Welcome to ISAserver.org
Forums |
Register |
Login |
My Profile |
Inbox |
RSS 
|
My Subscription |
My Forums |
Address Book |
Member List |
Search |
FAQ |
Ticket List |
Log Out
double forms login?
|
Users viewing this topic:
none
|
Logged in as: Guest
|
Login  | |
|
double forms login? - 4.Jan.2006 11:02:27 PM
|
|
|
BTIAdmin
Posts: 8
Joined: 4.Jan.2006
Status: offline
|
I have followed the documentation found on the site to a T and all is working well, but the fact that we are getting a double forms login page. We recently upgraded from ISA 2000 to 2004 and we were publishing OWA through 2000 which worked great. Now in 2004 I have ISA's publish rule to use FBA and I get the initial login page, I type in my credentials and I am forwarded to the front end servers authentication page, if I just click login on that page I am forwarded to my inbox. I have disabled FBA in exchange system manager so I am not sure why I keep getting the second page. Can anyone provide insight as to why this other page keeps showing up?
thanks,
Paul
|
|
|
|
RE: double forms login? - 5.Jan.2006 3:17:13 AM
|
|
|
tshinder
Posts: 47668
Joined: 10.Jan.2001
From: Texas
Status: online
|
Hi Paul,
Some things to check:
1. Make sure that FBA is disabled on the Exchange Servers
2. Make sure the ISA firewall is a member of the domain
3. Make sure that you are forwarding basic credentails to the published Web site
HTH,
Tom
_____________________________
Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
|
|
|
|
|
RE: double forms login? - 5.Jan.2006 4:46:52 PM
|
|
|
BTIAdmin
Posts: 8
Joined: 4.Jan.2006
Status: offline
|
Tom, thanks for the reply, and I have done the below but I am still getting the same double forms page.
One question I have is for the paths on the ISA publish rule should I only be pointing it to /Exchange, /ExchWeb, and /Public?
When I do this I get a page can not be displayed message, however if I put /* in the path all works well but I get the double forms.
confused.
Paul
|
|
|
|
|
RE: double forms login? - 5.Jan.2006 5:47:02 PM
|
|
|
tshinder
Posts: 47668
Joined: 10.Jan.2001
From: Texas
Status: online
|
Hi Paul,
That's correct. Those are the only paths required.
What is the exact configuration of your Web Publishing Rule? Maybe that can speed up the solution.
Thanks!
Tom
_____________________________
Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
|
|
|
|
|
RE: double forms login? - 6.Jan.2006 3:30:19 PM
|
|
|
BTIAdmin
Posts: 8
Joined: 4.Jan.2006
Status: offline
|
Thanks for you help Tom, here is how my rule is set up.
The publish rule is set up to accept connections made from Anywhere going to Webmail.domain.com set to forward the Original host header, and request appear to come form the original client. Traffic is set to accept only HTTPS using the listener I created which has our cert registered and is specified to use the OWA FBA, and always Authenticate is checked. Public name is setup as webmail.domain.com, and the path currently is set to /* because I get the 403 error code server denied specified URL when I specify the specific paths as stated above. Users is set to all users.
The host file also the entry on the ISA box for webmail.domain.com with the front end exchange server address.
thanks again for any insight.
Paul
|
|
|
|
|
RE: double forms login? - 6.Jan.2006 3:44:13 PM
|
|
|
tshinder
Posts: 47668
Joined: 10.Jan.2001
From: Texas
Status: online
|
Hi Paul,
In order to solve this problem, I need the exact configuration, not example names. I mean exact down to the the common names on the Web site cert and the cert bound to the ISA firewall's Web listener.
Tom
_____________________________
Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
|
|
|
|
|
RE: double forms login? - 9.Jan.2006 2:40:59 PM
|
|
|
BTIAdmin
Posts: 8
Joined: 4.Jan.2006
Status: offline
|
Thanks for helping Tom, the real info is the cert is registered under webmail.biotek.com, and that is the cert that is installed both on the exchange front end server as well as the ISA server web listener. for the rule I am only using webmail.biotek.com, and the host file has an entry for webmail.biotek.com directing it to our front end exchange server. Those are the exact names for the publish rule.
thanks,
Paul
|
|
|
|
|
RE: double forms login? - 9.Jan.2006 6:02:18 PM
|
|
|
tshinder
Posts: 47668
Joined: 10.Jan.2001
From: Texas
Status: online
|
Hi Paul,
OK, so it sounds like you're using webmail.biotek.com from end to end and this is the name on the ISA firewall's Web listener certificate and also the name of the cert of the FE Exchange Server.
Delete the rule and try it again, using the Publish a Mail Server Wizard. Make sure the default auth settings are on the FE Exchange Server, and that the ISA firewall is a domain member and that you're delegating basic authentication to the FE Exchange Server.
Just to confirm, the ISA firewall, FE and BE Exchange Servers are all members of the same domain?
FBA is disabled on both the FE and BE Exchange Servers?
Thanks!
Tom
_____________________________
Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
|
|
|
|
|
RE: double forms login? - 9.Jan.2006 9:20:39 PM
|
|
|
BTIAdmin
Posts: 8
Joined: 4.Jan.2006
Status: offline
|
you are correct in that the ISA firewall and both the FE and BE exchange servers are all part of the same domain.
I have double checked that FBA is disabled on both the FE and BE servers and I will let you know how creating the new rule goes.
thanks,
Paul
|
|
|
|
|
RE: double forms login? - 12.Jan.2006 12:04:02 AM
|
|
|
lolson
Posts: 43
Joined: 23.Nov.2005
Status: offline
|
Is it required for all the servers to be part of the domain? My FE and BE servers are part of the domain, but I removed my ISA server from the domain once I had it working and it still works this way.
|
|
|
|
|
RE: double forms login? - 12.Jan.2006 3:55:19 AM
|
|
|
tshinder
Posts: 47668
Joined: 10.Jan.2001
From: Texas
Status: online
|
Hi Lolson,
Bad move! You can't pre-authenticate unless you use RADIUS, which is a performance dragger.
However, if you're using the ISA firewall only for inbound access, and only in "crippled mode" (unihomed), then its an option, but never my preferred one.
Tom
_____________________________
Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
|
|
|
|
|
RE: double forms login? - 17.Jan.2006 4:51:53 PM
|
|
|
BTIAdmin
Posts: 8
Joined: 4.Jan.2006
Status: offline
|
Tom, just wanted to fill you in with what I have found, and because some users wanted to use OMA we decided not to use the FBA on ISA.
But before reverting I found that if you used webmail.biotek.com/exchange you wouldn't get the double forms, you would just get the ISA Form, and then once authenticated it would log you into your mailbox.
just curious if that could give any extra insigt but not a problem anymore because our remotes complained about the isa forms on their Treos...
thanks,
Paul
|
|
|
|
|
RE: double forms login? - 19.Jan.2006 6:26:55 AM
|
|
|
tshinder
Posts: 47668
Joined: 10.Jan.2001
From: Texas
Status: online
|
Hi Paul,
Ha! I just assumed you were using /exchnage at the end of the path! That explains it all.
That's true, you can't enable FBA on the same Web listener as that used by Windows Mobile. In that case, bind a second IP address to the external interface of the ISA firewall, then create a new Web listener with a new cert.
HTH,
Tom
_____________________________
Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
Printable Version
