RE: multiple authentications boxes & OWA

  • From: "Alfonso Lopez de Ayala" <alopezdeayala@xxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 6 Jun 2002 13:47:14 -0700

Thanks... but the problem is: no directory should have anonymous read
access.

-----Original Message-----
From: Walkowiak, Matt [mailto:Matt.Walkowiak@xxxxxxxxxxxx] 
Sent: Thursday, June 06, 2002 12:27 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: multiple authentications boxes & OWA

http://www.ISAserver.org


Here is how ya do it (this is basically the manual way of doing what
FrontPage does when you have it do the security)
Create all the different accounts you will be using in usr mgr (or
whatever it's called in Win2K now...)  Take them out of the "Users"
group and stick 'em in the Guest group.  If there are a lot of accounts,
stick 'em all into a local group, too.  NOTE:  do NOT use domain accounts
or domain groups unless this box is a DC or the users will need access
to other servers - keep the web server "an island unto itself."

Go to the root folder of your web site, and remove all inherited
security.  Heck, remove it all, and we will build it up from scratch.
Ok - add in the local Administrators group and the System account, and
give them both full access.  Now add the IUSR account for general
anonymous access.  The rights here are kinda tricky.  You want to give
ONLY read access, so do this:
Click on advanced in the security tab and edit the existing IUSR
account's rights.  There should be 5 boxes checked.  Leave those alone.
Above the boxes is a drop down box - change that to Folders and
Subfolders, and say OK.  Click Add, and add in another IUSR account, and
edit it.  Have it look the same as the "Folders and Subfolders"
account, except UNcheck the top box (2-4 and read permissions should be
checked).  In the drop down box, choose Files Only.

Now, for every account you want to have access to a special part of the
web site, add their account the same way as you added the IUSR account.
Let these permissions propagate to ALL the subfolders and files.  THEN
remove the IUSR account from the directories you want to secure!

Done!

Matt Walkowiak


-----Original Message-----
From: Alfonso Lopez de Ayala [mailto:alopezdeayala@xxxxxxxxxxxx] 
Sent: Thursday, June 06, 2002 1:31 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: multiple authentications boxes & OWA


Matt Walkowiak... wow... awesome insight... you're so right it's
probably a permissions issue rather than ISA... so what is the right way
to do it: set IUSR on all the directories or the specific users ALSO in
the IUSR directories or...?

Testing the web site (Exchange's OWA actually) internally (not thru ISA)
I notice that using Integrated Authentication in IIS it works fine, but
get multiple logon boxes at browser when using Basic Authentication in
IIS... but the problem is that the site needs to be accessed externally
(thru ISA) and then Integrated Authentication doesn't work.

-----Original Message-----
From: Walkowiak, Matt [mailto:Matt.Walkowiak@xxxxxxxxxxxx] 
Sent: Wednesday, June 05, 2002 12:05 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: multiple authentications boxes & OWA


This kind of thing happens when you have a 'mostly' anonymous web site,
and it isn't quite setup correctly.  Let me see if I can explain:
You have a web site that has 10 directories under the root.  Being a
careful admin, you have setup the whole web site to use the IUSR account
for anonymous access, the System and Administrators groups have full
access, and have removed the Everyone group completely.  Now when you
surf the site anonymously, you should be able to get everywhere (using
the IUSR account to get past the security).
Next, you decide that you want a little extra security on one of the
directories, so on that particular directory you remove the IUSR account
and add a normal user and give that user read rights to the secure
directory.  When a user tries to access resources in the secure
directory, Windows notices that the IUSR account is not allowed, and it
asks the user to supply different credentials.  The user does this, so
now they will be surfing in this particular zone with a different
username - not the IUSR account anymore.  So, they can see the resources
in the directory they are in just fine - except for one thing:  The
secure directory asks for things (like pictures in the images directory)
outside of the secure directory.  Since the user is now surfing with a
set of credentials OTHER THAN the IUSR or an Administrator, they are not
allowed to view the resources in the other directories that ARE viewable
if they use the IUSR (anonymous) account.

That all make sense?

Anyway, I would look at your web server first, namely the permissions on
the files and folders.  I don't think it is ISA because ISA is allowing
you to send packets to the web server.  Also, another place to look is
the web log files - turn logging all the way on and log everything, then
look to see where the IUSR account is being used and where a specific
user account is being used.

Matt Walkowiak
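The diagnostic Matt suggests (turn IIS logging all the way up, then look at where the IUSR account is used and where a named account is used) can be scripted. The following is an added example, not code from the thread or from any of its participants: a small Python script that reads W3C extended log lines, splits each URL's results into anonymous (cs-username "-") and authenticated requests, and lists the paths that anonymous requests can read (200) but a logged-on user is refused (401). Those are exactly the resources that trigger the extra credential prompts described above. The log lines, field layout, client addresses and the account name CORP\alice are constructed for the example and are not from the thread.

```python
"""Spot the mixed anonymous/authenticated pattern in IIS W3C extended logs."""
from collections import defaultdict

# Constructed sample log, modelled on the IIS W3C extended format; not a real capture.
# Anonymous requests carry "-" in cs-username, authenticated ones carry the account.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-06-05 17:51:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2002-06-05 17:51:02 10.0.0.5 - GET /exchange/ 401
2002-06-05 17:51:03 10.0.0.5 CORP\\alice GET /exchange/ 200
2002-06-05 17:51:03 10.0.0.5 CORP\\alice GET /exchange/images/logo.gif 401
2002-06-05 17:51:04 10.0.0.5 - GET /exchange/images/logo.gif 200
2002-06-05 17:51:04 10.0.0.5 CORP\\alice GET /exchange/frames.js 401
2002-06-05 17:51:05 10.0.0.5 - GET /exchange/frames.js 200
2002-06-05 17:51:06 10.0.0.5 CORP\\alice GET /exchange/inbox/ 200
2002-06-05 17:52:10 10.0.0.9 - GET /public/index.htm 200
"""


def parse_w3c(text):
    """Yield one dict per request line, taking column names from the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):        # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("request line found before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch on line: {line!r}")
        yield dict(zip(fields, values))


def summarize_auth(records):
    """Per URL: status codes seen for anonymous and for authenticated requests."""
    summary = defaultdict(lambda: {"anonymous": set(), "authenticated": set(), "users": set()})
    for rec in records:
        uri = rec["cs-uri-stem"]
        status = int(rec["sc-status"])
        user = rec["cs-username"]
        if user == "-":
            summary[uri]["anonymous"].add(status)
        else:
            summary[uri]["authenticated"].add(status)
            summary[uri]["users"].add(user)
    return summary


def find_mixed_auth(summary):
    """Paths readable anonymously (200) but refused (401) to a logged-on user.

    This is the symptom explained in the thread: IUSR can read the file, but
    the account the browser is now sending cannot, so each such resource costs
    the user another credential prompt.
    """
    return sorted(uri for uri, s in summary.items()
                  if 200 in s["anonymous"] and 401 in s["authenticated"])


def find_secured(summary):
    """Paths where anonymous was refused and a named account succeeded:
    the intentionally protected directory."""
    return sorted(uri for uri, s in summary.items()
                  if 401 in s["anonymous"] and 200 in s["authenticated"])


def report(text=SAMPLE_LOG):
    """Run the whole analysis over a log text and return both lists."""
    summary = summarize_auth(parse_w3c(text))
    return {"mixed": find_mixed_auth(summary), "secured": find_secured(summary)}


if __name__ == "__main__":
    result = report()
    print("Secured (anonymous denied, named user allowed):", result["secured"])
    print("Mixed (anonymous allowed, named user denied):  ", result["mixed"])
```

On the constructed log the secured list is just /exchange/, while /exchange/images/logo.gif and /exchange/frames.js show up as mixed: they are served to IUSR but refused to CORP\alice, which is the permissions gap to fix on the web server (grant the named accounts read on those paths, as the earlier message describes) rather than anything in ISA. Point the script at a real log by passing the file contents to report().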



-----Original Message-----
From: Alfonso Lopez de Ayala [mailto:alopezdeayala@xxxxxxxxxxxx] 
Sent: Wednesday, June 05, 2002 10:51 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] multiple authentications boxes & OWA


I know similar issues have been discussed here recently... this is yet
another manifestation of (perhaps) the same problem... has anyone found
the definitive solution for this ISA bug?

When a user tries to access an internal web server from the Internet
(published thru ISA using Web Publishing Rules with its appropriate
Destination Set), the user gets multiple authentication boxes... the web
page contents (buttons, images, frames, etc.) appear little by little on
the browsers, as the user enters username/password/domain repeatedly...
this causes the web application to be practically unusable.

Note: I don't see that the specifics on the web server have anything to do
with the problem, but in this case it is users accessing Exchange's OWA
(Outlook Web Access) from the Internet. Exchange/OWA/IIS/ISA are all in
the same box in this case.  Also, the same users can access OWA with no
problem from the internal LAN.

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
matt.walkowiak@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
