Comments on: Exchange 2007 OWA via ISA RSA – Authentication Delegation http://www.shudnow.net/2009/07/01/exchange-2007-owa-via-isa-rsa-authentication-delegation/ Just another IT guy! Fri, 12 Mar 2010 09:57:15 -0700 http://wordpress.org/?v=2.9.2 hourly 1 By: Elan Shudnow http://www.shudnow.net/2009/07/01/exchange-2007-owa-via-isa-rsa-authentication-delegation/comment-page-1/#comment-8318 Elan Shudnow Fri, 09 Oct 2009 02:10:38 +0000 http://www.shudnow.net/?p=1153#comment-8318 The listener is set to RSA, correct? When you set it to All Users, you're essentially bypassing pre-authentication for the listener for those other rules. When you have it set to Authenticated Users, you're forcing the client to perform pre-authentication which would fail due to those services not supporting RSA authentication. Whenever I bypass pre-authentication for a rule, I always do two things: 1. Set the authentication delegation on the rule to have clients authenticate directly to Exchange. 2. Set it to allow All Users. The listener is set to RSA, correct? When you set it to All Users, you're essentially bypassing pre-authentication for the listener for those other rules. When you have it set to Authenticated Users, you're forcing the client to perform pre-authentication which would fail due to those services not supporting RSA authentication.

Whenever I bypass pre-authentication for a rule, I always do two things:
1. Set the authentication delegation on the rule to have clients authenticate directly to Exchange.
2. Set it to allow All Users.

]]> By: Elan Shudnow http://www.shudnow.net/2009/07/01/exchange-2007-owa-via-isa-rsa-authentication-delegation/comment-page-1/#comment-8317 Elan Shudnow Fri, 09 Oct 2009 02:10:16 +0000 http://www.shudnow.net/?p=1153#comment-8317 The listener is set to RSA, correct? When you set it to All Users, you're essentially bypassing pre-authentication for the listener for those other rules. When you have it set to Authenticated Users, you're forcing the client to perform pre-authentication which would fail due to those services not supporting RSA authentication. Whenever I bypass pre-authentication for a rule, I always do two things: 1. Set the authentication delegation on the rule to have clients authenticate directly to Exchange. 2. Set it to allow All Users. The listener is set to RSA, correct? When you set it to All Users, you're essentially bypassing pre-authentication for the listener for those other rules. When you have it set to Authenticated Users, you're forcing the client to perform pre-authentication which would fail due to those services not supporting RSA authentication.

Whenever I bypass pre-authentication for a rule, I always do two things:
1. Set the authentication delegation on the rule to have clients authenticate directly to Exchange.
2. Set it to allow All Users.

]]> By: Una http://www.shudnow.net/2009/07/01/exchange-2007-owa-via-isa-rsa-authentication-delegation/comment-page-1/#comment-8302 Una Tue, 06 Oct 2009 00:54:23 +0000 http://www.shudnow.net/?p=1153#comment-8302 Hi Elan, I've run into an issue with creating a second site on the CAS - forms-based authentication is set on the Exchange directory and is required for a 3rd party application and installing a second CAS is not an option at this stage. Going back to using the same web listener - the only way I can get it to work is setting users to All Users on the AS & OA ISA publishing rule. Authenticated Users does not work. Is there a setting I'm missing? Kind Regards Una Hi Elan, I've run into an issue with creating a second site on the CAS – forms-based authentication is set on the Exchange directory and is required for a 3rd party application and installing a second CAS is not an option at this stage. Going back to using the same web listener – the only way I can get it to work is setting users to All Users on the AS & OA ISA publishing rule. Authenticated Users does not work. Is there a setting I'm missing?
Kind Regards
Una

