Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Login loop when using SecurID to protect an ISA published OWA 2007

Posted on 2007-11-26
4
Medium Priority
?
671 Views
Last Modified: 2008-11-17
Hi,
I'm having problems publishing an OWA 2007 site using ISA 2006 with SecurID.
I've followed the instructions to the letter. When I configure it to use normal FBA, everything works fine. As soon as I configure it to use SecurID, I get into a loop.
I get to the RSA authentication form and see that I get authenticated succesfully but shortly after, I get back to the authentication form.
In the ISA log is see the following (I've changed the IP and names to protect the innocent ;) but they are correct):

Allowed Connection ISASERVER 26-11-2007 15:52:03
Log type: Web Proxy (Reverse)
Status: 0 The operation completed successfully.  
Rule: TPA In - OWA
Source: External (<externalIP>)
Destination: (<ExchangeserverIP>)
Request: GET http://mydomainname/exchange 
Filter information: Req ID: 08d05fb2; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: (SecurID)MyUserID

Seems like a cookie problem, but I can't figure out what's wrong. Can anyone please help?

Regards,
Maurice
0
Comment
Question by:MNH1966
  • 2
4 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20361888
Hi - surprised the request is on http but the rotocol is being seen aas https. Kerberos is easier but... Are yoiu bridging http to https on the ISA server?
If not, have you tried accessing with https://mydomainname.com/exchange?

Does this work internally or are you only using the RSA for external users?

Have you got all the updates for ISA2006?
0
 
LVL 9

Author Comment

by:MNH1966
ID: 20363864
I'm using a scenario where all external users connect through https to ISA, which connects http to Exchange. I want to avoid the load doing the ssl encryption/decrypt twice and my ISA and Exchange server are on the same (virtual) switch, so I think the "risks" are acceptable.

Using the /exchange url gives the same result. We're using Exchange 2007 only environement, so I believe even if the authentication worked correctly, /exchange would not return an OWA screen.

I've installed all the ISA 2006 updates, including the one providing support for Exchange 2007 publishing.
It's our intention to use RSA for external users but I've set up a listener for internal as well for testing purposes. When I use the same rule and listener without the RSA authentication, it works perfectly.
Any ideas?
0
 

Expert Comment

by:jmergulhao
ID: 21311212
Hi Maurice,

Im getting exactly the problem the same problem..Unfortunately im still searching for a solution and dont have anything to add..

I was just wondering if youve made any more progress..

Cheers

John
0
 
LVL 9

Accepted Solution

by:
MNH1966 earned 0 total points
ID: 21312690
I ended up using Kerberos Delegated authentication. Not my intention at first, but it works.
Now users authenticate against the ISA, which in turn is authorized to authenticate on behalf of the user.
I think the real solution would be some sort of configuration of RSA on the Exchange server itself, but I couldn't find any documentation on that. Maybe by now, there are better HowTo docs available... Haven't looked in a while...
0

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Steps to fix “Unable to mount database. (hr=0x80004005, ec=1108)”.
If you have come across a situation where you need to find some EDB mailbox recovery techniques, then here you will find the same. In this article, we will take you through three techniques using which you will be able to perform EDB recovery. You …
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…
Suggested Courses

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question