When an external user tries to access OWA that is published in ISA Server 2006 or in Windows Essential Business Server 2008, the user does not receive the OWA forms-based authentication page

This article has been archived. It is offered "as is" and will no longer be updated.
Symptoms
When an external user tries to access the Microsoft Office Outlook Web Access (OWA) Web site, the user receives an RSA SecurID authentication form. Then, the user sends the correct credentials in the RSA form to Microsoft Internet Security and Acceleration (ISA) Server 2006 or to Windows Essential Business Server 2008. However, the user does not receive an OWA forms-based authentication page.

Note This problem also occurs when you use other validation methods. For example, when you use the Windows (Active Directory) validation method, this problem occurs.

This problem occurs if the following conditions are true:
  • Microsoft Exchange Server 2003 is configured to use OWA forms-based authentication.
  • OWA is published in ISA Server 2006 or in Windows Essential Business Server 2008.
  • In the Web listener that the OWA Web publishing rule uses, the HTML Form Authentication authentication method and the RSA SecurID authentication method are configured.
  • In the OWA Web publishing rule, the Authentication Delegation option is set to No delegation, but client may authenticate directly.
Cause
This problem occurs because of a design change in ISA Server 2006 or in Windows Essential Business Server 2008.
Resolution
Note You can only use this resolution if following conditions are true:
  • You publish Exchange Server 2003 OWA in ISA Server 2006 or in Windows Essential Business Server 2008.
  • You publish OWA by using a standard Web publishing rule instead of by using the New Exchange Publishing Rule Wizard.
  • The publishing rule does not enable Single Sign-On (SSO).
  • In the HTTP configuration of the OWA Web publishing rule, the Verify normalization option is disabled.
To resolve this problem, apply a hotfix package, and then run a Microsoft Visual Basic script on the computer that is running ISA Server 2006 or Windows Essential Business Server 2008. To do this, follow these steps:
  1. Apply the hotfix package that is described in the following Microsoft Knowledge Base article:
    937103 Description of the Internet Security and Acceleration Server 2006 hotfix package that is dated May 14, 2007
  2. Start Notepad.
  3. Copy the following script into a Notepad file.
    ' Copyright (c) Microsoft Corporation. All rights reserved.' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS' HEREBY PERMITTED.Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"Const SE_VPS_NAME = "EnableHotfix935206"Const SE_VPS_VALUE = trueSub SetValue()    ' Create the root obect.    Dim root  ' The FPCLib.FPC root object    Set root = CreateObject("FPC.Root")    'Declare the other objects needed.    Dim array       ' An FPCArray object    Dim VendorSets  ' An FPCVendorParametersSets collection    Dim VendorSet   ' An FPCVendorParametersSet object    ' Get references to the array object    ' and the network rules collection.    Set array = root.GetContainingArray    Set VendorSets = array.VendorParametersSets    On Error Resume Next    Set VendorSet = VendorSets.Item( SE_VPS_GUID )    If Err.Number <> 0 Then        Err.Clear        ' Add the item        Set VendorSet = VendorSets.Add( SE_VPS_GUID )        CheckError        WScript.Echo "New VendorSet added... " & VendorSet.Name    Else        WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value(SE_VPS_NAME)    End If    if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then        Err.Clear        VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE        If Err.Number <> 0 Then            CheckError        Else            VendorSets.Save false, true            CheckError            If Err.Number = 0 Then                WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"            End If        End If    Else        WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"    End IfEnd SubSub CheckError()    If Err.Number <> 0 Then        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description        Err.Clear    End IfEnd SubSetValue
  4. Save the file as a Visual Basic script file by using the .vbs file name extension. For example, save the file by using the following name:
    Enable_935206.vbs
  5. Copy the Enable_935206.vbs file to the computer that is running ISA Server 2006 or Windows Essential Business Server 2008, and then double-click the file.

Hotfix removal information

Important Before you remove the hotfix that is mentioned in this article, you must run the following script.
' Copyright (c) Microsoft Corporation. All rights reserved.' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS' HEREBY PERMITTED.Const SE_VPS_GUID = ""{143F5698-103B-12D4-FF34-1F34767DEabc}""Const SE_VPS_NAME = ""EnableHotfix935206""Const SE_VPS_VALUE = falseSub SetValue()    ' Create the root obect.    Dim root  ' The FPCLib.FPC root object    Set root = CreateObject(""FPC.Root"")    'Declare the other objects needed.    Dim array       ' An FPCArray object    Dim VendorSets  ' An FPCVendorParametersSets collection    Dim VendorSet   ' An FPCVendorParametersSet object    ' Get references to the array object    ' and the network rules collection.    Set array = root.GetContainingArray    Set VendorSets = array.VendorParametersSets    On Error Resume Next    Set VendorSet = VendorSets.Item( SE_VPS_GUID )    If Err.Number <> 0 Then        Err.Clear        ' Add the item        Set VendorSet = VendorSets.Add( SE_VPS_GUID )        CheckError        WScript.Echo ""New VendorSet added... "" & VendorSet.Name    Else        WScript.Echo ""Existing VendorSet found... value- "" &  VendorSet.Value(SE_VPS_NAME)    End If    if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then        Err.Clear        VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE        If Err.Number <> 0 Then            CheckError        Else            VendorSets.Save false, true            CheckError            If Err.Number = 0 Then                WScript.Echo ""Done with "" & SE_VPS_NAME & "", saved!""            End If        End If    Else        WScript.Echo ""Done with "" & SE_VPS_NAME & "", no change!""    End IfEnd SubSub CheckError()    If Err.Number <> 0 Then        WScript.Echo ""An error occurred: 0x"" & Hex(Err.Number) & "" "" & Err.Description        Err.Clear    End IfEnd SubSetValue     
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
More information
In the Applications Settings tab of the OWA Web publishing rule, the Published server logoff URL text box is empty. This behavior is not a problem. However, after you apply this hotfix, ISA Server or Windows Essential Business Server 2008 uses the following standard logoff URL:
?cmd=logoff
References
For more information about authentication in ISA Server 2006, visit the following Microsoft TechNet Web site:
Properties

Article ID: 935206 - Last Review: 01/16/2015 15:58:17 - Revision: 4.0

  • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
  • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
  • Microsoft Forefront Threat Management Gateway 2010 Enterprise
  • Microsoft Forefront Threat Management Gateway 2010 Standard
  • kbnosurvey kbarchive kbtshoot kbexpertiseinter kbprb KB935206
Feedback