Venefyxatu
Hi,

First of all, I've already found tons of useful information on this site and the message boards; most of it I even found relatively fast ;) The newest problem has me stumped, though ...

Let's start with the network setup : I've created a small test network, completely separated from any and all other networks, including the internet, so as not to disturb the "real" network :)

- 1 PC acts as an internal client
- 1 PC acts as Exchange Server, IIS Server, internal DNS Server and Domain Controller
- 1 PC acts as "The Internet". It has DNS configured to point everything that ends in domain.com to the public interface of the ISA server.
- 1 PC is the ISA server firewall and has 3 NICs

From the ISA Server and the internal client PC I have no problem accessing the OWA web client, can login just fine, etc. However, from the "internet", I get the fancy login form, but as soon as I try to login I get "The page cannot be displayed" (error 403 : the server denied the specified URL)

The ISA logs show a lot of initiated & closed HTTPS connections to the public interface of the ISA server, a few failed https connections with Client Username "anonymous", and one https Denied Connection (as per the Default Rule) to the public IP address of the ISA server, with Client Username domain.com\Administrator (note the capitalisation on the https/HTTPS ... when does ISA use which one?)

Because of this I assume that the authentication is successful, but that authenticated users do not have the right to access the perimeter network from the internet. So I tried adding "Authenticated Users" to my PublishOWA rule, without success.

Some settings :

- Public Name : Requests for the following websites : mail.domain.com
- Bridging : Redirect requests to SSL port 443
- Users : All Users (tried both turning on and off the Forward Basic authentication credentials, neither did anything to solve the problem)
- To : Server mail.domain.com, Forward original host header, Requests appear to come from the original client
- Traffic : HTTPS, Require 128-bit encryption for HTTPS traffic
- Listener : Listens on External network, HTTPS port 443, has a valid certificate, uses OWA FBA and has Always Authenticate set to Yes

For network settings I used the 3-leg Perimeter template, but changed Perimeter Access relation to NAT and Perimeter Configuration relation to Route.

Regards,
Venefyxatu
< Message edited by Venefyxatu -- 20.Apr.2006 11:19:24 AM >