ModernAge asked:

ISA SERVER AUTHENTICATION

I recently migrated my ISA server to a new piece of hardware by exporting the entire configuration from the old server and importing it into the new server. Yes, the server name and IP addresses all remained the same... just new physical hardware. The server is part of an Active Directory domain, and I had a SharePoint publishing rule in the configuration that was configured for form-based authentication to the client that worked fine before the migration. Basically, Internet users would be prompted with the ISA Server 2006 login screen, and after putting in their username/password they were properly directed to the SharePoint site.

After the migration it appears that if a user tries to login to that same screen, the screen reappears with an error indicating...

"You could not be logged on to ISA Server. Make sure that your domain name, user name, and password are correct, and then try again."

I'm thinking there is a problem talking back to a domain controller or the authentication configuration got mangled somehow but I need to figure it out quick.  Any troubleshooting ideas?  I'm going to DL and install the BPA and see if it sheds any light on this.

Thanks,

Dave
Keith Alabaster

A few more details, mate.

BPA output would be useful - remember you need .NET 1.1.
Open the ISA gui - select monitoring - logging - click start query.
Anything there when an access attempt is made?

Keith
ModernAge (ASKER)

Oddly enough, the entries appear blank with detail for the attempts to access the SharePoint site, as I am clearly aware of the Internet IP I'm coming in from. If it helps, I have a 5719 error in the System Event Log, but I have no problems accessing the SYSVOL shares of both domain controllers (single forest, btw).

I think something is screwed up with the web proxy somehow.  For the record I couldn't get the "integrated" method to work either aside from the Form-based configuration I had for that rule in the first place.  It clearly is not passing the authentication request to the domain controller for completion.

Weirdly, I cannot RDP the ISA server for anything, even though the system policy is configured correctly; however, I can manage it with the MMC from my internal network, so I'm not sure what gives there.

Going to install the BPA now.

Dave
Do you use certificates? I hope so, but you make no mention :)
So you have both system policies configured? Remote management for TS and MMC? That's cool.
What rule do you have for internal to internal? 5719 is normally associated with Kerberos issues, as I am sure you know.

Are you running the Enterprise version? Open the GUI, click monitoring - configuration - does the CSS show clean & green, or is it yellow?

Under monitoring - alerts - anything shown here?
Running BPA... check in a minute... no certificates yet, as I'm trying to get it running bare bones first before I introduce certificate complexities... yikes!

Standard Edition, but I do want to upgrade. Can that be done in place?
You wouldn't want to, to be frank. The Enterprise version needs a CSS instance set up using an ADAM model. The config would not import en masse to the EE as it would be missing elements such as arrays, pre & post rules etc etc.
As an aside, yours is the first I have ever heard of where a straight export - import has failed when the server name & domain are the same. I have heard of weird happenings for moving between different names/domain models, such as dropped rules that use AD groups, for example, as you'd expect, but not identical environments. I take it you are also back to the same service pack level/patch updates etc?

Also, what is the server OS and patch? Tell me you are not on 2003 R2 sp2? If you are PLEASE tell me you have turned the RSS features off etc lol :)
How is it going?
Running R2 SP2... RSS features? Maybe my mind is screwed at this point, so maybe I'm a bit slow... lol

Nothing has changed on this end, though I could provide info from the BPA output if that would help.
Have a look at this link, Dave. May help you out here. This has been the cause of the most common issues reported over the past few months. God knows what possessed MS to turn this on by default.
http://support.microsoft.com/kb/927695
I'll have a look... that looks like it may fix some known issues but may not be related to what I'm experiencing. For what it is worth, I can access my Exchange 2007 Outlook Web Access with no problems (non-SSL) for the time being, just fine, so authentication must be working to some extent. Does the ISA product compatibility update change the actual ISA server version?
Not sure - can't uninstall it to tell :)
Yep... just can't get the SharePoint going for some reason... portal works fine internally.
Basically, when I have the form-based authentication turned on on the ISA server itself for publishing that SharePoint site, the ISA authentication screen appears (when connecting from the Internet), and when I put in my username and password, the screen simply reappears to try to log in again with the following error displayed...


You could not be logged on to ISA Server. Make sure that your domain name, user name, and password are correct, and then try again.

Any ideas?
Two possibilities I can think of.

Why do you want forms-based authentication on the SharePoint publishing rule? On mine, I pass this through to the SharePoint server to authenticate. I only have FBA on my OWA publishing rule (as far as I recall) as far as ISA is concerned.
Well, pass through should be OK... FBA support for browsers other than IE... correct? I suppose I can make sure everyone uses IE. What's weird is that it worked before the migration to the new hardware and now it does not. What would your recommended settings be for the SharePoint rule then... leaving SSL out of the picture for the time being? It appears the authentication is failing at the ISA server level... what is the best method to get ISA out of the authentication picture?

Dave
OK... I configured the listener for HTTP authentication (basic and integrated) per some documentation I found on the web. I configured the published rule authentication to "No delegation, but client may authenticate directly". Is that adequate? Here is the browser error I get after being prompted with a logon pop-up for authentication from the Internet...

Error Code: 401 Unauthorized. The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. (12209)
More information about the SharePoint server itself. Obviously it is NAT'd; however, the web site is configured for integrated security only. This particular domain has a split DNS, so the Internet sees the public address and the internal users see the private address. Name resolution is not an issue internally or externally at this point.
Hey Dave - just got in.

Yes, I would expect the SharePoint to be set for authenticated users only.
What is NATting the SharePoint? The ISA server, or something between ISA and the SP box?
Split DNS? No problem there.

ISA out of the loop for authentication is how you have it - the client can authenticate directly with the service.

In the IIS log on the SharePoint server, do you see any entries for access attempts?
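The IIS log on the SharePoint box is the right place to split the problem: either the requests from ISA never arrive (an ISA-side problem), or they arrive and Integrated authentication never completes (credentials or the trust path to the DC). As an added example, not code from the thread or from either poster, here is a small Python triage over constructed W3C extended log lines; the addresses, the CONTOSO domain and the user name are assumptions. When the publishing rule makes requests appear to come from the ISA server, c-ip in the IIS log is ISA's internal address rather than the Internet client's, and that is the address the example keys on.

```python
"""Triage of an IIS W3C extended log behind a reverse proxy: did the published
site receive the requests at all, and did Integrated authentication complete?"""
from collections import Counter, defaultdict

# Constructed sample (hypothetical addresses, domain and user; not from the thread).
# 10.0.0.20 stands for the SharePoint server, 10.0.0.1 for the ISA server's
# internal address, which is what IIS logs as c-ip when the publishing rule
# makes requests appear to come from the ISA server.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-03-10 14:02:11 10.0.0.20 GET /default.aspx - 80 - 10.0.0.1 Mozilla/4.0+(compatible;+MSIE+7.0) 401 2 2148074254
2008-03-10 14:02:11 10.0.0.20 GET /default.aspx - 80 - 10.0.0.1 Mozilla/4.0+(compatible;+MSIE+7.0) 401 1 0
2008-03-10 14:02:12 10.0.0.20 GET /default.aspx - 80 CONTOSO\\dave 10.0.0.1 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
"""

# Same layout, but the client never gets past the challenge (constructed).
FAILING_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-03-10 14:05:01 10.0.0.20 GET /default.aspx - 80 - 10.0.0.1 Mozilla/4.0+(compatible;+MSIE+7.0) 401 2 2148074254
2008-03-10 14:05:02 10.0.0.20 GET /default.aspx - 80 - 10.0.0.1 Mozilla/4.0+(compatible;+MSIE+7.0) 401 1 0
2008-03-10 14:05:02 10.0.0.20 GET /default.aspx - 80 - 10.0.0.1 Mozilla/4.0+(compatible;+MSIE+7.0) 401 1 0
"""


def parse_iis_log(text):
    """Turn W3C extended log text into a list of dicts keyed by the #Fields names.
    Other directive lines (#Software, #Version, #Date) are skipped, and a later
    #Fields line takes effect for the data lines that follow it."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith('#'):
            if line.startswith('#Fields:'):
                fields = line[len('#Fields:'):].split()
            continue
        if fields is None:
            raise ValueError('data line before any #Fields directive')
        values = line.split(' ')  # W3C format: space-separated, spaces inside values are '+'
        if len(values) != len(fields):
            raise ValueError(f'field count mismatch on line: {line!r}')
        rows.append(dict(zip(fields, values)))
    return rows


def summarize_by_client(rows):
    """Per client address: how many of each status code, and which user names
    IIS actually authenticated ('-' in cs-username means anonymous)."""
    summary = defaultdict(lambda: {'status': Counter(), 'users': set()})
    for r in rows:
        entry = summary[r['c-ip']]
        entry['status'][r['sc-status']] += 1
        if r['cs-username'] != '-':
            entry['users'].add(r['cs-username'])
    return dict(summary)


def status_sequence(rows, client_ip):
    """status.substatus in log order for one client, e.g. ['401.2', '401.1', '200.0'].
    For Integrated auth, 401.2 (challenge) then 401.1 (first NTLM leg) followed by
    a 2xx carrying a user name is the normal handshake; 401s that never reach a
    2xx mean the credentials were rejected or never supplied."""
    return [f"{r['sc-status']}.{r['sc-substatus']}" for r in rows if r['c-ip'] == client_ip]


def auth_verdict(rows, client_ip):
    """Coarse triage for one client address:
      'no_entries'    nothing logged, so requests never reached IIS (look upstream)
      'auth_ok'       at least one 2xx carrying an authenticated user name
      'auth_failing'  challenged (401) but never authenticated
      'no_challenge'  served without any 401, i.e. anonymous access is allowed"""
    mine = [r for r in rows if r['c-ip'] == client_ip]
    if not mine:
        return 'no_entries'
    if any(r['sc-status'].startswith('2') and r['cs-username'] != '-' for r in mine):
        return 'auth_ok'
    if any(r['sc-status'] == '401' for r in mine):
        return 'auth_failing'
    return 'no_challenge'


if __name__ == '__main__':
    for name, text in (('SAMPLE_LOG', SAMPLE_LOG), ('FAILING_LOG', FAILING_LOG)):
        rows = parse_iis_log(text)
        print(name, status_sequence(rows, '10.0.0.1'), auth_verdict(rows, '10.0.0.1'))
```

On a real server, read the current ex*.log file into parse_iis_log and ask for ISA's internal address. A 'no_entries' verdict sends you back to the ISA side (the logging query in the ISA GUI), while 'auth_failing' shows the request is being forwarded and the failure is between the SharePoint server and the domain controller.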
Only the ISA server between the Internet and the SP box... I'll look at the IIS log on the SP box, but that configuration is pretty much how my OWA is going to another server, and it works fine. I get the Exchange OWA 2007 web login screen and can authenticate with no problems whatsoever, but SP does run on a different machine, so I'll take a look. FYI... this is one forest, one domain, so nothing complex with trusts, etc.

Dave
I haven't dropped the ball on this... just reviewing my configuration on both ends to make sure this should be working flawlessly.

Dave
There are no issues using SharePoint on the internal network whatsoever... only through ISA.
Well, I'm not sure what happened, but it is working properly again... go figure.
LOL - bet you rebuilt it :)
No, but I can reflect what I changed within the publishing rule.
Come on Dave, the suspense is killing me. What did you change?
If this call is self-answered - please use the report abuse button and request it be PAQ - points refunded.

Keith
What do you mean, self-answered?
Thought you had worked out the issue on this question yourself :)

**well I'm not sure what happened but it is working properly again....go figure.** If the issue fixed itself or you fixed it, then we normally delete those questions and refund your points. You initiate the process by using the report abuse button or simply accepting your own answer.
Yes... so is there anything I need to do on my part?
You can either wait on the 'cleanup volunteers' to pick this up and recommend a refund OR hit the report abuse button and ask for it to be closed or you can post a request (0 points) in the community Support section asking for it to be refunded to you.
ASKER CERTIFIED SOLUTION
Computer101