ActiveSync clients are unable to authenticate with ISA Server/Forefront TMG using SecurID

re: ActiveSync clients are unable to authenticate with ISA Server/Forefront TMG using SecurID

acolada — Fri, 12 Aug 2011 11:40:34 GMT

Greetings everyone.

Had a similar problem and got it working. In my case it's not about RSA SecurID, but FBA with normal Windows Authentication.

It's about the User-Agent property on the firewall, which actually has a *SonyEricsson* string in it mapped to xhtml, not basic(requiered for activesync). So instead of 401 code, the phone gets a 302 redirect to a form. So it nevers falls to baisc, because it interprets the phone as a browser with form processing capabilities.

forums.isaserver.org/.../tm.htm

msdn.microsoft.com/.../ff826787(v=vs.85).aspx the property explained in detail

msdn.microsoft.com/.../ff826786(v=vs.85).aspx here you find the actual script to insert a new mapping, let's say a SonyEricssonJ108*.

like this: "cscript ericsson.vbs SonyEricssonJ108* Basic"

It's necessary to modify the order of the string with moveup property:

msdn.microsoft.com/.../ff826798(v=vs.85).aspx

something like this: "cscript order.vbs 12" This moves up mapping number 12, to position 11. You have to move it to position 5 though, to take precedence over the existing generic SonyEricsson mapping.

To list the existing mappings:

msdn.microsoft.com/.../ff826793(v=vs.85).aspx

So it's a Microsoft problem, at least when ISA and TMG are involved and you want to use FBA with fallback to basic(which is a common configuration nowadays for exchange publishing rule)

Good luck.

re: ActiveSync clients are unable to authenticate with ISA Server/Forefront TMG using SecurID

NKJaiswal — Wed, 05 May 2010 13:22:05 GMT

Yes You Can use RSA SecurID With Array that are in Workgroup.

re: ActiveSync clients are unable to authenticate with ISA Server/Forefront TMG using SecurID

Itworkedinthelab — Thu, 29 Apr 2010 22:52:57 GMT

i have asmall question

can i use secureid with a 2 member array that are in a workgroup?

icurrently have ent array of isa 2006 with the users being prompt twice once for the secureid and then again at the front end ex 2003 servers(dont ask me why thats what the customer has)

and im not sure if workgroup array's will work with the rsa authetication form(single sign on) when they are not domain joined?

thanks

re: ActiveSync clients are unable to authenticate with ISA Server/Forefront TMG using SecurID

Kremersp — Tue, 20 Apr 2010 10:59:08 GMT

I was looking for this information. Thanks for the clarification.

Are there any plans to get ISA/TMG to support RSA and basic authentication on the same listener/IP/DNS name?

Most companies prefer to use a single name for OWA, ActiveSync and Outlook Anywhere, although authentication requirements/methods may vary per service.