error (and SSL is not specified as a
> requirement ANYWHERE):
> 
> Error Code: 403 Forbidden. The page must be viewed over a secure channel
> (Secure Sockets Layer (SSL)). Contact the server administrator. (12241)
> 
> Check your Authentication Delegation settings!
> 
>  
> 
>  
> 
> ________________________________
> 
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Ball, Dan
> Sent: Tuesday, February 20, 2007 11:16 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Publishing in ISA2006
> 
>  
> 
> Unfortunately, I ran out of time before I was able to do that.  I did
> attempt to test it, but "all" publishing wasn't working at that time,
> and I had to get SurfControl back up and operational in a really short
> span of time, so it wasn't completed.  I also tried to put RainConnect
> back on, but that gave me some serious errors and wouldn't work at all,
> and with the short amount of time I had to work with I ended up removing
> that and bringing the server up with only one ISP just to get it
> operational.
> 
>  
> 
> I just got off the phone with SurfControl, and they confirmed what I
> suspected.  That program will "block" SSL or non-SSL, but there is
> nothing in the program that will "force" a connection to use SSL, so we
> can "almost" rule that out.  Or, at least we can rule out a SC
> configuration setting as the culprit.
> 
>  
> 
> I have an aide setting up another test ISA server right now, and will
> test a clean install (not using the ISA backup) to see if I can narrow
> it down a bit more.  
> 
>  
> 
> ________________________________
> 
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Steve Moffat
> Sent: Tuesday, February 20, 2007 10:44 AM
> To: ISA Mailing List
> Subject: [isalist] Re: Publishing in ISA2006
> 
>  
> 
> Did you try it before you added in rainconnect & surfcontrol.....
> 
>  
> 
> S
> 
>  
> 
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Ball, Dan
> Sent: Tuesday, February 20, 2007 10:43 AM
> To: ISA Mailing List
> Subject: [isalist] Re: Publishing in ISA2006
> 
>  
> 
> Not that I can tell.  It can block SSL or non-SSL connections, but don't
> see any way to force it to be required.  I'll contact SurfControl and see
> if they know of anything like that.
> 
>  
> 
> ________________________________
> 
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Tuesday, February 20, 2007 9:12 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Publishing in ISA2006
> 
>  
> 
> Unfortunately, there's no way for me to review the SC settings - does it
> have any way to enforce SSL?
> 
>  
> 
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Ball, Dan
> Sent: Tuesday, February 20, 2007 5:44 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Publishing in ISA2006
> 
>  
> 
> Well, it appears that it might be a configuration issue.  I did an
> almost total rebuild yesterday; I exported the ISA settings, formatted
> the drive, reinstalled ISA and SurfControl (left RainConnect out), and
> got the same exact symptoms.  I'm thinking I'm going to have to rewrite
> all my ISA settings from scratch now.
> 
>  
> 
> ________________________________
> 
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Sunday, February 11, 2007 5:05 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Publishing in ISA2006
> 
>  
> 
> I did and so far, the data doesn't line up.
> 
> The capture clearly indicates that ISA is the one responding with the
> "must use SSL", but none of the configuration seems to require it.
> 
> I tried your site today and I get a "302" redirect, but the SSL listener
> is apparently deaf.
> 
> This too is a non-functional combination.
> 
> I'll have to format the tracing and see what shakes out.  We may have to
> repeat this process a time or two...
> 
>  
> 
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Ball, Dan
> Sent: Tuesday, February 06, 2007 11:18 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Publishing in ISA2006
> 
>  
> 
> Were you able to make sense of the info I sent you?
> 
>  
> 
> ________________________________
> 
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Friday, February 02, 2007 11:12 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Publishing in ISA2006
> 
>  
> 
> Get an ISABPAPack in repro mode and send me the results.
> 
> You can get ISABPA from MS downloads.
> 
> The instructions for running ISABPAPack in repro mode are part of the
> package.
> 
> 
> All mail to and from this domain is GFI-scanned.
> 
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/  
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp 
> ISA Server Articles and Tutorials: 
> http://www.isaserver.org/articles_tutorials/ 
> ISA Server Blogs: http://blogs.isaserver.org/ 
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com 
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp 
> Report abuse to listadmin@xxxxxxxxxxxxx 
> 
> 
> 