OWA doesn't get past log in screen with ISA 2006

All Forums >> [Microsoft Exchange 2003] >> Outlook Web Access

KThompson -> OWA doesn't get past log in screen with ISA 2006 (8.Dec.2006 9:49:06 AM)

I'm setting up OWA using Exchange 2003 and ISA 2006.  We have a single Exchange server in our domain, but it is not a DC.  The ISA server is set up in the DMZ and is not a domain member.  After entering the domain\username and password on the OWA site, the page just sits there.  It looks like it's trying to go to the next page but never does.

I followed Thomas Shinder's instructions for "LDAP Pre-authentication with ISA 2006 Firewalls:  Using LDAP to Pre-authenticate OWA Access" parts 1 - 4.  I was able to log in ONCE off-site, but haven't been able to log in since.  I didn't change anything from the time I was able to log in to when I couldn't.  It actually happened within minutes.  :)

I've tested LDAP with ldap.exe to my DCs.  It connects.

Does anybody have a suggestion of what I need to check?  I've posted this on isaserver.org as well.  I didn't get any responses.

Thanks for any help.




pjhutch -> RE: OWA doesn't get past log in screen with ISA 2006 (8.Dec.2006 11:54:48 AM)

Try this article:
http://www.internetaccessmonitor.com/eng/products/articles/ISA-Firewall-Publishing-OWA-RPC-HTTP-Single-IP-Address-Part1/ISA-Firewall-Publishing-OWA-RPC-HTTP-Single-IP-Address-Part1.php




robgolding63 -> RE: OWA doesn't get past log in screen with ISA 2006 (8.Dec.2006 11:58:58 AM)

I had this exact same problem. Hopefully I am now going to offer you a quick fix!

Is FBA enabled on the Exchange server? If you have just got ISA 2006, then it probably is. Just turn it off, and that's it! It shouldn't be on if ISA is presenting the login screen, but I left it on after upgrading to ISA from a Linux firewall, and caused myself hours of grief. Anyway, under the Protocols folder in ESM, go to HTTP, and HTTP Virtual Server (I think), then go on the properties and turn Forms Based Authentication off.

Good luck! Hope it works!

Rob




KThompson -> RE: OWA doesn't get past log in screen with ISA 2006 (8.Dec.2006 3:18:29 PM)

pjhutch, I've read the documentation you suggested.  I've set up RPC/HTTP on the back-end (only) Exch server.  I'll have to find where Thomas Shinder gives more explanation on creating the "OWA and RPC/HTTP web publishing rule."  I don't know if I need to modify the OWA rule I already have, or not.

Rob, I checked and FBA is not enabled on the Exch server.  I still have hope that it is something simple I need to correct.




KThompson -> RE: OWA doesn't get past log in screen with ISA 2006 (11.Dec.2006 12:48:31 PM)

Would a certificate problem cause the problem I'm having?

I had created a certificate on my Exchange server and copied it over to my ISA server the first time I tried to set up OWA.  When I had a problem, I deleted the certificates and the rules and listeners I set up on the ISA server and started over.  I followed Shinder's instructions step-by-step.  Now when I look at the certificates installed, I have four on my Exchange server on the domain, and two on my ISA server.  Is that right?

The ISA server has two certificates in personal and trusted.  Here's what I see...

First ISA Certificate
Issued to:  external owa site address
Issued by:  external owa site address
Expiration date:  11-2-2011
Intended purposes: <All>
Friendly Name:  <None>
Certificate Template:  Certificate Authority

Second ISA Certificate
Issued to: external owa site address
Issued by:  external owa site address
Expiration date:  11-30-2008
Intended purposes:  Server Authentication
Friendly Name:  Default Web Site
Certificate Template:  Web Server

The Exchange server has these two certificates plus a computer certificate issued to all domain controllers and this one:

Issued to:  external owa site address
Issued by:  external owa site address
Expiration date:  11-2-2008
Intended purposes: Server Authentication
Friendly Name:  SSL Certificate for OWA
Certificate Template:  Web Server

Any help on this would be greatly appreciated.




robgolding63 -> RE: OWA doesn't get past log in screen with ISA 2006 (11.Dec.2006 1:00:25 PM)

To test whether there is a certificate problem, type the URL for your webmail into internet explorer, on the ISA box. You should get the login, with NO prompts, warnings, or messages about the certificate. If you do, then it won't work. The certificate should be issued by the CA on your domain (usually), of which the exchange and ISA servers are members - so they trust it automatically.

Hope that helps,

Rob




KThompson -> RE: OWA doesn't get past log in screen with ISA 2006 (11.Dec.2006 1:16:22 PM)

I typed the webmail URL into my ISA server.  It did not redirect the address (it does externally), but said the web page was under construction.  There was a certificate present.  I checked the certificate.  It said it was "OK."  The expiration date was 11-30-2008.

I typed the address with /exchange, and it immediately brought up a Windows logon box entitled "Connect to <webmail address>".  I logged in successfully.

So that means the certificates are OK?




robgolding63 -> RE: OWA doesn't get past log in screen with ISA 2006 (11.Dec.2006 1:20:13 PM)

Yep that means the certificate is OK. As long as you were typing the external URL in the ISA server. By recommendation, there should be an entry in the hosts file, that redirects, for example, mail.goldcs.co.uk to 172.16.10.1 (or the IP of the mail server). Note that the ISA server will need to be restarted for this to take effect. Then in the publishing rule you type the external hostname as the name of the mail server, so the certificate name matches (otherwise the ISA server will not connect, as it thinks it is a different machine).

If all this is correct, then there is something else wrong, and I'm going to need a bit more information to try and sort this one out.

Good Luck!

Rob
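The check Rob describes (browse to the external name from the ISA box, expect no certificate warnings, and make sure the name in the publishing rule matches the certificate) can be scripted. The block below is an added example for this thread, not code from the original posts or from any ISA tooling. Its pure checks operate on the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns; `SAMPLE_CERT` is constructed to mirror the thread's self-issued certificate (subject equals the external OWA name, expiry 30 Nov 2008), and the host name, IP address and CA file in `check_published_server()` are placeholders, not values from the thread.

```python
"""Verify the certificate a published OWA server presents, the way an ISA
bridging rule sees it: TCP to the internal address, but TLS with the
external host name from the publishing rule, so the certificate name must
match and the issuer must be trusted by the ISA box.

Added example for the thread above; not code from the original posts.
The pure checks work on the dict shape that ssl.SSLSocket.getpeercert()
returns.  SAMPLE_CERT is constructed to mirror the thread's self-issued
certificate (subject = external OWA name, expires 30 Nov 2008); the host
name and addresses below are placeholders, not values from the thread."""
import socket
import ssl
import time

SAMPLE_CERT = {
    "subject": ((("commonName", "webmail.example.com"),),),
    "issuer": ((("commonName", "webmail.example.com"),),),   # self-issued
    "subjectAltName": (("DNS", "webmail.example.com"),),
    "notBefore": "Nov 02 00:00:00 2006 GMT",
    "notAfter": "Nov 30 23:59:59 2008 GMT",
}


def _dns_names(cert):
    """DNS SANs if present, otherwise the subject CN (legacy fallback)."""
    sans = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ())
            for key, v in rdn if key == "commonName"]


def _name_matches(pattern, host):
    """Exact match, or a wildcard that covers exactly one leftmost label."""
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    labels = host.split(".")
    return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]


def cert_matches_host(cert, hostname):
    """True if the certificate was issued for `hostname` (case-insensitive,
    trailing dot ignored)."""
    host = hostname.lower().rstrip(".")
    return any(_name_matches(n, host) for n in _dns_names(cert))


def cert_is_valid_at(cert, when):
    """True if `when` (POSIX seconds, or an aware datetime) lies inside the
    notBefore..notAfter window.  An expired copy of a certificate is a
    common silent failure after certificates are moved between servers."""
    t = when if isinstance(when, (int, float)) else when.timestamp()
    return (ssl.cert_time_to_seconds(cert["notBefore"])
            <= t <= ssl.cert_time_to_seconds(cert["notAfter"]))


def check_published_server(external_name, internal_ip, port=443,
                           cafile=None, timeout=5):
    """Live check (needs network; every argument is a placeholder).

    Connects to `internal_ip`, negotiates TLS with `external_name` as the
    server name, and verifies the chain against `cafile` (or the system
    roots).  Verification stays on: a name mismatch or an untrusted issuer
    fails the handshake here, just as ISA's bridging connection would."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((internal_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=external_name) as tls:
                cert = tls.getpeercert()
    except (OSError, ssl.SSLError, ssl.CertificateError) as exc:
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}
    return {
        "ok": cert_matches_host(cert, external_name)
              and cert_is_valid_at(cert, time.time()),
        "subject": cert.get("subject"),
        "issuer": cert.get("issuer"),
        "not_after": cert.get("notAfter"),
    }


if __name__ == "__main__":
    print("name matches:", cert_matches_host(SAMPLE_CERT, "webmail.example.com"))
    print("valid now:   ", cert_is_valid_at(SAMPLE_CERT, time.time()))
    # Live check against the internal Exchange server (placeholder values):
    # print(check_published_server("webmail.example.com", "192.0.2.10"))
```

Run the live check from the ISA box itself with the internal IP that the hosts-file entry points at; if it returns an `error`, ISA will refuse the same bridged connection, and the message says whether the problem is the name, the issuer or expiry.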




KThompson -> RE: OWA doesn't get past log in screen with ISA 2006 (11.Dec.2006 3:35:22 PM)

Rob,

According to your last post, it seems you need a bit more information.  My first post gives a general view of my network, and what instructions I followed.

I have a PIX firewall.  I have port 636/tcp, and 443/tcp open from the ISA server to the Exchange server, and port 443/tcp open from anywhere to the ISA server.  I also have port 636/tcp for LDAPS to one of my domain controllers, in case the Exchange which is not a DC is not good enough.  All servers are Windows 2003.

Ask whatever questions will help you sort this one out, or point me in the right direction.

Thanks so much for your help.




robgolding63 -> RE: OWA doesn't get past log in screen with ISA 2006 (11.Dec.2006 3:39:58 PM)

OK, reading through your first post again, I've spotted a clue! The fact that it just hangs, and doesn't log in, I think is quite significant. The problem I was describing (the one I had), was where the page simply refreshed, and the user was prompted for login info again.

With yours timing out, it sounds like LDAP can't get through (even though you say using ldap.exe can connect), is the DC you specified in the LDAP servers list referred to by name or IP - if it is by name, check you can resolve it via hosts file or DNS. I don't use LDAP auth. myself, as my ISA machine is a member of the domain, so that is all I can suggest so far, but it may be a step in the right direction!

Sorry I can't offer more help just yet, I'll try and do some research!

Rob




KThompson -> RE: OWA doesn't get past log in screen with ISA 2006 (12.Dec.2006 3:34:19 PM)

The DC in the LDAP servers list is referred to by name.  I'm using hosts entries to resolve names to IP addresses.  It resolves to the correct IP address.  I tested all my hosts entries: the Exchange server, one of the DCs, and the external website address.

Thanks for your willingness to help.  I'll keep looking at LDAP documentation.




KThompson -> RE: OWA doesn't get past log in screen with ISA 2006 (13.Dec.2006 11:32:48 AM)

LDAP must be working.  I've tried logging in and intentionally put in the wrong password; it tells me the password is incorrect.  It wouldn't do that if it wasn't authenticating, right?  I've tried logging in with a user account that does not have permission.  It gives the "page cannot be displayed" page.  But when I try to log in with an account that has permission with the right password, it just sits there.  Is it a rule problem?

I only have a few rules in the ISA server:  the OWA rule, done according to Shinder's instructions; a rule allowing that server to surf the Internet; and a rule allowing LDAPS connections between the ISA server and a DC and the Exchange server.

What could be the problem?




robgolding63 -> RE: OWA doesn't get past log in screen with ISA 2006 (13.Dec.2006 11:36:43 AM)

OK, so it's authenticating correctly. The problem is when it actually tries to do the exchange stuff. Have you tried doing it from the ISA server itself? Also, try watching the logs while you attempt a login (you can filter by denied connection). This will give you an idea of where the traffic is being blocked.

Good luck!

Rob




pjhutch -> RE: OWA doesn't get past log in screen with ISA 2006 (13.Dec.2006 11:55:24 AM)

1. Is the Exchange server on the DMZ or on the internal network?

2. Can you use OWA internally? Can you use OWA on the Exchange server itself or the ISA server itself?

3. Are you using OWA with SSL? Did you include port 443 for https on isa?

See also:
http://support.microsoft.com/kb/327843/en-us




KThompson -> RE: OWA doesn't get past log in screen with ISA 2006 (13.Dec.2006 12:26:08 PM)

1.  The Exchange server is on the internal network.
2.  Yes, I can use OWA internally.  I can use OWA on the ISA server itself.
3.  I am using OWA with https.  I have a rule that allows the ISA server to anyone using http, https, and ftp.

I checked the logs from when I tried logging in with different accounts and different passwords.  I first tried with an allowed user account (mine) and the correct password.  The first entry shown in the log is HTTPS, Denied Connection, by rule:  OWA.  ClientUsername was "anonymous."  ?
The detail showed:  "12239 The server requires authorization to fulfill the request. Access to the Web server is denied."

I saw where I tried to log in with an account that does not have OWA access.  It showed the ClientUsername as (LDAP)username.  I actually tried with two different user accounts that do not have permissions; only one showed up.  The detail error was:  12202 The ISA Server denied the specified Uniform Resource Locator (URL).
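Rob's suggestion to watch the ISA log filtered on denied connections, and the entries posted above, are the kind of thing worth scripting once the log is exported to text. The block below is an added example for this thread, not code from the original posts or from ISA. `SAMPLE_LOG` is constructed in a simplified tab-separated layout (it is not ISA 2006's real W3C field order; adjust `FIELDS` to match an exported log), the two result codes and their texts are the ones quoted in the thread, and the user, rule, address and host names are placeholders.

```python
"""Triage ISA firewall log entries for a published OWA rule: pull out the
denied connections, group them by rule, user and result code, and list
authenticated users who never received an allowed entry.

Added example for the thread above; not code from the original posts.
SAMPLE_LOG is constructed in a simplified tab-separated layout, not ISA
2006's actual W3C field order.  The result codes and texts are the ones
quoted in the thread; user, rule, address and host names are placeholders."""
from collections import Counter

FIELDS = ["date", "time", "client_ip", "username", "protocol", "action",
          "rule", "dest_host", "dest_port", "result", "url"]

# Result codes and texts quoted in the thread.
RESULT_TEXT = {
    "12239": "The server requires authorization to fulfill the request. "
             "Access to the Web server is denied.",
    "12202": "The ISA Server denied the specified Uniform Resource Locator (URL).",
}

# Constructed sample: two unauthenticated hits, one authenticated user the
# rule rejects, one authenticated user the rule lets through.
SAMPLE_LOG = """\
2006-12-13\t12:20:01\t203.0.113.10\tanonymous\tHTTPS\tDenied Connection\tOWA\twebmail.example.com\t443\t12239\thttps://webmail.example.com/exchange/
2006-12-13\t12:20:05\t203.0.113.10\tanonymous\tHTTPS\tDenied Connection\tOWA\twebmail.example.com\t443\t12239\thttps://webmail.example.com/exchange/
2006-12-13\t12:21:40\t203.0.113.10\t(LDAP)EXAMPLE\\nomailbox\tHTTPS\tDenied Connection\tOWA\twebmail.example.com\t443\t12202\thttps://webmail.example.com/exchange/
2006-12-13\t12:23:02\t203.0.113.10\t(LDAP)EXAMPLE\\alice\tHTTPS\tAllowed Connection\tOWA\twebmail.example.com\t443\t0\thttps://webmail.example.com/exchange/
"""


def parse_log(text):
    """Parse tab-separated lines into dicts keyed by FIELDS; '#' lines and
    blank lines are skipped, a malformed line is an error, not ignored."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def denied(rows):
    """Only the entries ISA logged as denied."""
    return [r for r in rows if r["action"].startswith("Denied")]


def denies_by_reason(rows):
    """Counter keyed by (rule, username, result code) over denied entries."""
    return Counter((r["rule"], r["username"], r["result"]) for r in denied(rows))


def users_never_allowed(rows):
    """Non-anonymous users that appear only in denied entries.  A user the
    form accepted but who never gets an allowed entry is being stopped at
    ISA, so the rule (paths, user set, bridging) is where to look, not the
    Exchange server."""
    allowed = {r["username"] for r in rows if r["action"].startswith("Allowed")}
    refused = {r["username"] for r in denied(rows)}
    return sorted(u for u in refused - allowed if u != "anonymous")


def summarize(rows):
    """Human-readable triage lines."""
    lines = []
    for (rule, user, code), n in sorted(denies_by_reason(rows).items()):
        text = RESULT_TEXT.get(code, "(result code not in table)")
        lines.append(f"{n}x denied by rule {rule!r} for {user!r}: {code} {text}")
    for user in users_never_allowed(rows):
        lines.append(f"{user!r} authenticated but never got an allowed entry")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(parse_log(SAMPLE_LOG))))
```

Reading the output alongside the perimeter firewall's log is the useful part: if an authenticated user produces no allowed entry at ISA and the firewall shows no ISA-to-Exchange traffic on 443 for that attempt, the request never left ISA, which narrows the search to the publishing rule and its listener rather than to IIS or Exchange.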




KThompson -> RE: OWA doesn't get past log in screen with ISA 2006 (15.Dec.2006 11:13:31 AM)

I've checked my firewall logs.  I see traffic from outside to my ISA server on port 443.  I see traffic from my ISA server to the specified DC on port 636.  There is no other related traffic.  ?  I don't have anything coming from my ISA server to my Exchange server on port 443.  It's not even trying to connect.

That should help me diagnose my problem, but I don't know where to look.  Does that spark any ideas for anybody else?




pjhutch -> RE: OWA doesn't get past log in screen with ISA 2006 (15.Dec.2006 11:34:17 AM)

What authentication methods have you enabled for OWA on Exchange? We just have Basic Auth on the /exchange virtual directory.





KThompson -> RE: OWA doesn't get past log in screen with ISA 2006 (15.Dec.2006 2:33:58 PM)

On the /exchange virtual directory I have Integrated Windows authentication and Basic authentication checked.  Do you think I need to uncheck "Integrated Windows authentication"?




KThompson -> RE: OWA doesn't get past log in screen with ISA 2006 (15.Dec.2006 4:37:00 PM)

PJ

I unchecked "Integrated Windows Authentication" and it did the same thing it's been doing: sitting there after putting in the correct password.




pjhutch -> RE: OWA doesn't get past log in screen with ISA 2006 (16.Dec.2006 10:54:18 AM)

Would it be possible to undo all the changes on ISA and start again 'cause nothing seems to be working....



