Solved

Login loop when using SecurID to protect an ISA published OWA 2007

Posted on 2007-11-26
Last Modified: 2008-11-17
Hi,
I'm having problems publishing an OWA 2007 site using ISA 2006 with SecurID.
I've followed the instructions to the letter. When I configure it to use normal FBA, everything works fine. As soon as I configure it to use SecurID, I get into a loop.
I get to the RSA authentication form and see that I get authenticated successfully but shortly after, I get back to the authentication form.
In the ISA log I see the following (I've changed the IP and names to protect the innocent ;) but they are correct):

Allowed Connection ISASERVER 26-11-2007 15:52:03
Log type: Web Proxy (Reverse)
Status: 0 The operation completed successfully.  
Rule: TPA In - OWA
Source: External (<externalIP>)
Destination: (<ExchangeserverIP>)
Request: GET http://mydomainname/exchange
Filter information: Req ID: 08d05fb2; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: (SecurID)MyUserID

Seems like a cookie problem, but I can't figure out what's wrong. Can anyone please help?

Regards,
Maurice
Question by:MNH1966
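
The log entry in the question attributes the request to an authenticated user, (SecurID)MyUserID, while the FBA cookie flags read exists=no. As an added example (not part of the original thread), this Python script parses entries in that layout and lists the ones showing that combination; the second sample entry and all function names are constructed for illustration.

```python
import re

# Sample in the layout of the excerpt above; the second entry is constructed.
SAMPLE_LOG = """\
Allowed Connection ISASERVER 26-11-2007 15:52:03
Rule: TPA In - OWA
Request: GET http://mydomainname/exchange
Filter information: Req ID: 08d05fb2; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
User: (SecurID)MyUserID

Allowed Connection ISASERVER 26-11-2007 15:52:09
Rule: TPA In - OWA
Request: GET http://mydomainname/exchange
Filter information: Req ID: 00000000; FBA cookie: exists=yes, valid=yes, updated=no, logged off=no, client type=unknown, user activity=yes
User: (SecurID)MyUserID
"""

def parse_entries(text):
    """Split log-viewer text into one dict per blank-line-separated entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        entry = {"header": lines[0]}
        for line in lines[1:]:
            key, sep, value = line.partition(": ")  # split at the first ": " only
            if sep:
                entry[key] = value.strip()
        entries.append(entry)
    return entries

def fba_cookie_flags(filter_info):
    """Return the flags after 'FBA cookie:' in a Filter information value."""
    _, found, rest = filter_info.partition("FBA cookie:")
    flags = {}
    for pair in rest.split(";")[0].split(",") if found else []:
        name, sep, value = pair.partition("=")
        if sep:
            flags[name.strip()] = value.strip()
    return flags

def cookieless_after_auth(entries, scheme="(SecurID)"):
    """List entries with an authenticated user but no FBA cookie on the request."""
    hits = []
    for e in entries:
        flags = fba_cookie_flags(e.get("Filter information", ""))
        if e.get("User", "").startswith(scheme) and flags.get("exists") == "no":
            hits.append((e["header"], e.get("Request", ""), e["User"]))
    return hits
print(cookieless_after_auth(parse_entries(SAMPLE_LOG)))
```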
Expert Comment

by:Keith Alabaster
ID: 20361888
Hi - surprised the request is on http but the protocol is being seen as https. Kerberos is easier but... Are you bridging http to https on the ISA server?
If not, have you tried accessing with https://mydomainname.com/exchange?

Does this work internally or are you only using the RSA for external users?

Have you got all the updates for ISA2006?
Author Comment

by:MNH1966
ID: 20363864
I'm using a scenario where all external users connect through https to ISA, which connects http to Exchange. I want to avoid the load doing the ssl encryption/decrypt twice and my ISA and Exchange server are on the same (virtual) switch, so I think the "risks" are acceptable.

Using the /exchange url gives the same result. We're using an Exchange 2007 only environment, so I believe even if the authentication worked correctly, /exchange would not return an OWA screen.

I've installed all the ISA 2006 updates, including the one providing support for Exchange 2007 publishing.
It's our intention to use RSA for external users but I've set up a listener for internal as well for testing purposes. When I use the same rule and listener without the RSA authentication, it works perfectly.
Any ideas?
Expert Comment

by:jmergulhao
ID: 21311212
Hi Maurice,

I'm getting exactly the same problem.. Unfortunately I'm still searching for a solution and don't have anything to add..

I was just wondering if you've made any more progress..

Cheers

John
Accepted Solution

by:MNH1966
ID: 21312690
I ended up using Kerberos Delegated authentication. Not my intention at first, but it works.
Now users authenticate against the ISA, which in turn is authorized to authenticate on behalf of the user.
I think the real solution would be some sort of configuration of RSA on the Exchange server itself, but I couldn't find any documentation on that. Maybe by now, there are better HowTo docs available... Haven't looked in a while...