I have a strange problem ever since upgrading ISA 2006 to SP1. ISA is not a domain member, set as a front firewall and using LDAPS. Exchange2003 SP2 published behind it, Outlook Anywhere rules created. Everything worked perfectly before SP1. Now the problem is: you open up Outlook 2007, the pop-up with login name and pass shows up. If you enter a wrong password it keeps trying and trying until in the end the account gets locked out in Active Directory. Before, if you typed in a wrong password the pop-up kept coming back, allowing you to re-enter it. Not any more.
Hey Tom before anything else let me tell you that I am able to reproduce this on my test environment and I can say for sure it is linked with SP1 for ISA 2006. Do you know if there is any way I can contact Microsoft and let them know about this issue?
I created in my virtual machines the same scenario as online: ISA non domain member. Authentication made via LDAPS. Exchange2003 with SP2 (all installed on 1 server here, meaning DC and exchange) and a client XP with Outlook 2007 trying to connect via Outlook Anywhere. Without the SP1 installed if in the initial pop-up that comes up when you open Outlook to enter your username and password you put a wrong password then the pop-up comes up again and you can retype. After SP1 is installed if I put a wrong password the pop-up does not come up anymore... and it tries and tries with that wrong password until the account is locked out in AD as I have set it to lock out after 5 attempts. If I put the right password in it works fine even after SP1. It is just that case with the wrong password that is affected.
I am sure this is an issue, if you want I can put my test environment online and give you access and you can take a look for yourself as I think this is an interesting finding. Let me know and I can PM you my email address with the details.
< Message edited by remushociota -- 22.Jul.2008 3:24:07 PM >
I can't find anything relevant in logs... In ISA it starts with a few of these:
Denied Connection ISA 7/22/2008 3:09:15 PM
Log type: Web Proxy (Reverse)
Status: 12232 The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.
Rule: ex
Source: (192.168.1.108)
Destination: (192.168.1.50:443)
Request: RPC_IN_DATA http://mail.domain.com/rpc/rpcproxy.dll?mail.domain.com:6002
Filter information: Req ID: 06d4f7d9; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous
Additional information
Client agent: MSRPC
Object source: (No source information is available.)
Cache info: 0x8 (Request includes the AUTHORIZATION header.)
Processing time: 360 ms
MIME type:
and
Denied Connection ISA 7/22/2008 3:09:15 PM
Log type: Web Proxy (Reverse)
Status: 12232 The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.
Rule: ex
Source: (192.168.1.108)
Destination: (192.168.1.50:443)
Request: RPC_OUT_DATA http://mail.domain.com/rpc/rpcproxy.dll?mail.domain.com:6002
Filter information: Req ID: 06d4f7db; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous
Additional information
Client agent: MSRPC
Object source: (No source information is available.)
Cache info: 0x8 (Request includes the AUTHORIZATION header.)
Processing time: 280 ms
MIME type:
and the same but for port 6001
and then I get the
Initiated Connection ISA 7/22/2008 3:09:16 PM
Log type: Firewall service
Status:
Rule: [System] Allow access to directory services for authentication purposes
Source: Local Host (10.0.0.1:1226)
Destination: Internal (mail.domain.com 10.0.0.4:636)
Protocol: LDAPS
User:
Additional information
Number of bytes sent: 0
Number of bytes received: 0
Processing time: 0 ms
Original Client IP: 10.0.0.1
Client agent:
And then nothing relevant. Again this is a setup that works 100% if you enter the right password.
< Message edited by remushociota -- 22.Jul.2008 3:20:07 PM >
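The denial pattern in the log entries above (status 12232, `User: anonymous`, AUTHORIZATION header present, repeated from one source) can be alerted on before the account locks. This is an added example, not part of the original posts: the threshold of 5 is the poster's lockout setting, while the one-minute window, the `192.168.1.77` client, the `sample` helper and counting each denial as one rejected credential check are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

ENTRY = re.compile(
    r"Denied Connection\s+\S+\s+(?P<ts>\d+/\d+/\d{4} \d+:\d+:\d+ [AP]M)\s.*?"
    r"Status:\s+(?P<status>\d+)\s.*?"
    r"Source:\s+\((?P<src>[\d.]+)\)\s.*?"
    r"Request:\s+RPC_(?:IN|OUT)_DATA\s+\S*/rpc/rpcproxy\.dll\S*\s.*?"
    r"User:\s+(?P<user>\S+)\s.*?"
    r"Cache info:\s+\S+\s+\((?P<cache>[^)]*)\)", re.S)

def parse(entry):
    """Return (time, source, status, user, cache_note), or None if not an RPC/HTTP denial."""
    if not (m := ENTRY.search(entry)):
        return None
    ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
    return ts, m["src"], m["status"], m["user"], m["cache"]

def lockout_suspects(entries, threshold=5, window=timedelta(minutes=1)):
    """Map source IP -> time its `threshold`-th rejected-credential denial fell inside `window`."""
    recent, flagged = defaultdict(deque), {}
    for ts, src, status, user, cache in sorted(filter(None, map(parse, entries))):
        # Credentials were sent (AUTHORIZATION header) but the request stayed anonymous and denied.
        if status != "12232" or user != "anonymous" or "AUTHORIZATION" not in cache:
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(src, ts)
    return flagged

def sample(time, src, verb, note="Request includes the AUTHORIZATION header."):
    """Build one constructed entry (not a real log line) in the layout pasted in the post."""
    return (f"Denied Connection ISA 7/22/2008 {time} PM Log type: Web Proxy (Reverse) "
            f"Status: 12232 The server denied the specified Uniform Resource Locator (URL). "
            f"Rule: ex Source: ({src}) Destination: (192.168.1.50:443) Request: {verb} "
            f"http://mail.domain.com/rpc/rpcproxy.dll?mail.domain.com:6002 Protocol: https "
            f"User: anonymous Client agent: MSRPC Cache info: 0x8 ({note})")

# Constructed input: one client retrying a rejected password, one client with a single failure.
SAMPLE_LOG = [sample(f"3:09:{15 + i}", "192.168.1.108", v)
              for i, v in enumerate(["RPC_IN_DATA", "RPC_OUT_DATA"] * 3)]
SAMPLE_LOG += [sample("3:10:02", "192.168.1.77", v) for v in ("RPC_IN_DATA", "RPC_OUT_DATA")]

if __name__ == "__main__":
    print(lockout_suspects(SAMPLE_LOG))
```
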
Ok Tom I just uninstalled SP1, restarted and the problem is gone. Now if I enter a wrong pass the pop-up comes up again and I get to re-enter it. So for sure it is linked to SP1. Let me know your findings please.
Hey Tom, because I was so sure this is a bug in the new SP1 I decided to go ahead and run it through Ms Support. Yes yes I paid the 99$, you guys can thank me later :) As a matter of fact it seems they will refund me the fee as it seems to be a problem in ISA per the escalation engineer reply to my email:
Hi Remus,
This case has been escalated to me. I am the escalation engineer for ISA server team. I will be the point of contact moving forward. Already I have identified some root cause for this issue. I will analyze the provided traces and will keep you posted.
Once I have the result of all my debugging, then I will start working with isa developer and if we come up with a hotfix, I will send it to you.
Thanks so much for reporting this problem to Microsoft.
Ok today the escalation engineer sent me what is called a "private hotfix". I installed it and it fixes the problem. His suggestion is to wait for production for a hotfix update which will undergo some QA from Ms first... so as soon as I have that one I will let you know also.
Speaking of which... is there any really easy way to keep up with what Ms releases in terms of hotfixes for ISA 2006 sp1? He said they are cumulative so what should we do? Go on their website and search for them every 2 months or so?
Ms issued me the official hotfix however it is on a temp server with a ZIP with password and I don't know if it's ok to make that public now. However the KB Article Number this issue will be found under is 956269. In about 2-3 weeks they said...
Hope this helps other people as well,
remus
P.S. They just called me now and told me that the KB article containing my fix and another one (some other problem in SP1) will be found under KB 956269.
< Message edited by remushociota -- 4.Aug.2008 1:36:04 PM >