RE: OWA Publishing problem for ISA 2006- using SecurID
- From: Brad <Brad@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 26 Oct 2006 09:34:02 -0700
jms, Thanks a lot! That's exactly what it was. As soon as I deleted my
nodesecret in the registry and then cleared it on the RSA Admin server I
attempted to access OWA through RSA and it worked the very first time.
Thanks again.
--
Thanks,
Brad Loftus
"JMS" wrote:
Brad, that's the thing. If you do the SDTEST it won't work right. We were
on the phone with RSA doing that repeatedly. The tech asked us to just do it
via OWA for goofs to see if that fixed it and it did.
The reason, from what I can gather, is that SDTEST writes the securid file to
a different location and the nodesecret is just set between the ACE and ISA
servers. In other words, it won't authenticate anyone via OWA because the
ACE server doesn't think it's supposed to.
Oh yeah, so when you do the OWA login to write the securid file, you have to
clear the nodesecret and some checkbox on the ACE server. Your RSA admin
should know what I mean. I'm not the ACE guy, so I just know what I know
from the phone calls and having the ACE dude on the phone.
We had that exact 100 Authentication error prior to this. Write back if
you're still having problems.
"Brad" wrote:
I was able to make all those configuration changes. The only
issue/difference that I had was that there was no securid file located
anywhere on my machine.
my error is: 100: Access denied. RSA ACE/Server rejected the passcode
that you supplied. Try again with a valid passcode.
I am able to successfully test RSA using the RSA SecurID test utility so my
nodesecret has been created successfully.
Now, when I test
--
Thanks,
Brad Loftus
"JMS" wrote:
Brad, here is how I have things configured:
ISA 2006 non domain member
OWA on front end servers
OWA set up for Basic Authentication inside of IIS.
The publishing rule is set for Basic Authentication on the Auth Delegation
tab. On the To tab I have Forward Original Header checked and Requests appear
from ISA button selected. Application settings, check Use Customized HTML
forms and put Exchange in the top line.
On the web listener, External and Internal networks are selected. I have
SSL used, so that box is checked and 443 for my port. I have the cert that I
exported from my OWA server. HTML forms chosen on the Auth tab w/ Collect
Additional delegation checked. On that tab, hit advanced and check Require
all users to Auth. On the RSA SecurID tab, I have nothing done on that page.
On the Forms tab, check the top checkbox and put Exchange in the box below.
To get RSA to work, first off, search your ISA box for a file named just
securid. Find all occurrences and remove them. Then, the RSA admin needs to
configure the thing for your box to be trusted. He then gives you the
SDCONF.REC file you'll put in the Windows\System32 folder and also in your
Program Files\Microsoft ISA Server\sdconfig directories.
Then have someone log on to OWA from outside your network. When they do the
RSA auth that'll generate the securid file and put it in the right location.
That's how I got things to work. Let me know if this doesn't do it and I'll
try to help. I'm still a n00b on ISA, but this issue has given me plenty of
learning experience, so I think I can help you out.
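The procedure JMS describes above has two file-level preconditions: no leftover node-secret file named `securid` on the ISA box, and SDCONF.REC placed in both Windows\System32 and Program Files\Microsoft ISA Server\sdconfig. The following PowerShell script is an added diagnostic, not code from the thread, Microsoft or RSA; it reports on both conditions and deletes nothing. It assumes ISA 2006 is installed under the default Program Files path and only inspects the `securid` file, not the registry copy of the node secret that Brad later mentions clearing.

```powershell
# Added example, not from the thread: audits the RSA SecurID agent files on an
# ISA 2006 host against the state the thread's procedure expects.
# Assumptions: ISA is installed under the default Program Files path, and the
# only node-secret artifact checked is the file named exactly 'securid'.

$IsaRoot = Join-Path $env:ProgramFiles 'Microsoft ISA Server'

# The two SDCONF.REC locations named in the thread.
$SdconfPaths = @(
    (Join-Path $env:SystemRoot 'System32\SDCONF.REC'),
    (Join-Path $IsaRoot 'sdconfig\SDCONF.REC')
)

function Get-FileSha256 {
    param([string]$Path)
    # .NET is used directly so this also runs on the PowerShell 2.0 era hosts ISA 2006 lives on.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.IO.File]::ReadAllBytes($Path)
        return ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
    } finally {
        $sha.Clear()
    }
}

function Get-StaleSecuridFiles {
    # Any file named exactly 'securid' under these roots is a node secret from a
    # previous agent/ACE pairing; the thread's procedure removes them before the
    # first OWA logon re-creates one.
    param([string[]]$Roots = @($env:SystemRoot, $IsaRoot))
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Name -ieq 'securid' }
    }
}

function Test-SdconfPlacement {
    # SDCONF.REC must exist in both locations and be the same copy; a mismatch means
    # the ISA agent and the System32 copy point at different ACE configurations.
    param([string[]]$Paths = $SdconfPaths)
    $ok = $true
    $hashes = @{}
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Warning "SDCONF.REC missing: $p"
            $ok = $false
            continue
        }
        $hashes[$p] = Get-FileSha256 -Path $p
    }
    if (($hashes.Values | Select-Object -Unique | Measure-Object).Count -gt 1) {
        Write-Warning 'SDCONF.REC copies differ between locations:'
        $hashes.GetEnumerator() | ForEach-Object { Write-Warning ("  {0}  {1}" -f $_.Value, $_.Key) }
        $ok = $false
    }
    return $ok
}

# Run the audit and summarise. Nothing is deleted; the operator decides.
$stale = @(Get-StaleSecuridFiles)
if ($stale.Count -gt 0) {
    Write-Warning ("Found {0} 'securid' node-secret file(s); remove them and clear the node secret on the ACE server before the next OWA logon:" -f $stale.Count)
    $stale | ForEach-Object { Write-Warning ("  " + $_.FullName) }
} else {
    Write-Host "No stale 'securid' node-secret files found."
}

if (Test-SdconfPlacement) {
    Write-Host 'SDCONF.REC is present and consistent in both locations.'
}
```

Run it in an elevated PowerShell session on the ISA server after the RSA admin has handed over SDCONF.REC and before the first external OWA logon; if it reports a stale `securid` file, that file (and the matching node secret on the ACE side) is what needs clearing, which is the same condition behind the `100: Access denied` error discussed in the thread.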
"Brad" wrote:
That helped me with some minor setting changes but I'm still getting the same
problem where I'm unable to actually log in successfully. Not sure what is
going on for sure.
--
Thanks,
Brad Loftus
"JMS" wrote:
So here is what I am seeing.
Users are connecting to https://myowa.domain.com/exchange
They are getting this when connecting from an ISA Server labeled page:
106: The Web server is busy. Try again later.
They don't even get prompted at all for their SecurID login.
On the ISA server I did test connectivity to the RSA server using their test
tool. It connects and authenticates fine from the ISA server. The file from
the RSA server is copied to system32.
Here is all of what I think should be pertinent. If anyone needs more info,
please let me know and I'll post more details:
ISA 2006 Std server. Connecting to NLB OWA machines. 443 open to/from
these servers and the ISA server (which is in my DMZ). ISA server is not a
domain member.
Firewall policy for this is the first in the list. Details:
From: Anywhere
To: Applies to myowa.domain.com. Original host header is checked. Requests
from ISA server.
Traffic: HTTPS
Listener: Set to use the listener detailed below.
Public Name lists myowa.domain.com
Paths:
<Same as Internal> for /public/*, /Microsoft-Server-ActiveSync/, /Exchweb/*,
/Exchange/*. Also have it resolving / to /exchange so if someone forgets to
add /exchange it will automatically do so.
Authentication Delegation: No delegation, but client may authenticate
directly. I had it set to RSA SecurID but that did no good.
Application Settings: Nothing set on this page of interest, i.e. Customized
forms is unchecked.
Bridging: Web server picked and redirect to 443 checked.
Users: All Auth Users
Link Trans: Apply link translation to this rule is checked.
For the web listener:
Networks: External and Internal
Connections: Enable SSL checked and set to 443
Certificates: Point to the cert I got from my OWA machine. Installed fine.
Authentication: Set to HTML Form Auth and RSA SecurID are picked. Nothing
else on this page. On the advanced properties of this tab nothing is
selected beyond the defaults.
Forms: Nothing selected
SSO: Not enabled.
Sorry for the lengthy message, but I figured the extra detail may help.