Welcome to ISAserver.org


Discussion for Using ISA Server Feature Pack 1 to Forward Basic Authentication

Discussion for Using ISA Server Feature Pack 1 to Forwa... - 14.Jan.2003 7:50:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for the Using ISA Server Feature Pack 1 to Forward Basic Authentication Credentials article at http://www.isaserver.org/tutorials/forwardbasicauth.html

Thanks!
Tom

[ January 14, 2003, 07:58 AM: Message edited by: tshinder ]
Post #: 1
RE: Discussion for Using ISA Server Feature Pack 1 to F... - 14.Jan.2003 4:06:00 PM   
nhaajuice

 

Posts: 15
Joined: 23.Jul.2002
Status: offline
Good article - however, your images/graphics aren't displaying!

(in reply to tshinder)
Post #: 2
RE: Discussion for Using ISA Server Feature Pack 1 to F... - 14.Jan.2003 5:40:00 PM   
tshinder

 

Hi NJ,

Check it out now. Let me know how it's working!

Thanks!
Tom

(in reply to tshinder)
Post #: 3
RE: Discussion for Using ISA Server Feature Pack 1 to F... - 14.Jan.2003 5:43:00 PM   
267

 

Posts: 8
Joined: 14.Jan.2003
Status: offline
Any idea if this will allow OWA clients (Ex 5.5) to change their passwords after their passwords have expired in an NT 4.0 domain?

(in reply to tshinder)
Post #: 4
RE: Discussion for Using ISA Server Feature Pack 1 to F... - 14.Jan.2003 6:10:00 PM   
tshinder

 

Hi 267,

Don't know about 5.5, but this feature isn't even required to change passwords in Exchange 2000.

Tom

(in reply to tshinder)
Post #: 5
RE: Discussion for Using ISA Server Feature Pack 1 to F... - 14.Jan.2003 7:09:00 PM   
skipster

 

Posts: 550
Joined: 12.Oct.2001
From: newport beach
Status: offline
Hi Tom, great article. I set it up, and it's working good, however I want to be able to use SSL in the web publishing rule, but when I select redirect HTTP requests as SSL, check require secure channel for SSL, and require 128 bit encryption, then I cannot get to the site. IE tells me that I will be viewing pages over a secure connection, but after that it fails, and gives me a DNS error. I do not have any certificates configured on ISA, or the OWA server. Is this what I'm missing?

(in reply to tshinder)
Post #: 6
RE: Discussion for Using ISA Server Feature Pack 1 to F... - 14.Jan.2003 7:27:00 PM   
tshinder

 

Hi Skip,

You need to install the certificates on the ISA Server and the Web server. Run out during your lunch break and get the ISA Server and Beyond book. If you're there in Redondo Beach, there's a book store real close. I grew up in Santa Monica, so I know the area well [Smile]

Thanks in advance!

Tom

(in reply to tshinder)
Post #: 7
RE: Discussion for Using ISA Server Feature Pack 1 to F... - 14.Jan.2003 7:39:00 PM   
skipster

 

Already got the book, have had it for a couple of weeks now. Unfortunately I haven't had time to read it, but I will have to make the time. Yes, Santa Monica is a great town, especially if you're single. I bet you miss it.

(in reply to tshinder)
Post #: 8
RE: Discussion for Using ISA Server Feature Pack 1 to F... - 14.Jan.2003 7:44:00 PM   
tshinder

 

Hi Skip,

I do miss it, and I was single at the time [Big Grin] I'd hate to be a single man in Dallas, but fortunately I'm married now ;p

Tom

(in reply to tshinder)
Post #: 9
RE: Discussion for Using ISA Server Feature Pack 1 to F... - 14.Jan.2003 11:09:00 PM   
skipster

 

Just curious as to why an internal client trying to reach OWA that is on an internal machine would be asked for authentication from ISA? I have set the web proxy clients for direct access, and I have configured the LDT and LAT for only internal IPs and domain.

(in reply to tshinder)
Post #: 10
RE: Discussion for Using ISA Server Feature Pack 1 to F... - 15.Jan.2003 1:22:00 AM   
skipster

 

Hi all

I just set the incoming web request listener back to integrated, unchecked allow delegation of authentication on the web publishing rule, and set the authentication in IIS back to basic, and restarted all the services, but when I browse my OWA site ISA thinks that it must still authenticate on the incoming web listener, and if I enter in my credentials it passes it to the OWA server, and I authenticate to this and it lets me in. However users did not want to authenticate twice, so I had to tell the incoming web listener to stop asking for authentication, but it still wants to.

thanks for any help

Skip

(in reply to tshinder)
Post #: 11
RE: Discussion for Using ISA Server Feature Pack 1 to F... - 16.Jan.2003 1:07:00 AM   
skipster

 

What the hell. I have NO idea why ISA wants to try and authenticate any request for any published website on my internal network. My OWA site is set to Basic in IIS, ISA's incoming weblistener is set to integrated, and the web publishing rule is set to allow any request. I don't get it. Is this a FP1 issue? Hello MS what the #@$@#%.

(in reply to tshinder)
Post #: 12
RE: Discussion for Using ISA Server Feature Pack 1 to F... - 16.Jan.2003 2:39:00 AM   
tshinder

 

Dude!

REMOVE the integrated auth setting. Read the heads up at the end of the article again and see what I have to say about mixing 'em up. Read the beginning of the article to see what happens with double authentication [Smile]

HTH,
Tom

[ January 16, 2003, 02:40 AM: Message edited by: tshinder ]

(in reply to tshinder)
Post #: 13
RE: Discussion for Using ISA Server Feature Pack 1 to F... - 16.Jan.2003 5:57:00 PM   
skipster

 

Ok, I will re-read the article. I guess the part I'm not understanding is this. Before I installed FP1 I had the incoming web request listener set to integrated, and OWA was set to basic, and when a user typed in mail.domainname.com\exchange they only got authenticated at the IIS server hosting OWA. Now after installing FP1 if I set the internal web request listener to integrated and OWA to basic, I then get prompted by ISA for authentication, if I switch the listener to basic, then only IIS authenticated. So I guess my question is did installing FP1 change how ISA authenticates internal web requests?

Thanks for the help

Skip

(in reply to tshinder)
Post #: 14
RE: Discussion for Using ISA Server Feature Pack 1 to F... - 16.Jan.2003 9:22:00 PM   
skipster

 

Ok, I looked at the article again, and after doing several tests, I now have a better understanding of what is going on. It is interesting indeed. This is what I can gather so far with all of this.

#1 If the internal website is set to basic, and the internal weblistener is set to basic as well, and in the web publishing rule you control access by users and groups, then if you are one of the users who is allowed access by the web publishing rule, then you will only be authenticated once by ISA, and ISA will pass this along to the internal site.

#2 If the internal website is set to anonymous, and the internal weblistener is set to basic, and in the web publishing rule you allow access to certain users/groups, then if a user who is part of the group in the web publishing rule tries to access the site, then ISA will ask who you are and pass you on to the site.

#3 If the internal website is set to basic, and the internal weblistener is set to basic as well, and in the web publishing rule you allow any request, and the internal website is set to basic, then ISA passes the request on to the internal site.

#4 If OWA is set to Basic on the internal server, and the internal weblistener is set to basic, and you apply the web publishing rule to Domain users, then you will get two basic log on boxes. One will be for ISA, and then this will pass it on to OWA, and OWA will ask as well. I tested this out several times.

(in reply to tshinder)
Post #: 15
RE: Discussion for Using ISA Server Feature Pack 1 to F... - 17.Jan.2003 3:59:00 AM   
tshinder

 

Hi Skip,

Almost, except for #4. When you enable delegation of basic authentication on the Web Publishing Rule, you will only need to authenticate once. The Incoming Web Requests listener will prompt you, and then it sends the credentials to the Web server.

HTH,
Tom

(in reply to tshinder)
Post #: 16
RE: Discussion for Using ISA Server Feature Pack 1 to F... - 17.Jan.2003 5:30:00 AM   
skipster

 

Hi Tom

Thanks for the reply. I think the reason why I was seeing a log on box for OWA, even when I had enabled delegation of basic authentication on the Web Publishing Rule, is because I run Exchange 5.5 and 5.5 has a logon page, whereas Exchange 2k does not. Just thought I would throw this one out there.

(in reply to tshinder)
Post #: 17
RE: Discussion for Using ISA Server Feature Pack 1 to F... - 17.Jan.2003 5:56:00 AM   
tshinder

 

Hi Skip,

That might be it. I don't know much about the 5.5 OWA log on specifics.

Thanks!
Tom

(in reply to tshinder)
Post #: 18
RE: Discussion for Using ISA Server Feature Pack 1 to F... - 24.Jan.2003 1:22:00 PM   
rralston

 

Posts: 18
Joined: 22.Jul.2002
From: Boston, MA
Status: offline
I have Feature Pack 1 installed, with OWA via SSL working. Both ISA and the OWA server have SSL certs. Web listener has Basic Auth only, with SSL cert selected.

The OWA pub rule has "Require SSL and 128bit" selected, along with "allow delegation" selected and a Universal Security Group selected for the "Applies To". The OWA server has Basic Auth and "Require SSL/128bit" selected on all appropriate virtual directories.

When a user on the Internet enters the correct URL, i.e., "https://FQDN/exchange", everything happens correctly. However, if "http" is typed, instead of "https", ISA is still prompting for Basic Authentication credentials. I captured a network trace of the interaction, and it is definitely using just port 80, normal HTTP. After entering credentials 3 times, it eventually fails with "Server requires authentication..."

My expectation is that ISA would immediately reject the "http" request to the site since SSL was selected as required in the pub rule and therefore never present a credentials box.

Is this a problem with the way ISA handles this situation, or is it a configuration problem (hopefully)?

Thanks for any help.

Rob Ralston

(in reply to tshinder)
Post #: 19
RE: Discussion for Using ISA Server Feature Pack 1 to F... - 24.Jan.2003 3:35:00 PM   
tshinder

 

Hi Rob,

It's a configuration problem. If you don't use HTTPS, then you won't even be asked for authentication, you'll just see the error that says you need to use HTTPS.

HTH,
Tom

(in reply to tshinder)
Post #: 20
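
The check Rob did by hand in his network trace (post 19), written out as an added example; it is not code from the thread, the article or ISA Server. It scans captured HTTP messages for a Basic challenge or Basic credentials travelling on a non-TLS port. The trace, host name and credentials below are constructed for illustration.

```python
import base64
from email.parser import Parser  # HTTP headers use the same "Name: value" layout

# Constructed sample: messages as they might appear in a trace of the
# published site. Host name and credentials are made up for this example.
_CRED = base64.b64encode(b"EXAMPLE\\rob:NotARealPassword").decode()
TRACE = [
    (80, "GET /exchange HTTP/1.1\r\nHost: mail.example.test\r\n\r\n"),
    (80, 'HTTP/1.1 401 Unauthorized\r\n'
         'WWW-Authenticate: Basic realm="mail.example.test"\r\n\r\n'),
    (80, "GET /exchange HTTP/1.1\r\nHost: mail.example.test\r\n"
         f"Authorization: Basic {_CRED}\r\n\r\n"),
    (443, "(TLS record, opaque)"),
]

def parse_http(raw):
    """Split one HTTP message into (start_line, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    start_line, _, header_block = head.partition("\r\n")
    return start_line, Parser().parsestr(header_block, headersonly=True)

def audit_plaintext_basic(trace, tls_ports=(443,)):
    """Return (kind, port, user) findings for Basic auth seen outside TLS."""
    findings = []
    for port, raw in trace:
        if port in tls_ports:
            continue  # encrypted on the wire; nothing readable here
        start_line, headers = parse_http(raw)
        if start_line.startswith("HTTP/"):  # response: look for a challenge
            status = start_line.split()[1]
            challenges = headers.get_all("WWW-Authenticate", [])
            if status == "401" and any(c.lower().startswith("basic") for c in challenges):
                findings.append(("challenge", port, None))
        else:  # request: look for credentials already sent
            scheme, _, token = headers.get("Authorization", "").partition(" ")
            if scheme.lower() == "basic" and token:
                # Base64 is an encoding, not encryption: the user name is readable.
                user = base64.b64decode(token).decode("latin-1").partition(":")[0]
                findings.append(("credentials", port, user))
    return findings

if __name__ == "__main__":
    for kind, port, user in audit_plaintext_basic(TRACE):
        print(f"port {port}: Basic {kind} in cleartext", f"(user {user})" if user else "")
```

Any finding on port 80 means the listener is challenging before SSL is enforced, which is the behaviour Rob reports and Tom attributes to configuration.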
