Exchange Server Forums


OWA doesn't get past log in screen with ISA 2006

OWA doesn't get past log in screen with ISA 2006 - 8.Dec.2006 9:49:06 AM   
KThompson

 

Posts: 13
Joined: 8.Dec.2006
Status: offline
I'm setting up OWA using Exchange 2003 and ISA 2006.  We have a single Exchange server in our domain, but it is not a DC.  The ISA server is set up in the DMZ and is not a domain member.  After entering the domain\username and password on the OWA site, the page just sits there.  It looks like it's trying to go to the next page but never does.

I followed Thomas Shinder's instructions for "LDAP Pre-authentication with ISA 2006 Firewalls:  Using LDAP to Pre-authenticate OWA Access" parts 1 - 4.  I was able to log in ONCE off-site, but haven't been able to log in since.  I didn't change anything from the time I was able to log in to when I couldn't.  It actually happened within minutes.  :)

I've tested LDAP with ldap.exe to my DC's.  It connects.

Does anybody have a suggestion of what I need to check?  I've posted this on isaserver.org as well.  I didn't get any responses.

Thanks for any help.
Post #: 1
RE: OWA doesn't get past log in screen with ISA 2006 - 8.Dec.2006 11:54:48 AM   
pjhutch

 

Posts: 3034
Joined: 21.Jul.2001
From: W Yorks, England
Status: offline
Try this article:
http://www.internetaccessmonitor.com/eng/products/articles/ISA-Firewall-Publishing-OWA-RPC-HTTP-Single-IP-Address-Part1/ISA-Firewall-Publishing-OWA-RPC-HTTP-Single-IP-Address-Part1.php

(in reply to KThompson)
Post #: 2
RE: OWA doesn't get past log in screen with ISA 2006 - 8.Dec.2006 11:58:58 AM   
robgolding63

 

Posts: 118
Joined: 29.May2006
From: Nottingham, England
Status: offline
I had this exact same problem. Hopefully I am now going to offer you a quick fix!

Is FBA enabled on the Exchange server? If you have just got ISA 2006, then it probably is. Just turn it off, and that's it! It shouldn't be on if ISA is presenting the login screen, but I left it on after upgrading to ISA from a Linux firewall, and caused myself hours of grief. Anyway, under the protocols folder in ESM, go to HTTP, and HTTP Virtual Server (I think), then go on the properties and turn Forms Based Authentication off.

Good luck! Hope it works!

Rob

_____________________________

Rob Golding - http://maxms.net - Windows Server/Exchange Resource Site

(in reply to pjhutch)
Post #: 3
RE: OWA doesn't get past log in screen with ISA 2006 - 8.Dec.2006 3:18:29 PM   
KThompson

 

Posts: 13
Joined: 8.Dec.2006
Status: offline
pjhutch, I've read the documentation you suggested.  I've set up RPC/HTTP on the back-end (only) Exch server.  I'll have to find where Thomas Shinder gives more explanation on creating the "OWA and RPC/HTTP web publishing rule."  I don't know if I need to modify the OWA rule I already have, or not.

Rob, I checked and FBA is not enabled on the Exch server.  I still have hope that it is something simple I need to correct.

(in reply to KThompson)
Post #: 4
RE: OWA doesn't get past log in screen with ISA 2006 - 11.Dec.2006 12:48:31 PM   
KThompson

 

Posts: 13
Joined: 8.Dec.2006
Status: offline
Would a certificate problem cause the problem I'm having?

I had created a certificate on my Exchange server and copied it over to my ISA server the first time I tried to set up OWA.  When I had a problem, I deleted the certificates and the rules and listeners I set up on the ISA server and started over.  I followed Shinder's instructions step-by-step.  Now when I look at the certificates installed, I have four on my Exchange server on the domain, and two on my ISA server.  Is that right?

The ISA server has two certificates in personal and trusted.  Here's what I see...

First ISA Certificate
Issued to:  external owa site address
Issued by:  external owa site address
Expiration date:  11-2-2011
Intended purposes: <All>
Friendly Name:  <None>
Certificate Template:  Certificate Authority

Second ISA Certificate
Issued to: external owa site address
Issued by:  external owa site address
Expiration date:  11-30-2008
Intended purposes:  Server Authentication
Friendly Name:  Default Web Site
Certificate Template:  Web Server

The Exchange server has these two certificates plus a computer certificate issued to all domain controllers and this one:

Issued to:  external owa site address
Issued by:  external owa site address
Expiration date:  11-2-2008
Intended purposes: Server Authentication
Friendly Name:  SSL Certificate for OWA
Certificate Template:  Web Server

Any help on this would be greatly appreciated.

(in reply to KThompson)
Post #: 5
RE: OWA doesn't get past log in screen with ISA 2006 - 11.Dec.2006 1:00:25 PM   
robgolding63

 

Posts: 118
Joined: 29.May2006
From: Nottingham, England
Status: offline
To test whether there is a certificate problem, type the URL for your webmail into Internet Explorer, on the ISA box. You should get the login, with NO prompts, warnings, or messages about the certificate. If you do, then it won't work. The certificate should be issued by the CA on your domain (usually), of which the Exchange and ISA servers are members - so they trust it automatically.

Hope that helps,

Rob

_____________________________

Rob Golding - http://maxms.net - Windows Server/Exchange Resource Site

(in reply to KThompson)
Post #: 6
RE: OWA doesn't get past log in screen with ISA 2006 - 11.Dec.2006 1:16:22 PM   
KThompson

 

Posts: 13
Joined: 8.Dec.2006
Status: offline
I typed the webmail URL into my ISA server.  It did not redirect the address (it does externally), but said the web page was under construction.  There was a certificate present.  I checked the certificate.  It said it was "OK."  The expiration date was 11-30-2008.

I typed the address with /exchange, and it immediately brought up a Windows log on box entitled "connect to <webmail address>"  I logged in successfully.

So that means the certificates are OK?

(in reply to robgolding63)
Post #: 7
RE: OWA doesn't get past log in screen with ISA 2006 - 11.Dec.2006 1:20:13 PM   
robgolding63

 

Posts: 118
Joined: 29.May2006
From: Nottingham, England
Status: offline
Yep that means the certificate is OK. As long as you were typing the external URL in the ISA server. By recommendation, there should be an entry in the hosts file, that redirects, for example, mail.goldcs.co.uk to 172.16.10.1 (or the IP of the mail server). Note that the ISA server will need to be restarted for this to take effect. Then in the publishing rule you type the external hostname as the name of the mail server, so the certificate name matches (otherwise the ISA server will not connect, as it thinks it is a different machine).

If all this is correct, then there is something else wrong, and I'm going to need a bit more information to try and sort this one out.

Good Luck!

Rob

_____________________________

Rob Golding - http://maxms.net - Windows Server/Exchange Resource Site

(in reply to KThompson)
Post #: 8
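The name-matching requirement described in the post above can be checked offline. This is an added example, not code from the thread or its posters: given the hosts-file text from the ISA box, the names on the Exchange certificate and the server name typed in the publishing rule, it reports where they disagree (it also handles wildcard certificate names, which the post does not discuss). The host name and address are the illustrative ones from the post; `exch01`, `SAMPLE_HOSTS` and the function names are hypothetical.

```python
import ipaddress

# Constructed sample hosts file, using the illustrative name and IP from the post.
SAMPLE_HOSTS = """\
127.0.0.1    localhost
172.16.10.1  mail.goldcs.co.uk   # Exchange server, internal address
"""

def parse_hosts(text):
    """Map lower-cased host names to IPs from hosts-file text (first entry wins)."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an address, skip the line
        for name in fields[1:]:
            table.setdefault(name.lower(), ip)
    return table

def cert_name_matches(host, cert_name):
    """Exact match, or a wildcard that covers only the left-most label."""
    host, cert_name = host.lower().rstrip("."), cert_name.lower().rstrip(".")
    if cert_name.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == cert_name[2:]
    return host == cert_name

def check_bridging(rule_target, cert_names, hosts_text, internal_ip):
    """Return findings; an empty list means rule, certificate and hosts file agree."""
    findings = []
    if not any(cert_name_matches(rule_target, n) for n in cert_names):
        findings.append("name-mismatch: %r is not on the certificate" % rule_target)
    resolved = parse_hosts(hosts_text).get(rule_target.lower())
    if resolved is None:
        findings.append("no-hosts-entry: %r is not in the hosts file" % rule_target)
    elif resolved != internal_ip:
        findings.append("wrong-address: %r resolves to %s" % (rule_target, resolved))
    return findings

if __name__ == "__main__":
    cert = ["mail.goldcs.co.uk"]  # names on the Exchange server's certificate
    # Rule target equal to the external name: everything lines up.
    print(check_bridging("mail.goldcs.co.uk", cert, SAMPLE_HOSTS, "172.16.10.1"))
    # Rule target set to a hypothetical internal machine name: two findings.
    print(check_bridging("exch01", cert, SAMPLE_HOSTS, "172.16.10.1"))
```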
RE: OWA doesn't get past log in screen with ISA 2006 - 11.Dec.2006 3:35:22 PM   
KThompson

 

Posts: 13
Joined: 8.Dec.2006
Status: offline
Rob,

According to your last post, it seems you need a bit more information.  My first post gives a general view of my network, and what instructions I followed.

I have a PIX firewall.  I have port 636/tcp, and 443/tcp open from the ISA server to the Exchange server, and port 443/tcp open from anywhere to the ISA server.  I also have port 636/tcp for LDAPS to one of my domain controllers, in case the Exchange which is not a DC is not good enough.  All servers are Windows 2003.

Ask whatever questions will help you sort this one out, or point me in the right direction.

Thanks so much for your help.

(in reply to robgolding63)
Post #: 9
RE: OWA doesn't get past log in screen with ISA 2006 - 11.Dec.2006 3:39:58 PM   
robgolding63

 

Posts: 118
Joined: 29.May2006
From: Nottingham, England
Status: offline
OK, reading through your first post again, I've spotted a clue! The fact that it just hangs, and doesn't log in, I think is quite significant. The problem I was describing (the one I had), was where the page simply refreshed, and the user was prompted for login info again.

With yours timing out, it sounds like LDAP can't get through (even though you say using ldap.exe can connect), is the DC you specified in the LDAP servers list referred to by name or IP - if it is by name, check you can resolve it via hosts file or DNS. I don't use LDAP auth. myself, as my ISA machine is a member of the domain, so that is all I can suggest so far, but it may be a step in the right direction!

Sorry I can't offer more help just yet, I'll try and do some research!

Rob

_____________________________

Rob Golding - http://maxms.net - Windows Server/Exchange Resource Site

(in reply to KThompson)
Post #: 10
RE: OWA doesn't get past log in screen with ISA 2006 - 12.Dec.2006 3:34:19 PM   
KThompson

 

Posts: 13
Joined: 8.Dec.2006
Status: offline
The DC in the LDAP servers list is referred to by name.  I'm using hosts entries to resolve names to IP addresses.  It resolves to the correct IP address. I tested all my hosts entries, the Exchange server, one of the DCs, and the external website address.

Thanks for your willingness to help.  I'll keep looking at LDAP documentation.

(in reply to robgolding63)
Post #: 11
RE: OWA doesn't get past log in screen with ISA 2006 - 13.Dec.2006 11:32:48 AM   
KThompson

 

Posts: 13
Joined: 8.Dec.2006
Status: offline
LDAP must be working.  I've tried logging in and intentionally put in the wrong password, it tells me the password is incorrect.  It wouldn't do that if it wasn't authenticating, right?  I've tried logging in with a user account that does not have permission.  It gives the "page cannot be displayed" page.  But when I try to log in with an account that has permission with the right password, it just sits there.  Is it a rule problem?

I only have a few rules in the ISA server:  the OWA rule, done according to Shinder's instructions; a rule allowing that server to surf the Internet; and a rule allowing LDAPS connections between the ISA server and a DC and the Exchange server.

What could be the problem?

(in reply to KThompson)
Post #: 12
RE: OWA doesn't get past log in screen with ISA 2006 - 13.Dec.2006 11:36:43 AM   
robgolding63

 

Posts: 118
Joined: 29.May2006
From: Nottingham, England
Status: offline
OK, so it's authenticating correctly. The problem is when it actually tries to do the exchange stuff. Have you tried doing it from the ISA server itself? Also, try watching the logs while you attempt a login (you can filter by denied connection). This will give you an idea of where the traffic is being blocked.

Good luck!

Rob

_____________________________

Rob Golding - http://maxms.net - Windows Server/Exchange Resource Site

(in reply to KThompson)
Post #: 13
RE: OWA doesn't get past log in screen with ISA 2006 - 13.Dec.2006 11:55:24 AM   
pjhutch

 

Posts: 3034
Joined: 21.Jul.2001
From: W Yorks, England
Status: offline
1. Is the Exchange server on the DMZ or on the internal network?

2. Can you use OWA internally? Can you use OWA on the Exchange server itself or the ISA server itself?

3. Are you using OWA with SSL? Did you include port 443 for https on ISA?

See also:
http://support.microsoft.com/kb/327843/en-us

(in reply to robgolding63)
Post #: 14
RE: OWA doesn't get past log in screen with ISA 2006 - 13.Dec.2006 12:26:08 PM   
KThompson

 

Posts: 13
Joined: 8.Dec.2006
Status: offline
1.  The Exchange server is on the internal network.
2.  Yes, I can use OWA internally.  I can use OWA on the ISA server itself.
3.  I am using OWA with https.  I have a rule that allows the ISA server to anyone using http, https, and ftp.

I checked the logs from when I tried logging in with different accounts and different passwords.  I first tried with an allowed user account (mine) and correct password.  The first entry shown in the log is HTTPS, Denied Connection, by rule:  OWA.  ClientUsername was "anonymous."  ? 
The detail showed:  "12239 The server requires authorization to fulfill the request. Access to the Web server is denied."

I saw where I tried to log in with an account that does not have OWA access.  It showed the ClientUsername as (LDAP)username.  I actually tried with two different user accounts that do not have permissions, only one showed up.  The detail error was:  12202 The ISA Server denied the specified Uniform Resource Locator (URL).


(in reply to pjhutch)
Post #: 15
RE: OWA doesn't get past log in screen with ISA 2006 - 15.Dec.2006 11:13:31 AM   
KThompson

 

Posts: 13
Joined: 8.Dec.2006
Status: offline
I've checked my firewall logs.  I see traffic from outside to my ISA server on port 443.  I see traffic from my ISA server to the specified DC on port 636.  There is no other related traffic.  ?  I don't have anything coming from my ISA server to my Exchange server on port 443.  It's not even trying to connect.

That should help me diagnose my problem, but I don't know where to look.  Does that spark any ideas for anybody else?

(in reply to KThompson)
Post #: 16
RE: OWA doesn't get past log in screen with ISA 2006 - 15.Dec.2006 11:34:17 AM   
pjhutch

 

Posts: 3034
Joined: 21.Jul.2001
From: W Yorks, England
Status: offline
What authentication methods have you enabled for OWA on Exchange? We just have Basic Auth on the /exchange virtual directory.


(in reply to KThompson)
Post #: 17
RE: OWA doesn't get past log in screen with ISA 2006 - 15.Dec.2006 2:33:58 PM   
KThompson

 

Posts: 13
Joined: 8.Dec.2006
Status: offline
On the /exchange virtual directory I have Integrated Windows authentication and Basic authentication checked.  Do you think I need to uncheck "Integrated Windows authentication?"

(in reply to pjhutch)
Post #: 18
RE: OWA doesn't get past log in screen with ISA 2006 - 15.Dec.2006 4:37:00 PM   
KThompson

 

Posts: 13
Joined: 8.Dec.2006
Status: offline
PJ

I unchecked the "Integrated Windows Authentication" and it did the same thing it's been doing.  Sitting there after putting in the correct password.

(in reply to KThompson)
Post #: 19
RE: OWA doesn't get past log in screen with ISA 2006 - 16.Dec.2006 10:54:18 AM   
pjhutch

 

Posts: 3034
Joined: 21.Jul.2001
From: W Yorks, England
Status: offline
Would it be possible to undo all the changes on ISA and start again 'cause nothing seems to be working....

(in reply to KThompson)
Post #: 20
