OWA FBA Issues with ISA

OWA FBA Issues with ISA - 18.May2009 5:09:44 AM   
pirao

 

Posts: 4
Joined: 23.Feb.2006
Status: offline
Hi all,

I am in an environment with a pre-existing OWA (Exchange 2003) and ISA (ISA 2004) setup. Basically internal users are using Basic Authentication if they ever need to access OWA and external users were using Integrated Authentication.
I am in the process of implementing SSL for all users, both internal and external, to take advantage of OWA's password changing facility. SSL is working fine for internal and external users but now I want to turn off HTTP access and only allow HTTPS access via Form Based Authentication. I want users to be displayed with an SSL required error message when they try to access via HTTP so that they can learn the new process.
FBA is currently on on the Exchange and is used when internal users try and browse via HTTPS. I turn off FBA on the Exchange so that Internal users are using Basic Authentication and it is working fine. I then turn on FBA on the ISA and try to test from an external connection. HTTPS works fine but HTTP returns an Error 500: Internal Server Error. As soon as I switch FBA off on the ISA then it is all good again. Even though I want to turn HTTP off I still want the users presented with an error message stating that they require SSL and not some generic Error 500.
Post #: 1
RE: OWA FBA Issues with ISA - 18.May2009 10:50:58 AM   
Rotorblade

 

Posts: 1348
Joined: 27.Feb.2007
Status: offline
quote:


Basically internal users are using Basic Authentication if they ever need to access OWA and external users were using Integrated Authentication.


Huh? Did you mean to say that external users are using Basic and Internal are using Integrated?

quote:


I want users to be displayed with an SSL required error message when they try to access via HTTP so that they can learn the new process.


First thing, are you utilizing a FE? If you’re not then using FBA is going to be a challenge for your Internal/External users.

Requiring SSL has to be done by modifying the Exchange server’s IIS default website (Directory Security) settings by selecting the “Require SSL for incoming requests”. Best option (using ISA 2004) would be to modify the ASP and redirect to SSL.

http://support.microsoft.com/kb/839357

quote:

 
FBA is currently on the Exchange and is used when internal users try and browse via HTTPS. I turn off FBA on the Exchange so that Internal users are using Basic Authentication and it is working fine. I then turn on FBA on the ISA and try to test from an external connection. HTTPS works fine but HTTP returns an Error 500: Internal Server Error. As soon as I switch FBA off on the ISA then it is all good again. Even though I want to turn HTTP off I still want the users presented with an error message stating that they require SSL and not some generic Error 500.


FBA needs to be turned off on the Exchange and as mentioned this is where it gets challenging if you don’t have a front-end Exchange in your site for external users. The other challenge is with FBA enabled on the ISA server web listener. With ISA 2004 and FBA enabled, no OTHER authentication method can be used on the same web listener. There are workarounds and you can search this site for the articles to do so.

HTH

RB   


_____________________________

David Melvin
Ohio
MCSE: Security 2003, MCSA:Security 2003

(in reply to pirao)
Post #: 2
RE: OWA FBA Issues with ISA - 18.May2009 7:27:12 PM   
pirao

 

Posts: 4
Joined: 23.Feb.2006
Status: offline
Thanks for the reply RB,

The Exchange Virtual Directory has "Enable Anonymous Access" ticked and also has "Integrated Authentication" ticked. The Exchweb has "Enable Anonymous Access" ticked. I haven't set this up and so am unsure on what the settings should be.
The ISA Web Listener has "Integrated Authentication" ticked.
These settings are all the pre-SSL settings and I know certain ones will be changed when I move over to SSL only.
There is a need for internal users to authenticate instead of just using pass through as in some services there is 1 computer log on but multiple people check email using OWA.
We are not utilising a front end, the Exchange Server is running the front end and the databases all in one.
With regards to redirecting SSL I have gone through numerous articles and have found some differences. Many articles want you to activate SSL on the "Default Web Site" however this causes the redirection to fail with an SSL required message. The only workarounds I have found were to put the "Default Web Site" in the "ExchangeApplicationPool" and activate the custom 403.4 error on that instead of on the "Exchange" virtual directory. The other workaround was to activate SSL on all the virtual directories that require it individually, leaving it off on the "Default Web Site".
Do you recommend I give FBA a miss as we have no separate front end? Would ISA 2006 solve some of our issues?

(in reply to pirao)
Post #: 3
RE: OWA FBA Issues with ISA - 18.May2009 8:49:29 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
ISA2k6 can provide seamless HTTP to HTTPS...you could also look at Collective Software's WebDirect if you want to keep ISA2k4.

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to pirao)
Post #: 4
RE: OWA FBA Issues with ISA - 19.May2009 4:04:57 AM   
pirao

 

Posts: 4
Joined: 23.Feb.2006
Status: offline
Thanks for the reply,

I have reset the permissions on the Exchange Server IIS for OWA and then recreated the OWA publishing rule and listener in ISA. I then used the ISARedirects from isatools.org to redirect all users to the https site. Internal users still use basic authentication which is fine on the LAN side.

We will be moving to ISA 2006 soonish, I hear its FBA is much better than 2004.

(in reply to pirao)
Post #: 5
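
A check for the behaviour discussed in this thread, as an added example that is not part of any poster's message: it classifies what the published OWA site returns to a plain-HTTP request, so an administrator can confirm that HTTP yields a redirect to HTTPS or an SSL-required error rather than Error 500, an authentication prompt or a page served in cleartext. The hostname `mail.example.com`, the function names and the sample responses are constructed, and matching `403.4` in the body is an assumption about the error page's text.

```python
from urllib.parse import urlsplit

def parse_response(raw: bytes):
    """Split a raw HTTP response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def classify_http_probe(raw: bytes, expected_host: str) -> str:
    """Classify the answer to a plain-HTTP request for the OWA site."""
    status, headers, body = parse_response(raw)
    if status in (301, 302, 303, 307, 308):
        target = urlsplit(headers.get("location", ""))
        if target.scheme != "https":
            return "redirect-not-https"    # relative or http:// target stays in cleartext
        if (target.hostname or "").lower() != expected_host.lower():
            return "redirect-wrong-host"   # redirect leaves the published site
        return "redirect-to-https"
    if status == 401:
        return "auth-prompt-over-http"     # e.g. Basic credentials would cross in cleartext
    if status == 403:
        return "ssl-required" if b"403.4" in body else "forbidden-other"
    if status >= 500:
        return "server-error"              # the generic Error 500 from the first post
    if status == 200:
        return "served-over-http"
    return "other"

# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "redirect": b"HTTP/1.1 302 Found\r\nLocation: https://mail.example.com/exchange\r\n\r\n",
    "error500": b"HTTP/1.1 500 Internal Server Error\r\nContent-Length: 0\r\n\r\n",
    "ssl403": b"HTTP/1.1 403 Forbidden\r\n\r\nHTTP Error 403.4 - Forbidden: SSL is required",
    "basic401": b"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"mail\"\r\n\r\n",
    "offsite": b"HTTP/1.1 302 Found\r\nLocation: https://other.example.net/\r\n\r\n",
}

def audit(samples=SAMPLES, host="mail.example.com"):
    """Return {sample name: verdict}; acceptable verdicts are redirect-to-https and ssl-required."""
    return {name: classify_http_probe(raw, host) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:10} {verdict}")
```
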
RE: OWA FBA Issues with ISA - 19.May2009 4:53:53 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: pirao

Thanks for the reply,

I have reset the permissions on the Exchange Server IIS for OWA and then recreated the OWA publishing rule and listener in ISA. I then used the ISARedirects from isatools.org to redirect all users to the https site. Internal users still use basic authentication which is fine on the LAN side.

We will be moving to ISA 2006 soonish, I hear its FBA is much better than 2004.


Yeah, lots better!

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to pirao)
Post #: 6
