I figured out that only admins can log in to our OWA, which is published with ISA 2006. The ISA server authenticates the users over LDAP against the Active Directory. Nobody can log in until I add the user to the domain-admin-group.
In IIS under Directory Security for Exchange, please check your Authentication methods.
If already done so, disregard... Do you have your domain name set to your NetBIOS domain name or a slash? I have seen that using a slash works in solving this problem; however, the NetBIOS name should work too for your domain to lock down access to only your environment. Also, don't forget to untick the anonymous access...
Thank you for the hints, but it doesn't work. I can access OWA on the ISA server itself without any problems. When I come through the internet, it does not work and the ISA server says it can't authenticate me. It only works if I am a member of the domain-admin-group.
Have you created a group in ISA by browsing in AD for the group created within, and applying accordingly? If yes, what if you add a user to the published rule, are you still having the same problem? Have you tried using the "All Users" group built in from ISA to see if that works... for testing?
Have you tried using Authenticated Users vs. All Users?
I'm not entirely sure I understand your concern, though. The forms-based authentication OWA page is just like any other website in that it should respond to anyone. Once they get the login, then using a specific group vs. all users doesn't really matter. LDAP is either going to allow or not allow the users to log in regardless of which group they are in.
If you are trying to enable OWA for specific users and not others, use the AD feature to not enable OWA for those users. Even if the firewall tries to connect that user to OWA, the Exchange/AD piece will block them from logging in.