Thanks... but the problem is: no directory should have anonymous read access.

-----Original Message-----
From: Walkowiak, Matt [mailto:Matt.Walkowiak@xxxxxxxxxxxx]
Sent: Thursday, June 06, 2002 12:27 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: multiple authentications boxes & OWA

http://www.ISAserver.org

Here is how ya do it (this is basically the manual way of doing what FrontPage does when you have it do the security)

Create all the different accounts you will be using in usr mgr (or whatever it's called in Win2K now...) Take them out of the "Users" group and stick 'em in the Guest group. If there are a lot of accounts, stick 'em all into a local group, too. NOTE: do NOT use domain accounts or domain groups unless this box is a DC or the users will need access to other servers - keep the web server "an island unto itself."

Go to the root folder of your web site, and remove all inherited security. Heck, remove it all, and we will build it up from scratch. Ok - add in the local Administrators group and the System account, and give them both full access.

Now add the IUSR account for general anonymous access. The rights here are kinda tricky. You want to give ONLY read access, so do this: Click on advanced in the security tab and edit the existing IUSR account's rights. There should be 5 boxes checked. Leave those alone. Above the boxes is a drop down box - change that to Folders and Subfolders, and say OK. Click Add, and add in another IUSR account, and edit it. Have it look the same as the "Folders and Subfolders" account, except UNcheck the top box (2-4 and read permissions should be checked). In the drop down box, choose Files Only.

Now, for every account you want to have access to a special part of the web site, add their account the same way as you added the IUSR account. Let these permissions propagate to ALL the subfolders and files. THEN remove the IUSR account from the directories you want to secure! Done!
Matt Walkowiak

-----Original Message-----
From: Alfonso Lopez de Ayala [mailto:alopezdeayala@xxxxxxxxxxxx]
Sent: Thursday, June 06, 2002 1:31 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: multiple authentications boxes & OWA

Matt Walkowiak... wow... awesome insight... you're so right it's probably a permissions issue rather than ISA... so what is the right way to do it: set IUSR on all the directories or the specific users ALSO in the IUSR directories or...?

Testing the web site (Exchange's OWA actually) internally (not thru ISA) I notice that using Integrated Authentication in IIS it works fine, but get multiple logon boxes at browser when using Basic Authentication in IIS... but the problem is that the site needs to be accessed externally (thru ISA) and then Integrated Authentication doesn't work.

-----Original Message-----
From: Walkowiak, Matt [mailto:Matt.Walkowiak@xxxxxxxxxxxx]
Sent: Wednesday, June 05, 2002 12:05 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: multiple authentications boxes & OWA

This kind of thing happens when you have a 'mostly' anonymous web site, and it isn't quite set up correctly. Let me see if I can explain:

You have a web site that has 10 directories under the root. Being a careful admin, you have set up the whole web site to use the IUSR account for anonymous access, the System and Administrators groups have full access, and have removed the Everyone group completely. Now when you surf the site anonymously, you should be able to get everywhere (using the IUSR account to get past the security).

Next, you decide that you want a little extra security on one of the directories, so on that particular directory you remove the IUSR account and add a normal user and give that user read rights to the secure directory.
When a user tries to access resources in the secure directory, Windows notices that the IUSR account is not allowed, and it asks the user to supply different credentials. The user does this, so now they will be surfing in this particular zone with a different username - not the IUSR account anymore. So, they can see the resources in the directory they are in just fine - except for one thing: The secure directory asks for things (like pictures in the images directory) outside of the secure directory. Since the user is now surfing with a set of credentials OTHER THAN the IUSR or an Administrator, they are not allowed to view the resources in the other directories that ARE viewable if they use the IUSR (anonymous) account.

That all make sense?

Anyway, I would look at your web server first, namely the permissions on the files and folders. I don't think it is ISA because ISA is allowing you to send packets to the web server. Also, another place to look is the web log files - turn logging all the way on and log everything, then look to see where the IUSR account is being used and where a specific user account is being used.

Matt Walkowiak

-----Original Message-----
From: Alfonso Lopez de Ayala [mailto:alopezdeayala@xxxxxxxxxxxx]
Sent: Wednesday, June 05, 2002 10:51 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] multiple authentications boxes & OWA

I know similar issues have been discussed here recently... this is yet another manifestation of (perhaps) the same problem... has anyone found the definitive solution for this ISA bug?

When a user tries to access an internal web server from the Internet (published thru ISA using Web Publishing Rules with its appropriate Destination Set), the user gets multiple authentication boxes... the web page contents (buttons, images, frames, etc.) appear little by little on the browser, as the user enters username/password/domain repeatedly... this causes the web application to be practically unusable.
Note: I don't see that the specifics on the web server have anything to do with the problem, but in this case it is users accessing Exchange's OWA (Outlook Web Access) from the Internet. Exchange/OWA/IIS/ISA are all in the same box in this case. Also, the same users can access OWA with no problem from the internal LAN.

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: matt.walkowiak@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
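
Added example, not part of the original thread: one way to do the log review suggested above, by grouping IIS W3C extended log entries per directory and listing which identities were served and which were refused. The log lines, host name and account are constructed, and the sample assumes anonymous requests are logged with "-" in cs-username and that a named account refused by the file ACLs is logged with its name and status 401.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format; names, paths and IPs are made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2002-06-06 17:01:02 192.0.2.10 - GET /default.htm 200
2002-06-06 17:01:02 192.0.2.10 - GET /images/logo.gif 200
2002-06-06 17:01:02 192.0.2.10 - GET /scripts/menu.js 200
2002-06-06 17:01:09 192.0.2.10 - GET /secure/report.htm 401
2002-06-06 17:01:15 192.0.2.10 WEB01\\alice GET /secure/report.htm 200
2002-06-06 17:01:15 192.0.2.10 WEB01\\alice GET /images/chart.gif 401
2002-06-06 17:01:16 192.0.2.10 WEB01\\alice GET /scripts/menu.js 401
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, parts))

def top_dir(uri_stem):
    """Return the first path segment as the directory, or '/' for root files."""
    segs = uri_stem.strip("/").split("/")
    return "/" + segs[0] if len(segs) > 1 else "/"

def summarize(text):
    """Per directory: identities that were served (200) and refused (401)."""
    summary = defaultdict(lambda: {"served": set(), "denied": set()})
    for req in parse_w3c(text):
        user = "anonymous" if req["cs-username"] == "-" else req["cs-username"]
        bucket = {"200": "served", "401": "denied"}.get(req["sc-status"])
        if bucket:
            summary[top_dir(req["cs-uri-stem"])][bucket].add(user)
    return dict(summary)

def prompt_sources(text):
    """Directories that serve anonymous requests but refuse a named account."""
    return sorted(
        d for d, s in summarize(text).items()
        if "anonymous" in s["served"] and (s["denied"] - {"anonymous"})
    )

if __name__ == "__main__":
    print(prompt_sources(SAMPLE_LOG))
```

Directories returned by prompt_sources are the ones whose ACLs allow the anonymous account but not the named account, which is the condition the thread identifies as the source of the repeated logon boxes.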