Pb with authentication in owa

  • Pb with authentication in owa

    Hi everybody
    I have a problem with OWA.
    When I try to log on to OWA, ISA doesn't check my Active Directory on the domain controller.
    But if I create an account in ISA, it works.
    In my listener properties I have selected authentication with Windows Active Directory, and basic authentication in my rule.
    I have Outlook 2007 and ISA 2006.
    (Sorry, my English is not very good.)

    Thanks for your help.

  • #2
    Re: Pb with authentication in owa

    Is ISA a domain member?

    Please read this before you post:

    Quis custodiet ipsos custodes?


    • #3
      Re: Pb with authentication in owa

      Hi, thanks for your help.

      No, it isn't.


      • #4
        Re: Pb with authentication in owa

        It needs to be set up for something like LDAP then. Make sure it can get through your firewall on TCP 389?

        Have a look here:

        the rest of the article is great too.

        Please read this before you post:

        Quis custodiet ipsos custodes?


        • #5
          Re: Pb with authentication in owa

          Yes, I saw these tips and I tried them; it's the same problem.
          I can see in the log in ISA that it is not denied, but it doesn't work.

          To explain from the beginning:
          My boss took a Microsoft tech to do that, and before, it worked.

          The tech changed the settings to install RPC over HTTP and Outlook Anywhere, and he told me that we have to create each account in ISA Server,
          and I'm sure it's not true.

          Thanks for your reply.


          • #6
            Re: Pb with authentication in owa

            You are correct. ISA should authenticate from AD.
            I think you will need to post the details of your current setup.
            How many listeners do you have set up and how many external IPs?

            Please read this before you post:

            Quis custodiet ipsos custodes?


            • #7
              Re: Pb with authentication in owa

              I have two listeners and only one external IP.
              The first listener is for HTTP 80 and the second for HTTPS 443.

              Listener: exchange

              Network: External
              Connections: enable SSL connections on port 443
              Certificates: (installed in ISA)
              Authentication: HTML form authentication
              Authentication validation method: Windows (Active Directory)
              and I tried with LDAP
              Forms: nothing
              SSO: enable single sign on
              SSO domains

              Thanks a lot for your help, Andy.


              • #8
                Re: Pb with authentication in owa

                I would make a backup of ISA, then disable the current listener and copy it so you can edit it without changing what your boss has put in. You will need to specify LDAP as per the article.
                Can you test OWA from the ISA server to It should resolve to your internal Exchange server from the ISA so make sure it does with no cert prompts. We can set up secure LDAP as well. Can you make sure any firewall between them is set up with port 2172 (LDAPS) allowed between ISA and the DCs.

                For the LDAP bit:
                • Click Edit on this Listener and select the Authentication tab.
                • Click the configure validation servers.
                • In the LDAP Server Set click Add
                • Type a Set Name
                • Click ‘add’ and type the IP address of one of your DCs in the name box and add a description with its name. If you wish you can use names and change the hosts file or use DNS to resolve these but this may increase latency slightly.
                • Add more servers if required.
                • In the Active Directory domain name line add in your domain name with a preceding full stop (.domain.local).
                • Choose OK to close
                • In the lower box Create a new expression of ‘*’ and the name of your LDAP Server Set.
                • Close and OK until you see your Web Listener again
                • Choose Next.
                • Select Basic Authentication and ‘Next’
                • Leave ‘All Authenticated Users’ and click ‘Next’ and ‘Finish’.
                • Right Click and select Properties of the newly created Publishing Rule
                • Select the ‘Web Farm’ tab and remove tick in ‘Forward Original Host Header’
                • Choose OK and Apply the configuration.

                I would then test it by opening Monitoring, the Logging tab, and clicking Start Query; this should show failed connections etc.

                You could also try using LDP to connect from your ISA box inbound to your DCs if you have another firewall between them and your ISA. This would confirm LDAP connectivity.

                Don't forget it does take about 20 seconds sometimes for the config to be accepted and start working so give it a little time before you test.

                This is for /OWA access not /Exchange though.
                General tabs are:
                General: Name of Rule, Enable
                Action: Allow, Log requests
                From: External
                To:, forward original host header, requests appear to come from ISA (there is also an entry in the local hosts file for pointing to the INTERNAL IP of the Exchange CAS server).
                Traffic: HTTP,HTTPS
                Public Name: requests for the following web sites,
                Paths: /OWA/*
                Authentication: Negotiate Kerberos/NTLM,
                Application: Tick customized, Exchange, ?Cmd=logoff, As selected by the user (public/private)
                Link Translation: Apply
                Schedule: Always (whatever you want really)
                Users: All authenticated
                Bridging: Web Server redirect to SSL 443. (This depends on your requirements, you already have an http listener though).

                The listener itself would be similar to:
                General: Name of Listener
                Networks: External
                Connections: HTTP 80, SSL 443, redirect all from http to https (depends on your requirements again).
                Certificates: Make sure you have the valid cert.
                Authentication: HTML Form and LDAP.
                Configure the Validation servers:
                Server Set: give it a name
                add in the IP or names of the servers in the list
                Active directory name: ".domain.local" note the extra full stop at the start.
                Connect to LDAP servers over secure connection only if you have enabled the 2172 port.
                Provide a valid domain\username and password
                Then in the final box after saving you need to enter the login expressions for the matching strings.
                *, DOMAIN\*, *@domain.local.* etc etc
                Forms: leave as it is.
                SSO: depends on requirements.

                Please read this before you post:

                Quis custodiet ipsos custodes?
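
Added example, not part of the original posts: a PowerShell check, run on the ISA server, for the LDAP connectivity test that post #8 suggests doing with LDP. The DC addresses, the check list and the test account are placeholders, and it assumes PowerShell 2.0 or later with .NET's System.DirectoryServices.Protocols assembly available.

```powershell
# Added example. DC addresses, check list and test account are placeholders (assumptions).
Add-Type -AssemblyName System.DirectoryServices.Protocols

$DomainControllers = @('192.0.2.10', '192.0.2.11')      # placeholder DC IPs
$Checks = @(@{ Port = 389; Secure = $false })           # add your secure LDAP port with Secure = $true

function Test-TcpPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-LdapBind {
    param([string]$Server, [int]$Port, [bool]$Secure, [System.Net.NetworkCredential]$Credential)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    # Negotiate (NTLM from a non-domain machine) keeps the password off the wire on plain LDAP.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.SessionOptions.SecureSocketLayer = $Secure
    $conn.Timeout = New-Object System.TimeSpan(0, 0, 10)
    try {
        $conn.Bind($Credential)
        return 'bind OK'
    } catch {
        return "bind failed: $($_.Exception.Message)"
    } finally {
        $conn.Dispose()
    }
}

$cred = (Get-Credential).GetNetworkCredential()         # enter DOMAIN\username of a test account
foreach ($dc in $DomainControllers) {
    foreach ($check in $Checks) {
        if (Test-TcpPort -Server $dc -Port $check.Port) {
            $result = Test-LdapBind -Server $dc -Port $check.Port -Secure $check.Secure -Credential $cred
            "{0}:{1} reachable, {2}" -f $dc, $check.Port, $result
        } else {
            "{0}:{1} NOT reachable (check firewall rules between ISA and the DC)" -f $dc, $check.Port
        }
    }
}
```

A port that is reachable but fails the bind points at the account or the LDAP settings rather than at the firewall.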


                • #9
                  Re: Pb with authentication in owa

                  Thanks a lot for your answer, Andy.

                  I cannot test it at the moment.
                  I hope I can do it next week.

                  I will keep in touch.

                  Again, thanks for your time .....