[isalist] Re: Question about forms mode authentication for OWA

  • From: Jim Harrison <Jim@xxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 6 Apr 2009 06:24:49 -0700

http://www.ISAserver.org
-------------------------------------------------------

Unfortunately, the logs don't include the authentication method (that would be 
useful, wouldn't it?).
Also, the initial request may be anonymous, so you'll want to look in nearby 
log entries for the successful autodiscover requests.

Can you paste the log entry here?

Jim

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Andrew Hodgson
Sent: Monday, April 06, 2009 1:36 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Question about forms mode authentication for OWA

Hi Jim,

Thanks for this.

I have made further investigations and found that it is just the autodiscover 
service that is failing - the Outlook Anywhere is actually working if I define 
the settings manually, including the offline address book etc.

The rule that publishes the autodiscover is the Outlook Anywhere rule, and this 
is set to basic authentication with the web listener set to form based 
authentication.  The rule tests fine on all paths.

I checked the logs, and it is giving an access denied error to the autodiscover 
path, possibly because Outlook isn't trying to authenticate?  I can't see any 
evidence in the logs that ISA is dropping back to basic authentication because 
of the Outlook HTTP user-agent string.

I discovered on this machine that we are pre Outlook 2007 SP1, so just applying 
all patches before continuing.

Thanks.
Andrew.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: 03 April 2009 17:48
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Question about forms mode authentication for OWA

Using FBA/Basic requires that the OL clients use basic as well when they 
authenticate to ISA.
FBA cannot fall back to anything other than HTTP-Basic.
It's highly doubtful that your internal clients are using Basic auth, since OL 
will tend to use RPCoTCP, not RPCoHTTP internally.

Use the logging monitor if you want to understand what's failing and when - 
that's what it's for.

Jim

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Andrew Hodgson
Sent: Friday, April 03, 2009 7:33 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Question about forms mode authentication for OWA

Hi Jim,

Thanks - that is strange, since the FBA/Basic authentication was what I was 
using originally on the failed OA connection.

Looking into it further, I wonder whether the autodiscover is what is causing 
the problem?  The autodiscover path is by default in that rule if you choose 
the option to include the extra paths in the wizard.

Thanks.
Andrew.

________________________________________
From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] On Behalf Of 
Jim Harrison [Jim@xxxxxxxxxxxx]
Sent: 03 April 2009 14:25
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Question about forms mode authentication for OWA

Actually, no.
There is a relationship between the external and delegated auth method and 
these are detailed in http://technet.microsoft.com/en-us/library/bb794722.aspx.

Andrew, if you want to use Basic delegation internally, you can only use FBA or 
HTTP-Basic at ISA.

Jim

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Moore, Scott A.
Sent: Friday, April 03, 2009 6:19 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Question about forms mode authentication for OWA

From my recollection, the auth method on ISA and on the CAS server must match.  
I believe I was told this directly from PSS when I worked an issue on a 
customer engagement for their Outlook Anywhere issues with ISA.  That 
particular customer is using Basic with All Users.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Andrew Hodgson
Sent: Friday, April 03, 2009 9:01 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Question about forms mode authentication for OWA

Hi,

One thing with this is that whichever scenario I use, the Exchange remote 
connectivity test tool passes on all counts.

Thanks.
Andrew.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Andrew Hodgson
Sent: 03 April 2009 13:38
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Question about forms mode authentication for OWA

Hi all,

I have successfully got OWA and ActiveSync working using form based 
authentication.  However, there is a problem with the Outlook Anywhere rule:

If I set the Outlook anywhere rule to allow all users to connect, and allow 
clients to authenticate with the published application (thus negating the ISA 
authentication), everything works perfectly.

However, if I choose Basic authentication in the Authentication Delegation tab 
of the OA publishing rule, then set it so that only authenticated users can 
connect, Outlook gives an error regarding not being able to find an encrypted 
connection to the Exchange server.

Basic authentication is chosen for the OA on the CAS server.  I did think about 
using NTLM authentication, but as users will use basic authentication either 
internally or externally (since the OA users are not joined to the domain), I 
wanted the internal and external view to be the same.

Thanks.
Andrew.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steven Comeau
Sent: 02 April 2009 16:04
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Question about forms mode authentication for OWA

I do it and just have a different rule, however, I use the same listener and IP.

Steve Comeau
Associate Director of IT
Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Moore, Scott A.
Sent: Thursday, April 02, 2009 10:54 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Question about forms mode authentication for OWA

Separate rules, same listeners and IP.

This should give you a primer for everything you need to set up and best 
practices.

http://www.isaserver.org/tutorials/Publishing-Exchange-2007-OWA-Exchange-ActiveSync-RPCHTTP-using-2006-ISA-Firewall-Part1.html



-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Andrew Hodgson
Sent: Thursday, April 02, 2009 10:40 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Question about forms mode authentication for OWA

Hi,

I have an ISA Server 2006 SP1 server set up to publish an Exchange OWA instance 
(running Exchange 2007).

I am testing using the forms mode authentication through the ISA box.

If I use forms mode on an external web listener, is it correct that the 
ActiveSync and Outlook Anywhere will not work with this, and that I would need 
to use a different web listener for these methods?  If that is the case, do I 
need to use another  external IP address on the web listener for the 
ActiveSync/RPC stuff?

Thanks.
Andrew.
--
allpay Limited, Fortis et Fides, Whitestone Business Park, Whitestone, 
Hereford, HR1 3SE.
On 5th March 2009, allpay.net Limited changed its name to allpay Limited.
Registered in England No. 02933191. UK VAT Reg. No. 666 9148 88.

Telephone: 0870 243 3434, Fax: 0870 243 6041.
Website: www.allpay.net
Email: enquiries@xxxxxxxxxx

This email, and any files transmitted with it, is confidential and intended 
solely for the use of the
individual  or entity to whom it is addressed. If you have received this email 
in error please notify
the allpay.net Information Security Manager at the number above.

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx

***  This message contains confidential information and is
intended only for the individual named. If you are not the
named addressee, you should not disseminate, distribute or
copy this e-mail. Please notify the sender immediately by
e-mail if you have received this e-mail by mistake and delete
this e-mail from your system. E-mail transmission cannot be
guaranteed to be secure or error-free as information could be
intercepted, corrupted, lost, destroyed, arrive late or
incomplete, or contain viruses.  The sender therefore does not
accept liability for any errors or omissions in the contents of
this message, which arise as a result of e-mail transmission.
If verification is required please request a hard-copy version.
Rutgers University - DIA
83 Rockafeller Road
Piscataway, NJ 08854
www.scarletknights.com ***
