
Welcome to ISAserver.org


UPN logon doesn't work for user when using basic auth. to diff. domain

UPN logon doesn't work for user when using basic auth. ... - 24.Jan.2006 7:30:47 PM   
Jack in the Box

 

Posts: 51
Joined: 21.Mar.2001
From: Edmonton, AB, CA
Status: offline
Our network is a multi-domain forest.  I am configuring ISA Server 2004 (member of DOMAIN2) to publish a secure SharePoint web site (also a member of DOMAIN2) to users in DOMAIN2 and DOMAIN3.  The WSS servers (load-balanced) are set up in the MS recommended reverse-proxy configuration requiring basic authentication only (configured to use DOMAIN2 as default domain).

In ISA I have an inbound web-publishing rule configured with basic delegation enabled.  The web-listener's only configured authentication method is also basic (DOMAIN2 is the default domain) and authentication is not required.

If I set the firewall rule to apply to 'All Authenticated Users' instead of 'All Users' OR if I set the web listener to require authentication, I get an error when a user from DOMAIN3 attempts to log in using a UPN.  For example, when a user from DOMAIN3 attempts to log in with a UPN username (preferred), like user@domain3.com or even an alternate UPN (all users' UPNs actually match their e-mail addresses and those domains are configured as alternate UPN suffixes on the domain, so this would be what we actually have), the login fails and the user is continually prompted to input user credentials.  If the user submits the username as DOMAIN3\user, however, the login succeeds.  For users from DOMAIN2, the default domain for basic authentication on both ISA and IIS, UPN logins work just fine (as well as just typing in the username and password).

If I remove the requirement for authentication, so if I configure the firewall rule to publish for 'All Users' and the web listener is reset to not require authentication, a user from DOMAIN3 can log in using a UPN name without issue, but it appears it is IIS authenticating the request, not ISA.

I would very much like to force authentication at the ISA server by restricting incoming access to authenticated users but all external users from DOMAIN3 who will be accessing this web site WILL be using UPN login names.  Is this just a limitation of ISA 2004?  What other options do I have?

Thanks,
Chris

< Message edited by Jack in the Box -- 24.Jan.2006 7:50:18 PM >
Post #: 1
RE: UPN logon doesn't work for user when using basic au... - 24.Jan.2006 9:41:15 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Chris,

Is IIS using integrated authentication?

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jack in the Box)
Post #: 2
RE: UPN logon doesn't work for user when using basic au... - 24.Jan.2006 10:06:41 PM   
Jack in the Box

 

Posts: 51
Joined: 21.Mar.2001
From: Edmonton, AB, CA
Status: offline
Tom,

No, as I mentioned in my post the IIS website ISA is bridging to is set to use basic authentication only with the default domain set to DOMAIN2.  Integrated authentication is disabled.

(in reply to tshinder)
Post #: 3
RE: UPN logon doesn't work for user when using basic au... - 25.Jan.2006 3:15:20 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Chris,

Sorry about that, I was hoping for an easy answer.

I do recall reading the reason for this, but I don't remember where (for what use that is).

I'll see if I can find some information on this issue and a possible fix.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jack in the Box)
Post #: 4
RE: UPN logon doesn't work for user when using basic au... - 25.Jan.2006 4:02:14 AM   
Jack in the Box

 

Posts: 51
Joined: 21.Mar.2001
From: Edmonton, AB, CA
Status: offline
Any help or insight you could provide would be much appreciated Tom.  Thank you.

(in reply to tshinder)
Post #: 5
RE: UPN logon doesn't work for user when using basic au... - 25.Jan.2006 8:07:28 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jack,

Does this help?

http://support.microsoft.com/?kbid=820378

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jack in the Box)
Post #: 6
RE: UPN logon doesn't work for user when using basic au... - 25.Jan.2006 8:58:22 PM   
Jack in the Box

 

Posts: 51
Joined: 21.Mar.2001
From: Edmonton, AB, CA
Status: offline
Unfortunately it doesn't.  The first workaround is to specify the domain via DOMAIN3\user, which won't work as these users do not even know the domain name.  And the other method, specifying the username in UPN form, like user@test.com, is exactly what isn't working for users in DOMAIN3.

Workaround 2 doesn't apply since this is WSS and does not use the OWA login form, and Workaround 3 is what I already have in place to get around this issue, but it is not preferred as I would like to authenticate at the ISA server rather than at the web server.

