RE: multiple authentications boxes & OWA

  • From: "Walkowiak, Matt" <Matt.Walkowiak@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 5 Jun 2002 14:05:29 -0500

This kind of thing happens when you have a 'mostly' anonymous web site,
and it isn't quite set up correctly.  Let me see if I can explain:

You have a web site that has 10 directories under the root.  Being a
careful admin, you have set up the whole web site to use the IUSR account
for anonymous access, the System and Administrators groups have full
access, and have removed the Everyone group completely.  Now when you
surf the site anonymously, you should be able to get everywhere (using
the IUSR account to get past the security).

Next, you decide that you want a little extra security on one of the
directories, so on that particular directory you remove the IUSR account
and add a normal user and give that user read rights to the secure
directory.  When a user tries to access resources in the secure
directory, Windows notices that the IUSR account is not allowed, and it
asks the user to supply different credentials.  The user does this, so
now they will be surfing in this particular zone with a different
username - not the IUSR account anymore.  So, they can see the resources
in the directory they are in just fine - except for one thing:  The
secure directory asks for things (like pictures in the images directory)
outside of the secure directory.  Since the user is now surfing with a
set of credentials OTHER THAN the IUSR or an Administrator, they are not
allowed to view the resources in the other directories that ARE viewable
if they use the IUSR (anonymous) account.

That all make sense?

Anyway, I would look at your web server first, namely the permissions on
the files and folders.  I don't think it is ISA because ISA is allowing
you to send packets to the web server.  Also, another place to look is
the web log files - turn logging all the way on and log everything, then
look to see where the IUSR account is being used and where a specific
user account is being used.

Matt Walkowiak



-----Original Message-----
From: Alfonso Lopez de Ayala [mailto:alopezdeayala@xxxxxxxxxxxx] 
Sent: Wednesday, June 05, 2002 10:51 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] multiple authentications boxes & OWA

I know similar issues have been discussed here recently... this is yet
another manifestation of (perhaps) the same problem... has anyone found
the definitive solution for this ISA bug?

When a user tries to access an internal web server from the Internet
(published thru ISA using Web Publishing Rules with its appropriate
Destination Set), the user gets multiple authentication boxes... the web
page contents (buttons, images, frames, etc.) appear little by little on
the browser, as the user enters username/password/domain repeatedly...
this causes the web application to be practically unusable.

Note: I don't see that the specifics on the web server have anything to
do with the problem, but in this case it is users accessing Exchange's OWA
(Outlook Web Access) from the Internet. Exchange/OWA/IIS/ISA are all in
the same box in this case.  Also, the same users can access OWA with no
problem from the internal LAN.
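
The log check suggested in the reply above, as an added example that is not part of the original thread: a Python script that reads IIS W3C extended log lines and lists the directories where anonymous requests succeed but an authenticated user is refused. The sample log, the `CORP\jdoe` account and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (not from the original post).
# IIS records "-" in cs-username for requests served as the anonymous account.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2002-06-05 15:01:10 10.0.0.5 - GET /default.htm 200
2002-06-05 15:01:11 10.0.0.5 - GET /images/logo.gif 200
2002-06-05 15:01:20 10.0.0.5 - GET /secure/report.htm 401
2002-06-05 15:01:25 10.0.0.5 CORP\\jdoe GET /secure/report.htm 200
2002-06-05 15:01:26 10.0.0.5 CORP\\jdoe GET /images/chart.gif 401
2002-06-05 15:01:27 10.0.0.5 CORP\\jdoe GET /images/logo.gif 401
"""

def top_dir(uri):
    """Return the first path segment ('/images'), or '/' for root files."""
    parts = uri.split("/")
    return "/" + parts[1] if len(parts) > 2 else "/"

def summarize(log_text):
    """Per directory, count allowed/denied requests for anonymous vs named users."""
    fields = []
    stats = defaultdict(lambda: {"anon_ok": 0, "anon_denied": 0,
                                 "user_ok": 0, "user_denied": 0})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order is declared per log
            continue
        if not line.strip() or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        who = "anon" if row["cs-username"] == "-" else "user"
        denied = row["sc-status"] in ("401", "403")
        stats[top_dir(row["cs-uri-stem"])][f"{who}_{'denied' if denied else 'ok'}"] += 1
    return dict(stats)

def acl_mismatches(stats):
    """Directories anonymous can read but an authenticated user is refused."""
    return sorted(d for d, s in stats.items()
                  if s["anon_ok"] and s["user_denied"])

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for d in sorted(stats):
        print(d, stats[d])
    print("check NTFS permissions on:", acl_mismatches(stats))
```

A directory reported by `acl_mismatches` is one whose files the anonymous account can read but the named user cannot, which is where the file and folder permissions need to be compared.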
