Hi, Yes I checked that setting and it was set to basic (as I configured it manually on our test network, which has no connection to the Exchange server other than via HTTP via the ISA box). I did try Outlook SP1 with all patches and it gave me the same error (even before we get to configure any accounts). I tried a Linux wget command and was successfully able to retrieve the autodiscover.xml file via basic authentication (as the form based auth had dropped back to plain due to the Wget user-agent string), so in theory, it is working, so I don't know why Outlook is not authenticating, or why I don't get a username/password prompt. Thanks. Andrew. From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jerry Young Sent: 06 April 2009 13:55 To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Question about forms mode authentication for OWA Andrew, I think Jim is referring to the Microsoft Exchange Proxy Settings configured for use with Outlook Anywhere on the Outlook client. Outlook 2007 Take a look at Tools -> Account Settings... -> Change... (after selecting Microsoft Exchange account) -> More Settings... -> Connection -> Exchange Proxy Settings (Under Outlook Anywhere section) -> Proxy authentication settings. Located there you should find the option "Use this authentication when connecting to my proxy server for Exchange:". There should be two possible selections: NTLM Authentication (default) and Basic Authentication. Proxy authentication settings should use Basic Authentication, I believe. On Mon, Apr 6, 2009 at 4:36 AM, Andrew Hodgson <Andrew.Hodgson@xxxxxxxxxx<mailto:Andrew.Hodgson@xxxxxxxxxx>> wrote: http://www.ISAserver.org<http://www.isaserver.org/> ------------------------------------------------------- Hi Jim, Thanks for this. I have made further investigations and found that it is just the autodiscover service that is failing - the Outlook Anywhere is actually working if I define the settings manually, including the offline address book etc. The rule that publishes the autodiscover is the Outlook Anywhere rule, and this is set to basic authentication with the web listener set to form based authentication. The rule tests fine on all paths. I checked the logs, and it is giving an access denied error to the autodiscover path, possibly because Outlook isn't trying to authenticate? I can't see any evidence in the logs that ISA is dropping back to basic authentication because of the Outlook HTTP user-agent string. I discovered on this machine that we are pre Outlook 2007 SP1, so just applying all patches before continuing. Thanks. Andrew. -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> [mailto:isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx>] On Behalf Of Jim Harrison Sent: 03 April 2009 17:48 To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx> Subject: [isalist] Re: Question about forms mode authentication for OWA http://www.ISAserver.org<http://www.isaserver.org/> ------------------------------------------------------- Using FBA/Basic requires that the OL clients use basic as well when they authenticate to ISA. FBA cannot fall back to anything other than HTTP-Basic. It's highly doubtful that your internal clients are using Basic auth, since OL will tend to use RPCoTCP, not RPCoHTTP internally. Use the logging monitor if you want to understand what's failing and when - that's what it's for. Jim -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> [mailto:isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx>] On Behalf Of Andrew Hodgson Sent: Friday, April 03, 2009 7:33 AM To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx> Subject: [isalist] Re: Question about forms mode authentication for OWA http://www.ISAserver.org<http://www.isaserver.org/> ------------------------------------------------------- Hi Jim, Thanks - that is strange, since the FBA/Basic authentication was what I was using originally on the failed OA connection. Looking into it further, I wonder whether the autodiscover is what is causing the problem? The autodiscover path is by default in that rule if you choose the option to include the extra paths in the wizard. Thanks. Andrew. ________________________________________ From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> [isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx>] On Behalf Of Jim Harrison [Jim@xxxxxxxxxxxx<mailto:Jim@xxxxxxxxxxxx>] Sent: 03 April 2009 14:25 To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx> Subject: [isalist] Re: Question about forms mode authentication for OWA http://www.ISAserver.org<http://www.isaserver.org/> ------------------------------------------------------- Actually, no. There is a relationship between the external and delegated auth method and these are detailed in http://technet.microsoft.com/en-us/library/bb794722.aspx. Andrew, if you want to use Basic delegation internally, you can only use FBA or HTTP-Basic at ISA. Jim -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> [mailto:isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx>] On Behalf Of Moore, Scott A. Sent: Friday, April 03, 2009 6:19 AM To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx> Subject: [isalist] Re: Question about forms mode authentication for OWA http://www.ISAserver.org<http://www.isaserver.org/> ------------------------------------------------------- From my recollection, the auth method on ISA and on the CAS server must match. I believe I was told this directly from PSS when I worked an issue on a customer engagement for their Outlook Anywhere issues with ISA. That particular customer is using Basic with All Users. -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> [mailto:isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx>] On Behalf Of Andrew Hodgson Sent: Friday, April 03, 2009 9:01 AM To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx> Subject: [isalist] Re: Question about forms mode authentication for OWA http://www.ISAserver.org<http://www.isaserver.org/> ------------------------------------------------------- Hi, One thing with this is that whichever scenario I use, the Exchange remote connectivity test tool passes on all counts. Thanks. Andrew. -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> [mailto:isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx>] On