]]> By: Una http://www.shudnow.net/2009/07/01/exchange-2007-owa-via-isa-rsa-authentication-delegation/comment-page-1/#comment-8286 Una Fri, 02 Oct 2009 00:16:49 +0000 http://www.shudnow.net/?p=1153#comment-8286 Thanks for your help Elan, OWA is authenticating to the RSA without the need to specify a domain. I've decided to go the more secure option and purchase a new cert for OWA, hosting it on a new site and leave AS and OA as is using LDAPS for authentication. Kind Regards Una Thanks for your help Elan, OWA is authenticating to the RSA without the need to specify a domain. I've decided to go the more secure option and purchase a new cert for OWA, hosting it on a new site and leave AS and OA as is using LDAPS for authentication. Kind Regards Una

]]> By: OWA 2007 Anmeldung - MCSEboard.de MCSE Forum http://www.shudnow.net/2009/07/01/exchange-2007-owa-via-isa-rsa-authentication-delegation/comment-page-1/#comment-8284 OWA 2007 Anmeldung - MCSEboard.de MCSE Forum Thu, 01 Oct 2009 13:03:28 +0000 http://www.shudnow.net/?p=1153#comment-8284 [...] [...] [...] [...]

]]> By: Elan Shudnow http://www.shudnow.net/2009/07/01/exchange-2007-owa-via-isa-rsa-authentication-delegation/comment-page-1/#comment-8281 Elan Shudnow Wed, 30 Sep 2009 20:13:09 +0000 http://www.shudnow.net/?p=1153#comment-8281 Yes Yes

]]> By: Elan Shudnow http://www.shudnow.net/2009/07/01/exchange-2007-owa-via-isa-rsa-authentication-delegation/comment-page-1/#comment-8280 Elan Shudnow Wed, 30 Sep 2009 20:12:56 +0000 http://www.shudnow.net/?p=1153#comment-8280 Yes. Yes.

]]> By: Una http://www.shudnow.net/2009/07/01/exchange-2007-owa-via-isa-rsa-authentication-delegation/comment-page-1/#comment-8277 Una Wed, 30 Sep 2009 04:42:44 +0000 http://www.shudnow.net/?p=1153#comment-8277 Thanks for the quick reply. Does this also work if ISA has been installed in a workgroup and not connected to the domain? Thanks for the quick reply. Does this also work if ISA has been installed in a workgroup and not connected to the domain?

]]> By: Elan Shudnow http://www.shudnow.net/2009/07/01/exchange-2007-owa-via-isa-rsa-authentication-delegation/comment-page-1/#comment-8276 Elan Shudnow Tue, 29 Sep 2009 23:46:26 +0000 http://www.shudnow.net/?p=1153#comment-8276 You could use the same listener if you set your rule to not require ISA Pre-Authentication by setting its Authentication Delegation to Allow Clients to Authentication Directly. This will trump listener authentication. Otherwise, yes, you need a new listener with a new certificate. You could use the same listener if you set your rule to not require ISA Pre-Authentication by setting its Authentication Delegation to Allow Clients to Authentication Directly. This will trump listener authentication. Otherwise, yes, you need a new listener with a new certificate.

]]> By: Una http://www.shudnow.net/2009/07/01/exchange-2007-owa-via-isa-rsa-authentication-delegation/comment-page-1/#comment-8273 Una Tue, 29 Sep 2009 20:53:58 +0000 http://www.shudnow.net/?p=1153#comment-8273 Hi Elan, Thank you for the RSA blog. I have a question re ActiveSync once I've implemented OWA using RSA. Before I purchase another certificate, I would like to confirm my ActiveSync site will need to change? Because I need a new web listener for ActiveSync I will need a new certificate and site name for ActiveSync? In other words, ActiveSync can no longer use webmail.company.com but would have to be configured for mobile.company.com? Hi Elan, Thank you for the RSA blog. I have a question re ActiveSync once I've implemented OWA using RSA.

Before I purchase another certificate, I would like to confirm my ActiveSync site will need to change? Because I need a new web listener for ActiveSync I will need a new certificate and site name for ActiveSync? In other words, ActiveSync can no longer use webmail.company.com but would have to be configured for mobile.company.com?

]]>