• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

owa & kcd / smart card fails

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Publishing] >> Exchange Publishing >> owa & kcd / smart card fails Page: [1]
Login
Message << Older Topic   Newer Topic >>
owa & kcd / smart card fails - 15.Nov.2007 1:31:31 PM   
pupperalda

 

Posts: 2
Joined: 15.Nov.2007
Status: offline
we publish owa (ex2007) with isa2006

authentication in listener "ssl client certificate authentication" with "basic" and "ntml" fallback

authentication delegation in rule "kerberos constrained delegation"
spn is (should be) configured correctly

ca root and certificate authentication are generally working fine - no problems at all


now the problem :-)
when we access https://xxx/owa all looks working, but after having loaded most of the page we get a "user/password request window" - as the user has just the smart card to authenticate, there is no other way as abort the upcoming request
finally we get http error 401 and isa error 12209

now the very interesting part - if we close the browser and reopen the owa page ALL WORKS FINE
so it looks that the browser do not requests all elements (images etc.) and the isa server do not stops working


actually we have the impression, that isa gets to many kerberos authentications request in the first owa login

if we wait a while (15 minutes>) then we have to login .. we get the error .. closes the browser ... reopen owa and then it works

if we refreshes (F5) the browser, we get again the http error 401


we tested with xp sp2, ie6
xp sp2, ie7
vista, ie7

on all pc's and configurations the same error


does kcd & kerberos has a flood protection?
any ideas what that could be wrong?
Post #: 1
RE: owa & kcd / smart card fails - 15.Nov.2007 1:37:55 PM   
Jim Harrison

 

Posts: 271
Joined: 5.May2001
From: Redmond, WA
Status: offline
ISA Flood Mitigation wouldn't provide a "401" (authentication required).

Look in the ISA and IIS logs and see what response codes you find and make not of which URLs are in the request.

_____________________________

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
My ISAServer.org Stuff
My Site

(in reply to pupperalda)
Post #: 2
RE: owa & kcd / smart card fails - 15.Nov.2007 3:02:23 PM   
pupperalda

 

Posts: 2
Joined: 15.Nov.2007
Status: offline
on iis logs all looks fine - 65 successfully (200) served request
no errors

in isa i see after some (see above) requests an http status code 1790 from client anonymous to an external url (xxx/owa/8.0.744.0/themes/...)
former request to the same directory was successfully

then i se an error 12239


so error looks to arrive between client and isa


ps: accessing owa by ntml all works perfectly

(in reply to Jim Harrison)
Post #: 3

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 Publishing] >> Exchange Publishing >> owa & kcd / smart card fails Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts