Solution-Activesync and Forms authent
Solution-Activesync and Forms authent - 14.Aug.2004 5:29:00 PM
BobW
Posts: 200
Joined: 27.Mar.2002
Status: offline
Not sure if anyone has seen/done this, but it makes me happy!
My users, how do you say, have troubles with anything other than a simple logon process for OWA. Some of them don't even know their username, let alone the domain....
ActiveSync for handhelds (i.e. iPAQ in my case) requires Integrated Windows, which in turn messes up the basic authentication required for my users.
MS had an article on performing a reg hack etc, but it was pulled for some reason.
So here is what I did:
I set authentication on the exchange server on the "exchange" virtual directory for basic AND Integrated Windows Authenticated. This ruins your basic authent method and requires the entering of a domain name to logon to OWA.
THEN I set up the ISA 2004 publishing rule to use forms based authentication. Then I edited the logon.asp on the exchange server to include the default domain name (see the article at msexchange.org; there is even a download for a premodified logon.asp).
THEN, to make the screen not show domain\username but rather username (as to not confuse my users) I modified the strings.txt file on the ISA box located in "C:\Program Files\Microsoft ISA Server\CookieAuthTemplates".
Throw in a link translation for http: to https: and you end up with:
1. An easy way for your users to login to OWA (not to mention a way to stop folks from leaving OWA logged in on public workstations).
2. An easy way to redirect OWA to https via link translation.
3. A way to enable ActiveSync (via https:) without messing with IIS too heavily, hacking the registry, and a way to use IIS 5 (which MS's pulled article did not address).
There you are....works great...just make sure to backup the files before you modify them,
Bob
NOTE: looking forward to feedback and stories that it works for others! [ August 15, 2004, 03:14 AM: Message edited by: BobW ]
RE: Solution-Activesync and Forms authent - 15.Aug.2004 3:10:00 AM
BobW
Posts: 200
Joined: 27.Mar.2002
Status: offline
What do you mean by "the dreaded DS2MB process is waiting to bite you!" please elaborate.
And how about "Sounds like you edited authentication through IIS Manager cos FBA messes things up." All I changed was the authentication on the Exchange virtual folder in IIS manager!
With regard to link translation. My users go to a basic website that they then must click on a link to get to the OWA site or any of the other available resources. I simply told the ISA box to change all requests for http://www.sitename.com to https://www.sitename.com at the ISA box. The outside world is connecting to the ISA box initially via port 80, but then the ISA box switches them to SSL, but between the ISA and exchange box it is running http. I have also set the publishing rule to require SSL, effectively closing the direct port 80 to exchange possibility.
Any and all tips/suggestions you can give me are MUCH appreciated!
Thanks, Bob [ August 15, 2004, 05:03 AM: Message edited by: BobW ]
RE: Solution-Activesync and Forms authent - 15.Aug.2004 4:39:00 AM
BobW
Posts: 200
Joined: 27.Mar.2002
Status: offline
OK, I answered some of my own questions.
I did not realize I should be modifying OWA authentication via "system manager"! I guess that the IIS mod is something I had leftover from my 5.5 days! Pretty embarrassing, but hey, never taken a computer class in my life....
After your post I bounced the server. It seems to work fine. Then I modified the OWA authent to be basic/integrated via system manager (it only showed basic although IIS was set for both).
I then tried dragging and dropping with no issues.
So just to be clear I have basic/integrated on the E2K3 box with FBA on the ISA 2004 box.
Everything seems to be OK still.
Thanks for any help/insight, Bob
NOTE: Sorry to beat this to death, but modifying Exchange server spooks me. [ August 15, 2004, 04:43 AM: Message edited by: BobW ]
RE: Solution-Activesync and Forms authent - 16.Aug.2004 2:03:00 PM
paulbaldwin
Posts: 139
Joined: 2.Apr.2004
From: Lancashire, UK
Status: offline
Hi Bob,
Yikes, I misread your post. You must have been scratching your head over how I could have figured you were using IIS Manager! But at least we cleared that one up and you gained a tip. FBA on ISA (I read Exchange!), that's fine. Avoiding FBA on Exchange avoids much head-banging.
Because you said 'link translation' I assumed you were using the ISA feature of that name (which translates responses). Fortunately that isn't what you were doing because that would have created the weird effects I mentioned.
Cheers
RE: Solution-Activesync and Forms authent - 16.Aug.2004 4:28:00 PM
BobW
Posts: 200
Joined: 27.Mar.2002
Status: offline
We are so close to being on the same page it is rather painful! I am using the ISA link translation BUT only on my portal type page, thus making all links on my portal page (one of which is OWA) change to SSL.
This way if my internal users use OWA from the same portal page the internal listener does NOT redirect them to SSL. This way I don't have to have SSL on the exchange server, only on the ISA box.
At any rate, going back to the original post, is the coming article on msexchange.org using a similar solution to the basic/forms/activesync issue? Does mine sound OK?
Thanks, this is my last post I swear! Bob
RE: Solution-Activesync and Forms authent - 16.Aug.2004 7:02:00 PM
paulbaldwin
Posts: 139
Joined: 2.Apr.2004
From: Lancashire, UK
Status: offline
Ahhh, I see now. Nice!
Unfortunately everyone else reading this thread has gone, thinking 'what are they rabbiting about'. Sorry about that; my fault.
You've gone around the problems with EAS etc, and it is fine - you're happy aren't you. My solution isn't quite the same but you can see it soon and determine the pros and cons of each.
Cheers