_pete_k

asked on

Publishing Exchange 2007 Outlook Anywhere with ISA 2006 using NTLM authentication

Hi, I am unable to get Outlook Anywhere working when published via ISA 2006 using ISA for delegated NTLM authentication. It works fine using Basic authentication and it's also ok on NTLM if I connect straight to a Client Access Server. I've checked IIS RPC, CAS and ISA Publishing authentication methods but I am unable to get this to work. I have tried following many articles including the Microsoft publishing articles but NTLM authentication will not work.
Has anyone actually managed to get this to work using ISA and NTLM?
Thanks for any replies!
ASKER CERTIFIED SOLUTION
Bibbleq
_pete_k

ASKER

Hi, Thanks for the reply

Ideally I would have liked to have had OWA using FBA published on the same listener but I'd come to a conclusion this will not work using as it falls back to basic but not NTLM (confirmed by what you have just said - thanks!). As this is the case I can get another address (and another cert) for the OA listener.

NTLM authentication appears to work if I create a straight web publishing rule that performs no authentication on the ISA server and allow it to authenticate directly with the CAS server. (using a separate address and listener from OWA)

Is it possible to have ISA authenticate the client using NTLM? Presumably I'd need to set the listener to HTTP Authentication/Integrated and use Kerberos constrained delegation? Is there a better way or will authentication need to be performed by the CAS server?


ASKER

I should also add, it seems to work ok using the same listener and IP address if I allow it to authenticate directly with the client access server.
Hi,
Glad you got it sorted. If you just forward the traffic to the CAS then yeah, you could get away with just one IP I believe, but you lose the benefit of the ISA.

To save money on the cert you could always use a private CA to issue the cert, as any machines that will be using Outlook Anywhere should be under your control so you can install the root cert (as opposed to web mail that has to be available from any computer).
You could test it using a free cert from RapidSSL (valid for 30 days) - I use them all the time.