• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 675
  • Last Modified:

Login loop when using SecurID to protect an ISA published OWA 2007

I'm having problems publishing an OWA 2007 site using ISA 2006 with SecurID.
I've followed the instructions to the letter. When I configure it to use normal FBA, everything works fine. As soon as I configure it to use SecurID, I get into a loop.
I get to the RSA authentication form and see that I get authenticated succesfully but shortly after, I get back to the authentication form.
In the ISA log is see the following (I've changed the IP and names to protect the innocent ;) but they are correct):

Allowed Connection ISASERVER 26-11-2007 15:52:03
Log type: Web Proxy (Reverse)
Status: 0 The operation completed successfully.  
Rule: TPA In - OWA
Source: External (<externalIP>)
Destination: (<ExchangeserverIP>)
Request: GET http://mydomainname/exchange 
Filter information: Req ID: 08d05fb2; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: (SecurID)MyUserID

Seems like a cookie problem, but I can't figure out what's wrong. Can anyone please help?

  • 2
1 Solution
Keith AlabasterEnterprise ArchitectCommented:
Hi - surprised the request is on http but the rotocol is being seen aas https. Kerberos is easier but... Are yoiu bridging http to https on the ISA server?
If not, have you tried accessing with https://mydomainname.com/exchange?

Does this work internally or are you only using the RSA for external users?

Have you got all the updates for ISA2006?
MNH1966Author Commented:
I'm using a scenario where all external users connect through https to ISA, which connects http to Exchange. I want to avoid the load doing the ssl encryption/decrypt twice and my ISA and Exchange server are on the same (virtual) switch, so I think the "risks" are acceptable.

Using the /exchange url gives the same result. We're using Exchange 2007 only environement, so I believe even if the authentication worked correctly, /exchange would not return an OWA screen.

I've installed all the ISA 2006 updates, including the one providing support for Exchange 2007 publishing.
It's our intention to use RSA for external users but I've set up a listener for internal as well for testing purposes. When I use the same rule and listener without the RSA authentication, it works perfectly.
Any ideas?
Hi Maurice,

Im getting exactly the problem the same problem..Unfortunately im still searching for a solution and dont have anything to add..

I was just wondering if youve made any more progress..


MNH1966Author Commented:
I ended up using Kerberos Delegated authentication. Not my intention at first, but it works.
Now users authenticate against the ISA, which in turn is authorized to authenticate on behalf of the user.
I think the real solution would be some sort of configuration of RSA on the Exchange server itself, but I couldn't find any documentation on that. Maybe by now, there are better HowTo docs available... Haven't looked in a while...
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Easily manage email signatures in Office 365

Managing email signatures in Office 365 can be a challenging task if you don't have the right tool. CodeTwo Email Signatures for Office 365 will help you implement a unified email signature look, no matter what email client is used by users. Test it for free!

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now