
Password Changes and Notification When the 2006 ISA Firewall uses LDAP Authentication

I’ve been playing with the 2006 ISA Firewall’s new LDAP authentication feature set and I have to admit that I’m impressed. The new feature solves a problem I’ve seen over the years that required a complex RADIUS network to be designed. That problem was how to pre-authenticate users at the ISA Firewall when those users belong to multiple domains which have no trust relationships with one another.

In ISA 2004, the solution was to install a RADIUS proxy and then configure policies that enabled the RADIUS proxy to forward the authentication requests to the appropriate RADIUS servers. The procedure isn’t documented anywhere and if you try to find useful information on how to configure RADIUS proxies and proxy policies on the www.microsoft.com web site, you’ll find yourself sad and disappointed.

The new LDAP pre-authentication support in the 2006 ISA Firewall solves this problem and makes supporting multiple domains behind the ISA Firewall very easy to configure. However, there is one tricky situation that you should know about, and that’s related to password management. The new ISA Firewall includes new support for password changing and password change notifications that appear right in the logon form. However, if you use LDAP authentication, you need to jump through a few hoops.

First take a look at the salient dialog box, as seen in the figure below:

In order to support password changes and password notification, you need to use LDAPS for a secure connection between the ISA Firewall and the domain controller. You also have to disable the Use Global Catalog (GC) setting.

For LDAPS to work, you need to install a machine certificate on the DC and then install the CA certificate of the CA that issued the DC’s machine certificate into the ISA Firewall’s Trusted Root Certification Authorities machine certificate store. This isn’t too terribly difficult, but if you’re not aware of the situation you’ll wonder what happened with password management for your OWA users.
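A pre-flight check for that LDAPS link, added here as an example (it is not code from the original post): run from the ISA Firewall host after importing the issuing CA’s certificate, it confirms the DC answers on 636, that the certificate chains to a trusted root on this machine and matches the DC name, and that it carries the Server Authentication EKU. `$DcFqdn` is a placeholder for your own DC.

```powershell
# Added example, not from the original post. $DcFqdn is a placeholder; replace it with
# the FQDN you will enter for the DC in the ISA Firewall's LDAP server set.
param([string]$DcFqdn = "dc1.corp.example", [int]$Port = 636)

$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($DcFqdn, $Port)   # fails if the DC has no machine certificate and so no LDAPS listener
} catch {
    Write-Error "No listener on ${DcFqdn}:${Port} - is a machine certificate installed on the DC?"
    return
}

# No custom validation callback: the .NET default validator uses this machine's certificate
# stores, which is what the ISA Firewall relies on too. Chain or name problems raise an exception.
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($DcFqdn)
} catch [System.Security.Authentication.AuthenticationException] {
    Write-Error ("TLS handshake rejected: " + $_.Exception.Message +
        ". Check that the issuing CA is in Trusted Root Certification Authorities " +
        "and that the DC certificate name matches $DcFqdn.")
    $tcp.Close()
    return
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

# LDAPS requires a certificate usable for Server Authentication (OID 1.3.6.1.5.5.7.3.1).
$serverAuthOid = "1.3.6.1.5.5.7.3.1"
$hasServerAuth = $false
foreach ($ext in $cert.Extensions) {
    if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
        $hasServerAuth = [bool]($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
    }
}

New-Object PSObject -Property @{
    DC            = $DcFqdn
    Subject       = $cert.Subject
    Issuer        = $cert.Issuer
    Expires       = $cert.NotAfter
    DaysLeft      = ($cert.NotAfter - (Get-Date)).Days
    ServerAuthEKU = $hasServerAuth
}

$ssl.Dispose()
$tcp.Close()
```

If `ServerAuthEKU` comes back `False` or `DaysLeft` is small, password changes through the logon form will stop working even though plain LDAP on 389 still answers.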

This week I’m starting a multipart series on how to make this all work by showing you how to pre-authenticate users that are trying to connect to two different Exchange Servers located behind an ISA Firewall. Each Exchange Server will belong to a different domain, the domains don’t trust each other, and LDAP authentication will be used at the ISA Firewall to pre-authenticate the incoming connections.

I hope you like the series and that it helps you get your ISA Firewall deployment done more quickly and easily. Remember, no other solution can protect your Exchange Servers better than an ISA Firewall! And you can take that to the bank :)

HTH,

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org

Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7

Email: tshinder@isaserver.org

MVP — ISA Firewalls

3 Responses to “Password Changes and Notification When the 2006 ISA Firewall uses LDAP Authentication”

  1. Giuliano Says:

    September 5th, 2007 at 3:27 pm

    The one thing Microsoft does not clearly say about LDAP Authentication is that it’s *** limited to web publishing ***.
    It would be great to be able to provide outbound web access to multiple untrusted domains.

    In the following paper it’s not clear: www.microsoft.com/technet/isa/2006/authentication.mspx.

    You have to discover it by yourself when trying to insert LDAP in an access rule and then only find it among unsupported configurations, as you can extract from
    http://www.microsoft.com/technet/isa/2004/plan/uns...cation

    LDAP Authentication in ISA Server 2006
    - Problem: LDAP authentication is not supported in outbound Web access scenarios.
    - Cause: In ISA Server 2006, LDAP authentication is available only as an authentication method in reverse proxy Web publishing scenarios. LDAP authentication is not available in ISA Server 2004.
    - Solution: NO WORKAROUND.

    :_(

  2. Roberto Says:

    May 23rd, 2008 at 7:04 am

    We are now almost a year further. Has anyone ever found a workaround for LDAP authentication for outbound Web access scenarios?

    Need this solution very urgently

    Kind regards

  3. tshinder Says:

    May 23rd, 2008 at 7:06 am

    Hi Roberto,
    There is no way to use LDAP auth for outbound authentication. You’ll have to use RADIUS if you don’t want to use integrated Windows authentication.

    HTH,
    Tom