(in reply to tshinder)
Post #: 7
RE: UPN logon doesn't work for user when using basic au... - 27.Jan.2006 4:29:12 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jack,

I seem to recall something that you can do in AD Domains and Trusts where you can configure alternative domain name suffixes. Right click the root node in the left pane of the console and click Properties and let me know how that works for you.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jack in the Box)
Post #: 8
RE: UPN logon doesn't work for user when using basic au... - 27.Jan.2006 5:13:55 PM   
Jack in the Box

 

Posts: 51
Joined: 21.Mar.2001
From: Edmonton, AB, CA
Status: offline
The alternative domain suffixes are already configured at the forest level and the users already have the alternate suffixes configured for their login.  DOMAIN2 and DOMAIN3 based users do not have an issue using UPN login when authenticating directly against the IIS servers (same setup as ISA, member of DOMAIN2, configured for basic authentication only with DOMAIN2 as the default domain).

It is when authenticating against ISA 2004 that UPN logins do not work for DOMAIN3 based users (ISA is set up the same as IIS, it is a member of DOMAIN2 and configured to use basic authentication only with DOMAIN2 as the default domain). It is this problem I am hoping to resolve or at least confirm as a known limitation.  If ISA can't do it, then I'll have no choice than to open the rule up to 'All Users' and allow authentication at the web server; this works fine.  It would just be really great if I don't have to allow unauthenticated traffic to my WSS sites by getting this issue resolved and allow ISA to authenticate the requests first.

< Message edited by Jack in the Box -- 27.Jan.2006 5:18:37 PM >

(in reply to tshinder)
Post #: 9
RE: UPN logon doesn't work for user when using basic au... - 28.Jan.2006 6:40:45 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jack,

Hmmm. OK, in the Authentication dialog box on the ISA firewall's Web listener, do you have "\" configured as the default domain?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jack in the Box)
Post #: 10
RE: UPN logon doesn't work for user when using basic au... - 28.Jan.2006 8:21:43 PM   
Jack in the Box

 

Posts: 51
Joined: 21.Mar.2001
From: Edmonton, AB, CA
Status: offline
No I don't.  I have tried it with it <blank> and as 'DOMAIN2'.  Let me try that and I'll report back with the results.

(in reply to tshinder)
Post #: 11
RE: UPN logon doesn't work for user when using basic au... - 29.Jan.2006 4:31:37 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jack,

Thanks! Looking forward to hearing about the results.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jack in the Box)
Post #: 12
RE: UPN logon doesn't work for user when using basic au... - 11.Feb.2006 2:20:13 AM   
Jack in the Box

 

Posts: 51
Joined: 21.Mar.2001
From: Edmonton, AB, CA
Status: offline
Alright, I'm back, finally.  Had a trip out of town sprung on me unexpectedly and the ISA config is in the lab which I don't have access to remotely.

Using '\' for the default domain in ISA had no effect, it still didn't work.  The only difference is I would get a 401 error back from IIS because ISA was passing just the username and password back to IIS with no domain specified.  I then proceeded to try every combination between ISA and IIS for default basic domain settings and no combination was successful if I set ISA to authenticate the user.

So I'm back to where I was originally, requiring ISA to simply allow all users access and have IIS do the authentication.  Not ideal but at least it has the functionality I require (DOMAIN2 users can enter username/password since IIS has DOMAIN2 as the default domain and DOMAIN3 users can log in as user@domain3.com/password).

(in reply to tshinder)
Post #: 13
RE: UPN logon doesn't work for user when using basic au... - 12.Feb.2006 7:49:25 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jack,

Darn. I still haven't found anything to solve this problem.

Maybe with ISA 2006.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jack in the Box)
Post #: 14
RE: UPN logon doesn't work for user when using basic au... - 19.Mar.2006 5:42:57 PM   
Jim Harrison

 

Posts: 271
Joined: 5.May.2001
From: Redmond, WA
Status: offline
Hi Jack,

Are you interested in providing some ISA debugging data offline?
This should be working.

_____________________________

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG

(in reply to tshinder)
Post #: 15
RE: UPN logon doesn't work for user when using basic au... - 22.Mar.2006 5:25:18 PM   
Jack in the Box

 

Posts: 51
Joined: 21.Mar.2001
From: Edmonton, AB, CA
Status: offline
Hello Jim,

I would have problem providing some debugging information.  I still have ISA configured in our test lab where I can reproduce this problem.  What do you need?

Chris

(in reply to Jim Harrison)
Post #: 16
