Posts Tagged ‘ntlm’

How to configure Exchange 2007 and ISA with FBA and NTLM, without losing ActiveSync on the way

Basically we are here because we want to use Forms Based Authentication (FBA) for our Outlook Web Access (OWA) users in Exchange 2007, while still using NTLM/Kerberos authentication for Outlook Anywhere (OA), which in turn means fewer password prompts for the users, and all of this without killing our ActiveSync clients, since they only do Basic authentication.

Confused? Let me try to make it easier.

  • We prefer FBA for OWA; it is just nicer for the user to get a web page to log in to their OWA.
  • We prefer NTLM for OA; it gives fewer password prompts, and it is safer than Basic authentication, which sends the password itself on every request (protected only by the SSL tunnel) where NTLM sends a challenge/response.
  • We still want ActiveSync with Basic, but it fails if we use NTLM on the same connection, so we need to separate them.

ISA Rules

What is the solution? Well, it is rather simple: we configure each service to use the authentication we prefer, but we need to do some configuring of public DNS, public IPs and ISA to get all three authentication schemes to work at the same time. Basically, NTLM and Forms Based Authentication just do not mix. If you use FBA on a listener in ISA, it will always fall back to Basic authentication when the client does not support FBA (which is what lets ActiveSync share the OWA listener). It is not possible to use NTLM and FBA on the same ISA 2006 listener, so Outlook Anywhere needs its own public name, public IP and listener.

I have added screenshots of the important bits of the configuration at the bottom, and you should have all the required info to get it working, but you will need some basic knowledge of how to set up Exchange 2007, ISA 2006 with Exchange 2007, etc.
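As an added example (not the post's own configuration; its screenshots are not reproduced here), this is the Exchange Management Shell side of the split: OWA and ActiveSync on mail.sole.dk with Basic behind the ISA forms listener, Outlook Anywhere on autodiscover.sole.dk with NTLM. The server name MYSERVER01 and both host names follow the names used elsewhere on this page; that the ISA listener performs the forms authentication and delegates Basic credentials to the OWA virtual directory is an assumption about the ISA publishing rule, and the two ISA listeners themselves still have to be created in the ISA console.

```powershell
# Added example, not from the original post. Exchange 2007 Management Shell.
# Goal: each public name carries exactly one authentication scheme, so the
# ISA listener in front of it never has to mix NTLM with forms/Basic.
$server = "MYSERVER01"   # server name taken from the page; adjust to yours

# 1. Outlook Web Access, published on mail.sole.dk through the ISA FBA listener.
#    Assumption: ISA renders the form and delegates Basic credentials to the
#    virtual directory, so the vdir itself runs Basic. If you let Exchange render
#    the form instead, flip FormsAuthentication/BasicAuthentication.
Set-OwaVirtualDirectory -Identity "$server\owa (Default Web Site)" `
    -ExternalUrl "https://mail.sole.dk/owa" `
    -BasicAuthentication $true `
    -FormsAuthentication $false `
    -WindowsAuthentication $false

# 2. ActiveSync on the same listener. The FBA listener falls back to Basic for
#    non-browser clients, so the vdir takes Basic only; Integrated Windows auth
#    would try to negotiate NTLM and break the devices.
Set-ActiveSyncVirtualDirectory -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "https://mail.sole.dk/Microsoft-Server-ActiveSync" `
    -BasicAuthEnabled $true `
    -WindowsAuthEnabled $false

# 3. Outlook Anywhere on its own public name, IP and (non-FBA) ISA listener,
#    NTLM only, so Outlook never sees a password prompt.
Set-OutlookAnywhere -Identity "$server\Rpc (Default Web Site)" `
    -ExternalHostname "autodiscover.sole.dk" `
    -ClientAuthenticationMethod Ntlm

# IIS picks the new settings up after a reset.
iisreset /noforce

# Verify: every endpoint should report exactly the scheme its listener expects.
Get-OwaVirtualDirectory -Server $server |
    Select-Object Name, ExternalUrl, BasicAuthentication, FormsAuthentication, WindowsAuthentication
Get-ActiveSyncVirtualDirectory -Server $server |
    Select-Object Name, ExternalUrl, BasicAuthEnabled, WindowsAuthEnabled
Get-OutlookAnywhere -Server $server |
    Select-Object Name, ExternalHostname, ClientAuthenticationMethod
```

The three Get-* calls at the end are the check to run before touching ISA: if any endpoint still shows two schemes enabled, the listener split will not behave the way the post describes.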

How to fix missing PPTP Interfaces from RRAS console in ISA 2006 and stop a memory leak in the process

All PPTP VPN interfaces in ISA 2006 (SP1) disappeared from the Routing and Remote Access Service console. This was a cool problem, both because it was challenging and because of the unexpected results and solutions we found.

The first Google attempt at finding a solution told us to try the following workaround. Not recommended!

  • Run the following command: C:\> netsh int ip reset c:\resetlog.txt

Well, this might fix the problem here and now, but you might as well turn to the good old solution of restarting your server every time it fails, because this command will do the following.

  • Reset TCP/IP to its defaults: enable DHCP and remove all IP configuration on all interfaces.
    Not the smartest move on a server, and you are stuck with retyping all your settings.
  • Most likely the problem will reappear, since the reset does not fix the root cause.

Now looking deeper into the error, we started looking at event logs, with nothing there to help us (let us know if you had any useful info here for this error). Then we tried various other things, including looking at a snapshot of the memory usage (you can just open taskmgr.exe), and found something surprising: Wspsrv.exe was using more handles than all other processes on the machine combined. A memory leak! It has been several years since I ran into a memory leak; it used to be the most common problem for programmers to avoid, but I rarely see them any more.
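A Task Manager snapshot shows a high handle count but not whether it is still climbing. As an added example (not from the original post), this script samples the handle count and working set of the ISA firewall service over time and flags the leak signature: a count that only ever grows across the sampling window. The process name wspsrv comes from the post; the sample count, interval and growth threshold are assumptions to adjust for your load.

```powershell
# Added example, not from the original post. Sample handle/memory usage of the
# ISA firewall service (wspsrv.exe, named in the post) instead of eyeballing
# Task Manager once. Sampling parameters are assumptions for illustration.
$processName = "wspsrv"
$samples     = 12      # number of snapshots
$intervalSec = 300     # seconds between snapshots (12 x 5 min = 1 hour)
$threshold   = 1000    # net handle growth that we treat as suspicious

$history = @()
for ($i = 0; $i -lt $samples; $i++) {
    $proc = Get-Process -Name $processName -ErrorAction SilentlyContinue
    if (-not $proc) { Write-Warning "$processName is not running"; break }

    # Calculated properties keep this working on older PowerShell versions.
    $history += $proc | Select-Object `
        @{ n = "Time";    e = { Get-Date } }, `
        Handles, `
        @{ n = "WS_MB";   e = { [math]::Round($_.WorkingSet64 / 1MB, 1) } }

    if ($i -lt $samples - 1) { Start-Sleep -Seconds $intervalSec }
}

$history | Format-Table Time, Handles, WS_MB -AutoSize

# Leak heuristic: handles never fall back between samples AND net growth is large.
# A healthy service under bursty load rises and falls; a leak only rises.
$growth    = $history[-1].Handles - $history[0].Handles
$monotonic = $true
for ($i = 1; $i -lt $history.Count; $i++) {
    if ($history[$i].Handles -le $history[$i - 1].Handles) { $monotonic = $false }
}

if ($monotonic -and $growth -gt $threshold) {
    Write-Warning (("{0}: handles grew by {1} over {2} samples and never fell back; " +
                    "likely a handle leak") -f $processName, $growth, $history.Count)
} else {
    "No monotonic handle growth seen for $processName (net change: $growth)."
}
```

Run it from a scheduled task during normal business hours; a leak that is only visible after days of uptime needs a longer window and a smaller interval is pointless.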

How to install an SSL certificate backup file on Exchange 2007 and still have time for Facebook

The easiest way (I love easy!) to order and install an SSL certificate on Exchange 2007 is to order a SAN (Subject Alternative Name) certificate with AutoCSR, meaning you don't have to create a CSR yourself but instead get a certificate backup file (PKCS#12, .p12 or .pfx, containing both the certificate and its private key). You also save time with the SAN certificate because you use one certificate for all services and can move services from one domain to another within the certificate with no problems.

Make sure you get a SAN certificate including the full domain name(s) you use to access Outlook Web Access, Outlook Anywhere and Autodiscover, plus any internal server names that will use the certificate (usually free).

The Certificate you order should contain something like this:

  • mail.sole.dk and/or owa.sole.dk – for Outlook Web Access
  • autodiscover.sole.dk and any other e-mail domain you use with Autodiscover/OA.
  • MYSERVER01 and MyServer01.domain.local – and any other internal servername that will be using the certificate

Personally I set up servers to respond only to OWA and ActiveSync on the mail./owa. domain, and run all other services, such as Outlook Anywhere, on the autodiscover. address; this way I can use Forms Based Authentication/Basic on my OWA/ActiveSync website and NTLM on my other services. You can see more information about this in my previous posts here. Some people argue for and against having internal server names in the certificate, but I figure if they are free anyway, and might help, why not add them; and if security is so much of an issue that internal server names must not be revealed, you have other, much bigger problems anyway.

Now some simple commands to manipulate Exchange 2007 SSL certificates (borrowed from the Danish Exchange 2007 guide on FairSSL; I co-authored that manual).
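The post's own command list is not reproduced here. As an added example (not the post's or the FairSSL guide's code), this script imports the PKCS#12 backup file, checks that the certificate's SAN list actually covers every name from the list above before binding it, and only then enables it for IIS, which is what OWA, ActiveSync, Outlook Anywhere and Autodiscover use. The file path is an assumption; the host names are the ones from the list above.

```powershell
# Added example, not from the original post. Exchange 2007 Management Shell.
$pfxPath  = "C:\certs\mail.sole.dk.pfx"          # assumed path to the backup file
$required = @("mail.sole.dk", "owa.sole.dk", "autodiscover.sole.dk",
              "MYSERVER01", "MyServer01.domain.local")   # names from the list above

# Read the PFX password interactively so it never ends up in shell history.
$pfxPassword = Read-Host "PFX password" -AsSecureString

# Exchange 2007 takes the file path directly (later versions use -FileData).
$cert = Import-ExchangeCertificate -Path $pfxPath -Password $pfxPassword

# CertificateDomains holds the CN plus every SAN entry; compare case-insensitively.
$present = $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
$missing = $required | Where-Object { $present -notcontains $_.ToLower() }

if ($missing) {
    # Binding a certificate that lacks a name produces TLS name-mismatch errors
    # for that service, so stop here and get the certificate reissued instead.
    Write-Warning ("Certificate {0} lacks: {1}" -f $cert.Thumbprint, ($missing -join ", "))
    return
}

# Bind to IIS only; adding SMTP here would also replace the transport certificate.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS"

# Show what is now bound and when it expires.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, CertificateDomains, Services, NotAfter
```

The SAN check is the step worth keeping even if you type the import commands by hand: a certificate that is missing the autodiscover name installs without complaint and only fails when Outlook clients start getting name-mismatch warnings.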