Welcome to ISAserver.org

Discussion about article on Web Listeners for Autodiscover Service

Discussion about article on Web Listeners for Autodisco... - 10.Sep.2007 12:34:37 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the article on Web Listeners for the autodiscover service at XXX

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.
Post #: 1
RE: Discussion about article on Web Listeners for Autod... - 14.Sep.2007 9:29:40 AM   
vapor-trails

 

Posts: 14
Joined: 2.Dec.2002
From: US
Status: offline
Good Morning Tom!

Can you expand on this article with respect to having a site certificate that supports Subject Alternate Names?  I noticed in the article that you've chosen two different website IPs with two different digital certificates.

Wouldn't this work with 1 IP and 1 certificate assuming that the certificate supports Subject Alternate Names?

-Vapor-Trails

(in reply to tshinder)
Post #: 2
RE: Discussion about article on Web Listeners for Autod... - 17.Sep.2007 7:52:42 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi VT,

No, that will not work because the clients aren't able to "consume" the SANs.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to vapor-trails)
Post #: 3
RE: Discussion about article on Web Listeners for Autod... - 17.Sep.2007 8:21:15 PM   
vapor-trails

 

Posts: 14
Joined: 2.Dec.2002
From: US
Status: offline
I am not sure I follow you.  Could you be more specific?  Thanks!

(in reply to tshinder)
Post #: 4
RE: Discussion about article on Web Listeners for Autod... - 18.Sep.2007 6:53:40 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
The ISA Firewall presents the certificate to the clients. Since the clients aren't able to use the SANs, they won't work.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to vapor-trails)
Post #: 5
RE: Discussion about article on Web Listeners for Autod... - 18.Sep.2007 4:26:54 PM   
vapor-trails

 

Posts: 14
Joined: 2.Dec.2002
From: US
Status: offline
I am not sure I understand why the client wouldn't be able to use SANs.  There are 3 providers (probably more) that I know of that will be in the trusted certificate list (Verisign, Thawte, GoDaddy, etc).

If I am publishing "mobile.E2K7domain.com" to 13.13.13.13 and "autodiscover.E2K7domain.com" to 13.13.13.13, all while using a wildcard cert, why wouldn't ISA 2006 properly set up the SSL and then pass it on to CAS?

-Vapor-Trails

(in reply to tshinder)
Post #: 6
RE: Discussion about article on Web Listeners for Autod... - 19.Sep.2007 7:20:54 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
The wildcard cert is using the subject name field, that's why that works.

The clients don't "consume" the SAN fields.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to vapor-trails)
Post #: 7
RE: Discussion about article on Web Listeners for Autod... - 17.Oct.2007 11:12:12 AM   
jazzer

 

Posts: 24
Joined: 15.Feb.2004
From: Switzerland
Status: offline
Hi Tom,

1.
I read your article and all the other articles on msExchangeTeam, msExchangeOrg and TechNet. To publish Exchange 2007 with ISA 2006, it never makes sense to take a UC certificate or a certificate with SANs. Is this right? The ISA can only consume the first CN in the cert; it is one match, like a normal cheap web server certificate? All other names in the cert break the ISA.
Is there a reason to take a SAN cert instead of a normal cert when I publish Ex07 with ISA06?

Is a fix for the ISA 06 SAN problem in the pipeline? (I know the fix for the Outlook 2007, SRV Record)

2.
Would it work when I publish all the Ex07 URLs with the autodiscover.domain.com/owa  ./rpc URL instead of owa.domain.com? With this I only need 1 IP and 1 SSL cert. Does it resolve all the problems?

Regards Stive

(in reply to tshinder)
Post #: 8
RE: Discussion about article on Web Listeners for Autod... - 18.Oct.2007 9:47:43 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Stive,

1. I don't think so, they might in the next version.

2. Not sure this will work, because of the authentication requirements

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to jazzer)
Post #: 9
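
Added example, not part of any post in this thread: a Python sketch of certificate name matching for the three certificate types discussed above (SAN, wildcard, single name). It compares a client that follows the RFC 2818 rule (SAN dNSName entries first, subject CN only when none are present) with a hypothetical consumer that reads only the subject CN; the certificate dictionaries and all function names are constructed for illustration.

```python
# Constructed certificates, reduced to the two fields that matter for name matching.
SAN_CERT = {"cn": "mobile.e2k7domain.com",
            "san": ["mobile.e2k7domain.com", "autodiscover.e2k7domain.com"]}
WILDCARD_CERT = {"cn": "*.e2k7domain.com", "san": []}
SINGLE_CERT = {"cn": "mobile.e2k7domain.com", "san": []}


def label_match(pattern, host):
    """Match one presented name against the requested host.

    A wildcard is honoured only as the whole leftmost label and covers
    exactly one label, so *.example.com does not match a.b.example.com.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def matches_rfc2818(cert, host):
    """SAN dNSName entries take precedence; CN is used only if there are none."""
    names = cert["san"] if cert["san"] else [cert["cn"]]
    return any(label_match(n, host) for n in names)


def matches_cn_only(cert, host):
    """Hypothetical consumer that ignores the SAN extension entirely."""
    return label_match(cert["cn"], host)


def coverage(cert, hosts):
    """Return {host: (rfc2818_result, cn_only_result)} for each published name."""
    return {h: (matches_rfc2818(cert, h), matches_cn_only(cert, h)) for h in hosts}


if __name__ == "__main__":
    published = ["mobile.e2k7domain.com", "autodiscover.e2k7domain.com"]
    certs = (("SAN", SAN_CERT), ("wildcard", WILDCARD_CERT), ("single", SINGLE_CERT))
    for label, cert in certs:
        for host, (full, cn_only) in coverage(cert, published).items():
            print(f"{label:9} {host:30} rfc2818={full!s:5} cn_only={cn_only}")
```

Only the SAN certificate gives different answers for the two consumers: the second published name matches under SAN-first matching and fails for a consumer that looks at the subject CN alone.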
ISA Authentication problem for Autodiscover - 31.Aug.2008 5:56:12 PM   
Arcesilaus

 

Posts: 19
Joined: 21.Dec.2006
Status: offline
Hi

Testing my planned upgrade to Exchange 2007, I've successfully set up the CAS server.
Internally, everything works fine, including the autodiscover function. But (there's always a but, isn't there?), externally, I am running into a weird problem.

Here's the case:
The ISA 2006 resides in the 3rd party firewall DMZ, has a properly working SAN certificate and is not a domain member.
It connects to the AD using RADIUS (for VPN) and LDAPS-GC (for FB).

What does work:
  • Outlook Web Access
  • Outlook Anywhere
  • Autodiscover Test from Outlook

What does not work:
  • Autodiscover in Outlook wizard

What seems to be the case here?

Having set up an Outlook Anywhere client manually, the client logs on to the ISA server using Domain\User credentials, which work fine with both RADIUS and LDAP.
When consequently testing the Autodiscover function, it runs fine, since the client has already been validated at the ISA server and is thus allowed to access the CAS\Autodiscover directory.

Setting up an Outlook Anywhere client from scratch, the client tries to login with the e-mail address ("user@domain.com"), as submitted to the wizard.
Easily traced using RADIUS, the domain controller that runs IAS rejects this authentication package since the user is unknown ("user@domain.com" instead of "User").
The client therefore cannot access the CAS\Autodiscover directory and fails to download the autodiscover.xml file.

My question, therefore, is:

How can I ensure the ISA server authenticates a request from an Autodiscover wizard against RADIUS or LDAP?

Thank you very much in advance!



_____________________________

Homo sum: humani nil a me alienum puto (Terence)

(in reply to tshinder)
Post #: 10
RE: ISA Authentication problem for Autodiscover - 3.Sep.2008 6:17:45 AM   
Arcesilaus

 

Posts: 19
Joined: 21.Dec.2006
Status: offline
Update:

Switched to LDAPS/GC, I've locked down the issue to an AD problem.
The ISA server simply tries to authenticate to the domain controller using the exact credentials entered by the client.
In this case, Outlook sends the e-mail address.
I have been unable to solve this issue on the ISA Server.

The domain controller logs the following:

EVENTID: 680
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: test@domain.com
Source Workstation: ISASERVER
Error Code: 0xC0000064

EVENTID: 529
Logon Failure:
Reason:  Unknown user name or bad password
User Name: test@domain.com
Domain:  
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: ISASERVER
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: ISA IP
Source Port: 33473

I will try to solve this on the domain controller and keep this thread posted.
In case anybody here might have a clue, I'd be happy to know!

< Message edited by Arcesilaus -- 3.Sep.2008 10:43:49 AM >


_____________________________

Homo sum: humani nil a me alienum puto (Terence)

(in reply to Arcesilaus)
Post #: 11
RE: ISA Authentication problem for Autodiscover - 3.Sep.2008 11:32:12 AM   
Arcesilaus

 

Posts: 19
Joined: 21.Dec.2006
Status: offline
Update 2:

Getting closer: it first seemed to be a known issue:
http://support.microsoft.com/kb/947861

I requested the hotfix, installed, rebooted the DC and retried - still the same issue.
I then manually changed the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ to value 2 and retried: still no luck.

Now I realise that the domain I am using to log in with (e.g. domain.com) is not exactly the same as the local domain (domain.local). I guess, therefore, my question has changed: how can I configure AD to accept login requests for a secondary domain?

_____________________________

Homo sum: humani nil a me alienum puto (Terence)

(in reply to Arcesilaus)
Post #: 12
RE: ISA Authentication problem for Autodiscover - 3.Sep.2008 6:23:00 PM   
Arcesilaus

 

Posts: 19
Joined: 21.Dec.2006
Status: offline
Update 3:

For those of you who run into similar problems and might be interested:

I was able to solve the logon issue, by following this thread:

http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=3760627&SiteID=17

It refers to here: http://support.microsoft.com/kb/243629, where you are told how to link a custom UPN to a domain.
Next, using the Exchange 2007 Management Console, you can edit a user's Account Details where you can change his UPN to enable authentication using his primary email-address, if different from the default domain.
Please note that login with UPN only works with LDAP, not with RADIUS!

That issue being solved, there appears to be a new one:

Using Outlook wizard, the Autodiscover process runs fine, until it comes to the point where you need to login to the CAS server itself.
Some users have laptops that are not domain members (I know, I know) and the Exchange OWA virtual dir allows only basic authentication.
It works great in case of manual configuration, but using Outlook wizard, I cannot get beyond the point of authenticating against the CAS.
I am running 2003 x64 so it's not an IPv6 issue, as is the case here:
http://technet.microsoft.com/en-us/library/cc671176(EXCHG.80).aspx

Does anybody have a clue?

_____________________________

Homo sum: humani nil a me alienum puto (Terence)

(in reply to Arcesilaus)
Post #: 13
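
Added example, not part of any post: a Python triage of event 680 records like the one quoted in post 11, which separates UPN-style logon names from DOMAIN\user names and checks the UPN suffix against the suffixes the forest accepts (the fix described in post 13). The sample records, the suffix set passed in and all function names are constructed assumptions.

```python
import re

NT_STATUS = {0xC0000064: "STATUS_NO_SUCH_USER", 0xC000006A: "STATUS_WRONG_PASSWORD"}
# Constructed sample modelled on the event 680 record quoted in the thread.
SAMPLE = """\
EVENTID: 680
Logon account: test@domain.com
Error Code: 0xC0000064

EVENTID: 680
Logon account: DOMAIN\\jsmith
Error Code: 0xC000006A

EVENTID: 680
Logon account: anna@domain.local
Error Code: 0xC0000064
"""

def parse_records(text):
    """Split blank-line separated 'Key: value' records into dicts."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        records.append({k.strip(): v.strip() for k, sep, v in pairs if sep})
    return records

def classify(account):
    """Return (form, user, domain) for down-level, UPN or bare names."""
    if "\\" in account:
        domain, user = account.split("\\", 1)
        return "downlevel", user, domain
    if "@" in account:
        user, suffix = account.rsplit("@", 1)
        return "upn", user, suffix.lower()
    return "bare", account, ""

def diagnose(rec, upn_suffixes):
    """Explain one failed logon given the UPN suffixes the forest accepts."""
    status = NT_STATUS.get(int(rec["Error Code"], 16), "other")
    form, user, domain = classify(rec["Logon account"])
    if status == "STATUS_NO_SUCH_USER" and form == "upn":
        if domain not in upn_suffixes:
            return f"{user}@{domain}: UPN suffix not registered"
        return f"{user}@{domain}: suffix registered, no account has this UPN"
    return f"{rec['Logon account']}: {status}"

def triage(text, upn_suffixes):
    return [diagnose(r, upn_suffixes) for r in parse_records(text) if "Error Code" in r]
```

Calling triage(SAMPLE, {"domain.local"}) reports the first record as an unregistered suffix; adding "domain.com" to the set moves it to the second case, where the suffix exists but the account's UPN still has to be set.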
RE: ISA Authentication problem for Autodiscover - 4.Sep.2008 9:06:35 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Thanks for sharing the information you're discovering. I haven't been answering since I don't know the answers to the autoconfig issues.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Arcesilaus)
Post #: 14
