http://www.ISAserver.org
-------------------------------------------------------

OWA doesn't use NTLM, it uses basic, at least for Exch2003.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
> Sent: Thursday, February 22, 2007 2:29 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Publishing in ISA2006
>
> Okay, now I'm really confused.
>
> I set up the test server again and using the standard edge template
> created a whole new setup from scratch. If I publish a webserver, it
> works at first glance. However, whenever I go to a page that requires
> NTLM authentication I get a 403 error message but no login box.
>
> If I change the Authentication delegation to "No delegation, but client
> may authenticate directly", I get the original error about requiring
> SSL.
>
> If I then use the redirect to SSL in the web listener, everything works,
> but then EVERYTHING is redirected to SSL. (This is the way I've had our
> site running for about two months now.)
>
> This makes it a bit difficult to use, in that NTLM authentication is
> what is required to log into Exchange (in non-FBA mode) and our
> webserver, which supports AD integration. This was working with
> ISA2004, but not with ISA2006.
>
> However, I'm not 100% certain it was working upon the initial "clean"
> installation of ISA2006. Since I didn't know exactly what to look for,
> I just got the website publishing rule set up to browse the anonymous
> portion of our website and assumed it was working. I'm not entirely
> sure that using the templates (or doing a backup restore) overwrites
> "everything" in the ISA server, so only another clean install would
> prove that.
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
> Sent: Thursday, February 22, 2007 1:55 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Publishing in ISA2006
>
> It was affecting both Web and OWA publishing. I was working
> specifically with the web publishing rule over the last few days.
>
> I spoke too soon on it being fixed though. I was just looking at it
> again and it appears that with that setting it will not prompt a user
> for a domain login on either our webserver or our Exchange server. OWA
> is now disabled, with a 403 forbidden error 12202, no login box appears.
>
> As for auth settings at the FE server, we only have one ISA and one
> Exchange, none of which are set up for requiring SSL (or any
> authentication) right now. Not sure exactly what settings you are
> referring to.
>
> I put the test server back on the shelf, but can fire that one up again
> and do more testing. If you want, I can send you a backup export which
> you can use for testing. I made several backups during the testing, and
> the last one I did was a bare-bones system with one web publishing rule,
> and no confidential or permissions settings exported.
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Thursday, February 22, 2007 1:06 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Publishing in ISA2006
>
> Was this an Exchange publishing scenario?
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Thursday, February 22, 2007 11:48 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Publishing in ISA2006
> >
> > Ok - now I have to play with this.
> > What auth settings did you have at the FE server?
> >
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
> > Sent: Thursday, February 22, 2007 9:12 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Publishing in ISA2006
> >
> > Situation finally resolved, I just KNEW it had to be something simple!
> >
> > It took a few days, but I finally got a test server online. Installed
> > ISA2006, verified it would publish the website properly, then imported
> > the other ISA server's backup. Had to do some minor tweaks to adjust it
> > for a different computer, but got it running and was able to reproduce
> > the problem (w/o SurfControl or RainConnect). I then spent quite a while
> > purging out all the excess settings to finally get it down to a bare
> > system with one publishing rule exhibiting the same problem.
> >
> > I then tried to purge that rule down to the bare minimums, and the
> > problem disappeared! So, I went through each setting, one-by-one, and
> > finally found that if you set the Authentication Delegation tab to "No
> > delegation, but client may authenticate directly", you get the SSL
> > required response. I changed it to "No delegation, and client cannot
> > authenticate directly" on the live server, and everything started to
> > work again!
> >
> > I know for a fact that I have changed that setting numerous times during
> > my testing, so how I didn't stumble across this fix before is beyond me.
> > Both of the webservers I publish do support NTLM authentication, so by
> > the description of that setting you'd think you'd need to have it set.
> > This is definitely something to keep in mind for future
> > troubleshooting...
> >
> > To summarize, if you see this error (and SSL is not specified as a
> > requirement ANYWHERE):
> >
> > Error Code: 403 Forbidden. The page must be viewed over a secure channel
> > (Secure Sockets Layer (SSL)). Contact the server administrator. (12241)
> >
> > Check your Authentication Delegation settings!
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
> > Sent: Tuesday, February 20, 2007 11:16 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Publishing in ISA2006
> >
> > Unfortunately, I ran out of time before I was able to do that. I did
> > attempt to test it, but "all" publishing wasn't working at that time,
> > and I had to get SurfControl back up and operational in a really short
> > span of time, so it wasn't completed. I also tried to put RainConnect
> > back on, but that gave me some serious errors and wouldn't work at all,
> > and with the short amount of time I had to work with I ended up removing
> > that and bringing the server up with only one ISP just to get it
> > operational.
> >
> > I just got off the phone with SurfControl, and they confirmed what I
> > suspected. That program will "block" SSL or non-SSL, but there is
> > nothing in the program that will "force" a connection to use SSL, so we
> > can "almost" rule that out. Or, at least we can rule out a SC
> > configuration setting as the culprit.
> >
> > I have an aide setting up another test ISA server right now, and will
> > test a clean install (not using the ISA backup) to see if I can narrow
> > it down a bit more.
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
> > Sent: Tuesday, February 20, 2007 10:44 AM
> > To: ISA Mailing List
> > Subject: [isalist] Re: Publishing in ISA2006
> >
> > Did you try it before you added in rainconnect & surfcontrol.....
> >
> > S
> >
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
> > Sent: Tuesday, February 20, 2007 10:43 AM
> > To: ISA Mailing List
> > Subject: [isalist] Re: Publishing in ISA2006
> >
> > Not that I can tell. It can block SSL or non-SSL connections, but don't
> > see any way to force it to be required. I'll contact SurfControl and see
> > if they know of anything like that.
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Tuesday, February 20, 2007 9:12 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Publishing in ISA2006
> >
> > Unfortunately, there's no way for me to review the SC settings - does it
> > have any way to enforce SSL?
> >
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
> > Sent: Tuesday, February 20, 2007 5:44 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Publishing in ISA2006
> >
> > Well, it appears that it might be a configuration issue. I did an
> > almost total rebuild yesterday; I exported the ISA settings, formatted
> > the drive, reinstalled ISA and SurfControl (left RainConnect out), and
> > got the same exact symptoms.
> > I'm thinking I'm going to have to rewrite all my ISA settings from
> > scratch now.
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Sunday, February 11, 2007 5:05 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Publishing in ISA2006
> >
> > I did and so far, the data doesn't line up.
> >
> > The capture clearly indicates that ISA is the one responding with the
> > "must use SSL", but none of the configuration seems to require it.
> >
> > I tried your site today and I get a "302" redirect, but the SSL listener
> > is apparently deaf.
> >
> > This too is a non-functional combination.
> >
> > I'll have to format the tracing and see what shakes out. We may have to
> > repeat this process a time or two...
> >
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
> > Sent: Tuesday, February 06, 2007 11:18 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Publishing in ISA2006
> >
> > Were you able to make sense of the info I sent you?
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Friday, February 02, 2007 11:12 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Publishing in ISA2006
> >
> > Get an ISABPAPack in repro mode and send me the results.
> >
> > You can get ISABPA from MS downloads.
> >
> > The instructions for running ISABPAPack in repro mode are part of the
> > package.
> >
> > All mail to and from this domain is GFI-scanned.
> >
> > ------------------------------------------------------
> > List Archives: //www.freelists.org/archives/isalist/
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server Articles and Tutorials:
> > http://www.isaserver.org/articles_tutorials/
> > ISA Server Blogs: http://blogs.isaserver.org/
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> > Report abuse to listadmin@xxxxxxxxxxxxx