none
ISA 2006 / RSA 7.1 / OWA 2003

    Domanda

  • Hi All,

    I am trying to setup RSA authentication with ISA 2006, RSA Security Console 7.1 and OWA 2003 on Windows 2003.

    We have been using OWA with LDAP authentication successfully and now need to change to RSA. I have edited the listener rule on the ISA server and am now seeing the OWA HTML form requesting the username and RSA PIN.

    I have setup the RSA appliance and have created the node secret.

    When attempting to authenticate with OWA using RSA I can see from the RSA perspective that the PIN is accepted. I can see this from the Authentication Activity Monitor.

    The issue I have is that when authenticating I receive a "The page cannot be displayed" page - Error code: 500 Internal Server Error. The parameter is incorrect. (87)

    I assume that I've either got something wrong in the listener or on the IIS settings on the OWA virtual folder.

    I cant find a guide or list of what settings need to present with my particular configuration: ISA 2006, OWA 2003, IIS 6 (Server 2003)

    Any advice would be most appreciated.

    Thanks,

    Ben

    martedì 19 giugno 2012 15:52

Tutte le risposte

  • Hi,

    Thank you for the post.

    Please check the publishing rule, ensure “To” tab to match with Public name and set ISA delegation to “Basic Authentication” and see if it works.

    Regards,


    Nick Gu - MSFT

    mercoledì 20 giugno 2012 02:58
    Moderatore
  • Hi,

    This is a complex configuation, you could start from here: http://blogs.technet.com/b/isablog/archive/2008/10/29/walk-through-for-rsa-securid-delegation-for-isa-server-2006.aspx

    And to avoid any known issues, follow below 2 KBs:

    http://support.microsoft.com/kb/925165/en

    http://support.microsoft.com/kb/935206/en

    Regards,

    James Yi

    mercoledì 20 giugno 2012 07:03
  • Hi,

    Thanks for your replies.

    Nick, I checked the publishing rule and it was setup as you described.

    I've also taken a look at the two KB articles. My ISA server only has one NIC. I also am pretty sure that the RSA component is working fine. When authenticating against the OWA login page I can see from the RSA activity monitor if the attempt is successful or not. Entering a wrong RSA code will result in the OWA login page rejecting the authentication request.

    I have made the following changes since reading the articles suggested by James:

    On the Authentication Tab for the Listener on ISA I have removed the "Collect additional delegation credentials in the form" tick from the box. Users will not have Active Directory passwords (they are all PKI users) so do not want the Active Directory credentials box.

    In the Authentication Delegation Tab I have changed the authentication method from Basic Authentication to RSA SecurID. (Basic Authentication was no longer present after removing the "Collect additional delegation credentials in the form" tick from the box.)

    When I authenticate successfully now I get an OWA page saying that Authentication has been successfull and will be redirected.

    I then get "The page cannot be displayed" Error 403 Forbidden.

    It still looks like that somewhere either in the ISA rule or on the IIS permissions that something isnt configured correctly.

    Do I need to install any RSA components onto the Web server, in this case the Exchange Web Front End server? All I've done so far is to copy the sdconf.rec file to the ISA server and setup authentication from there.

    Thanks,

    Ben


    • Modificato BenBrazil mercoledì 20 giugno 2012 11:04
    mercoledì 20 giugno 2012 10:21
  • Congratualtions, you've made a good progress.

    I am not sure about RSA part, but I don't remember you need to install RSA components on web server.

    At least, you should successfully use "sdtest.exe" to test authentication from ISA to RSA authen manager

    http://blogs.technet.com/b/isablog/archive/2008/02/07/walk-through-for-rsa-securid-authentication-for-isa-server-2006-part-2-isa-array-members-preparation.aspx

    "When I authenticate successfully now I get an OWA page saying that Authentication has been successfull and will be redirected", I guess, you made the redirection on CAS side to http://xxx, you could try to modify the redirection to "http://xxxx/exchange" , or you could type http://xxxxx/exchange from external IE brower.


    • Modificato JamesYi giovedì 21 giugno 2012 01:40 other
    giovedì 21 giugno 2012 01:40
  • Hi,

    thanks for the reply.

    From what I've been reading, if you want to have just RSA authentication without AD credentials you need to install the RSA web authentication agent of the IIS front end server. I've installed this on the front end server and have secured the website using RSA. When I access OWA from the front end server, ie not through the ISA, I receive an RSA login page. I can successfully authenticate with RSA and get to OWA.

    However if I attempt to login though the ISA I still get the ISA authentication page and again can successfully authenticate with RSA. After this I get the page cannot be displayed error. A Wireshark trace on the front end server shows that no traffic is received from the ISA server when using RSA authentication. However, when using LDAP authentication through the ISA I am able to authenticate and get to OWA. There must be something wrong with the rules on the ISA. All I am changing though on the ISA is the authentication method and not any redirection. We do use an additional rule on the ISA to redirect the traffic to /exchange. I have tried changing the authentication method on this rule to RSA but still have no luck.

    Any advice on what to do next would be appreciated.

    Thanks,

    Ben

    giovedì 21 giugno 2012 20:10