Using the above configuration, your external OWA clients are able to successfully authenticate with ISA/TMG using their SecurID credentials and are able to connect to the internal OWA.
Next, you’d like to configure ActiveSync publishing. It is not uncommon for many administrators to simply use the existing OWA Web Listener and Publishing rule to configure ActiveSync publishing. Certificate, IP address and external name registration limitations are the most common reasons for making use of the existing OWA rule and listener when adding ActiveSync publishing. Most of the time, this is not an issue. As long as the following basic criteria are met:
However, after meeting the above criteria, you may find that the external ActiveSync clients are unable to connect and ISA/TMG may deny the connection attempt with error 12309:
Forms based authentication cannot be used by the ActiveSync client. By default, when form-based authentication cannot be used with a specific client, ISA Server requires Basic authentication instead. This is commonly referred to as “Fallback to Basic”. ISA/TMG makes the determination to fallback to basic by examining the User-Agent string presented by the client. If the User-Agent string is not accepted, ISA will challenge the client for Basic Credentials instead. However, ‘fallback to basic’ is not applicable when using Forms Based Authentication with a Validation Method of ‘RSA SecurID’, therefore the ActiveSync client will fail to authenticate with the ISA/TMG server.
For example, “Fallback to Basic” is applicable when the Forms Based Authentication validation method is ‘Windows (Active Directory)’. If the web listener is configured for Forms Based Authentication using the ‘Windows (Active Directory)’ validation method, ISA/TMG will “Fallback to Basic” and challenge the ActiveSync client for Basic credentials. The ActiveSync client will then provide Basic credentials to ISA/TMG. ISA/TMG will then validate the credentials and Delegate (provided the Publishing rules Delegation settings are set to Basic) the Basic credentials to the Exchange server.
ISA/TMG is unable to authenticate ActiveSync clients when the Web Listener is configured with Forms Based Authentication with the RSA SecurID Validation method.
NOTE: Please contact RSA support for details regarding the “RSA Web Agent” and how properly configure the “RSA Web Agent” software to authenticate ActiveSync client with SecurID.
Author Richard Barker - Sr Security Support Escalation Engineer, Microsoft CSS Forefront Security Edge Team
Gabriel Koren, Forefront Security Edge Test Team
I was looking for this information. Thanks for the clarification.
Are there any plans to get ISA/TMG to support RSA and basic authentication on the same listener/IP/DNS name?
Most companies prefer to use a single name for OWA, ActiveSync and Outlook Anywhere, although authentication requirements/methods may vary per service.
i have asmall question
can i use secureid with a 2 member array that are in a workgroup?
icurrently have ent array of isa 2006 with the users being prompt twice once for the secureid and then again at the front end ex 2003 servers(dont ask me why thats what the customer has)
and im not sure if workgroup array's will work with the rsa authetication form(single sign on) when they are not domain joined?
Yes You Can use RSA SecurID With Array that are in Workgroup.
Had a similar problem and got it working. In my case it's not about RSA SecurID, but FBA with normal Windows Authentication.
It's about the User-Agent property on the firewall, which actually has a *SonyEricsson* string in it mapped to xhtml, not basic(requiered for activesync). So instead of 401 code, the phone gets a 302 redirect to a form. So it nevers falls to baisc, because
it interprets the phone as a browser with form processing capabilities.
msdn.microsoft.com/.../ff826787(v=vs.85).aspx the property explained in detail
msdn.microsoft.com/.../ff826786(v=vs.85).aspx here you find the actual script to insert a new mapping, let's say a SonyEricssonJ108*.
like this: "cscript ericsson.vbs SonyEricssonJ108* Basic"
It's necessary to modify the order of the string with moveup property:
something like this: "cscript order.vbs 12" This moves up mapping number 12, to position 11. You have to move it to position 5 though, to take precedence over the existing generic SonyEricsson mapping.
To list the existing mappings:
So it's a Microsoft problem, at least when ISA and TMG are involved and you want to use FBA with fallback to basic(which is a common configuration nowadays for exchange publishing rule)