[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 480
  • Last Modified:

Publishing OWA 2007 via ISA 2006 for true SSO

Hi
I've been trying to publish OWA 2007 via ISA server 2006, so that I can achieve true single Sign On (SSO) for clients that are a member of the Active Directory forest. The scenario is as follows:

3 domain forest, with empty root, resource domain (lets call that Domain A) , and an accounts & workstations domain (lets call that Domain B). ISA and Exchange are in Domain A, users & their workstations in Domain B. I want it so that when a user accounts logs onto a computer in Domain B, using an account form Domain B, they can open an IE browser and go straight in to OWA over SSL without being prompted again to authenticate. I've managed to configure Outlook Anywhere to do this, but not OWA. I thought this was possible, but I can't find much on the web about it, and I've had trouble when trying to work it through myself.

Does anyone know whether this can be achieved using the setup I have?

Many thanks
0
tbennett35
Asked:
tbennett35
  • 2
1 Solution
 
tbennett35Author Commented:
Does anyone have any idea? Surely its a simple yes it can work or no it cant (with work, obviously), for those in the know?
0
 
tbennett35Author Commented:
As an update to this, I have managed to get a bit further with some assistance form a colleague.

To ease the confsion, let's remove ISA from the mix an talk about local access inside the firewall...

I have been able to get certifictae authentication working, and when the OWA link is clicked, OWA presents a certificate selection box (this solution requires that every using accessing OWA via this method has a client auth certificate). When the user certificate is selected, OWA opens without any further prompt for credentials, however there is still a prompt for that cert (even if there's only one user cert on the machine for the user). This solution also works via ISA too, but the whole cert prompt thing might confuse some people out there in 'userland'.

Certs selection and ISA aside (i.e. inside the firewall again), and now looking at seamless access, I have put the OWA site into the intranet zone in Internet Explorer, and I can now acces OWA without any prompt for credentials. This, however, is with the MSExchangeOWAAppPool running under Local System, rather than a specific account as it will need to do in the scenario I will be using which (in my live setup) uss multiple CAS servers. I have tried creating a new account, registering an SPN for that account, and using it to run MSExchangeOWAAppPool, but then I get a failure (I can give the failure message if required but its quite extensive). I've tested various leels of access with this account, putting in IIS_WPG group, the local Distributed COM Users group, and also making it both a Domain Admin and an Exchange Org admin (for testing purposes only), but seamless access to OWA, while the app pool runs under the new account, is not achieved and the error is beiing still received. if I revert the App pool back to Local System, I can access OWA seamlessly once more.

Does anyone know what rights the identity under which the MSExchangeOWAAppPool  is run, actually needs?

Thanks

0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now