Microsoft KB Archive/935206

= When an external user tries to access OWA that is published in ISA Server 2006, the user does not receive the OWA forms-based authentication page =

Article ID: 935206

Article Last Modified on 5/25/2007


APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2006 Standard Edition
 * Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition




SYMPTOMS
When an external user tries to access the Microsoft Office Outlook Web Access (OWA) Web site, the user receives an RSA SecurID authentication form. Then, the user sends the correct credentials in the RSA form to Microsoft Internet Security and Acceleration (ISA) Server 2006. However, the user does not receive an OWA forms-based authentication page.

Note: This problem also occurs when you use other validation methods. For example, this problem occurs when you use the Windows (Active Directory) validation method.

This problem occurs if the following conditions are true:
 * Microsoft Exchange Server 2003 is configured to use OWA forms-based authentication.
 * OWA is published in ISA Server 2006.
 * In the Web listener that the OWA Web publishing rule uses, the HTML Form Authentication authentication method and the RSA SecurID authentication method are configured.
 * In the OWA Web publishing rule, the Authentication Delegation option is set to No delegation, but client may authenticate directly.



CAUSE
This problem occurs because of a design change in ISA Server 2006.



RESOLUTION
Note: You can only use this resolution if the following conditions are true:
 * You publish Exchange Server 2003 OWA in ISA Server 2006.
 * You publish OWA by using a standard Web publishing rule instead of by using the New Exchange Publishing Rule Wizard.
 * The publishing rule does not enable Single Sign-On (SSO).
 * In the HTTP configuration of the OWA Web publishing rule, the Verify normalization option is disabled.

To resolve this problem, apply a hotfix package, and then run a Microsoft Visual Basic script on the computer that is running ISA Server 2006. To do this, follow these steps:

 1. Apply the hotfix package that is described in the following Microsoft Knowledge Base article:

    937103 Description of the Internet Security and Acceleration Server 2006 hotfix package that is dated May 14, 2007

 2. Start Notepad.
 3. Copy the following script into a Notepad file.

    ' Copyright (c) Microsoft Corporation. All rights reserved.
    ' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
    ' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
    ' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
    ' HEREBY PERMITTED.

    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
    Const SE_VPS_NAME = "EnableHotfix935206"
    Const SE_VPS_VALUE = true

    Sub SetValue

        ' Create the root object.
        Dim root ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")

        ' Declare the other objects needed.
        Dim array      ' An FPCArray object
        Dim VendorSets ' An FPCVendorParametersSets collection
        Dim VendorSet  ' An FPCVendorParametersSet object

        ' Get references to the array object
        ' and the vendor parameters sets collection.
        Set array = root.GetContainingArray
        Set VendorSets = array.VendorParametersSets

        On Error Resume Next
        Set VendorSet = VendorSets.Item( SE_VPS_GUID )

        If Err.Number <> 0 Then
            Err.Clear

            ' Add the item
            Set VendorSet = VendorSets.Add( SE_VPS_GUID )
            CheckError
            WScript.Echo "New VendorSet added... " & VendorSet.Name

        Else
            WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
        End If

        If VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then

            Err.Clear
            VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

            If Err.Number <> 0 Then
                CheckError
            Else
                VendorSets.Save false, true

                ' CheckError clears Err, so test the result of Save before calling it.
                If Err.Number = 0 Then
                    WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
                Else
                    CheckError
                End If
            End If
        Else
            WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
        End If

    End Sub

    Sub CheckError

        ' Report the pending error, if any, and then clear it.
        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If

    End Sub

    SetValue

 4. Save the file as a Visual Basic script file by using the .vbs file name extension. For example, save the file by using the following name:

 5. Copy the file to the computer that is running ISA Server 2006, and then double-click the file.
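To confirm afterward that the setting was stored, the following read-only check can be run on the same computer. It is an added example, not part of the Microsoft article or hotfix. It uses only the FPC objects, GUID, and parameter name that appear in the script above, and its exit codes are this example's own convention.

```vbscript
' Added example (not Microsoft's script): read-only check of the setting.
' The GUID and parameter name are copied from the script in this article.
Option Explicit

Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "EnableHotfix935206"

' Exit codes are this example's own convention (an assumption):
' 0 = parameter is True, 1 = not set to True, 2 = ISA configuration not readable.
WScript.Quit ReportState()

Function ReportState()
    Dim root, vendorSets, vendorSet, current, readFailed, result

    On Error Resume Next
    Set root = CreateObject("FPC.Root")
    Set vendorSets = root.GetContainingArray.VendorParametersSets
    If Err.Number <> 0 Then
        WScript.Echo "Cannot read ISA configuration: 0x" & Hex(Err.Number) & " " & Err.Description
        ReportState = 2
        Exit Function
    End If

    ' Item raises an error when the vendor parameters set does not exist.
    Set vendorSet = vendorSets.Item(SE_VPS_GUID)
    If Err.Number <> 0 Then
        WScript.Echo "Vendor parameters set " & SE_VPS_GUID & " not found."
        ReportState = 1
        Exit Function
    End If

    ' A missing parameter may raise an error or come back Empty; both mean "not set".
    current = vendorSet.Value(SE_VPS_NAME)
    readFailed = (Err.Number <> 0)

    ' Stop suppressing errors before branching: under On Error Resume Next a
    ' failing If condition falls through into the Then branch.
    On Error GoTo 0

    result = 1
    If Not readFailed Then
        If VarType(current) = vbBoolean Then
            If current Then result = 0
        End If
    End If

    If result = 0 Then
        WScript.Echo SE_VPS_NAME & " is set to True."
    Else
        WScript.Echo SE_VPS_NAME & " is not set to True."
    End If
    ReportState = result
End Function
```

Run it with cscript.exe so that the messages go to the console and the exit code is available to a calling batch file.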



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


MORE INFORMATION
In the Applications Settings tab of the OWA Web publishing rule, the Published server logoff URL text box is empty. This behavior is not a problem. However, after you apply this hotfix, ISA Server uses the following standard logoff URL:

?cmd=logoff
