Re: RSA with OWA and FBA
- From: jerrygyoungii@xxxxxxxxx
- Date: 7 Mar 2006 12:28:32 -0800
Okay...
So RSA SecurID running on ISA doesn't support SSO. That's fine.
What about being able to ensure that only the user that authenticated
against RSA can log into OWA?
Right now, after a user authenticates against RSA, a totally different
user can authenticate against OWA. Is there any way that this behavior
can be prevented?
If an RSA agent is installed on the OWA server directly, it prevents a
user different from the one that authenticated against RSA from logging
onto OWA. I'd really like to do the same thing at the ISA level,
though.
Thoughts?
LAN Hotfixer wrote:
This might indicate that Microsoft might not be that happy about RSA SecurID
on ISA 2004 to authenticate - before FBA.
At the same time it indicates that they do support it:
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/unsupportedconfigs.mspx
Troubleshooting Unsupported Configurations in ISA Server 2004
Microsoft Internet Security and Acceleration Server 2004
Published: November 2, 2005
Problem: There are a number of limitations to be aware of when enabling RSA
SecurID authentication on ISA Server:
· When you configure RSA SecurID on a Web publishing rule, no other form of
authentication can be enabled.
· Outlook Web Access cannot be configured to use SecurID credentials. ISA
Server can forward the cookie to the Outlook Web Access server, but the
server will not do anything with it.
Cause: When you publish an Outlook Web Access server and enable RSA SecurID
on ISA Server, with forms-based authentication on the Exchange server, the
following occurs:
· Users will be prompted for an RSA SecurID password and PIN by ISA Server.
· After being authenticated by ISA Server, users will be prompted by
Exchange with the forms-based authentication page.
But maybe it is not that good a combination with 2 cookies.... from the ISA
2004 Help manual:
- On the RSA SecurID tab, verify that Send SecurID cookie to upstream server
is selected.
If you do not select this option, ISA Server removes the SecurID cookie from
the header, and invalid cookies are forwarded to the Outlook Web Access
server that is being published.
When ISA Server is configured to use SecurID authentication, forms-based
authentication will not function as expected, because forms-based
authentication requires its own cookie to identify the client. After the
client successfully authenticates to ISA Server and to the Outlook Web Access
server, Internet Explorer sends both cookies to ISA Server, on the same
cookie header. ISA Server removes the SecurID cookie from the header and
alters the remaining cookies so that they are invalid. The Outlook Web Access
server does not receive the required credentials, and presents the
forms-based authentication form to the client again.
--
LAN Hotfixer
"Henk Steunenberg (Ms)" wrote:
Hello,
ISA 2004 only supports FBA with Exchange and OWA and does not support
customizing of the OWA and RSA pages.
regards,
Henk Steunenberg
"admin ken" <none@xxxxxxxxxxxxx> wrote in message
news:uraHt$PEGHA.3920@xxxxxxxxxxxxxxxxxxxxxxx
Can the integrated RSA features work with OWA w/ forms based
authentication in ISA 2004?
I know there is an issue with RADIUS and OWA FBA but there is a fix from
Microsoft, I wonder if there is any issue using RSA with OWA and FBA.