Posts: 51
Joined: 21.Mar.2001
From: Edmonton, AB, CA
Status: offline
Our network is a multi-domain forest. I am configuring ISA Server 2004 (member of DOMAIN2) to publish a secure Sharepoint web-site (also a member of DOMAIN2) to users in DOMAIN2 and DOMAIN3. The WSS servers (load-balanced) are set up in the MS recommended reverse-proxy configuration requiring basic authentication only (configured to use DOMAIN2 as default domain).
In ISA I have an inbound web-publishing rule configured with basic delegation enabled. The web-listener's only configured authentication method is also basic (DOMAIN2 is the default domain) and authentication is not required.
If I set the firewall rule to apply to 'All Authenticated Users' instead of 'All Users' OR if I set the web listener to require authentication I get an error when a user from DOMAIN3 attempts to log in using a UPN. For example, when a user from DOMAIN3 attempts to log in with a UPN username (preferred), like user@domain3.com or even an alternate UPN (all users' UPNs actually match their e-mail address and those domains are configured as alternate UPN suffixes on the domain so this would be what we actually have) the login fails and the user is continually prompted to input user credentials. If the user submits the username as DOMAIN3\user however the login succeeds. For users from DOMAIN2, the default domain for basic authentication on both ISA and IIS, UPN logins work just fine (as well as just typing in the username and password).
If I remove the requirement for authentication, so if I configure the firewall rule to publish for 'All Users' and the web listener is reset to not require authentication, a user from DOMAIN3 can log in using a UPN name without issue, but it appears it is IIS authenticating the request, not ISA.
I would very much like to force authentication at the ISA server by restricting incoming access to authenticated users but all external users from DOMAIN3 who will be accessing this web site WILL be using UPN login names. Is this just a limitation of ISA 2004? What other options do I have?
Thanks, Chris
< Message edited by Jack in the Box -- 24.Jan.2006 7:50:18 PM >
Tom,
No, as I mentioned in my post the IIS website ISA is bridging to is set to use basic authentication only with the default domain set to DOMAIN2. Integrated authentication is disabled.
Unfortunately it doesn't. The first workaround is to specify the domain via DOMAIN3\user, which won't work as these users do not even know the domain name. And the other method, specifying the username in UPN form, like user@test.com, is exactly what isn't working for users in DOMAIN3.
Workaround 2 doesn't apply since this is WSS and does not use the OWA login form, and Workaround 3 is what I already have in place to get around this issue, but it is not preferred as I would like to authenticate at the ISA server rather than at the web server.
I seem to recall something that you can do in AD Domains and Trusts where you can configure alternative domain name suffixes. Right click the root node in the left pane of the console and click Properties and let me know how that works for you.
The alternative domain suffixes are already configured at the forest level and the users already have the alternate suffixes configured for their login. DOMAIN2 and DOMAIN3 based users do not have an issue using UPN login when authenticating directly against the IIS servers (same setup as ISA, member of DOMAIN2, configured for basic authentication only with DOMAIN2 as the default domain).
It is when authenticating against ISA 2004 that UPN logins do not work for DOMAIN3 based users (ISA is set up the same as IIS: it is a member of DOMAIN2 and configured to use basic authentication only with DOMAIN2 as the default domain). It is this problem I am hoping to resolve or at least confirm as a known limitation. If ISA can't do it, then I'll have no choice but to open the rule up to 'All Users' and allow authentication at the web server; this works fine. It would just be really great if I don't have to allow unauthenticated traffic to my WSS sites by getting this issue resolved and allowing ISA to authenticate the requests first.
< Message edited by Jack in the Box -- 27.Jan.2006 5:18:37 PM >
Alright, I'm back, finally. Had a trip out of town sprung on me unexpectedly and the ISA config is in the lab which I don't have access to remotely.
Using '\' for the default domain in ISA had no effect, it still didn't work. The only difference is I would get a 401 error back from IIS, because ISA was passing just the username and password back to IIS with no domain specified. I then proceeded to try every combination between ISA and IIS for default basic domain settings and no combination was successful if I set ISA to authenticate the user.
So I'm back to where I was originally, requiring ISA to simply allow all users access and have IIS do the authentication. Not ideal, but at least it has the functionality I require (DOMAIN2 users can just enter username/password since IIS has DOMAIN2 as the default domain, and DOMAIN3 users can log in as user@domain3.com/password).
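The "try every combination" step above is easier to repeat systematically with a small harness. This is an added example, not code from the thread or from ISA/WSS: it sends one request per user-name form discussed here (plain, DOMAIN3\user, UPN) and reports the HTTP status the published site returns; the site URL, account names and password are placeholders to replace with your own lab values.

```python
import base64
import urllib.error
import urllib.request

# Placeholders (constructed for this example): point these at your own lab listener.
SITE_URL = "https://sharepoint.example.test/"
PASSWORD = "placeholder-password"

# The three credential forms compared in the thread (constructed sample names).
CANDIDATES = {
    "plain":     "user",               # relies on the listener's default domain
    "downlevel": "DOMAIN3\\user",      # reported to work when ISA authenticates
    "upn":       "user@domain3.com",   # reported to fail when ISA authenticates
}

def basic_header(username: str, password: str) -> str:
    """Build the Authorization value a browser sends for Basic authentication."""
    raw = f"{username}:{password}".encode("latin-1")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def decode_basic(value: str) -> tuple:
    """Inverse of basic_header: handy when inspecting what a proxy forwards.
    Splits on the first colon only, so a password may itself contain ':'."""
    scheme, _, blob = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, pw = base64.b64decode(blob).decode("latin-1").partition(":")
    return user, pw

def probe(url: str, username: str, password: str, timeout: float = 10) -> int:
    """Send one request with Basic credentials and return the HTTP status code.
    A 401 (from ISA or IIS) is raised by urllib as HTTPError, so catch it."""
    req = urllib.request.Request(
        url, headers={"Authorization": basic_header(username, password)})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def probe_all(url: str = SITE_URL, password: str = PASSWORD) -> dict:
    """Return {form: status} for every candidate user-name form."""
    return {form: probe(url, name, password) for form, name in CANDIDATES.items()}

if __name__ == "__main__":
    for form, status in probe_all().items():
        print(f"{form:10s} -> HTTP {status}")
```

Run it once with the listener set to require authentication and once with it open, and compare which forms change from 200 to 401; that pins down whether ISA or IIS rejected the UPN.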
Hello Jim,
I would have no problem providing some debugging information. I still have ISA configured in our test lab where I can reproduce this problem. What do you need?