• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Exchange ActiveSync user authentication problem

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Publishing] >> Exchange Publishing >> Exchange ActiveSync user authentication problem Page: [1]
Login
Message << Older Topic   Newer Topic >>
Exchange ActiveSync user authentication problem - 21.Jul.2010 6:46:23 PM   
jtheboywonder

 

Posts: 21
Joined: 9.Mar.2009
Status: offline
I have followed Tom's tutorial to the tee, and have a problem that has stumped me and Microsoft support seems to be getting nowhere just as quickly.

1. I have ISA 2006 servers in thier own domain (isadomain)
2. I have already published ActiveSync for an Exchange 2007 domain (domain1.bob.com) with LDAP Authentication and it is funtioning as expected, and I see user login info through logging. The only usergroup for this rule is Authenticted Users.
3. I am publishing any other domain (say domain2.steve.com and domain3.tom.org), mostly ActiveSync 2003 environments, and cannot get them to preauthenticate through ISA. The only way they work is by allowing All Users access to the rule and letting them authenticate to Exchange directly. But when All Users is removed, once again I get anonymous user errors (see below).
4. Even if I specifically add a test user account to the LDAP users, and login successfully and apply it to the rule, it still does not let them preauthenticate to this domain (adding in steve@domain2.steve.com) unless I add back the All Users group.

Logging shows:
Denied Connection ISAServer 7/21/2010 1:50:49 PM
Log type: Web Proxy (Reverse)
Status: 12239 The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator.
Rule: Rule for domain2.steve.com Exchange2003 - mobile.steve.com
Source: (Phone IP)
Destination: (LISTENER IP:443)
Request: OPTIONS http://mobile.steve.com/Microsoft-Server-ActiveSync?User=steve\jdoe&DeviceId=34D0102247F0CB68227AD84E8DEFE48A&DeviceType=PocketPC
Filter information: Req ID: 1f9cd1d1; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: https
User: anonymous
Additional information
Client agent: MSFT-PPC/5.2.101
Object source: (No source information is available.)
Cache info: 0x8 (Request includes the AUTHORIZATION header.)
Processing time: 1 ms
MIME type:

I am trying to figure out why two things occur and how to findthem/fix them.

1. Why does the destination say the listener address rather than the actual Exchange server address unless I add the All Users in?
2. Why does it say the User is anonymous when i am entering in login info the same as the fist rule above that is working correctly?

It is as though ISA is denying the requests, but I cannot see why!
Post #: 1
RE: Exchange ActiveSync user authentication problem - 22.Jul.2010 2:51:56 PM   
jtheboywonder

 

Posts: 21
Joined: 9.Mar.2009
Status: offline
After much testing and troubleshooting and a lot of odd dreams about why it wasn't working, it turns out that Login Expressions when implemented correctly work wonders, but when implmented incorrectly cause pre-authentication to fail. Go figure...

Thanks for the consideration, and if you have authentication issues when using multiple LDAP domains, check your login expressions.

(in reply to jtheboywonder)
Post #: 2
RE: Exchange ActiveSync user authentication problem - 21.Aug.2010 6:29:27 AM   
mpower

 

Posts: 29
Joined: 9.May2008
Status: offline
I see this all the time in one environment I have.  AKAIK, my login expressions are correct.
I see this error for the same user in one instance, but then a little while later, they are authenticating fine.  It comes and goes, so I'm not sure if it's the network or LDAP or something else.

I am moving away from authenticating with LDAP.  I've had nothing but issues with it.

(in reply to jtheboywonder)
Post #: 3
RE: Exchange ActiveSync user authentication problem - 23.Aug.2010 12:56:33 PM   
jtheboywonder

 

Posts: 21
Joined: 9.Mar.2009
Status: offline
What are you moving to? Are you getting rid of pre-auth or going to something else other than AD? How are you planning to authenticate across multiple domains or do you administer all the domains as well? What is your strategy?

(in reply to jtheboywonder)
Post #: 4
RE: Exchange ActiveSync user authentication problem - 23.Aug.2010 1:02:36 PM   
mpower

 

Posts: 29
Joined: 9.May2008
Status: offline
We have since moved to a webservices/SQL pre-auth "filter".  Child domains have been consolidated, so I only have one prod domain to worry about.  We're going to auth directly with Exchange, no delegation, but client may auth directly.

(in reply to jtheboywonder)
Post #: 5

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 Publishing] >> Exchange Publishing >> Exchange ActiveSync user authentication problem Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts