Welcome to ISAserver.org

Authentication with two domains

Authentication with two domains - 10.Oct.2006 11:51:11 AM   
boydie1122

 

Posts: 12
Joined: 30.Mar.2005
Status: offline
Our old Setup:

ISA 2004 in the DMZ, joined to the DMZ domain, publishing an internal FE server's OWA that is in the INTERNAL domain. We have a Checkpoint NG firewall in the DMZ and ISA just serves to publish OWA.

Internally we have an Internal Domain and our FE server and two BE servers are joined to it.

We have Basic Authentication and only port 443 between the DMZ and Internal networks.

Our New Setup

Is exactly the same, only with ISA 2006. We can access the FBA page but it is not possible to log in. When I try Windows Authentication I believe it is trying to authenticate with the DMZ domain. When I try LDAP authentication and open port 389 on Checkpoint it seems to try and log in but never gets there.

Any ideas? This seems like a standard configuration, and one that 50% of ISA users probably use, but it does not work.

Thanks,

Nathan
Post #: 1
RE: Authentication with two domains - 10.Oct.2006 5:51:53 PM   
boydie1122

 

Posts: 12
Joined: 30.Mar.2005
Status: offline
I think this is an issue of pre-authentication vs. straight-through authentication that ISA 2004 offered with FBA. I now have it set up to use LDAP to an internal DC and have opened port 389 on the Checkpoint firewall.

The PSS guy tells me that I don't need to set up LDAPS for this to work, but I think he may be wrong. What do you guys think?

(in reply to boydie1122)
Post #: 2
RE: Authentication with two domains - 10.Oct.2006 7:34:55 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Personally I would use LDAPS, and this is needed if you want to support password-changing features.

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to boydie1122)
Post #: 3
RE: Authentication with two domains - 12.Oct.2006 12:19:56 AM   
boydie1122

 

Posts: 12
Joined: 30.Mar.2005
Status: offline
The issue was resolved after speaking with the 4th PSS person. It was ultimately pre-authentication in ISA 2006 that was not required in 2004. Only 1 of 4 ISA PSS people knew ISA 2004 did not need to pre-authenticate.

I think at one point I probably had all the combinations of settings, but not together. We needed to open the LDAP port, which we previously had not had to do, and contrary to 1 PSS person you do need LDAP two ways.

The main problem was that we were using the NetBIOS name of the domain within the LDAP listener settings, and this conflicts with the certificate, which requires the FQDN. Once we changed the LDAP domain settings from NetBIOS to FQDN we were able to pre-authenticate.

Anyway, this is working in the DMZ domain and is publishing OWA FBA, EAS, OMA and RPC over HTTPS on the same rule with the same listener. We are using 1 IP address and ISA is behind a firewall with only ports 389 and 443 open to the internal network from ISA in the DMZ.

(in reply to Jason Jones)
Post #: 4
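The fix in the post above came down to two configuration details: the LDAP server set must name the DC by its FQDN rather than the NetBIOS domain name so that the name can match the DC's certificate, and (as Jason notes) LDAPS is what you want when credentials cross a firewall and password changes are needed. The script below is an added example, not code from the thread or from ISA Server: it checks the values an administrator would type into an LDAP server set against a certificate in the shape `ssl.getpeercert()` returns. The host names, the domain `corp.example.com` and the sample certificate are constructed for the example; it does not talk to ISA or to a real DC.

```python
"""Sanity-check LDAP server-set values (name, port, LDAPS) before deployment.

Added example; the DC name, domain and certificate below are constructed.
"""
import re
from dataclasses import dataclass

LDAP_PORT = 389
LDAPS_PORT = 636

# Constructed sample shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_DC_CERT = {
    "subject": ((("commonName", "dc1.corp.example.com"),),),
    "subjectAltName": (("DNS", "dc1.corp.example.com"), ("DNS", "corp.example.com")),
}

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


@dataclass(frozen=True)
class LdapServerSetting:
    """The three values an admin enters for an LDAP server (hypothetical model)."""
    server_name: str   # e.g. "INTERNAL" (NetBIOS style) or "dc1.corp.example.com"
    port: int
    use_ldaps: bool


def is_fqdn(name: str) -> bool:
    """True for a dotted DNS name; a single NetBIOS-style label is not an FQDN."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def cert_dns_names(cert: dict) -> list:
    """DNS names the certificate is valid for: SANs first, CN only as fallback."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def hostname_matches(hostname: str, pattern: str) -> bool:
    """Case-insensitive match allowing a single leftmost '*' label (RFC 6125 style)."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat) or host[1:] != pat[1:]:
        return False
    if pat[0] == "*":
        return len(pat) >= 3  # refuse over-broad patterns such as "*.com"
    return host[0] == pat[0]


def check_setting(setting: LdapServerSetting, cert: dict) -> list:
    """Return (code, message) findings; an empty list means the setting looks sound."""
    findings = []
    if not is_fqdn(setting.server_name):
        findings.append(("NETBIOS_NAME",
                         f"'{setting.server_name}' is a short NetBIOS-style name; "
                         "use the DC's FQDN so it can match the server certificate"))
    elif setting.use_ldaps and not any(
            hostname_matches(setting.server_name, n) for n in cert_dns_names(cert)):
        findings.append(("CERT_NAME_MISMATCH",
                         f"certificate names {cert_dns_names(cert)} do not cover "
                         f"'{setting.server_name}'; LDAPS validation will fail"))
    if not setting.use_ldaps:
        findings.append(("PLAINTEXT_LDAP",
                         "plain LDAP sends credentials across the firewall unencrypted "
                         "and password-change features require LDAPS"))
    expected_port = LDAPS_PORT if setting.use_ldaps else LDAP_PORT
    if setting.port != expected_port:
        findings.append(("PORT_MISMATCH",
                         f"port {setting.port} does not match the expected {expected_port}"))
    return findings


if __name__ == "__main__":
    for s in (LdapServerSetting("INTERNAL", 636, True),
              LdapServerSetting("dc1.corp.example.com", 389, False),
              LdapServerSetting("dc1.corp.example.com", 636, True)):
        print(s, "->", check_setting(s, SAMPLE_DC_CERT) or "OK")
```

Run it as-is to see the NetBIOS-name case from the thread flagged, the plain-LDAP-on-389 case warned about, and the FQDN-plus-LDAPS case pass. The certificate check only runs for LDAPS because a plain LDAP connection never validates a name; the NetBIOS check runs regardless, since the short name is the root cause the poster identified.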