Behalf Of Andrew Hodgson Sent: 03 April 2009 13:38 To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx> Subject: [isalist] Re: Question about forms mode authentication for OWA Hi all, I have successfully got OWA and ActiveSync working using form based authentication. However, there is a problem with the Outlook Anywhere rule: If I set the Outlook anywhere rule to allow all users to connect, and allow clients to authenticate with the published application (thus negating the ISA authentication), everything works perfectly. However, If I choose Basic authentication in the Authentication Delegation tab of the OA publishing rule, then set it so that only authenticated users can connect, Outlook gives an error regarding not being able to find an encrypted connection to the Exchange server. Basic authentication is chosen for the OA on the CAS server. I did think about using NTLM authentication, but as users will use basic authentication either internally or externally (since the OA users are not joined to the domain), I wanted the internal and external view to be the same. Thanks. Andrew. -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> [mailto:isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx>] On Behalf Of Steven Comeau Sent: 02 April 2009 16:04 To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx> Subject: [isalist] Re: Question about forms mode authentication for OWA http://www.ISAserver.org<http://www.isaserver.org/> ------------------------------------------------------- I do it and just have a different rule, however, I use the same listener and IP. Steve Comeau Associate Director of IT Rutgers Athletics 83 Rockafeller Road Piscataway, NJ 08854 732-445-7802 732-445-4623 (fax) www.scarletknights.com<http://www.scarletknights.com/> -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> [mailto:isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx>] On Behalf Of Moore, Scott A. Sent: Thursday, April 02, 2009 10:54 AM To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx> Subject: [isalist] Re: Question about forms mode authentication for OWA http://www.ISAserver.org<http://www.isaserver.org/> ------------------------------------------------------- Separate rules, same listeners and IP. This should give you a primer for everything you need to setup and best practices. http://www.isaserver.org/tutorials/Publishing-Exchange-2007-OWA-Exchange-ActiveSync-RPCHTTP-using-2006-ISA-Firewall-Part1.html -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> [mailto:isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx>] On Behalf Of Andrew Hodgson Sent: Thursday, April 02, 2009 10:40 AM To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx> Subject: [isalist] Question about forms mode authentication for OWA http://www.ISAserver.org<http://www.isaserver.org/> ------------------------------------------------------- Hi, I have an ISA Server 2006 SP1 server set up to publish an Exchange OWA instance (running Exchange 2007). I am testing using the forms mode authentication through the ISA box. If I use forms mode on an external web listener, is it correct that the ActiveSync and Outlook Anywhere will not work with this, and that I would need to use a different web listener for these methods? If that is the case, do I need to use another external IP address on the web listener for the ActiveSync/RPC stuff? Thanks. Andrew. -- allpay Limited, Fortis et Fides, Whitestone Business Park, Whitestone, Hereford, HR1 3SE. On 5th March 2009, allpay.net<http://allpay.net/> Limited changed its name to allpay Limited. Registered in England No. 02933191. UK VAT Reg. No. 666 9148 88. Telephone: 0870 243 3434, Fax: 0870 243 6041. Website: www.allpay.net<http://www.allpay.net/> Email: enquiries@xxxxxxxxxx<mailto:enquiries@xxxxxxxxxx> This email, and any files transmitted with it, is confidential and intended solely for the use of the individual or entity to whom it is addressed. If you have received this email in error please notify the allpay.net<http://allpay.net/> Information Security Manager at the number above. ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com<http://www.techgenix.com/> ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx<mailto:listadmin@xxxxxxxxxxxxx> ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com<http://www.techgenix.com/> ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx<mailto:listadmin@xxxxxxxxxxxxx> *** This message contains confidential information and is intended only for the individual named. If you are not the named addressee, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. Rutgers University - DIA 83 Rockafeller Road Piscataway, NJ 08854 www.scarletknights.com<http://www.scarletknights.com/> *** ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com<http://www.techgenix.com/> ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx<mailto:listadmin@xxxxxxxxxxxxx> ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com<http://www.techgenix.com/> ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx<mailto:listadmin@xxxxxxxxxxxxx> ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com<http://www.techgenix.com/> ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx<mailto:listadmin@xxxxxxxxxxxxx> ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com<http://www.techgenix.com/> ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx<mailto:listadmin@xxxxxxxxxxxxx> ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com<http://www.techgenix.com/> ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx<mailto:listadmin@xxxxxxxxxxxxx> ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com<http://www.techgenix.com/> ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx<mailto:listadmin@xxxxxxxxxxxxx> ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com<http://www.techgenix.com/> ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx<mailto:listadmin@xxxxxxxxxxxxx> ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com<http://www.techgenix.com/> ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx<mailto:listadmin@xxxxxxxxxxxxx> -- Cordially yours, Jerry G. Young II Microsoft Certified Systems Engineer