Welcome to ISAserver.org


LDAP Password Chg-Avoid Need to Enter Domain Name/Username

LDAP Password Chg-Avoid Need to Enter Domain Name/Username - 5.Jun.2008 9:25:41 AM   
katkin

 

Posts: 11
Joined: 9.Apr.2003
From: New York
Status: offline
We published OWA 2003 w/LDAP on our ISA 2006 Server (not a member of the domain).

Our users were previously using OWA 2003 via ISA 2004 and were used to entering only their username and password.

We set up the ability for users to change their passwords but wanted them to still log in without entering a domain name (equal to our login expression). 

We added our domain name to the advanced properties of the Authentication Delegation screen on the web listener thinking that might resolve the issue.

As explained in Doc Shinder's tutorial on Configuring ISA 2006 Firewall to Support Password Changes, we still received the Error Page 500 message when changing passwords without a domain name entered in the login screen.

Our solution:  added a login expression wildcard equal to * in the LDAP Servers configuration.

We only have one domain published on the listener and can now change passwords by logging in with just username.

If there are any security snafus with this setup, would welcome your feedback.

Thank you.
Post #: 1
RE: LDAP Password Chg-Avoid Need to Enter Domain Name/U... - 5.Jun.2008 10:37:28 AM   
Jason Jones

 

Posts: 2154
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
I don't see a problem with this...

...until you add a second domain

Why not join ISA to the domain? Then you would never need to worry about LDAP sets.

_____________________________

Jason Jones (MVP)

Silversands Limited http://www.silversands.co.uk
My Blog: http://blog.msfirewall.org.uk/

Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to katkin)
Post #: 2
RE: LDAP Password Chg-Avoid Need to Enter Domain Name/U... - 5.Jun.2008 1:05:39 PM   
katkin

 

Posts: 11
Joined: 9.Apr.2003
From: New York
Status: offline

To: Jason Jones
Subject: Joining ISA to a Domain
 
Hi Jason - Thank you so much for replying to my post.
 
Re joining ISA to a domain to avoid use of LDAP sets, we have an ISA Server with a front firewall template configuration, so we can route Citrix gateway traffic through ISA to our DMZ. Our backend device is a Cisco router performing PAT.
 
Should we consider changing out our backend to an ISA server?     


 


 
From: Jason Jones
Subject: RE: Joining ISA to a Domain
 
Not 100% sure on your current topology, but the most intelligent firewall should be closest to your assets...therefore ISA should be closest to your internal servers.
 
If you need two tiers of firewall, then place your "hardware/network" firewall at the front and make ISA a domain joined backend firewall. You could also use ISA as the front firewall if you want the two-tier architecture and plan on placing servers between the two ISA servers that could benefit from ISA publishing by the frontend device. Also, consider creating ISA protected perimeter networks (DMZs) on the backend firewall with additional network interfaces.
 
Here are some good links:
 
http://www.isaserver.org/tutorials/Configuring-Domain-Members-Back-to-Back-ISA-Firewall-DMZ-Part1.html
 
http://www.isaserver.org/tutorials/Creating-Parallel-ISA-Firewall-Configuration-Netscreen-DMZ.html
 
http://www.isaserver.org/tutorials/2004isapixdmz.html
 
http://www.isaserver.org/tutorials/Creating-Multiple-Security-Perimeters-Multihomed-ISA-Firewall-Part1.html
 
Enjoy!
 
Cheers
 
JJ
 
 

(in reply to katkin)
Post #: 3
