Welcome to ISAserver.org
1 listener, 2 different authentication methods
1 listener, 2 different authentication methods - 13.Oct.2006 6:59:05 AM
rosscoid
Posts: 15
Joined: 1.Oct.2004
From: Buckinghamshire, UK
Status: offline
I am publishing an Exchange server through ISA2006 and would like to make OWA and ActiveSync available to the outside world. This in itself is no problem and works great with forms-based authentication. However, we have a RADIUS server (2-factor solution - one time password) that I would like to use to further secure the OWA access, so for the listener properties I change the 'authentication validation method' to RADIUS OTP and tick the 'collect additional delegation credentials in the form' and this works brilliantly for OWA, but it breaks ActiveSync from my Windows Mobile 5 clients. I guess this problem occurs because the mobile clients are also being asked for an OTP which I don't want to happen, since they just need to use basic authentication with their cached AD credentials. So, is it possible to define these 2 different authentication methods in one listener / IP address? Or is there a better way to achieve what I am trying to do? Thanks for any advice.
RE: 1 listener, 2 different authentication methods - 13.Oct.2006 8:10:20 AM
simek
Posts: 2
Joined: 11.Oct.2006
Status: offline
Have you considered Kerberos delegation? That way all that the user would be required to provide is the OTP and no domain password - this works for OWA. I'm not really sure if Kerberos would work for EAS. But I think you could use one listener, just add a publishing rule with a different authentication delegation for the EAS. What kind of credential delegation do you have defined now? Rgrds S
RE: 1 listener, 2 different authentication methods - 13.Oct.2006 10:52:40 AM
rosscoid
Posts: 15
Joined: 1.Oct.2004
From: Buckinghamshire, UK
Status: offline
Thanks for the response simek. I've not tried using Kerberos delegation before, and if I'm honest having read a few technotes and looking at the settings / help about it in ISA it sounds complicated. Not sure that I can use the same listener because the RADIUS OTP setting is within the listener's properties. I'd need one rule using Active Directory (for ActiveSync) and one rule using RADIUS OTP (for OWA) that would have to be 2 different listeners, but it's not possible for 2 listeners to listen on the same IP address and port (HTTPS). So, I could use different IP addresses for each listener, but that means different certificates, and I'm not sure if it's possible to then bridge to a single IIS server (which only has 1 certificate)?