Re: ISA2000 + Remote Outlook Web Access (Exchange 2003) - Multiple Login Prompts



Well, after many hours and days figuring this out, I think I finally
got it. It turns out that under the Site and Content rules of my ISA
server, I have specific AD security groups listed as to who can access
the internet. If your ISA server is set up that way (as to allow
specific people or groups access to the internet) it looks like it has
an authentication layer it examines in the hosts' packets. For
instance, and this is just my theory, that because the ISA server is
doing packet inspection on all outgoing network connections to ensure
that user can indeed connect, then there is probably some sort of
header information within the packet that carries authentication
information. However, when ISA is set to allow outgoing internet from
"Everyone", it doesn't exhibit this problem. So, what I think is
happening is that our Outlook Web Access server on the remote end
isn't using a forms authentication, it's using the NTLM/layered
integrated authentication, the ISA server on local end (where the
clients originate from) is stripping out NTLM/integrated
authentication header information once it "clears authentication",
therefore, you're getting multiple login prompts because ISA has
removed that header info, not realizing that there is more than just
local authentication happening.

This is how I solved this little dilemma. I created a destination set
within ISA 2000 that specifies all of our OWA mail sites. In the
folder path I just specified "/*" so that we have a wildcard on any
subdirectories. From that, I created another Site and Content rule that
allowed the "everyone" security object to that specific destination
set. In theory, it means that for any of our mail domains, it'll
allow unauthenticated web traffic. By security design, this isn't a
major foreseeable problem, however, if it ever becomes a problem,
we'll have to continue to investigate this issue/limitation/
inconvenience with ISA 2000. This fixed the problem for me. I tested
the fix and it's all working now. For the past two days I've had
users access the OWA site again, and no complaints of ever coming
pop-ups (crosses fingers).

I hope this helps out others as after 5 days of scouring the internet,
I haven't found a direct solution, just a lot of posts about how
people have had similar cases but no definitive answer. Feel free to
e-mail me if you have any further questions; otherwise, happy surfing!
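
As an added example (not part of the original post): when a browser behind an authenticating proxy keeps prompting, the status code and challenge header of each response show which layer is asking, 407 with Proxy-Authenticate for the proxy and 401 with WWW-Authenticate for the remote web server. The response heads and the host name `proxy.example.test` below are constructed sample data, not a capture from the setup described above.

```python
import re

# Constructed sample: response heads a client might see while opening a
# web mail site through an authenticating proxy (not a real capture).
SAMPLE_RESPONSES = [
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    "Proxy-Authenticate: Basic realm=\"proxy.example.test\"\r\n\r\n",
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
]

# Which header carries the challenge, and which layer sent it, per status code.
CHALLENGE_HEADER = {401: "www-authenticate", 407: "proxy-authenticate"}
LAYER = {401: "origin server", 407: "proxy"}


def parse_response(raw):
    """Return (status_code, {lowercased_header: [values]}) for one response head."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    match = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not match:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(match.group(1)), headers


def classify(raw):
    """Name the layer that issued an auth challenge and the schemes it offered."""
    status, headers = parse_response(raw)
    if status not in CHALLENGE_HEADER:
        return None  # not an authentication challenge
    values = headers.get(CHALLENGE_HEADER[status], [])
    # The scheme is the first token of each challenge header value.
    schemes = [v.split(None, 1)[0] for v in values if v]
    return {"status": status, "layer": LAYER[status], "schemes": schemes}


def summarize(responses):
    """List every challenge seen, in order, skipping non-challenge responses."""
    return [c for c in map(classify, responses) if c]


if __name__ == "__main__":
    for c in summarize(SAMPLE_RESPONSES):
        print("%(status)s from %(layer)s: %(schemes)s" % c)
```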
