Is it possible to use both OWA and OA with 1 web listener? Assuming that OA uses HTTP Integrated authentication and Kerberos constrained authentication uses the mailserver's SPN to delegate authentication.
If not, please advise what the best strategy is in terms of publishing and authentication.
I currently use 1 web listener, but the problem is that OWA works randomly. On the other hand, I notice that OWA sometimes doesn't work with IE8 but it works with 3rd party browsers (of course in light mode).
So, it means that it is possible. I currently have 1 listener with the thought that a second listener would require its own socket (IP/Port) - (Am I correct on this, or is it possible to have 2 listeners on the same socket?)
I don't mind entering the Windows password and the OWA forms password, but unfortunately here is what happens:
- On some occasions, the Windows logon appears first and the OWA login form second, and sometimes the opposite happens. (I cannot classify this as reasonable.)
- Sometimes, after Windows and form login, the page cannot be displayed and the error is that it is forbidden. After a while, it is not forbidden. (More strange: it happens with IE but not with other browsers; however, other browsers open the light version.)
- Sometimes, the page fails the first time, before any login prompt is displayed.
- A very strange point, which I assume has to do with all the mystery (but I can't figure it out on my own, I need advice), is that I have previously configured port redirection (accept both HTTP and HTTPS connections and redirect all HTTP traffic to HTTPS) and it never worked, BUT when everything IS fine and I enter http://owa.dom.com/owa, I just get the error that the page cannot be displayed because it requires SSL. (Happens with all browsers.) During those times, if I use HTTPS properly, everything will be fine. Now, when there is a problem, redirection works. If I enter http://..., it will automatically convert to https://, but later I will get the error that the page cannot be displayed.

All this led me to ask about the web listener (one for both or one for each?). OWA is published with an OWA publishing rule, using the same listener as OA (HTTP/Integrated) and the same delegation configuration, and the OWA form on Exchange uses form authentication. The SPN I use is how it appears in AD and the one I associated there, but the following error appears in ISA:
ISA Server failed to delegate credentials using Kerberos constrained delegation to the Web site published by the rule OWA Publishing. Check that the SPN: http/mailxxx.internal-domain.com configured in ISA Server matches the SPN in Active Directory.