Solved

Login loop when using SecurID to protect an ISA published OWA 2007

Posted on 2007-11-26
667 Views
Last Modified: 2008-11-17
Hi,
I'm having problems publishing an OWA 2007 site using ISA 2006 with SecurID.
I've followed the instructions to the letter. When I configure it to use normal FBA, everything works fine. As soon as I configure it to use SecurID, I get into a loop.
I get to the RSA authentication form and see that I get authenticated successfully but shortly after, I get back to the authentication form.
In the ISA log I see the following (I've changed the IP and names to protect the innocent ;) but they are correct):

Allowed Connection ISASERVER 26-11-2007 15:52:03
Log type: Web Proxy (Reverse)
Status: 0 The operation completed successfully.  
Rule: TPA In - OWA
Source: External (<externalIP>)
Destination: (<ExchangeserverIP>)
Request: GET http://mydomainname/exchange 
Filter information: Req ID: 08d05fb2; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: (SecurID)MyUserID

Seems like a cookie problem, but I can't figure out what's wrong. Can anyone please help?

Regards,
Maurice
Question by:MNH1966
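The loop signature in the log excerpt above is a named SecurID user on every allowed request while the form-based-authentication cookie reads `exists=no, valid=no`. That pattern can be picked out mechanically. The following is an added example, not code from this thread or from ISA Server: it parses constructed records in the shape of the quoted ISA 2006 Web Proxy (Reverse) log (the Req IDs other than `08d05fb2`, the second URL and the second user name are made up) and flags users who keep being passed to the published server with an authenticated identity but no valid FBA cookie, which is how a cookie the listener never sets, or never accepts back, looks from the proxy side.

```python
import re
from collections import Counter

# Constructed sample (not real traffic) in the shape of the ISA 2006 Web Proxy
# (Reverse) log record quoted in the question. Records are blank-line separated.
# The first three records are one user bouncing back to the SecurID form: every
# request carries an authenticated user name but the FBA cookie is never
# accepted. The last record is a healthy session with a valid cookie.
SAMPLE_LOG = """\
Allowed Connection ISASERVER 26-11-2007 15:52:03
Log type: Web Proxy (Reverse)
Status: 0 The operation completed successfully.
Rule: TPA In - OWA
Source: External (<externalIP>)
Destination: (<ExchangeserverIP>)
Request: GET http://mydomainname/exchange
Filter information: Req ID: 08d05fb2; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: (SecurID)MyUserID

Allowed Connection ISASERVER 26-11-2007 15:52:09
Log type: Web Proxy (Reverse)
Rule: TPA In - OWA
Request: GET http://mydomainname/owa
Filter information: Req ID: 08d05fb7; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: (SecurID)MyUserID

Allowed Connection ISASERVER 26-11-2007 15:52:15
Log type: Web Proxy (Reverse)
Rule: TPA In - OWA
Request: GET http://mydomainname/owa
Filter information: Req ID: 08d05fbc; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: (SecurID)MyUserID

Allowed Connection ISASERVER 26-11-2007 15:53:02
Log type: Web Proxy (Reverse)
Rule: TPA In - OWA
Request: GET http://mydomainname/owa
Filter information: Req ID: 08d05fc1; FBA cookie: exists=yes, valid=yes, updated=no, logged off=no, client type=public, user activity=yes
Protocol: https
User: OtherUser
"""


def parse_records(text):
    """Split the log into blank-line separated records and return each as a
    dict of 'Key: value' fields; the first line of a record is kept as 'header'."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = chunk.splitlines()
        rec = {"header": lines[0]}
        for line in lines[1:]:
            # Split on the first ': ' only; the Filter information value itself
            # contains further 'Req ID: ...' style pairs that must stay intact.
            key, sep, value = line.partition(": ")
            if sep:
                rec[key.strip()] = value.strip()
        records.append(rec)
    return records


def fba_cookie_state(filter_info):
    """Return the 'FBA cookie:' sub-fields of a Filter information value as a
    dict, e.g. {'exists': 'no', 'valid': 'no', ...}; empty if absent."""
    match = re.search(r"FBA cookie:\s*([^;]*)", filter_info)
    if not match:
        return {}
    state = {}
    for part in match.group(1).split(","):
        key, sep, value = part.strip().partition("=")
        if sep:
            state[key.strip()] = value.strip()
    return state


def find_login_loops(text, threshold=3):
    """Count, per authenticated user, requests the proxy allowed with a named
    user but without an existing, valid FBA cookie. A single such request is
    normal (the first hit before logon); repeated ones for the same user mean
    the credential is validated each time and the session cookie never sticks.
    Returns {user: count} for users at or above the threshold."""
    counts = Counter()
    for rec in parse_records(text):
        user = rec.get("User", "")
        if not user or user.lower() == "anonymous":
            continue
        cookie = fba_cookie_state(rec.get("Filter information", ""))
        if cookie.get("exists") == "no" or cookie.get("valid") == "no":
            counts[user] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for user, n in find_login_loops(SAMPLE_LOG).items():
        print(f"{user}: {n} authenticated requests without a valid FBA cookie")
```

Run against a real export, the users it lists are the ones to check the listener's cookie settings for (domain and path of the cookie versus the public host name, and whether the client is sending it back on the next request); a user who appears once is just a normal first hit, which is why the threshold defaults to 3.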
4 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20361888
Hi - surprised the request is on http but the protocol is being seen as https. Kerberos is easier but... Are you bridging http to https on the ISA server?
If not, have you tried accessing with https://mydomainname.com/exchange?

Does this work internally or are you only using the RSA for external users?

Have you got all the updates for ISA2006?
 
LVL 9

Author Comment

by:MNH1966
ID: 20363864
I'm using a scenario where all external users connect through https to ISA, which connects via http to Exchange. I want to avoid the load of doing the SSL encryption/decryption twice, and my ISA and Exchange server are on the same (virtual) switch, so I think the "risks" are acceptable.

Using the /exchange URL gives the same result. We're using an Exchange 2007-only environment, so I believe even if the authentication worked correctly, /exchange would not return an OWA screen.

I've installed all the ISA 2006 updates, including the one providing support for Exchange 2007 publishing.
It's our intention to use RSA for external users but I've set up a listener for internal as well for testing purposes. When I use the same rule and listener without the RSA authentication, it works perfectly.
Any ideas?
 

Expert Comment

by:jmergulhao
ID: 21311212
Hi Maurice,

I'm getting exactly the same problem. Unfortunately I'm still searching for a solution and don't have anything to add.

I was just wondering if you've made any more progress.

Cheers

John
 
LVL 9

Accepted Solution

by:MNH1966 earned 0 total points
ID: 21312690
I ended up using Kerberos Delegated authentication. Not my intention at first, but it works.
Now users authenticate against the ISA, which in turn is authorized to authenticate on behalf of the user.
I think the real solution would be some sort of configuration of RSA on the Exchange server itself, but I couldn't find any documentation on that. Maybe by now, there are better HowTo docs available... Haven't looked in a while...