[isapros] Re: RPC Question

  • From: "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Thu, 6 Sep 2007 07:56:29 -0400

Whereas it is true that ripe fruit spontaneously generates fruit flies,
a subtle difference.

Amy

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Thursday, September 06, 2007 7:31 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RPC Question

Sure, it's a "perception" not a fact. 

It's the perception of many that rotting meat generates flies
(spontaneous generation). Which it seems to "make sense" it's just not
true :))

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: Thursday, September 06, 2007 6:18 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: RPC Question
> 
> The problem is Tom, it is often more of a perception thing. "Domain
> joined = less secure" is the view of many people, irrespective of the
> fact that the internal interface is IP connected to the LAN...many
> people overlook this simple reality.
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thomas W Shinder
> Sent: 06 September 2007 12:13
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: RPC Question
> 
> One nice thing about Kerberos Constrained Delegation is that it forces
> the dolts to join the ISA Firewalls to the domain.
> 
> BTW -- I have not yet found anyone who could point out where in COBIT
> 4.1 or in the SOX, GLB or HIPAA guidelines that state anything related
> to the ISA Firewall's domain membership. So if you have some dumb*ss
> auditor telling that lie, FORCE them to show you the paragraph and line
> number that says that the domain joined ISA Firewall, which provides
> higher security than a non-domain joined ISA Firewall, would not meet
> the guidelines.
> 
> Tom
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
> 
>  
> 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx 
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > Sent: Thursday, September 06, 2007 6:06 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: RPC Question
> > 
> > Well, amazingly enough with my fear of KCD, I have actually got this
> > working pretty quickly and no more OA prompts. Nice to actually see it
> > working and a good option for customers who want to live with the need
> > for extra listeners/IPs/certs in order to improve transparency.
> > 
> > Jim - do you generally use KCD as your default delegation method unless
> > the application only supports something like Basic (e.g. ActiveSync)??
> > 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx 
> > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Jim Harrison
> > Sent: 06 September 2007 02:00
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: RPC Question
> > 
> > No; I'm saying that if CIO-JerkyBoy is intent on a no-prompt user
> > experience, Amy will have to:
> > 1. configure his OL to use NTLM (you probably overlooked this one) and
> > point it to the oa.domain.tld listener
> > 2. create two listeners for Exch; one for OA and another to support FBA
> > / Basic
> > 3. create separate DNS records for the two listeners (yes; now they have
> > to use "oa.domain.tld" and
> > "EveryFreakinOtherExchServiceCuzTheCioIsAJerkyBoy.domain.tld")
> > 3. configure the OA ISA listener for Integrated authentication
> > 4. configure the non-OA listener for FBA
> > 5. build two rules appropriate to the two listeners and point them both
> > to the same Exchange CAS or farm
> > 
> > Jim
> > 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx 
> > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Jason Jones
> > Sent: Wednesday, September 05, 2007 5:51 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: RPC Question
> > 
> > Are you saying KCD will negate the prompt when using Outlook Anywhere if
> > the user is using cached credentials?
> > 
> > Thought I had got KCD working as all delegation errors had gone, but OA
> > still prompting :-(
> > 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx 
> > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Jim Harrison
> > Sent: 06 September 2007 01:46
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: RPC Question
> > 
> > You get to play with KCD!
> > I hope they operate a Win2K3 Native domain...
> > 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx 
> > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Amy Babinchak
> > Sent: Wednesday, September 05, 2007 5:51 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: RPC Question
> > 
> > Of course there is and it's the usual one. The CEO doesn't want to type
> > in his password every time he uses Outlook.
> > 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx 
> > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Thomas W Shinder
> > Sent: Wednesday, September 05, 2007 8:24 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: RPC Question
> > 
> > Maybe a more important question is:
> > 
> > "Why do you want to use Integrated Authentication at the Web Proxy
> > Listener"
> > 
> > Since the Basic credentials are hidden in SSL tunnels, it shouldn't
> > matter. Or is there another "hidden requirement" which is the actual
> > basis of the question?
> > 
> > :)
> > 
> > Tom
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- Microsoft Firewalls (ISA)
> > 
> >  
> > 
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: Wednesday, September 05, 2007 7:18 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: RPC Question
> > > 
> > > Silly wabbit...
> > > This is an ISA 2006 deployment; none of that SBS/ISA2004
> > > Basic-delegation-only silliness.
> > > 
> > > Amy - you need to get familiar with the chart at the bottom of this
> > > page:
> > > http://www.microsoft.com/technet/isa/2006/authentication.mspx
> > > 
> > > Also, if you're thinking about adding EAS clients, you're limited to
> > > using either Basic or ClientCert auth.
> > > 
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Thomas W Shinder
> > > Sent: Wednesday, September 05, 2007 5:10 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: RPC Question
> > > 
> > > So as to avoid a can of worms that can't be opened.
> > > 
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://blogs.isaserver.org/shinder/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- Microsoft Firewalls (ISA)
> > > 
> > >  
> > > 
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > Sent: Wednesday, September 05, 2007 7:08 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: RPC Question
> > > > 
> > > > Why for you be says dat?
> > > > Snot true...
> > > > 
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > On Behalf Of Thomas W Shinder
> > > > Sent: Wednesday, September 05, 2007 4:18 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: RPC Question
> > > > 
> > > > YOU MUST USE BASIC. That is a requirement. 
> > > > 
> > > > Thomas W Shinder, M.D.
> > > > Site: www.isaserver.org
> > > > Blog: http://blogs.isaserver.org/shinder/
> > > > Book: http://tinyurl.com/3xqb7
> > > > MVP -- Microsoft Firewalls (ISA)
> > > > 
> > > >  
> > > > 
> > > > > -----Original Message-----
> > > > > From: isapros-bounce@xxxxxxxxxxxxx 
> > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > > > > Sent: Wednesday, September 05, 2007 6:15 PM
> > > > > To: isapros@xxxxxxxxxxxxx
> > > > > Subject: [isapros] RPC Question
> > > > > 
> > > > > I'm working on an ISA 2006 machine with an Exchange 2003 server behind
> > > > > it to publish Outlook Anywhere. I used the wizard to create the rule. If
> > > > > I select Basic Authentication (on both ISA and IIS) the publishing rule
> > > > > works. If I use NTLM (on ISA and IIS) it doesn't. I get ISA Denied logs
> > > > > reason 12239. Does it not support NTLM authentication?
> > > > > 
> > > > > Since this works with Basic I know I don't have certificate issues and I
> > > > > know it can authenticate usernames, passwords and find its way to the
> > > > > mailbox.
> > > > > 
> > > > > Amy  
> > > > > 
> > > > All mail to and from this domain is GFI-scanned.