Welcome to ISAserver.org

Publishing Exchange 2003 with ISA Server 2006

Publishing Exchange 2003 with ISA Server 2006 - 7.Oct.2006 11:12:07 AM   
ccsjnw

 

Posts: 4
Joined: 4.Apr.2005
From: Saltend (England)
Status: offline
Hello,

I've recently upgraded my ISA Server 2004 to 2006. In its freshly upgraded state, RPC over HTTPS, OWA, OMA and ActiveSync continue to work fine (we're using SSL end to end).

However, due to the previous limitation on Basic Auth/Forms Based Auth, we previously used only Basic Auth on ISA 2004 and used Forms Based Authentication on the actual Exchange 2003 SP2 Server. This worked, but meant we were not pre-authenticating the connections.

Because ISA 2006 will now fail back to Basic Auth, it's possible to enable Forms Based Auth for everything. I've switched off forms based on my Exchange 2003 SP2 server, and have enabled a Forms based listener using Basic delegation.

The ISA Server 2006 is not a domain member, but I have configured LDAPS authentication. I am not 100% certain this is working correctly, and may be the cause of the problem; but I'm finding it difficult to troubleshoot - can anyone suggest some good LDAPS tests to try...?

If "Users" in the rule is set to "All Authenticated Users", then the new ISA Server 2006 OWA Form is displayed, but authentication fails. However, if "Users" is set to "All Users" OWA works... but the articles written by Tom state to use "All Authenticated Users" - hence the reason I think LDAPS may be broken...

With Forms Based Authentication switched on in ISA Server 2006, RPC over HTTPS (used in Outlook) fails when authenticating.

I've been using the Live Monitor in ISA Server to troubleshoot - but I saw a post by Tom suggesting this isn't the best debugging method...


Any help gratefully received...


Regards,


James.


_____________________________

IT Officer,
Saltend Cogeneration Company Limited
Post #: 1
RE: Publishing Exchange 2003 with ISA Server 2006 - 14.Oct.2006 11:56:46 PM   
meo_u

 

Posts: 4
Joined: 14.Oct.2006
Status: offline
Hi ccsjnw,

I published OWA by HTTP. But when a client accesses the Exchange Server from the Internet, it shows HTTP Authentication. Later, I typed the username and password but can't access Exchange. Help me. Thanks.

(in reply to ccsjnw)
Post #: 2
RE: Publishing Exchange 2003 with ISA Server 2006 - 28.Oct.2006 11:28:52 AM   
pgisa

 

Posts: 3
Joined: 26.Oct.2006
Status: offline
James,

Did you find the fix or cause for this? I have a similar problem: my ISA box is in the DMZ and I get the ISA OWA form to log in from the internet, but I cannot log in; the page sits there without doing anything.

Many Thanks

PG

(in reply to meo_u)
Post #: 3
RE: Publishing Exchange 2003 with ISA Server 2006 - 9.Nov.2006 3:50:10 AM   
hunglikethor

 

Posts: 112
Joined: 12.Oct.2006
Status: offline
I have the same config as well. I can get to the page externally, but after typing the user name and password correctly I get a 403 error. No packets are exchanged between my ISA server 2003 and Exchange Server 2003.

Edward Ray

(in reply to pgisa)
Post #: 4
RE: Publishing Exchange 2003 with ISA Server 2006 - 10.Nov.2006 4:33:46 PM   
hunglikethor

 

Posts: 112
Joined: 12.Oct.2006
Status: offline
Adding "/exchange" to the end of my URL fixed the problem. Created a Link Translation so that users would only have to type in "https://webmail.netsecdesign.com"

Edward Ray

(in reply to ccsjnw)
Post #: 5
RE: Publishing Exchange 2003 with ISA Server 2006 - 22.Nov.2006 3:16:28 PM   
jayshaw91

 

Posts: 34
Joined: 5.Oct.2006
From: Livonia, Michigan
Status: offline
Hey, HLT, I need some more guidance.  Can you get me some exact steps?  Is this a global mapping?  Link redirection?  Gimme some help, sir!

(in reply to hunglikethor)
Post #: 6
RE: Publishing Exchange 2003 with ISA Server 2006 - 22.Nov.2006 4:10:22 PM   
AfricanIvory

 

Posts: 6
Joined: 21.Nov.2006
Status: offline

I used Global Link Translation to solve the HTTP to HTTPS as well as "/" to "/Exchange" translation.

I'm also suffering from the authentication piece of it. I have a hunch that it's directly related to "Connect LDAP servers over secure connection". How is this connection established to be secure? Does it require a cert? I have a cert installed on the ISA server. When I try to configure an LDAP server set, it tells me it cannot find an LDAP server to verify the user. I checked the Event log and I keep seeing one event associated with this issue:

The LDAP server <IP Address> did not respond.......

(in reply to jayshaw91)
Post #: 7
RE: Publishing Exchange 2003 with ISA Server 2006 - 22.Nov.2006 4:13:18 PM   
jayshaw91

 

Posts: 34
Joined: 5.Oct.2006
From: Livonia, Michigan
Status: offline
AI, OWA only works with Basic Auth.  That's why you use an SSL cert (protect traffic) and preferably SecurID (so hackers can't pound away).

If I'm missing your issue, let me know.  That side of the house I'm good at.  The translation stuff I need some spoon feeding.

(in reply to AfricanIvory)
Post #: 8
RE: Publishing Exchange 2003 with ISA Server 2006 - 22.Nov.2006 5:02:57 PM   
AfricanIvory

 

Posts: 6
Joined: 21.Nov.2006
Status: offline

Jay,

Thanks for the reply. I tried running the procedure in support.microsoft.com/kb/321051. It ran pretty smoothly but I'm still getting the "None of the configured LDAP servers is available for verifying the user." error message. This error corresponds with the error in the eventvwr: Event ID 21286 Source Microsoft ISA server: The LDAP server <servername> did not respond........

Maybe I should just switch to RADIUS auth.....

Any ideas?

(in reply to jayshaw91)
Post #: 9
RE: Publishing Exchange 2003 with ISA Server 2006 - 22.Nov.2006 5:28:21 PM   
jayshaw91

 

Posts: 34
Joined: 5.Oct.2006
From: Livonia, Michigan
Status: offline
If you're talking OWA authentication - which at this point I'm not sure if I'm missing your point or not - the word from Tom Shinder himself is that Basic Auth is the only way OWA works.

If you're not talking OWA, you're in the wrong part of the forums, I think.  This is the Exchange publishing forum, which may be why I'm confused on your intents. 

(in reply to AfricanIvory)
Post #: 10
RE: Publishing Exchange 2003 with ISA Server 2006 - 22.Nov.2006 5:38:12 PM   
AfricanIvory

 

Posts: 6
Joined: 21.Nov.2006
Status: offline

I think I'm still in the correct part of the forum.... I'm using LDAPS between the ISA server and the AD DC to authenticate a group of users in AD who are allowed to use OWA. This group is referenced when authenticating the user via FBA from outside.

(in reply to jayshaw91)
Post #: 11
RE: Publishing Exchange 2003 with ISA Server 2006 - 25.Mar.2008 6:40:06 PM   
matt_kopf

 

Posts: 4
Joined: 25.Mar.2008
Status: offline
I have this problem also. Was a solution found? I don't mean to hijack your thread, but how do you test the SSL to make sure that it is working?

(in reply to ccsjnw)
Post #: 12
RE: Publishing Exchange 2003 with ISA Server 2006 - 26.Mar.2008 8:40:33 AM   
jayshaw91

 

Posts: 34
Joined: 5.Oct.2006
From: Livonia, Michigan
Status: offline
AfricanIvory, if you're still reading this thread, please post how you got this LDAP stuff to work with OWA.  I think I get what you are saying.  You're doing pre-authentication with LDAP and then authenticating the users with basic auth to get them logged in to their mailbox.  I can't wrap my head around how that'd work, so I hope you can educate us all!

Matt_Kopf, can you please give some more detail on what you're trying to do?  What is your exact problem?  Can you tell us about your configuration to help you troubleshoot?

(in reply to matt_kopf)
Post #: 13
RE: Publishing Exchange 2003 with ISA Server 2006 - 26.Mar.2008 1:28:18 PM   
matt_kopf

 

Posts: 4
Joined: 25.Mar.2008
Status: offline
I will try as best I can to describe what we are trying to do in our lab environment.

We have the internet--firewall--ISA server--firewall--LAN (Exchange, AD domain).

On the internet the ISA server is known as test.dnsalias.org and the Exchange server is just called exchange.

We have created certificates for both the test.dnsalias.org and exchange server. They have both been installed on ISA. The web listener is set to listen for the test.dnsalias.org requests, and that appears to work as we get the login page generated by ISA.

We are having ISA use LDAPS to authenticate users to the system. We have punched the proper holes in the internal firewall to allow LDAPS to talk to the AD computer, which in the lab is also the CA issuer.

When we have the rule>users>user sets set to All Users, everything is fine. This tells me that ISA is not authenticating anything and that it is taking place at Exchange. When we change it to All Authenticated Users, it fails at the login. The LDAPS is not working. I don't know how to test this any more or even how to find out what exactly failed.

(in reply to jayshaw91)
Post #: 14
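
One way to test the LDAPS path asked about in this thread, as an added example (not from any poster, and not an ISA Server tool): run it on the machine that has to trust the domain controller, passing the same server name that is entered in the LDAP server set. A machine outside the domain does not automatically receive the internal CA's root certificate, so the script reports separately whether TCP 636 is reachable, whether a TLS handshake completes, and whether the certificate's name and chain are accepted. `dc01.example.local` is a placeholder.

```powershell
# Added example: checks TCP reachability, TLS handshake and certificate trust
# for an LDAPS endpoint. It does not attempt an LDAP bind.
param(
    [string]$Server = 'dc01.example.local',  # placeholder: name used in the LDAP server set
    [int]$Port = 636
)

$seen = @{ PolicyErrors = 'validation callback not reached' }
# Record what Windows thinks of the certificate, but accept it so the
# handshake completes and the certificate can be inspected either way.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($origin, $certificate, $chain, $policyErrors)
    $seen.PolicyErrors = $policyErrors
    $true
}

$stage = 'TCP connect'
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($Server, $Port)
    $stage = 'TLS handshake'
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($Server)   # name check is made against $Server

    $stage = 'certificate inspection'
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)       # uses this machine's trusted roots

    "Subject       : $($cert.Subject)"
    "Issuer        : $($cert.Issuer)"
    "Valid         : $($cert.NotBefore) to $($cert.NotAfter)"
    $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
        ForEach-Object { "Alt names     : $($_.Format($false))" }
    "Policy errors : $($seen.PolicyErrors)"   # None, name mismatch, chain errors
    "Chain trusted : $trusted"
    $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }
}
catch {
    "FAILED during ${stage}: $($_.Exception.Message)"
}
finally {
    if ($ssl) { $ssl.Close() }
    $tcp.Close()
}
```

A failure at the TCP stage points at the firewall path, a failure at the handshake points at the server side of TLS, and policy or chain errors point at the certificate name or at a root the local machine does not trust.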
RE: Publishing Exchange 2003 with ISA Server 2006 - 27.Mar.2008 10:30:29 AM   
jayshaw91

 

Posts: 34
Joined: 5.Oct.2006
From: Livonia, Michigan
Status: offline
1. When you're set to All Users, can you successfully log in?  You don't state that.  You just say you get the login page.  It's not quite clear on if this works.

2. How do you have your validation servers configured?  Can you give some details?

3. For LDAPS, you don't want All Authenticated Users... I don't think that works.  If I get how LDAP works with ISA you need to create a new LDAP authentication group.  This is why *I think* things fail.

To do this, go to your firewall rule, go to Users, click Add, click New, and follow the wizard.  Tell it which AD group you're authenticating against.

If you're trying to allow anyone in your domain to authenticate, why bother with LDAP?  Just use basic auth and let ISA do the pre-authentication with FBA.  My assumption is that you're using LDAP to limit which domain members can log in.

BTW, what exactly are you trying to publish?  OWA, ActiveSync, RPC/HTTP, all of these?

(in reply to matt_kopf)
Post #: 15
RE: Publishing Exchange 2003 with ISA Server 2006 - 27.Mar.2008 1:06:20 PM   
matt_kopf

 

Posts: 4
Joined: 25.Mar.2008
Status: offline
quote:

ORIGINAL: jayshaw91

1. When you're set to All Users, can you successfully log in?  You don't state that.  You just say you get the login page.  It's not quite clear on if this works.

I'm sorry, yes I can successfully login with all users.

quote:

2. How do you have your validation servers configured?  Can you give some details?

We created an LDAP server set pointing to our domain controller, using the logon expression <domain>\*. In the server set we told it to connect using LDAP over secure connection and gave it a username and password to use.
Is that what you were asking?

quote:

3. For LDAPS, you don't want All Authenticated Users... I don't think that works.  If I get how LDAP works with ISA you need to create a new LDAP authentication group.  This is why *I think* things fail.

This is how I understand it, and I may be wrong. If you use 'All Authenticated Users' what ISA does is it takes the username and password that the user provides and then submits it to the LDAP server for authentication. If it gets a positive response then it allows you through, to Exchange in this case. If not, you are blocked.

quote:

To do this, go to your firewall rule, go to Users, click Add, click New, and follow the wizard.  Tell it which AD group you're authenticating against.

If you're trying to allow anyone in your domain to authenticate, why bother with LDAP?  Just use basic auth and let ISA do the pre-authentication with FBA.  My assumption is that you're using LDAP to limit which domain members can log in.

BTW, what exactly are you trying to publish?  OWA, ActiveSync, RPC/HTTP, all of these?

We are trying to publish OWA and ActiveSync (Windows Mobile)

(in reply to jayshaw91)
Post #: 16
RE: Publishing Exchange 2003 with ISA Server 2006 - 27.Mar.2008 4:17:46 PM   
jayshaw91

 

Posts: 34
Joined: 5.Oct.2006
From: Livonia, Michigan
Status: offline
Yep, the details you posted about your validation servers were what I was after.  That looks right to me.

Now, as far as the All Authenticated Users deal, can you send me a link that talks about that?  This is for my educational purposes, mainly.  Again, I understand it differently regarding LDAP, which is why I want to check out that link.

Please keep in mind I'm just a guy who has gotten this working and by no means do I consider myself an "expert", so your assessment of AAU vs. using a specific AD group, like I am, may be right.

I figured you were doing OWA and EAS, but I wanted to double check.  Always better to be on the same page on things.

(in reply to matt_kopf)
Post #: 17
RE: Publishing Exchange 2003 with ISA Server 2006 - 27.Mar.2008 5:24:42 PM   
matt_kopf

 

Posts: 4
Joined: 25.Mar.2008
Status: offline
quote:

ORIGINAL: jayshaw91

Yep, the details you posted about your validation servers were what I was after.  That looks right to me.

Now, as far as the All Authenticated Users deal, can you send me a link that talks about that?  This is for my educational purposes, mainly.  Again, I understand it differently regarding LDAP, which is why I want to check out that link.

Please keep in mind I'm just a guy who has gotten this working and by no means do I consider myself an "expert", so your assessment of AAU vs. using a specific AD group, like I am, may be right.

I figured you were doing OWA and EAS, but I wanted to double check.  Always better to be on the same page on things.


OK, doing a quick search I got this:

In the Web Publishing Rule we created, we used the default setting for the authentication option, which was to allow all authenticated users access to the published Web sites. In a production environment, you might want to limit access to selected groups, instead of allowing unfettered access to any user who has an account in the domain in question.

and I got it from here

I do want people on my domain to have access to OWA or ActiveSync, and will control it at the Exchange server for now at least. I see where the other way might be preferable though. Again I don't have a definitive answer on this either.

(in reply to jayshaw91)
Post #: 18
