OWA 2003 / 2010 co-exist problem - E2k3 users need to enter password twice to logon.

OWA 2003 / 2010 co-exist problem - E2k3 users need to e... - 7.Sep.2010 12:18:49 PM   
AndyHWC

 

Posts: 12
Joined: 7.Apr.2008
Status: offline
Our Exchange 2010/2003 has the following configuration.


ISA2006 (FBA)
  |
  |
CAS/HT (Array)
  |
  |-------------------- E2k10 Mailstores
  |
E2k3 Front End
  |
  |
E2k3 Back End



Exchange 2010 users can logon to their mailbox fine.

When Exchange 2003 users log on, they first need to enter the correct credentials once to be redirected to legacy.e2k3-front-end.org, then have to enter the logon credentials again to log on to OWA 2003.  Is this normal?  Is there any way to set up ISA/CAS so Exchange 2003 users only need to enter logon credentials once?

Thanks
Andy
Post #: 1
RE: OWA 2003 / 2010 co-exist problem - E2k3 users need ... - 7.Sep.2010 12:36:19 PM   
bnaguiar

 

Posts: 9
Joined: 31.Aug.2010
Status: offline
Hi Andy,

In a coexistence scenario (E2k3 and E2K7) you need to install the CAS server and decommission the legacy Front-end servers as they are unable to access the new Mailbox servers. I am not sure if with Exchange 2010 this is the same approach, but I would think so. What is the URL for both OWA services?
Hope this helps.
Cheers,
Bruno

(in reply to AndyHWC)
Post #: 2
RE: OWA 2003 / 2010 co-exist problem - E2k3 users need ... - 7.Sep.2010 12:52:16 PM   
AndyHWC

 

Posts: 12
Joined: 7.Apr.2008
Status: offline
We are testing an E2k3 and E2k10 coexistence scenario in the lab; there is no E2k7 server in the environment.

E2k7 CAS supports OWA with E2k3 mailboxes but E2k10 doesn't.  When an E2k3 user reaches ISA, it proxies to E2k10 CAS.  E2k7 CAS will then redirect the user to legacy.owa.com, which points to the old E2k3 FE.

E2k10 URL is our primary public facing OWA URL (was previously used by E2k3).   e.g. email.ourdomain.com

E2k3 legacy URL is a new temporary URL pointing to E2k3 frontend.  e.g. legacy.ourdomain.com.

(in reply to bnaguiar)
Post #: 3
RE: OWA 2003 / 2010 co-exist problem - E2k3 users need ... - 7.Sep.2010 2:45:45 PM   
John Weber

 

Posts: 1236
Joined: 20.Apr.2005
From: Portland, Oregon
Status: offline
Sounds like you need to change the e2k3 FE servers to integrated auth instead of FBA.

_____________________________

John Weber [Lync MVP] http://tsoorad.blogspot.com

(in reply to AndyHWC)
Post #: 4
RE: OWA 2003 / 2010 co-exist problem - E2k3 users need ... - 7.Sep.2010 3:02:05 PM   
AndyHWC

 

Posts: 12
Joined: 7.Apr.2008
Status: offline
Hi John,

The E2k3 FE is not using FBA.  It is using basic auth.  I tried enabling Integrated Auth from IIS Admin but I still needed to enter logon credentials twice.

Thanks,

quote:

ORIGINAL: John Weber

Sounds like you need to change the e2k3 FE servers to integrated auth instead of FBA.

(in reply to John Weber)
Post #: 5
RE: OWA 2003 / 2010 co-exist problem - E2k3 users need ... - 7.Sep.2010 3:18:08 PM   
de.blackman

 

Posts: 3542
Joined: 4.Apr.2005
From: Toronto, Canada
Status: offline
When you want to enable authentication on E2k3, it has to be done from within the System Manager (expand the server\protocols\http) and from there you can set the authentication method properly. Exchange uses a process called DS2MB that synchronizes the authentication and configuration from Exchange (essentially Active Directory or Directory Service (DS)) into IIS (essentially the IIS metabase (MB)). Change the authentication of the Exchange VDir in ESM to integrated.

_____________________________

Ibrahim Benna - Microsoft Exchange MVP
Forum Moderator
Navantis
@IbrahimBenna

(in reply to AndyHWC)
Post #: 6
RE: OWA 2003 / 2010 co-exist problem - E2k3 users need ... - 7.Sep.2010 3:23:36 PM   
AndyHWC

 

Posts: 12
Joined: 7.Apr.2008
Status: offline
Integrated Auth is grayed out on ESM.

and fwiw, legacyredirecttype is set to default "Silent".

< Message edited by AndyHWC -- 7.Sep.2010 4:16:55 PM >

(in reply to de.blackman)
Post #: 7
RE: OWA 2003 / 2010 co-exist problem - E2k3 users need ... - 13.Sep.2010 11:25:59 AM   
AndyHWC

 

Posts: 12
Joined: 7.Apr.2008
Status: offline
Can anyone who uses ISA 2006 and upgraded from Exchange 2003 confirm this limitation? Is there a workaround so E2k3 users only need to enter logon credentials once?

thanks

(in reply to AndyHWC)
Post #: 8
RE: OWA 2003 / 2010 co-exist problem - E2k3 users need ... - 23.Sep.2010 5:04:39 AM   
Gotink

 

Posts: 13
Joined: 13.Sep.2010
Status: offline
You should use "Integrated Authentication" on your web page and set Internet Explorer to "Automatic Logon" (in IE options, Security).
You probably have to add the website to trusted sites.

(in reply to AndyHWC)
Post #: 9
RE: OWA 2003 / 2010 co-exist problem - E2k3 users need ... - 29.Sep.2010 10:50:13 AM   
AndyHWC

 

Posts: 12
Joined: 7.Apr.2008
Status: offline
Problem solved, need to enable SSO on the listener.
--------------------

Not sure what you mean by "set Internet explorer to "Automatic Logon" (in IE options, Security) ".

Do you mean Integrated Auth on the CAS servers or the Exchange 2003 Frontend?

I have basic and integrated enabled on the CAS servers.  When I use Integrated only on the CAS, I got below error from IE:

"Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202) "


Here are the auth methods on each server:

ISA 2006:
Listener uses FBA, LDAP as authentication validation method.
OWA 2003/2010 rule authentication:  Basic authentication, same listener

CAS:
Authentication on OWA and ECP: Basic, Integrated

2003 FE
Authentication on Exchange: Basic, Integrated

< Message edited by AndyHWC -- 29.Sep.2010 7:10:28 PM >

(in reply to Gotink)
Post #: 10
RE: OWA 2003 / 2010 co-exist problem - E2k3 users need ... - 30.Sep.2010 2:23:12 AM   
Gotink

 

Posts: 13
Joined: 13.Sep.2010
Status: offline
When Integrated Authentication is set on the server, the client (Internet Explorer) must try to single sign-on. Default security in IE does not do that when the server is on "Internet".
In IE Options Security you can modify this behavior by modifying the security settings of "Internet" or by adding this site to the trusted sites.

(in reply to AndyHWC)
Post #: 11
RE: OWA 2003 / 2010 co-exist problem - E2k3 users need ... - 30.Sep.2010 8:40:55 AM   
AndyHWC

 

Posts: 12
Joined: 7.Apr.2008
Status: offline
Problem solved, turns out I need to enable SSO on the ISA 2006 listener.

Thanks

(in reply to Gotink)
Post #: 12
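Added example, not part of the thread: a small model of why enabling SSO on the listener removes the second prompt. It assumes the listener's forms-auth cookie is host-only without SSO and scoped to a configured SSO domain (here `.ourdomain.com`, an assumed value) with it; the function names and the extra hostnames are hypothetical.

```python
"""Why a forms-auth cookie does or does not survive the legacy redirect.
Hostnames are the thread's examples; scoping follows RFC 6265 domain matching.
How ISA names or encrypts its cookie is not modelled (assumption)."""

def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3: equal, or host ends with '.' + cookie_domain."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def cookie_sent(request_host, issuing_host, sso_domain=None):
    """Without a Domain attribute the cookie is host-only (issuing host only)."""
    if sso_domain is None:
        return request_host.lower() == issuing_host.lower()
    # A cookie can only be set for a domain the issuing host belongs to.
    return (domain_match(issuing_host, sso_domain)
            and domain_match(request_host, sso_domain))

def credential_prompts(hops, sso_domain=None):
    """Count logon forms shown while following `hops` (hostnames in order)."""
    prompts, issuer = 0, None
    for host in hops:
        if issuer is None or not cookie_sent(host, issuer, sso_domain):
            prompts += 1   # no usable session cookie: the form is shown again
            issuer = host  # a fresh cookie is issued for this host
    return prompts

def also_receives(other_hosts, sso_domain):
    """Hosts outside the published pair that would also be sent the cookie."""
    return [h for h in other_hosts if domain_match(h, sso_domain)]

# Constructed sample data based on the thread's example names.
REDIRECT_PATH = ["email.ourdomain.com", "legacy.ourdomain.com"]
OTHER_HOSTS = ["www.ourdomain.com", "partner.example.net"]  # hypothetical

if __name__ == "__main__":
    print("prompts without SSO:", credential_prompts(REDIRECT_PATH))
    print("prompts with SSO:   ",
          credential_prompts(REDIRECT_PATH, ".ourdomain.com"))
    print("cookie also sent to:", also_receives(OTHER_HOSTS, ".ourdomain.com"))
```

A domain-scoped cookie is sent to every host under that domain, so the SSO domain should be as narrow as the published sites allow. A legacy URL under a different parent domain cannot share the cookie at all.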
