ISA SERVER AUTHENTICATION

I recently migrated my ISA server to a new piece of hardware by exporting the entire configuration from the old server and importing it into the new server.  Yes, the server name and IP addresses all remained the same...just new physical hardware.  The server is part of an Active Directory domain and I had a SharePoint publishing rule in the configuration that was configured for form-based authentication to the client that worked fine before the migration.  Basically, Internet users would be prompted with the ISA Server 2006 login screen and after putting in their username/password they were properly directed to the SharePoint site.

After the migration it appears that if a user tries to login to that same screen, the screen reappears with an error indicating...

"You could not be logged on to ISA Server. Make sure that your domain name, user name, and password are correct, and then try again."

I'm thinking there is a problem talking back to a domain controller or the authentication configuration got mangled somehow but I need to figure it out quick.  Any troubleshooting ideas?  I'm going to DL and install the BPA and see if it sheds any light on this.

Thanks,

Dave
ModernAgeAsked:

Keith AlabasterEnterprise ArchitectCommented:
A few more details, mate.

BPA output would be useful - remember you need .NET 1.1.
Open the ISA GUI - select Monitoring - Logging - click Start Query.
Anything there when an access attempt is made?

Keith
ModernAgeAuthor Commented:
Oddly enough the entries appear blank with detail for the attempts to access the SharePoint site, as I am clearly aware of the Internet IP I'm coming in from.  If it helps I have a 5719 error in the System Event Log but I have no problems accessing the SYSVOL shares of both domain controllers (single forest btw).

I think something is screwed up with the web proxy somehow.  For the record I couldn't get the "integrated" method to work either aside from the Form-based configuration I had for that rule in the first place.  It clearly is not passing the authentication request to the domain controller for completion.

Weirdly I cannot RDP the ISA server for anything even though the system policy is configured correctly, however I can manage with the MMC from my Internal network so I'm not sure what gives there.

Going to install the BPA now.

Dave
lamaslanyCommented:
Do you use certificates?  I hope so but you make no mention :)

Keith AlabasterEnterprise ArchitectCommented:
So you have both system policies configured? Remote management for TS and MMC? That's cool.
What rule do you have for internal to internal? 5719 is normally associated with Kerberos issues as I am sure you know.

Are you running Enterprise version? Open the GUI, click Monitoring - Configuration - does the CSS show clean & green or is it yellow?

Under Monitoring - Alerts - anything shown here?
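Event 5719 is logged by the Netlogon service when the machine cannot reach a domain controller for its domain, which is exactly the dependency ISA's form-based authentication has. The following is an added example, not code from the thread or from either poster; it is what I would run on the ISA box itself to tie the 5719 entries to the migration timeline and to confirm that the machine account's secure channel to a DC is still intact. It assumes PowerShell 2.0 is installed on the Windows Server 2003 host and that the nltest support tool is present (both assumptions; the thread does not say), and uses a placeholder domain name.

```powershell
# Added example, not part of the original thread. Run in an elevated PowerShell
# session on the ISA server. Assumes PowerShell 2.0 and the nltest support tool
# are installed on the Windows Server 2003 host (assumptions, not stated in the thread).
$domain = 'corp.example.com'   # hypothetical domain name, replace with your own

# 1. List recent Netlogon 5719 entries ("no domain controller is currently available")
#    so you can see whether they started with the hardware swap and which domain they name.
Get-EventLog -LogName System -Source Netlogon -After (Get-Date).AddDays(-2) |
    Where-Object { $_.EventID -eq 5719 } |
    Select-Object TimeGenerated, EntryType, Message |
    Format-List

# 2. Check the machine account's secure channel to a DC. ISA performs the domain
#    logon for form-based authentication through this channel; if it is broken,
#    every logon attempt at the form fails regardless of the user's password.
$channelOk = Test-ComputerSecureChannel -Verbose
if (-not $channelOk) {
    Write-Warning 'Secure channel to the domain is broken; repairing it (needs a domain admin credential)'
    Test-ComputerSecureChannel -Repair -Credential (Get-Credential "$domain\Administrator")
}

# 3. Confirm DC discovery works from this host, independently of the cmdlet above.
#    /force bypasses the DC locator cache so you see what the box finds right now.
nltest /dsgetdc:$domain /force
nltest /sc_verify:$domain
```

If step 1 shows 5719 only around boot time and steps 2 and 3 succeed, Netlogon simply started before the NIC was ready and the event is noise; if the secure channel check fails, fix that before touching the publishing rule, because the listener cannot authenticate anyone until the ISA server itself can.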
ModernAgeAuthor Commented:
running BPA...check in a minute...no certificates yet as I'm trying to get it running bare bones first before I introduce certificate complexities...yikes!

Standard Edition but I do want to upgrade, can that be done in place?
Keith AlabasterEnterprise ArchitectCommented:
You wouldn't want to, to be frank. The Enterprise version needs a CSS instance set up using an ADAM model. The config would not import en masse to the EE as it would be missing elements such as arrays, pre & post rules etc etc.
Keith AlabasterEnterprise ArchitectCommented:
As an aside, yours is the first I have ever heard of when a straight export - import has failed when the server name & domain are the same. I have heard of weird happenings for moving between different names/domain models, such as dropped rules that use AD groups, for example, as you'd expect, but not identical environments. I take it you are back also to the same service pack level/patch updates etc.?

Also, what is the server OS and patch? Tell me you are not on 2003 R2 SP2? If you are PLEASE tell me you have turned the RSS features off etc. lol :)
Keith AlabasterEnterprise ArchitectCommented:
How is it going?
ModernAgeAuthor Commented:
running R2 SP2...RSS features?   Maybe my mind is screwed at this point so maybe I'm a bit slow...lol

Nothing has changed on this end though I could provide info from the BPA output if that would help.
Keith AlabasterEnterprise ArchitectCommented:
Have a look at this link Dave. May help you out here. This has been the cause of the most common issues reported over the past few months. God knows what possessed MS to turn this on by default.
http://support.microsoft.com/kb/927695
ModernAgeAuthor Commented:
I'll have a look...that looks like it may fix some known issues but may not be related to what I'm experiencing.  For what it is worth, I can access my Exchange 2007 Outlook Web Access with no problems (non-SSL) for the time being just fine so authentication must be working to some extent.  Does the ISA product compatibility update change the actual ISA server version?
Keith AlabasterEnterprise ArchitectCommented:
Not sure - can't uninstall it to tell :)
ModernAgeAuthor Commented:
yep...just can't get the SharePoint going for some reason...portal works fine internally
ModernAgeAuthor Commented:
Basically when I have the form-based authentication turned on on the ISA server itself for publishing that SharePoint site, the ISA authentication screen appears (when connecting from the Internet) and when I put in my username and password, the screen simply reappears to try to login again with the following error displayed...

You could not be logged on to ISA Server. Make sure that your domain name, user name, and password are correct, and then try again.

Any ideas?
Keith AlabasterEnterprise ArchitectCommented:
Two possibilities I can think of.

Why do you want forms based authentication on the SharePoint publishing rule? On mine, I pass this through to the SharePoint server to authenticate. I only have FBA on my OWA publishing rule (as far as I recall) as far as ISA is concerned.
ModernAgeAuthor Commented:
Well, pass through should be ok...FBA support for browsers other than IE...correct?  I suppose I can make sure everyone uses IE.  What's weird is that it worked before the migration to the new hardware and now it does not.  What would your recommended settings be for the SharePoint rule then...leaving SSL out of the picture for the time being?  It appears the authentication is failing at the ISA server level...what is the best method to get ISA out of the authentication picture?

Dave
ModernAgeAuthor Commented:
OK...I configured the listener for HTTP authentication (basic and integrated) per some documentation I found on the web.  I configured the published rule authentication to No delegation but client may authenticate directly.  Is that adequate?  Here is the browser error I get after being prompted with a logon pop-up for authentication from the Internet...

Error Code: 401 Unauthorized. The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. (12209)
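The five-digit number in parentheses in the error above is ISA's own web proxy error code, so that 401 page was generated by the ISA listener rather than relayed from the SharePoint IIS. A quick way to see which side is challenging you, and with which scheme, is to request the published URL from outside without credentials and look at the response headers. The following is an added example, not code from the thread or from either poster; it assumes PowerShell 2.0 on the client (an assumption) and uses a placeholder hostname for the published site.

```powershell
# Added example, not part of the original thread. Run from an Internet-side client
# that reaches the ISA listener. Assumes PowerShell 2.0 (an assumption).
$url = 'http://portal.example.com/'   # hypothetical public name of the published SharePoint site

$req = [System.Net.HttpWebRequest]::Create($url)
$req.Method            = 'GET'
$req.AllowAutoRedirect = $false      # keep the first hop's answer, do not follow to a login page
$req.UserAgent         = 'listener-check'
$req.Credentials       = $null       # send nothing: we want the raw challenge, not a logon

try {
    $resp = $req.GetResponse()
} catch [System.Net.WebException] {
    # .NET throws on 4xx/5xx, but the response object is attached to the exception.
    $resp = $_.Exception.Response
    if ($null -eq $resp) { throw }
}

'Status : {0} {1}' -f [int]$resp.StatusCode, $resp.StatusDescription
'Server : {0}'     -f $resp.Headers['Server']
'Via    : {0}'     -f $resp.Headers['Via']      # ISA inserts its own name here when it proxies the reply

# Which authentication schemes are being offered: Basic, NTLM, Negotiate, or none at all.
$challenges = $resp.Headers.GetValues('WWW-Authenticate')
if ($challenges) { foreach ($c in $challenges) { "Challenge: $c" } }

# ISA's error pages carry a five-digit code in parentheses, e.g. "(12209)"; IIS pages do not.
$body = (New-Object System.IO.StreamReader $resp.GetResponseStream()).ReadToEnd()
if ($body -match '\((\d{5})\)') { "ISA web proxy error code in body: $($matches[1])" }
$resp.Close()
```

If the challenge headers list only the schemes you enabled on the listener and the body carries an ISA error code, the browser is being stopped at ISA; if the Via header is present but the body is a plain IIS 401 with no code, ISA let the request through and it is the SharePoint IIS that rejected the credentials, which points at the back-end site's authentication settings rather than at the rule.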
ModernAgeAuthor Commented:
more information about the SharePoint server itself.  Obviously it is NAT'd however the web site is configured for integrated security only.  This particular domain has a split DNS so the Internet sees the public address and the internal users see the private address.  Name resolution is not an issue internally or externally at this point.
Keith AlabasterEnterprise ArchitectCommented:
Hey Dave - just got in.

Yes, I would expect the SharePoint to be set for authenticated users only.
What is NATing the SharePoint? The ISA server or something between ISA and the SP box?
Split DNS? No problem there.

ISA out of the loop for authentication is how you have it - the client can authenticate directly with the service.

In the IIS log on the SharePoint server, do you see any entries for access attempts?
ModernAgeAuthor Commented:
only the ISA server between the Internet and the SP box...I'll look at the IIS log on the SP box but that configuration is pretty much how my OWA is going to another server and it works fine, I get the Exchange OWA 2007 web login screen and can authenticate with no problems whatsoever but SP does run on a different machine so I'll take a look.  FYI...this is one forest, one domain so nothing complex with trusts, etc.

Dave
ModernAgeAuthor Commented:
I haven't dropped the ball on this...just reviewing my configuration on both ends to make sure this should be working flawlessly.

Dave
Keith AlabasterEnterprise ArchitectCommented:
:)
ModernAgeAuthor Commented:
there are no issues using SharePoint on the internal network whatsoever...only through ISA
ModernAgeAuthor Commented:
well I'm not sure what happened but it is working properly again....go figure.
Keith AlabasterEnterprise ArchitectCommented:
LOL - bet you rebuilt it :)
ModernAgeAuthor Commented:
no but I can reflect what I changed within the publishing rule
Keith AlabasterEnterprise ArchitectCommented:
Come on Dave, the suspense is killing me. What did you change?
Keith AlabasterEnterprise ArchitectCommented:
If this call is self-answered - please use the report abuse button and request it be PAQ - points refunded.

Keith
ModernAgeAuthor Commented:
what do you mean self-answered?
Keith AlabasterEnterprise ArchitectCommented:
Thought you had worked out the issue on this question yourself :)

**well I'm not sure what happened but it is working properly again....go figure.** If the issue fixed itself or you fixed it then we normally delete those questions and refund your points. You initiate the process by using the report abuse button or simply accepting your own answer.
ModernAgeAuthor Commented:
yes...so is there anything I need to do on my part?
Keith AlabasterEnterprise ArchitectCommented:
You can either wait on the 'cleanup volunteers' to pick this up and recommend a refund OR hit the report abuse button and ask for it to be closed or you can post a request (0 points) in the community Support section asking for it to be refunded to you.
Computer101Commented:
PAQed with points refunded (500)

Computer101
EE Admin