Quick question. I had not thought of apply FBA to other sites, but if I wanted to do that how to I customize for multiple sites? In other words, what if I had a sharepoint site and an OWA site through the same ISA and wanted separate FBA screens. Is that handled in the code or is there a way to use multiple custom pages.
Just a question, on the left of the logon form is a vertical line which joins to logon_IE_top.gif, how do you replace this or modify it? I have looked at all the cell, table, form properties, but can't find it.
From: Bedford UK
Like David above, I should like to use this feature for different web-sites behind our ISA server . . or at least one type of form for OWA and a different one for our web site, to start with. Is multiple forms possible?
(Will this get us over the nightmare of Windows logins at the moment, which depends on what OS the client is using out there . . sometimes they need DOMAIN\username, sometimes username@domain, and sometimes they get offered a 'three-box' login which has the domain in line three. If this forms-based login can get us over that, it would be FANTASTIC!)
Hopefully Tom or Ladislav Solc can answer this question. By the way Tom your book rocks. We have used it a lot.
The sitution is that we used Ladislav document as a reference to modify the html code to the FBA log in page. If we add our own images on the ISA server in the directory they do not work. But if we change the logon_MSIERich and point to another webserver for the images the page comes up fine. We want to place the images on the isa server in the cookieauthtemplates directory because we have invested in a load balancing and do not want to reference a webserver our of the ISA environment but for some reason they do not load even after stopping and starting the firewall server or bouncing the box. Would this be a cache issue? If not is there a security function that is keeping the new images from being loaded.
Here is snipet of code that we used in the logon_MSIERichpage to reference the images and stylesheets on another server:
We would really like to figure out how to get the images to work on the ISA server. Any help would be appreciated. Below is a link to the owa site we are testing on our lab isa server. These images are pulled from the webserver example above and not on the isa server. Our ADG group has done a great job and we hope we can resolve this issue to get the images properly referenced on the ISA server for redunancy. https://mail.pbsj.net/exchange
We have spent a lot of hours and effort developing the form-based login screen, plus our custom functions. We started with ISA 2000 and had two versions. Now we are working on the version 3 on ISA 2004. I can tell you that it's a difficult job. We hired two consultants who have a lot of c/c++ and ISAPI filter experience and we are still struggling with the problems in our version 3.
We have asked Microsoft to help and they said they will include it in their next release (who knows when we will see it!) Meanwhile, we need it now. I agree with jeffa, if OWA FBA code could be released and we could add in our custom code, it would be very helpful.
Changing the ISA OWA pages is one thing but using this to front end access to sharepoint is another issue. Although the initial authentication through to ISA is successful, whenever Sharepoint prompts for authentication again (i.e. create a new document), ISA returns the OWA forms page in the office application instead of the I.E. browser. According to PSS, there is no way around this issue since the session is based on cookie authentication.
Has anyone else run into this issue authoring documents? If so were you able to find a solution?
You should always pre-authenticate users on the ISA 2004 system before allowing them to servers running services like IIS, Exchange, SPS, etc. With regards to some of the questions/concerns it sounds like most of the OOB capabilities/limitations have been discussed. You may also want to consider evaluating a more advanced authentication filter from us at www.collectivesoftware.com (FlexAuth for ISA 2004). It gives you the ability to customize the FBA page much more so than you can out of the box. It also provide the ability to deliver FBA to browsers that support it and Basic to those that don't (such as the example of wanting to use FBA but also allow WORD to access documents). Another great feature when publishing things like SPS is our SSO capabilities that can provide SSO across a single session even if you are browsing between OWA, SPS or other published web sites. It will not provide SSO into office (you will get a basic prompt in Word for example) because that is a different session and we do not put persistent cookies down because of the security risks involved.
There are a variety of other benefits in FlexAuth such as the options for LDAP for authentication and some protections against DoS attacks for account lockouts. Check out an eval if it sounds like some of these features might help with any of your problems.