ISAserver.org Forums
Outlook Anywhere NTLM Auth & ISA 06EE
Outlook Anywhere NTLM Auth & ISA 06EE - 27.Mar.2007 5:24:50 PM
muflon_ | Posts: 3 | Joined: 29.Aug.2004 | Status: offline

Hi, I used this guide to set up Exchange 07 with ISA06: http://www.microsoft.com/technet/isa/2006/deployment/exchange.mspx
Everything works fine except Outlook Anywhere authentication. When I use NTLM, the Outlook client always prompts for a password and doesn't connect to the Exchange Server (Basic auth works fine). Any solutions? TX
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 9.May2007 11:10:40 PM
tempus | Posts: 5 | Joined: 9.May2007 | Status: offline

Hi Tom, is there any reason why we have to use Basic in the Outlook client, since NTLM is used when Outlook Anywhere is enabled on Exch 2007? Is there any article from Microsoft stating that? If so, then we'll have a reason to say that this is a design by Microsoft. Thanks..
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 11.May2007 1:46:58 PM
tempus | Posts: 5 | Joined: 9.May2007 | Status: offline

I'm using a single web listener for both OWA and Outlook Anywhere..
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 13.May2007 10:36:54 AM
tempus | Posts: 5 | Joined: 9.May2007 | Status: offline

So you mean I should use another web listener for RPC/HTTP with the option to use integrated authentication? In that case, should I use Basic Authentication for the access rule for RPC/HTTP, or what? Seems kinda confusing :)
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 13.May2007 12:31:12 PM
tshinder | Posts: 47490 | Joined: 10.Jan.2001 | From: Texas | Status: offline

The reason is that the FBA fallback is to Basic. So, if you want to use FBA on the same listener, you have to have RPC/HTTP fall back to Basic. If you create a second listener, you configure it to use integrated so that the fallback mechanism isn't required. HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 18.May2007 4:31:54 PM
uzimmermann | Posts: 39 | Joined: 15.May2007 | Status: offline

Hi Tom, you can also use the same FBA web listener when you create a 2nd web publishing rule for Anywhere over the OWA rule and set the Authentication Delegation option to "no authentication but client can authenticate directly". I know that then he goes directly to Exchange, but this way NTLM will work in the Outlook client on the same listener with a single IP :) When you can deal with the option to allow RPC in a company, I think you can also deal with this. Regards, uzimmermann
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 19.May2007 2:46:42 PM
tshinder | Posts: 47490 | Joined: 10.Jan.2001 | From: Texas | Status: offline

Hi UZ, does that actually work? I would think that the FBA-enabled Web listener would block direct authentication from the RPC/HTTP client. Tom
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 19.May2007 8:03:42 PM
uzimmermann | Posts: 39 | Joined: 15.May2007 | Status: offline

Hi Tom, yes, actually this is working for E2k7 and ISA 2006. I use one rule for OWA and ActiveSync with NTLM delegation and an FBA-enabled listener, and I created a 2nd rule over the OWA rule with only the RPC virtual directory. This rule I configured to use Delegation: "no delegation but client can directly authenticate", and it's working with the same FBA-enabled listener (single IP publishing). The RPC client (Outlook 2003 & 2007) will still work with Basic & NTLM settings... I tested only in a single E2k7 scenario, but I think it's also working with a separated CAS because it will change nothing in the idea. But I will also make more tests next week. Kind regards, uzimmermann
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 19.May2007 8:13:52 PM
uzimmermann | Posts: 39 | Joined: 15.May2007 | Status: offline

Sorry, EAS isn't in the NTLM-delegated rule, only OWA :) Regards, uzimmermann
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 20.May2007 11:24:41 AM
uzimmermann | Posts: 39 | Joined: 15.May2007 | Status: offline

Hi Tom, I have more feedback for the scenario with MSRPC and NTLM. I had an interesting conversation with some experts about why this is working with a single FBA listener: because the MSRPC user agent ignores FBA by default. You can check this by using a script to read the actual user agent configs with FBA. So when I use Authentication Delegation "no delegation but client can directly authenticate" on my upper rule, I can use NTLM, but he also goes direct to Exchange, so the security isn't really strong. I think when you use HTTPS SSL to publish this scenario, which is the best practice, it makes no real difference to use only Basic or also NTLM auth with MSRPC (from the security part). Kind regards, uzimmermann
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 21.May2007 10:58:51 AM
tshinder | Posts: 47490 | Joined: 10.Jan.2001 | From: Texas | Status: offline

Hi UZ, well, this is very interesting, because I thought the mechanism was to fall back to Basic when the form is presented to the client. Thanks! Tom
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 22.May2007 5:31:31 AM
uzimmermann | Posts: 39 | Joined: 15.May2007 | Status: offline

Hi Tom, yes it is, and I also thought it for MSRPC before this solution. I hope you can test this too and give some feedback. Thank you, kind regards, UZ
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 22.May2007 8:10:09 AM
tshinder | Posts: 47490 | Joined: 10.Jan.2001 | From: Texas | Status: offline

Hi UZ, I will need to get a new computer to test this. I tried to work with the 32-bit trial version of Exchange 2007, but the SMTP "service" failed to work correctly and there were other problems. I have a Pentium D series 820 dual-core machine, but it's not VT enabled, so I can't run 64-bit guests. So I'm likely going to have to wait a few months before I can test Exchange 2007 scenarios. Tom
< Message edited by tshinder -- 22.May2007 8:53:20 AM >
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 6.Jun.2007 11:12:42 PM
L663 | Posts: 6 | Joined: 6.Jun.2007 | Status: offline

"you can also use the same FBA Weblistener when you Create a 2nd Webpublishing Rule for Anywhere over the OWA Role and make the Authentication Delegation Option: "no authentication but client can authenticate directly" i know then he goes directly to exchange but so NTLM will works in the Outlook Client on the same Listener Single IP :) when you can deal with the option to allow RPC in a Company i think you can also deal with this"

Uzimmermann, can you post some more detail on the rules you use to get NTLM to work externally? I've tried a 2nd rule for the same listener, but can't get NTLM to work through ISA 2006. Basic works fine internally and externally, or NTLM will work internally. I can't get NTLM to work externally. Thanks!
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 8.Jun.2007 1:19:04 AM
tempus | Posts: 5 | Joined: 9.May2007 | Status: offline

Phew... finally got mine to work. What I did was to recreate the certificate from the Exchange server to also include the hostname of the ISA server, using a subject alternative name, which allows multiple domain names in one certificate.. After that, Outlook configured with NTLM works internally from the LAN and also when outside of the LAN.
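The fix tempus describes comes down to one question: does the certificate the client sees name every host it will connect to (here the published Exchange name and the ISA server's host name)? The check below is an added example for this thread, not code from Exchange, ISA Server or the poster. It works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, so it can be run against a constructed certificate (two are embedded below, modelled on the CN-only certificate and the reissued SAN certificate) or against a live server with `fetch_peer_cert`. The host names `mail.example.com` and `isa.example.com` are placeholders.

```python
"""Report which required host names an HTTPS certificate covers.

Added example, not Exchange or ISA Server code. `cert_covers` takes the
dict shape returned by ssl.SSLSocket.getpeercert(); the sample certificates
at the bottom are constructed and the host names are placeholders.
"""
import socket
import ssl


def dns_names(cert):
    """DNS entries from subjectAltName; fall back to the CN only when the
    certificate has no SAN at all (legacy behaviour; with a SAN present,
    clients ignore the CN)."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def name_matches(pattern, hostname):
    """Case-insensitive match; '*.' covers exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def cert_covers(cert, hostnames):
    """Map each required host name to True/False for coverage."""
    names = dns_names(cert)
    return {h: any(name_matches(p, h) for p in names) for h in hostnames}


def fetch_peer_cert(host, port=443):
    """Certificate presented by a live server (not used by the offline check).
    Chain verification stays on: getpeercert() returns an empty dict when
    verification is disabled, and an untrusted chain is itself a finding."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed certificates in getpeercert() shape: the CN-only certificate
# the thread started with, and the reissued one whose SAN also names the ISA
# server host (placeholder names).
CN_ONLY_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
}
SAN_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "isa.example.com")),
}
REQUIRED = ["mail.example.com", "isa.example.com"]


def check(cert):
    """Coverage of the two names an RPC/HTTP client needs in this scenario."""
    return cert_covers(cert, REQUIRED)


if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY_CERT), ("with SAN", SAN_CERT)):
        print(label, check(cert))
```

To run it against a real listener, pass `fetch_peer_cert("mail.example.com")` to `check`; a host name that comes back `False` is one the NTLM-configured Outlook client will refuse to trust.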
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 8.Jun.2007 9:00:01 AM
tshinder | Posts: 47490 | Joined: 10.Jan.2001 | From: Texas | Status: offline

Hi Tempus, how did you recreate the certificate? One gotcha I found when using the dreaded PowerHell to request the certificate is that you cannot export the certificate from the CAS with its private key, so I had to create a new certificate using the Web enrollment site for the ISA Firewall to get OWA and ActiveSync to work. I still don't have Outlook 2007 RPC/HTTP working yet. The Microsoft doc on how to publish Exchange 2007 is not much help in this area. Tom
RE: Outlook Anywhere NTLM Auth & ISA 06EE - 10.Jun.2007 12:14:08 AM
adenhaan | Posts: 35 | Joined: 15.Jul.2005 | Status: offline

I found that the only way to get Outlook Anywhere to work with NTLM while using an FBA listener is like uz described. Here are some more details as requested:

Use a separate web publishing rule for the /rpc path. Allow it for "All users" (not "All authenticated users") and make sure to uncheck "require all users to authenticate". Together these effectively prevent ISA from doing any authentication, so also not the fallback Basic auth challenge of the FBA listener. Finally, set authentication delegation to "no delegation but client can directly authenticate" and enable integrated auth on the rpc directory on the Exchange server.

Note: Using this method the RPC users are NOT authenticated by ISA, but only and directly on the Exchange server, as they pass anonymously through the FBA listener and this rpc rule.
< Message edited by adenhaan -- 10.Jun.2007 12:28:33 AM >
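The thread describes three things an RPC/HTTP client can be handed at the published /rpc path: the forms-based logon page (which a non-browser client cannot complete), the FBA listener's fallback Basic challenge Tom describes, or, with the anonymous /rpc rule uzimmermann and adenhaan describe, an NTLM/Negotiate challenge coming straight from the Exchange CAS. The script below is an added example for this thread, not ISA Server, Exchange or Outlook code: it classifies the first unauthenticated response by status and `WWW-Authenticate`/`Location` headers, and includes a live probe that sends the `MSRPC` User-Agent mentioned above so the result reflects what Outlook, rather than a browser, would get. The sample responses are constructed, `mail.example.com` is a placeholder, and the `CookieAuth.dll` redirect is ISA 2006's forms-based logon URL.

```python
"""Classify what an Outlook Anywhere (RPC over HTTP) client is offered at the
published /rpc path, from the first unauthenticated response.

Added example for the thread, not ISA/Exchange/Outlook code. Modes:
  fba-form    redirect to ISA's CookieAuth.dll logon page; RPC clients fail
  basic-only  FBA listener fell back to Basic; Outlook must be set to Basic
  integrated  NTLM/Negotiate offered (second listener, or the CAS directly
              behind an anonymous /rpc rule); Outlook set to NTLM works
  anonymous   no challenge at all: neither ISA nor the /rpc directory asked
Sample responses are constructed; mail.example.com is a placeholder.
"""
import http.client
import re
from dataclasses import dataclass, field

SCHEME_TOKEN = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*$")


@dataclass
class Response:
    """Status code plus raw (name, value) header pairs, in wire order."""
    status: int
    headers: list = field(default_factory=list)

    def get_all(self, name):
        return [v for n, v in self.headers if n.lower() == name.lower()]


def schemes_offered(resp):
    """Authentication schemes named in WWW-Authenticate headers. Handles one
    challenge with parameters ('Basic realm="x"') and several bare ones in a
    single header ('Negotiate, NTLM'); quoted realms are not mistaken for
    schemes because the token regex rejects them."""
    schemes = set()
    for value in resp.get_all("WWW-Authenticate"):
        for challenge in value.split(","):
            first = challenge.strip().split(" ", 1)[0]
            if SCHEME_TOKEN.match(first):
                schemes.add(first)
    return schemes


def classify(resp):
    """Return (mode, explanation) for the first response an RPC client sees."""
    if resp.status in (301, 302, 303, 307):
        location = (resp.get_all("Location") or [""])[0]
        if "CookieAuth.dll" in location:
            return ("fba-form", "ISA presented its logon form; an RPC/HTTP "
                    "client cannot complete a form, so Outlook keeps prompting.")
        return ("redirect", "Unexpected redirect to %r." % location)
    if resp.status == 401:
        schemes = schemes_offered(resp)
        if schemes & {"NTLM", "Negotiate"}:
            return ("integrated", "Offered %s; Outlook set to NTLM can "
                    "authenticate." % ", ".join(sorted(schemes)))
        if schemes == {"Basic"}:
            return ("basic-only", "Only Basic offered (FBA fallback); Outlook "
                    "must use Basic, over SSL only.")
        return ("unknown-challenge", "401 with schemes %s" % sorted(schemes))
    if resp.status == 200:
        return ("anonymous", "No challenge at all: confirm the /rpc virtual "
                "directory on the CAS still requires authentication.")
    return ("other", "HTTP %d" % resp.status)


def probe(host, path="/rpc/rpcproxy.dll", user_agent="MSRPC", timeout=10):
    """Live check (not used offline): fetch `path` over HTTPS with no
    credentials. 'MSRPC' is the User-Agent the thread says ISA treats
    differently from a browser; pass a browser UA to compare."""
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    conn.request("GET", path, headers={"User-Agent": user_agent, "Host": host})
    raw = conn.getresponse()
    resp = Response(raw.status, raw.getheaders())
    conn.close()
    return resp


# Constructed responses for the situations the thread describes.
SAMPLES = {
    "fba_listener": Response(302, [
        ("Location", "https://mail.example.com/CookieAuth.dll?GetLogon?"
                     "curl=Z2FrpcZ2Frpcproxy.dll&reason=0&formdir=1")]),
    "fba_fallback_basic": Response(401, [
        ("WWW-Authenticate", 'Basic realm="mail.example.com"')]),
    "direct_to_cas": Response(401, [
        ("WWW-Authenticate", "Negotiate"),
        ("WWW-Authenticate", "NTLM"),
        ("WWW-Authenticate", 'Basic realm="mail.example.com"')]),
    "no_auth_anywhere": Response(200, [("Content-Type", "text/html")]),
}


def classify_samples():
    """Mode per constructed sample."""
    return {name: classify(r)[0] for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        mode, why = classify(resp)
        print("%-20s -> %-12s %s" % (name, mode, why))
```

Against a real deployment, `classify(probe("mail.example.com"))` should come back `integrated` for adenhaan's setup and `basic-only` for Tom's single-listener fallback; `anonymous` means the /rpc directory on the CAS is not requiring authentication either, which, since ISA is not authenticating these users, leaves nothing in the path that does.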