Whereas it is true that ripe fruit spontaneously generates fruit flies, a
subtle difference.

Amy

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Thursday, September 06, 2007 7:31 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RPC Question

Sure, it's a "perception" not a fact. It's the perception of many that
rotting meat generates flies (spontaneous generation). Which it seems to
"make sense" it's just not true :))

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: Thursday, September 06, 2007 6:18 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: RPC Question
>
> The problem is Tom, it is often more of a perception thing. "Domain
> joined = less secure" is the view of many people, irrespective of the
> fact that the internal interface is IP connected to the LAN...many
> people overlook this simple reality.
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: 06 September 2007 12:13
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: RPC Question
>
> One nice thing about Kerberos Constrained Delegation is that it forces
> the dolts to join the ISA Firewalls to the domain.
>
> BTW -- I have not yet found anyone who could point out where in COBIT
> 4.1 or in the SOX, GLB or HIPAA guidelines that state anything related
> to the ISA Firewall's domain membership. So if you have some dumb*ss
> auditor telling that lie, FORCE them to show you the paragraph and line
> number that says that the domain joined ISA Firewall, which provides
> higher security than a non-domain joined ISA Firewall, would not meet
> the guidelines.
>
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > Sent: Thursday, September 06, 2007 6:06 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: RPC Question
> >
> > Well, amazingly enough with my fear of KCD, I have actually got this
> > working pretty quickly and no more OA prompts. Nice to actually see it
> > working and a good option for customers who want to live with the need
> > for extra listeners/IPs/certs in order to improve transparency.
> >
> > Jim - do you generally use KCD as your default delegation method unless
> > the application only supports something like Basic (e.g. ActiveSync)??
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: 06 September 2007 02:00
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: RPC Question
> >
> > No; I'm saying that if CIO-JerkyBoy is intent on a no-prompt user
> > experience, Amy will have to:
> > 1. configure his OL to use NTLM (you probably overlooked this one) and
> >    point it to the oa.domain.tld listener
> > 2. create two listeners for Exch; one for OA and another to support FBA
> >    / Basic
> > 3. create separate DNS records for the two listeners (yes; now they have
> >    to use "oa.domain.tld" and
> >    "EveryFreakinOtherExchServiceCuzTheCioIsAJerkyBoy.domain.tld")
> > 3. configure the OA ISA listener for Integrated authentication
> > 4. configure the non-OA listener for FBA
> > 5. build two rules appropriate to the two listeners and point them both
> >    to the same Exchange CAS or farm
> >
> > Jim
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > Sent: Wednesday, September 05, 2007 5:51 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: RPC Question
> >
> > Are you saying KCD will negate the prompt when using Outlook Anywhere if
> > the user is using cached credentials?
> >
> > Thought I had got KCD working as all delegation errors had gone, but OA
> > still prompting :-(
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: 06 September 2007 01:46
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: RPC Question
> >
> > You get to play with KCD!
> > I hope they operate a Win2K3 Native domain...
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > Sent: Wednesday, September 05, 2007 5:51 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: RPC Question
> >
> > Of course there is and it's the usual one. The CEO doesn't want to type
> > in his password every time he uses Outlook.
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Wednesday, September 05, 2007 8:24 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: RPC Question
> >
> > Maybe a more important question is:
> >
> > "Why do you want to use Integrated Authentication at the Web Proxy
> > Listener"
> >
> > Since the Basic credentials are hidden in SSL tunnels, it shouldn't
> > matter. Or is there another "hidden requirement" which is the actual
> > basis of the question?
> >
> > :)
> >
> > Tom
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- Microsoft Firewalls (ISA)
> >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: Wednesday, September 05, 2007 7:18 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: RPC Question
> > >
> > > Silly wabbit...
> > > This is an ISA 2006 deployment; none of that SBS/ISA2004
> > > Basic-delegation-only silliness.
> > >
> > > Amy - you need to get familiar with the chart at the bottom of this
> > > page:
> > > http://www.microsoft.com/technet/isa/2006/authentication.mspx
> > >
> > > Also, if you're thinking about adding EAS clients, you're limited to
> > > using either Basic or ClientCert auth.
> > >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > Sent: Wednesday, September 05, 2007 5:10 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: RPC Question
> > >
> > > So as to avoid a can of worms that can't be opened.
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://blogs.isaserver.org/shinder/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- Microsoft Firewalls (ISA)
> > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > Sent: Wednesday, September 05, 2007 7:08 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: RPC Question
> > > >
> > > > Why for you be says dat?
> > > > Snot true...
> > > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > Sent: Wednesday, September 05, 2007 4:18 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: RPC Question
> > > >
> > > > YOU MUST USE BASIC. That is a requirement.
> > > >
> > > > Thomas W Shinder, M.D.
> > > > Site: www.isaserver.org
> > > > Blog: http://blogs.isaserver.org/shinder/
> > > > Book: http://tinyurl.com/3xqb7
> > > > MVP -- Microsoft Firewalls (ISA)
> > > >
> > > > > -----Original Message-----
> > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > > > > Sent: Wednesday, September 05, 2007 6:15 PM
> > > > > To: isapros@xxxxxxxxxxxxx
> > > > > Subject: [isapros] RPC Question
> > > > >
> > > > > I'm working on an ISA 2006 machine with an Exchange 2003 server
> > > > > behind it to publish Outlook Anywhere. I used the wizard to create
> > > > > the rule. If I select Basic Authentication (on both ISA and IIS)
> > > > > the publishing rule works. If I use NTLM (on ISA and IIS) it
> > > > > doesn't. I get ISA Denied logs reason 12239. Does it not support
> > > > > NTLM authentication?
> > > > >
> > > > > Since this works with Basic I know I don't have certificate issues
> > > > > and I know it can authenticate usernames, passwords and find its
> > > > > way to the mailbox.
> > > > >
> > > > > Amy
> > > >
> > > > All mail to and from this domain is GFI-scanned.