Solved

Login loop when using SecurID to protect an ISA published OWA 2007

Posted on 2007-11-26
Last Modified: 2008-11-17
Hi,
I'm having problems publishing an OWA 2007 site using ISA 2006 with SecurID.
I've followed the instructions to the letter. When I configure it to use normal FBA, everything works fine. As soon as I configure it to use SecurID, I get into a loop.
I get to the RSA authentication form and see that I get authenticated successfully but shortly after, I get back to the authentication form.
In the ISA log I see the following (I've changed the IP and names to protect the innocent ;) but they are correct):

Allowed Connection ISASERVER 26-11-2007 15:52:03
Log type: Web Proxy (Reverse)
Status: 0 The operation completed successfully.  
Rule: TPA In - OWA
Source: External (<externalIP>)
Destination: (<ExchangeserverIP>)
Request: GET http://mydomainname/exchange 
Filter information: Req ID: 08d05fb2; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: (SecurID)MyUserID

Seems like a cookie problem, but I can't figure out what's wrong. Can anyone please help?

Regards,
Maurice
Question by:MNH1966
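
A triage sketch for the symptom in the question above, as an added example that is not part of the original post: it parses records laid out like the quoted ISA log entry and flags requests that are logged under a user name while the filter information reports "FBA cookie: exists=no". The second sample record, its Req ID, the function names and the treatment of "anonymous" as unauthenticated are assumptions made for illustration.

```python
import re

# Constructed records in the layout of the log entry quoted in the post.
# The second record and its Req ID are invented for contrast.
SAMPLE_LOG = """\
Allowed Connection ISASERVER 26-11-2007 15:52:03
Request: GET http://mydomainname/exchange
Filter information: Req ID: 08d05fb2; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
User: (SecurID)MyUserID

Allowed Connection ISASERVER 26-11-2007 15:52:09
Request: GET http://mydomainname/exchange
Filter information: Req ID: 08d05fb3; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=yes, valid=yes, updated=no, logged off=no, client type=unknown, user activity=yes
User: (SecurID)MyUserID
"""

FIELD = re.compile(r"^(Request|Filter information|User):[ \t]*(.*)$", re.M)

def parse_fba_cookie(filter_info):
    """Return the 'FBA cookie:' key=value pairs as a dict (empty if absent)."""
    _, sep, tail = filter_info.partition("FBA cookie:")
    if not sep:
        return {}
    tail = tail.split(";")[0]  # stop at the next filter section, if any
    pairs = (item.split("=", 1) for item in tail.split(",") if "=" in item)
    return {key.strip(): value.strip() for key, value in pairs}

def parse_record(block):
    fields = {name: value.strip() for name, value in FIELD.findall(block)}
    return {
        "header": block.strip().splitlines()[0],
        "request": fields.get("Request", ""),
        "user": fields.get("User", ""),
        "fba": parse_fba_cookie(fields.get("Filter information", "")),
    }

def find_cookie_loops(log_text):
    """Flag records that name a user but show no FBA cookie presented."""
    hits = []
    for block in re.split(r"\n\s*\n", log_text.strip()):
        rec = parse_record(block)
        user = rec["user"]
        # Assumption: an empty or "anonymous" user means not yet authenticated.
        if user and user.lower() != "anonymous" and rec["fba"].get("exists") == "no":
            hits.append((rec["header"], user, rec["request"]))
    return hits

if __name__ == "__main__":
    print(*find_cookie_loops(SAMPLE_LOG), sep="\n")
```
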
4 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20361888
Hi - surprised the request is on http but the protocol is being seen as https. Kerberos is easier but... Are you bridging http to https on the ISA server?
If not, have you tried accessing with https://mydomainname.com/exchange?

Does this work internally or are you only using the RSA for external users?

Have you got all the updates for ISA2006?
0
 
LVL 9

Author Comment

by:MNH1966
ID: 20363864
I'm using a scenario where all external users connect through https to ISA, which connects http to Exchange. I want to avoid the load doing the ssl encryption/decrypt twice and my ISA and Exchange server are on the same (virtual) switch, so I think the "risks" are acceptable.

Using the /exchange url gives the same result. We're using an Exchange 2007 only environment, so I believe even if the authentication worked correctly, /exchange would not return an OWA screen.

I've installed all the ISA 2006 updates, including the one providing support for Exchange 2007 publishing.
It's our intention to use RSA for external users but I've set up a listener for internal as well for testing purposes. When I use the same rule and listener without the RSA authentication, it works perfectly.
Any ideas?
0
 

Expert Comment

by:jmergulhao
ID: 21311212
Hi Maurice,

I'm getting exactly the same problem. Unfortunately I'm still searching for a solution and don't have anything to add.

I was just wondering if you've made any more progress.

Cheers

John
0
 
LVL 9

Accepted Solution

by:
MNH1966 earned 0 total points
ID: 21312690
I ended up using Kerberos Delegated authentication. Not my intention at first, but it works.
Now users authenticate against the ISA, which in turn is authorized to authenticate on behalf of the user.
I think the real solution would be some sort of configuration of RSA on the Exchange server itself, but I couldn't find any documentation on that. Maybe by now, there are better HowTo docs available... Haven't looked in a while...
0

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Know the reasons and solutions to move/import EDB to New Exchange Server. Also, find out how to recover an Exchange .edb file and to restore the file back.
One-stop solution for Exchange Administrators to address all MS Exchange Server issues, which is known by the name of Stellar Exchange Toolkit.
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question