Because of this I decided to upgrade to ISA 2006 and get rid of the localhost listener. (I installed 2006 on a brand new server.)
I created a publishing rule to publish OMA, OWA and EAS. I use forms-based on the rule, and EAS and OWA work fine, but OMA doesn't work with the new forms-based authentication. If I use basic authentication OMA works, but I want to use forms-based!
Many of my users use Nokia with Mail for Exchange installed, but they cannot sync after the upgrade to ISA 2006. Qtek works fine.
Because of this problem I decided to downgrade to ISA 2004 again!!!
I've also installed ISA 2006 Standard and I can successfully sync with Mail for Exchange on my Nokia E70, but I have a problem with OMA and Windows Mobile 2003. When I access it using Internet Explorer from my desktop or from the browser on the Nokia E70, I'm presented with the Form Based Authentication screen, so that works. However, when I access it using Pocket Internet Explorer on my PDA running Windows Mobile 2003, I immediately get '401 Unauthorized. The server requires authentication to fullfill the request.' I get no password prompt or the FBA screen.
Yes. On the delegation tab for the OWA publishing rule 'Basic Authentication' is selected. The weird thing is that it works in every browser except for Windows Mobile 2003. Even my Nokia E70 displays the FBA logon screen, but WM2003 does not.
Wish I could test this out, as there is a potential fix. What I need to know is the entry in the Client Agent field in the ISA Firewall's log files. Then we can potentially use this information for the failback to basic feature.
I have more or less the same scenario as Brandy describes in his first post, trying to publish all Exchange services on the same listener, using mostly Symbian-based Nokias and SonyEricssons with Roadsync and Nokia's own Mail4Exchange push email client. I spent quite a lot of time on timeout issues with ISA 2004 to make sure I had an "honest push email scenario" without constant timeouts and reauthentications. FYI, here is a link to my posts on a Nokia forum describing some related issues: http://discussions.nokia.co.uk/discussions/tracker?user.id=8565 . I have deployed ISA 2006 in a test scenario and also experience that the OMA presents the FBA in the Nokia phone as Brandy describes. If I understand your posts correctly, this is by design and does not pose any handicap in my scenarios.
What I am having trouble with is the timeout issue. On ISA 2004 I had this working by selecting 1800 secs on the ISA listener and on the IIS web server hosting the Exchange directories. (Still not sure if the latter was necessary.) This was based on the fact that the Roadsync product had a 15 minutes default keepalive setting for push email and that Nokia would not even disclose the value they had chosen. I also looked at the following MS article: http://support.microsoft.com/?id=905013. On the ISA 2006 I have selected the same value, but clients keep disconnecting/reconnecting more or less all the time. I was hoping for some guidance here. The listener has FBA, Basic auth delegated, force users to auth.
< Message edited by henning -- 18.Sep.2006 6:01:54 PM >
Thanks for the update. Basic delegation is set up fine and I'm using SSL to SSL. When going to the OMA page from a Windows Mobile device I'm directly presented with the oma.aspx page (along with a very long string before it; I suspect this is the cookie string). However, the page displays that I'm not authorized. So I assume that ISA 2006 thinks that it should handle the request just as if it's an ActiveSync request, thus passing through instead of presenting the FBA page. However, since it's unauthenticated, it fails.
That's really the problem we are currently facing. As soon as we use one listener for ActiveSync and OMA and have FBA enabled on the ISA 2006 server, the issue occurs that's mentioned in this thread (unauthorized message and no FBA screen on Windows CE, but an FBA screen on Nokia E70 and normal desktops). When disabling the FBA on the ISA server and passing through authentication to the Exchange server itself, then everything works. But that's not what we want, since we need ISA to authenticate on behalf of the Exchange server.