Problem after upgrade to ISA2006 SP1



remushociota -> Problem after upgrade to ISA2006 SP1 (21.Jul.2008 11:44:54 AM)

I have a strange problem ever since upgrading ISA 2006 to SP1.
ISA is not a domain member, set up as a front firewall and using LDAPS.
Exchange2003 SP2 published behind it, Outlook Anywhere rules created. Everything worked perfectly before SP1.
Now the problem is: you open up Outlook 2007, the pop-up with login name and pass shows up. If you enter a wrong password it keeps trying and trying until in the end the account gets locked out in Active Directory.
Before, if you typed in a wrong password the pop-up kept coming back allowing you to re-enter it. Not any more.

Anyone else seeing this problem?




tshinder -> RE: Problem after upgrade to ISA2006 SP1 (22.Jul.2008 11:31:05 AM)

Are there any entries in the ISA firewall's log files to help troubleshoot this?

Anything showing up in the Event Viewer?

Tom




remushociota -> RE: Problem after upgrade to ISA2006 SP1 (22.Jul.2008 2:49:34 PM)

Hey Tom before anything else let me tell you that I am able to reproduce this on my test environment and I can say for sure it is linked with SP1 for ISA 2006.
Do you know if there is any way I can contact Microsoft and let them know about this issue?

I created in my virtual machines the same scenario as online: ISA non domain member. Authentication made via LDAPS. Exchange2003 with SP2 (all installed on 1 server here, meaning DC and exchange) and a client XP with Outlook 2007 trying to connect via Outlook Anywhere.
Without the SP1 installed if in the initial pop-up that comes up when you open Outlook to enter your username and password you put a wrong password then the pop-up comes up again and you can retype.
After SP1 is installed if I put a wrong password the pop-up does not come up anymore... and it tries and tries with that wrong password until the account is locked out in AD as I have set it to lock out after 5 attempts.
If I put the right password in it works fine even after SP1. It is just that case with the wrong password that is affected.

I am sure this is an issue, if you want I can put my test environment online and give you access and you can take a look for yourself as I think this is an interesting finding. Let me know and I can PM you my email address with the details.




remushociota -> RE: Problem after upgrade to ISA2006 SP1 (22.Jul.2008 3:18:37 PM)

I can't find anything relevant in logs...
In ISA it starts with a few of these:

Denied Connection ISA 7/22/2008 3:09:15 PM
Log type: Web Proxy (Reverse)
Status: 12232 The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. 
Rule: ex
Source: (192.168.1.108)
Destination: (192.168.1.50:443)
Request: RPC_IN_DATA http://mail.domain.com/rpc/rpcproxy.dll?mail.domain.com:6002
Filter information: Req ID: 06d4f7d9; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous
Additional information
Client agent: MSRPC
Object source: (No source information is available.)
Cache info: 0x8 (Request includes the AUTHORIZATION header.)
Processing time: 360 ms
MIME type: 

and

Denied Connection ISA 7/22/2008 3:09:15 PM
Log type: Web Proxy (Reverse)
Status: 12232 The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. 
Rule: ex
Source: (192.168.1.108)
Destination: (192.168.1.50:443)
Request: RPC_OUT_DATA http://mail.domain.com/rpc/rpcproxy.dll?mail.domain.com:6002
Filter information: Req ID: 06d4f7db; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous
Additional information
Client agent: MSRPC
Object source: (No source information is available.)
Cache info: 0x8 (Request includes the AUTHORIZATION header.)
Processing time: 280 ms
MIME type:

and the same but for port 6001


and then I get the

Initiated Connection ISA 7/22/2008 3:09:16 PM
Log type: Firewall service
Status: 
Rule: [System] Allow access to directory services for authentication purposes
Source: Local Host (10.0.0.1:1226)
Destination: Internal (mail.domain.com 10.0.0.4:636)
Protocol: LDAPS
User: 
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0 ms Original Client IP: 10.0.0.1
Client agent:  

And then nothing relevant. Again this is a setup that works 100% if you enter the right password.
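
Added example, not part of the original thread: a Python sketch that parses entries in the log-viewer layout pasted above and flags sources whose denied Outlook Anywhere requests carrying an AUTHORIZATION header reach an account-lockout threshold. The function names, the 5-minute window, the address 192.168.1.77 and the sample entries are constructed assumptions; the threshold of 5 mirrors the lockout policy mentioned in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

HEADER = re.compile(r"^(\w+) Connection ISA (\d.+[AP]M)\s*$")

def parse_entries(text):
    """Split log-viewer text into dicts: header line, then 'Key: value' lines."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            when = datetime.strptime(m.group(2), "%m/%d/%Y %I:%M:%S %p")
            entries.append({"Action": m.group(1), "Time": when})
        elif entries and ":" in line:
            key, _, value = line.partition(":")
            entries[-1][key.strip()] = value.strip()
    return entries

def is_rejected_credential(e):
    """Denied Outlook Anywhere request that carried credentials (the quoted pattern)."""
    return (e["Action"] == "Denied" and e.get("Status", "").startswith("12232")
            and "/rpc/rpcproxy.dll" in e.get("Request", "").lower()
            and e.get("User") == "anonymous" and "AUTHORIZATION" in e.get("Cache info", ""))

def lockout_candidates(entries, threshold=5, window=timedelta(minutes=5)):
    """Map source -> peak count, for sources with >= threshold hits in one window."""
    times = defaultdict(list)
    for e in filter(is_rejected_credential, entries):
        times[e["Source"].strip("()")].append(e["Time"])
    flagged = {}
    for src, ts in times.items():
        ts.sort()
        for i, t in enumerate(ts):
            n = sum(1 for u in ts[i:] if u - t <= window)  # hits in window starting at t
            if n >= threshold:
                flagged[src] = max(flagged.get(src, 0), n)
    return flagged

# Constructed sample in the layout of the entries quoted above (fields trimmed).
TEMPLATE = """Denied Connection ISA 7/22/2008 {clock} PM
Log type: Web Proxy (Reverse)
Status: 12232 The server denied the specified Uniform Resource Locator (URL).
Source: ({src})
Request: RPC_IN_DATA http://mail.domain.com/rpc/rpcproxy.dll?mail.domain.com:6002
User: anonymous
Cache info: 0x8 (Request includes the AUTHORIZATION header.)\n"""
SAMPLE = "".join(
    [TEMPLATE.format(clock=f"3:09:{15 + i}", src="192.168.1.108") for i in range(6)]
    + [TEMPLATE.format(clock=f"3:{20 + 10 * i}:00", src="192.168.1.77") for i in range(3)])
```

The counts are denied requests seen at the proxy, not confirmed failed binds, so a hit is a cue to check the account's bad-password count in AD.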




tshinder -> RE: Problem after upgrade to ISA2006 SP1 (23.Jul.2008 9:12:27 AM)

Interesting. I'll see if anyone else has had a similar problem. Try uninstalling SP1 and see if you have the same problem.

Thanks!
Tom




remushociota -> RE: Problem after upgrade to ISA2006 SP1 (23.Jul.2008 10:57:29 AM)

Ok Tom I just uninstalled SP1, restarted and the problem is gone.
Now if I enter a wrong pass the pop-up comes up again and I get to re-enter it.
So for sure it is linked to SP1.
Let me know your findings please.

thanks,
remus




remushociota -> RE: Problem after upgrade to ISA2006 SP1 (23.Jul.2008 1:52:25 PM)

Hey Tom, because I was so sure this is a bug in the new SP1 I decided to go ahead and run it through Ms Support. Yes yes I paid the 99$, you guys can thank me later :)
As a matter of fact it seems they will refund me the fee as it seems to be a problem in ISA per the escalation engineer's reply to my email:

Hi Remus,

This case has been escalated to me. I am the escalation engineer for ISA server team. I will be the point of contact moving forward. Already I have identified some root cause for this issue. I will analyze the provided traces and will keep you posted.

Once I have the result of all my debugging, then I will start working with isa developer and if we come up with a hotfix, I will send it to you.

Thanks so much for reporting this problem to Microsoft.


So guys once I have it you will have it :)




tshinder -> RE: Problem after upgrade to ISA2006 SP1 (24.Jul.2008 9:36:26 AM)

Hi Remus,

We won't thank you later, we'll thank you now! [:D]

Yes please, let us know what you find out.

Thanks!
Tom




Jim Harrison -> RE: Problem after upgrade to ISA2006 SP1 (24.Jul.2008 9:40:03 AM)

It's a bug.

Call CSS and add yourself to the lucky list.

Jim




remushociota -> RE: Problem after upgrade to ISA2006 SP1 (24.Jul.2008 2:36:51 PM)

Ok today the escalation engineer sent me what is called a "private hotfix". I installed it and it fixes the problem.
His suggestion is to wait for production for a hotfix update which will undergo some QA from Ms first... so as soon as I have that one I will let you know also.

Speaking of which... is there any really easy way to keep up with what Ms releases in terms of hotfixes for ISA 2006 sp1?
He said they are cumulative so what should we do? Go on their website and search for them every 2 months or so?




remushociota -> RE: Problem after upgrade to ISA2006 SP1 (3.Aug.2008 9:58:02 PM)

Ms issued me the official hotfix however it is on a temp server with a ZIP with password and I don't know if it's ok to make that public now.
However the KB Article Number this issue will be found under is 956269. In about 2-3 weeks they said...

Hope this helps other people as well,

remus

P.S. They just called me now and told me that the KB article containing my fix and another one (some other problem in SP1) will be found under KB 956269.




tshinder -> RE: Problem after upgrade to ISA2006 SP1 (5.Aug.2008 10:41:37 AM)

Hi Remus,

Thanks!!! Great work.

Tom




sunnyyupi -> RE: Problem after upgrade to ISA2006 SP1 (4.Sep.2008 3:29:53 AM)

Thanks for the valuable news, but sorry, I have not found KB 956269... I need this fix very urgently; could you share it?




elmajdal -> RE: Problem after upgrade to ISA2006 SP1 (4.Sep.2008 4:12:29 AM)

Please call Microsoft support (http://support.microsoft.com/contactus/?ws=support) and ask to get hotfix KB 956269.




shekharsahab -> RE: Problem after upgrade to ISA2006 SP1 (10.Sep.2008 9:03:12 AM)

Got that patch, however my problem is still the same.

https://abc.mail.com/exchange/ is not working and goes into a loop, whereas https://abc.mail.com/owa/ works.



