
Welcome to ISAserver.org


1 listener, 2 different authentication methods

1 listener, 2 different authentication methods - 13.Oct.2006 6:59:05 AM   
rosscoid

 

Posts: 15
Joined: 1.Oct.2004
From: Reading, UK
Status: offline
I am publishing an Exchange server through ISA2006 and would like to make OWA and ActiveSync available to the outside world.  This in itself is no problem and works great with forms based authentication.

However, we have a RADIUS server (2-factor solution - one time password) that I would like to use to further secure the OWA access, so for the listener properties I change the 'authentication validation method' to RADIUS OTP and tick the 'collect additional delegation credentials in the form' and this works brilliantly for OWA, but it breaks ActiveSync from my Windows Mobile 5 clients.  I guess this problem occurs because the mobile clients are also being asked for an OTP which I don't want to happen, since they just need to use basic authentication with their cached AD credentials.

So, is it possible to define these 2 different authentication methods in one listener / IP address?  Or is there a better way to achieve what I am trying to do?

Thanks for any advice.

Post #: 1
RE: 1 listener, 2 different authentication methods - 13.Oct.2006 8:10:20 AM   
simek

 

Posts: 5
Joined: 11.Oct.2006
Status: offline
Have you considered Kerberos delegation, that way all that the user would require to provide is the OTP and no domain password - this works for OWA. I'm not really sure if Kerberos would work for EAS.

But I think you could use one listener, just add a publishing rule, with a different authentication delegation for the EAS.
What kind of credential delegation do you have defined now?

Rgrds

S

(in reply to rosscoid)
Post #: 2
RE: 1 listener, 2 different authentication methods - 13.Oct.2006 10:52:40 AM   
rosscoid

 

Posts: 15
Joined: 1.Oct.2004
From: Reading, UK
Status: offline
Thanks for the response simek.  I've not tried using Kerberos delegation before, and if I'm honest having read a few technotes and looking at the settings / help about it in ISA it sounds complicated.

Not sure that I can use the same listener because the RADIUS OTP setting is within the listener's properties.  I'd need one rule using Active Directory (for ActiveSync) and one rule using RADIUS OTP (for OWA) that would have to be 2 different listeners, but it's not possible for 2 listeners to listen on the same IP address and port (HTTPS).  So, I could use different IP addresses for each listener, but that means different certificates, and I'm not sure if it's possible to then bridge to a single IIS server (which only has 1 certificate).

?

(in reply to simek)
Post #: 3
