I have followed Tom's tutorial to the tee, and have a problem that has stumped me and Microsoft support seems to be getting nowhere just as quickly.
1. I have ISA 2006 servers in thier own domain (isadomain) 2. I have already published ActiveSync for an Exchange 2007 domain (domain1.bob.com) with LDAP Authentication and it is funtioning as expected, and I see user login info through logging. The only usergroup for this rule is Authenticted Users. 3. I am publishing any other domain (say domain2.steve.com and domain3.tom.org), mostly ActiveSync 2003 environments, and cannot get them to preauthenticate through ISA. The only way they work is by allowing All Users access to the rule and letting them authenticate to Exchange directly. But when All Users is removed, once again I get anonymous user errors (see below). 4. Even if I specifically add a test user account to the LDAP users, and login successfully and apply it to the rule, it still does not let them preauthenticate to this domain (adding in firstname.lastname@example.org) unless I add back the All Users group.
Logging shows: Denied Connection ISAServer 7/21/2010 1:50:49 PM Log type: Web Proxy (Reverse) Status: 12239 The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. Rule: Rule for domain2.steve.com Exchange2003 - mobile.steve.com Source: (Phone IP) Destination: (LISTENER IP:443) Request: OPTIONS http://mobile.steve.com/Microsoft-Server-ActiveSync?User=steve\jdoe&DeviceId=34D0102247F0CB68227AD84E8DEFE48A&DeviceType=PocketPC Filter information: Req ID: 1f9cd1d1; Compression: client=No, server=No, compress rate=0% decompress rate=0% Protocol: https User: anonymous Additional information Client agent: MSFT-PPC/5.2.101 Object source: (No source information is available.) Cache info: 0x8 (Request includes the AUTHORIZATION header.) Processing time: 1 ms MIME type:
I am trying to figure out why two things occur and how to findthem/fix them.
1. Why does the destination say the listener address rather than the actual Exchange server address unless I add the All Users in? 2. Why does it say the User is anonymous when i am entering in login info the same as the fist rule above that is working correctly?
It is as though ISA is denying the requests, but I cannot see why!
After much testing and troubleshooting and a lot of odd dreams about why it wasn't working, it turns out that Login Expressions when implemented correctly work wonders, but when implmented incorrectly cause pre-authentication to fail. Go figure...
Thanks for the consideration, and if you have authentication issues when using multiple LDAP domains, check your login expressions.
I see this all the time in one environment I have. AKAIK, my login expressions are correct. I see this error for the same user in one instance, but then a little while later, they are authenticating fine. It comes and goes, so I'm not sure if it's the network or LDAP or something else.
I am moving away from authenticating with LDAP. I've had nothing but issues with it.
What are you moving to? Are you getting rid of pre-auth or going to something else other than AD? How are you planning to authenticate across multiple domains or do you administer all the domains as well? What is your strategy?
We have since moved to a webservices/SQL pre-auth "filter". Child domains have been consolidated, so I only have one prod domain to worry about. We're going to auth directly with Exchange, no delegation, but client may auth directly.