When an external user tries to access the Microsoft Office Outlook Web Access (OWA) Web site, the user receives an RSA SecurID authentication form. Then, the user sends the correct credentials in the RSA form to Microsoft Internet Security and Acceleration (ISA) Server 2006 or to Windows Essential Business Server 2008. However, the user does not receive an OWA forms-based authentication page.
Note This problem also occurs when you use other validation methods. For example, when you use the Windows (Active Directory) validation method, this problem occurs.
This problem occurs if the following conditions are true:
- Microsoft Exchange Server 2003 is configured to use OWA forms-based authentication.
- OWA is published in ISA Server 2006 or in Windows Essential Business Server 2008.
- In the Web listener that the OWA Web publishing rule uses, the HTML Form Authentication authentication method and the RSA SecurID authentication method are configured.
- In the OWA Web publishing rule, the Authentication Delegation option is set to "No delegation, but client may authenticate directly".
This problem occurs because of a design change in ISA Server 2006 or in Windows Essential Business Server 2008.
Note You can use this resolution only if the following conditions are true:
- You publish Exchange Server 2003 OWA in ISA Server 2006 or in Windows Essential Business Server 2008.
- You publish OWA by using a standard Web publishing rule instead of by using the New Exchange Publishing Rule Wizard.
- The publishing rule does not enable Single Sign-On (SSO).
- In the HTTP configuration of the OWA Web publishing rule, the Verify normalization option is disabled.
To resolve this problem, apply a hotfix package, and then run a Microsoft Visual Basic script on the computer that is running ISA Server 2006 or Windows Essential Business Server 2008. To do this, follow these steps:
- Apply the hotfix package that is described in the following Microsoft Knowledge Base article:
  937103 (http://support.microsoft.com/kb/937103/) Description of the Internet Security and Acceleration Server 2006 hotfix package that is dated May 14, 2007
- Start Notepad.
- Copy the following script into a Notepad file.
' Copyright (c) Microsoft Corporation. All rights reserved.
' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
' HEREBY PERMITTED.

Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "EnableHotfix935206"
Const SE_VPS_VALUE = true

Sub SetValue()
    ' Create the root object.
    Dim root ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    ' Declare the other objects needed.
    Dim array ' An FPCArray object
    Dim VendorSets ' An FPCVendorParametersSets collection
    Dim VendorSet ' An FPCVendorParametersSet object
    Dim saveError ' Error number returned by the Save call

    ' Get references to the array object
    ' and the vendor parameters sets collection.
    Set array = root.GetContainingArray
    Set VendorSets = array.VendorParametersSets

    On Error Resume Next
    Set VendorSet = VendorSets.Item( SE_VPS_GUID )
    If Err.Number <> 0 Then
        Err.Clear
        ' Add the item
        Set VendorSet = VendorSets.Add( SE_VPS_GUID )
        CheckError
        WScript.Echo "New VendorSet added... " & VendorSet.Name
    Else
        WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
    End If

    ' Set the flag if it is missing or has a different value.
    If VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
        Err.Clear
        VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
        If Err.Number <> 0 Then
            CheckError
        Else
            VendorSets.Save false, true
            ' Record the result first, because CheckError clears Err.
            saveError = Err.Number
            CheckError
            If saveError = 0 Then
                WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
            End If
        End If
    Else
        WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
    End If
End Sub

' Report the pending error, if any, and clear it.
Sub CheckError()
    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If
End Sub

SetValue
- Save the file as a Visual Basic script file by using the .vbs file name extension. For example, save the file by using the following name:
Enable_935206.vbs
- Copy the Enable_935206.vbs file to the computer that is running ISA Server 2006 or Windows Essential Business Server 2008, and then double-click the file.
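To confirm that the change was saved, the following read-only check reports whether EnableHotfix935206 is set on the array. It is an added example, not part of the original Microsoft article, and uses only the FPC calls and constants from the script above. The file name Check_935206.vbs, the exit codes, and the assumption that the value reads back as a Boolean are choices made for this example.

```vbscript
' Added example (not from the Microsoft article): read-only check of the flag
' that Enable_935206.vbs writes. Suggested run: cscript //nologo Check_935206.vbs
Option Explicit

Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}" ' from the article's script
Const SE_VPS_NAME = "EnableHotfix935206"                     ' from the article's script

' Exit codes chosen for this example: 0 = enabled, 1 = not enabled, 2 = query failed.
Function CheckFlag()
    Dim root, isaArray, vendorSets, vendorSet, flag, enabled
    CheckFlag = 2
    On Error Resume Next

    ' Each step runs only if the previous one succeeded, so the first error is kept.
    Set root = CreateObject("FPC.Root")
    If Err.Number = 0 Then Set isaArray = root.GetContainingArray
    If Err.Number = 0 Then Set vendorSets = isaArray.VendorParametersSets
    If Err.Number <> 0 Then
        WScript.Echo "Cannot read the ISA configuration: 0x" & Hex(Err.Number) & " " & Err.Description
        Exit Function
    End If

    CheckFlag = 1
    Set vendorSet = vendorSets.Item(SE_VPS_GUID)
    If Err.Number <> 0 Then
        WScript.Echo "Vendor parameters set " & SE_VPS_GUID & " is not present on this array."
        Exit Function
    End If

    flag = vendorSet.Value(SE_VPS_NAME)
    If Err.Number <> 0 Then
        WScript.Echo SE_VPS_NAME & " is not defined in the vendor parameters set."
        Exit Function
    End If
    On Error GoTo 0

    ' Assumption: the value reads back as the Boolean that the article's script stored.
    enabled = False
    If VarType(flag) = vbBoolean Then enabled = flag
    If enabled Then
        CheckFlag = 0
        WScript.Echo SE_VPS_NAME & " is enabled."
    Else
        WScript.Echo SE_VPS_NAME & " is not enabled (stored value type: " & TypeName(flag) & ")."
    End If
End Function

WScript.Quit CheckFlag()
```

The check never calls Save, so it does not change the configuration; run it with cscript if the exit code is needed by a calling script.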
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
In the Applications Settings tab of the OWA Web publishing rule, the Published server logoff URL text box is empty. This behavior is not a problem. However, after you apply this hotfix, ISA Server or Windows Essential Business Server 2008 uses the following standard logoff URL:
?cmd=logoff
For more information about authentication in ISA Server 2006, visit the following Microsoft TechNet Web site: