Welcome to ISAserver.org
UPN logon doesn't work for user when using basic auth. to diff. domain
UPN logon doesn't work for user when using basic auth. ... - 24.Jan.2006 7:30:47 PM
Jack in the Box
Posts: 51
Joined: 21.Mar.2001
From: Edmonton, AB, CA
Status: offline

Our network is a multi-domain forest. I am configuring ISA Server 2004 (member of DOMAIN2) to publish a secure SharePoint web site (also a member of DOMAIN2) to users in DOMAIN2 and DOMAIN3. The WSS servers (load-balanced) are set up in the MS-recommended reverse-proxy configuration requiring basic authentication only (configured to use DOMAIN2 as default domain). In ISA I have an inbound web-publishing rule configured with basic delegation enabled. The web listener's only configured authentication method is also basic (DOMAIN2 is the default domain) and authentication is not required.

If I set the firewall rule to apply to 'All Authenticated Users' instead of 'All Users' OR if I set the web listener to require authentication, I get an error when a user from DOMAIN3 attempts to log in using a UPN. For example, when a user from DOMAIN3 attempts to log in with a UPN username (preferred), like user@domain3.com or even an alternate UPN (all users' UPNs actually match their e-mail addresses and those domains are configured as alternate UPN suffixes on the domain, so this would be what we actually have), the login fails and the user is continually prompted to input user credentials. If the user submits the username as DOMAIN3\user, however, the login succeeds. For users from DOMAIN2, the default domain for basic authentication on both ISA and IIS, UPN logins work just fine (as well as just typing in the username and password).

If I remove the requirement for authentication, so if I configure the firewall rule to publish for 'All Users' and the web listener is reset to not require authentication, a user from DOMAIN3 can log in using a UPN name without issue, but it appears it is IIS authenticating the request, not ISA. I would very much like to force authentication at the ISA server by restricting incoming access to authenticated users, but all external users from DOMAIN3 who will be accessing this web site WILL be using UPN login names.

Is this just a limitation of ISA 2004? What other options do I have?

Thanks, Chris
< Message edited by Jack in the Box -- 24.Jan.2006 7:50:18 PM >

RE: UPN logon doesn't work for user when using basic au... - 24.Jan.2006 10:06:41 PM
Jack in the Box
Posts: 51
Joined: 21.Mar.2001
From: Edmonton, AB, CA
Status: offline

Tom, No, as I mentioned in my post the IIS website ISA is bridging to is set to use basic authentication only with the default domain set to DOMAIN2. Integrated authentication is disabled.

RE: UPN logon doesn't work for user when using basic au... - 25.Jan.2006 3:15:20 AM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Chris, Sorry about that, I was hoping for an easy answer. I do recall reading the reason for this, but I don't remember where (for what use that is). I'll see if I can find some information on this issue and a possible fix. Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

RE: UPN logon doesn't work for user when using basic au... - 25.Jan.2006 4:02:14 AM
Jack in the Box
Posts: 51
Joined: 21.Mar.2001
From: Edmonton, AB, CA
Status: offline

Any help or insight you could provide would be much appreciated, Tom. Thank you.

RE: UPN logon doesn't work for user when using basic au... - 25.Jan.2006 8:58:22 PM
Jack in the Box
Posts: 51
Joined: 21.Mar.2001
From: Edmonton, AB, CA
Status: offline

Unfortunately it doesn't. The first workaround is to specify the domain via DOMAIN3\user, which won't work as these users do not even know the domain name. And the other method, specifying the username in UPN form, like user@test.com, is exactly what isn't working for users in DOMAIN3. Workaround 2 doesn't apply since this is WSS and does not use the OWA login form, and Workaround 3 is what I already have in place to get around this issue, but it is not preferred as I would like to authenticate at the ISA server rather than at the web server.

RE: UPN logon doesn't work for user when using basic au... - 27.Jan.2006 4:29:12 PM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Jack, I seem to recall something that you can do in AD Domains and Trusts where you can configure alternative domain name suffixes. Right click the root node in the left pane of the console and click Properties and let me know how that works for you. Tom

RE: UPN logon doesn't work for user when using basic au... - 27.Jan.2006 5:13:55 PM
Jack in the Box
Posts: 51
Joined: 21.Mar.2001
From: Edmonton, AB, CA
Status: offline

The alternative domain suffixes are already configured at the forest level and the users already have the alternate suffixes configured for their login. DOMAIN2 and DOMAIN3 based users do not have an issue using UPN login when authenticating directly against the IIS servers (same setup as ISA, member of DOMAIN2, configured for basic authentication only with DOMAIN2 as the default domain). It is when authenticating against ISA 2004 that UPN logins do not work for DOMAIN3 based users (ISA is set up the same as IIS, it is a member of DOMAIN2 and configured to use basic authentication only with DOMAIN2 as the default domain). It is this problem I am hoping to resolve or at least confirm as a known limitation. If ISA can't do it, then I'll have no choice but to open the rule up to 'All Users' and allow authentication at the web server; this works fine. It would just be really great if I don't have to allow unauthenticated traffic to my WSS sites by getting this issue resolved and allow ISA to authenticate the requests first.
< Message edited by Jack in the Box -- 27.Jan.2006 5:18:37 PM >

RE: UPN logon doesn't work for user when using basic au... - 28.Jan.2006 6:40:45 PM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Jack, Hmmm. OK, in the Authentication dialog box on the ISA firewall's Web listener, do you have "\" configured as the default domain? Thanks! Tom

RE: UPN logon doesn't work for user when using basic au... - 28.Jan.2006 8:21:43 PM
Jack in the Box
Posts: 51
Joined: 21.Mar.2001
From: Edmonton, AB, CA
Status: offline

No I don't. I have tried it with it <blank> and as 'DOMAIN2'. Let me try that and I'll report back with the results.

RE: UPN logon doesn't work for user when using basic au... - 11.Feb.2006 2:20:13 AM
Jack in the Box
Posts: 51
Joined: 21.Mar.2001
From: Edmonton, AB, CA
Status: offline

Alright, I'm back, finally. Had a trip out of town sprung on me unexpectedly and the ISA config is in the lab, which I don't have access to remotely. Using '\' for the default domain in ISA had no effect, it still didn't work. The only difference is I would get a 401 error back from IIS because ISA was passing just the username and password back to IIS with no domain specified. I then proceeded to try every combination between ISA and IIS for default basic domain settings and no combination was successful if I set ISA to authenticate the user. So I'm back to where I was originally, requiring ISA to simply allow all users access and have IIS do the authentication. Not ideal, but at least it has the functionality I require (DOMAIN2 users can enter username/password since IIS has DOMAIN2 as the default domain and DOMAIN3 users can log in as user@domain3.com/password).
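
Added illustration, not part of the thread and not ISA or IIS code: a lab helper that decodes the Basic credentials seen on each side of a publishing proxy and reports the logon-name form (bare, DOMAIN\user or UPN), so a difference between what the client sent and what was delegated to the web server becomes visible. The function names, the sample values and the default-domain model in `effective_name` are assumptions made for this example.

```python
import base64

def make_basic(user, password):
    """Build a Basic credential value (used here for constructed samples)."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def parse_basic(value):
    """Return (username, password) from an Authorization header value."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")  # first ':' is the separator
    if not sep:
        raise ValueError("no ':' between user name and password")
    return user, password

def classify(username):
    """Return (form, domain_or_suffix, account) for a logon name."""
    if "\\" in username:
        domain, account = username.split("\\", 1)
        return ("down-level", domain, account)
    if "@" in username:
        account, suffix = username.rsplit("@", 1)
        return ("upn", suffix, account)
    return ("bare", None, username)

def effective_name(username, default_domain):
    """Assumed model: a default domain is applied to bare names only."""
    form, _, account = classify(username)
    if form == "bare" and default_domain:
        return f"{default_domain}\\{account}"
    return username

def delegation_diff(client_value, backend_value):
    """Compare the name the client sent with the name forwarded to the backend."""
    sent, _ = parse_basic(client_value)
    forwarded, _ = parse_basic(backend_value)
    return {"sent": classify(sent)[0], "forwarded": classify(forwarded)[0],
            "changed": sent != forwarded}

# Constructed samples (not captured from ISA): a UPN logon at the listener
# and a bare name arriving at the web server.
CLIENT = make_basic("user@domain3.com", "example-password")
BACKEND = make_basic("user", "example-password")

if __name__ == "__main__":
    print(delegation_diff(CLIENT, BACKEND))
    print(effective_name("user", "DOMAIN2"))
```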

RE: UPN logon doesn't work for user when using basic au... - 19.Mar.2006 5:42:57 PM
Jim Harrison
Posts: 231
Joined: 5.May.2001
From: Redmond, WA
Status: offline

Hi Jack, Are you interested in providing some ISA debugging data offline? This should be working.
_____________________________
Jim Harrison MCP(NT4, W2K), A+, Network+, PCG

RE: UPN logon doesn't work for user when using basic au... - 22.Mar.2006 5:25:18 PM
Jack in the Box
Posts: 51
Joined: 21.Mar.2001
From: Edmonton, AB, CA
Status: offline

Hello Jim, I would have problem providing some debugging information. I still have ISA configured in our test lab where I can reproduce this problem. What do you need? Chris