Undoubtedly stupid ISA+Exchange auth question
Undoubtedly stupid ISA+Exchange auth question - 3.Dec.2004 5:14:00 PM
paulrobichaux
Posts: 5
Joined: 3.Dec.2004
I'm probably missing something very simple but darned if I know what. Since upgrading my ISA 2000 server to ISA 2004, I've had an odd problem, and I am just now getting around to trying to fix it.
Environment:
- ISA 2004 on Windows 2003 (isa01; not in a domain)
- Exchange 2003 front-end/Windows 2003 (superman)
- Exchange 2003 back-end/Windows 2003 (batman)
- external DNS record for exchange.robichaux.net that points to public IP of ISA box
ISA 2004 config:
- separate publishing rules for POP3S, IMAP, POP, SMTP, IMAPS. These all work fine.
- publishing rule from outside to superman.robichaux.net for OWA, OMA, EAS
- HOSTS file entry resolving superman.robichaux.net to correct internal IP
- form-based authentication enabled for Exchange
Problem: external users cannot log on to OWA, OMA, or Exchange ActiveSync. They're prompted for login credentials; after 3 attempts (for OMA and EAS) or 1 (for FBA), they get a 401 Unauthorized response.
Interesting facts:
1. Internal users can log on to OWA and OMA on the FE or BE, with or without SSL. This tells me that Exchange's authentication is configured right and that the certs are properly installed.
2. There are no errors in the FE or BE event logs.
3. I can't figure out where to check the ISA box for authentication results from the FBA request.
Supposition: for some reason, the credentials requested from the user are making it to the ISA box, but auth between the ISA and FE is failing.
Question: how the heck do I troubleshoot and fix this? It's really bugging me, even though it's not impacting my operations any.
I welcome all constructive suggestions.
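One place to look for the authentication result the post asks about is the IIS W3C log on the Exchange front end, which records every 401 it returned on the OWA, OMA and ActiveSync virtual directories. The script below is an added example, not something from the thread; it parses constructed W3C lines (standard IIS field names, made-up hosts and user) and separates the normal anonymous challenge from 401s that carried a username, which is the case where credentials reached the front end and were rejected.

```python
# Constructed sample: a few W3C lines as the Exchange front end's IIS would log
# them. Field order follows the #Fields directive; hosts and user are made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
2004-12-03 17:02:11 10.0.0.1 - GET /exchange/ 401 0
2004-12-03 17:02:12 10.0.0.1 ROBICHAUX\\paul GET /exchange/ 401 1326
2004-12-03 17:03:40 10.0.0.1 - OPTIONS /Microsoft-Server-ActiveSync 401 0
2004-12-03 17:03:41 10.0.0.1 ROBICHAUX\\paul OPTIONS /Microsoft-Server-ActiveSync 401 1326
2004-12-03 17:05:00 192.168.1.20 ROBICHAUX\\paul GET /oma/ 200 0
"""

# Virtual-directory prefixes for the three published services in the thread.
SERVICES = {"/exchange": "OWA", "/oma": "OMA", "/microsoft-server-activesync": "EAS"}


def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def service_for(uri_stem):
    """Map a request path to OWA/OMA/EAS, or None for anything else."""
    stem = uri_stem.lower()
    for prefix, name in SERVICES.items():
        if stem.startswith(prefix):
            return name
    return None


def triage_401s(text):
    """Per service, count 401s that are anonymous challenges (cs-username '-',
    normal) versus 401s carrying a username, i.e. credentials that reached the
    front end and were rejected (sc-win32-status 1326 is ERROR_LOGON_FAILURE)."""
    result = {}
    for entry in parse_w3c(text):
        svc = service_for(entry["cs-uri-stem"])
        if svc is None or entry["sc-status"] != "401":
            continue
        bucket = result.setdefault(svc, {"challenge": 0, "rejected": 0, "win32": set()})
        if entry["cs-username"] == "-":
            bucket["challenge"] += 1
        else:
            bucket["rejected"] += 1
            bucket["win32"].add(entry["sc-win32-status"])
    return result
```

If every 401 for a service is anonymous, the credentials never reached the front end and the publishing rule or its delegation is the place to look; if 401s carry the username, the front end saw and refused them.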
RE: Undoubtedly stupid ISA+Exchange auth question - 4.Dec.2004 12:35:00 AM
TitusHoc
Posts: 114
Joined: 17.Nov.2004
From: Canada - Toronto
Hey Paul,
The answer is in your question: "form-based authentication enabled for Exchange".
Disable that. ISA 2004 firewall form-based authentication allows the firewall to generate the form, instead of the Exchange 2003 Web Site. Firewall-generated form-based authentication extends the security provided by the delegation of basic authentication to protect the OWA Web site from attacks by unauthenticated users.
Titus
RE: Undoubtedly stupid ISA+Exchange auth question - 4.Dec.2004 1:37:00 PM
paulrobichaux
Posts: 5
Joined: 3.Dec.2004
I turned off FBA on the ISA box and enabled basic. Same problem: attempts to load the page fail after three separate credential popups.
RE: Undoubtedly stupid ISA+Exchange auth question - 6.Dec.2004 11:22:00 AM
paulrobichaux
Posts: 5
Joined: 3.Dec.2004
quote: Originally posted by tshinder: Hi Paul,
Solution:
Join the ISA firewall to the domain.
I won't bore you with all the triviality, but there is no problem joining the ISA firewall to the domain.
I've run into so many wonks and security 'wankers' who tell me in stentorian tones "corporate security officers say not to join the firewall to the domain" and when I press them, I get a govt-oid "fop" look from them as they wrestle with a cogent answer to this question (they might as well be trying to come up with an answer to the meaning of life) :K
Well, in my environment, I am the security officer, so I have some latitude. However, I've kept the ISA box out of the domain for a simple reason: to an attacker, it's more valuable to compromise a domain-joined box than a standalone box because the domain member a) has more information about the domain and b) presents a better springboard for compromising other, higher-value hosts in the domain. In my threat model, that's not a big concern, but I like the (small) degree of extra protection.
However, I'm willing to compromise if it'll make things work.
quote:
However, if you don't want to do that because your sec officer won't let you then you can use RADIUS auth with FBA (you'll need to call PSS to get that fix), or you can use plain SSL/Basic auth.
I am using SSL/basic, and even that isn't working.
RE: Undoubtedly stupid ISA+Exchange auth question - 6.Dec.2004 12:55:00 PM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Hi Paul,
I realize the theoretical concerns re: domain members being better targets and perhaps they are able to leverage the machine's domain membership if attacked, but the fact is no one has ever been able to actually demonstrate a compromise of an attacked firewall that can take advantage of these conceptual issues. It sounds good, and I even promoted that party line at one time, until something hit me along the side of the head with a "put out or get out" scenario, and I wasn't able to put out. Fact is that it's like worrying about pieces from passing airplanes falling on your head. Once you get to that point of paranoia, there are probably better treatments.
Are you using FBA on the Exchange Server too? If so, that can create a problem, because you can use FBA on the ISA firewall, or on the Exchange Server, but not both.
If disabling FBA on the Exchange Server doesn't work, send me your backup file and I'll replicate your config in my lab and see if we can come up with a quick solution.
HTH, Tom
RE: Undoubtedly stupid ISA+Exchange auth question - 6.Dec.2004 8:59:00 PM
paulrobichaux
Posts: 5
Joined: 3.Dec.2004
quote: Originally posted by tshinder: Hi Paul,
I realize the theoretical concerns re: domain members being better targets and perhaps they are able to leverage the machine's domain membership if attacked, but the fact is no one has ever been able to actually demonstrate a compromise of an attacked firewall that can take advantage of these conceptual issues. It sounds good, and I even promoted that party line at one time, until something hit me along the side of the head with a "put out or get out" scenario, and I wasn't able to put out. Fact is that it's like worrying about pieces from passing airplanes falling on your head. Once you get to that point of paranoia, there are probably better treatments.
I'm not disagreeing; most of the places I go, there are so many more egregious problems that need fixin' that having a domain-joined ISA server is way down on the list (like the time I went to a huge law firm and found a blank admin password... but I digress).
quote:
Are you using FBA on the Exchange Server too? If so, that can create a problem, because you can use FBA on the ISA firewall, or on the Exchange Server, but not both.
I had FBA enabled when I was using ISA 2000. I never disabled it after upgrading to ISA 2004, but I didn't use it either, so I didn't notice it was broken. Now that I do notice it, I turned it off and enabled FBA only on ISA. Still no joy.
quote:
If disabling FBA on the Exchange Server doesn't work, send me your backup file and I'll replicate your config in my lab and see if we can come up with a quick solution.
You've got mail.
RE: Undoubtedly stupid ISA+Exchange auth question - 21.Jun.2005 10:34:00 PM
ferrix
Posts: 375
Joined: 16.Mar.2005
As a postscript to this thread, I'd like to offer up our authentication filter, FlexAuth (at http://www.collectivesoftware.com) as a potential solution to some of these issues.
For example, FlexAuth supports LDAP as an authenticator, so even if you can't put your ISA into a domain, you can still use Windows groups and users in your rules. We also provide customizable forms based auth, and automatically use Basic for clients that don't support forms (such as ActiveSync, etc).
As in the posts above, it is important to configure your target Exchange server to turn off its FBA. Otherwise things get very confusing =)
Hope this helps someone in the future!