With ISA server 2006 we have a feature called password change, which allows a user to change his password externally. This feature is available with forms-based authentication (FBA) on ISA server. It is most commonly used with OWA publishing and SharePoint publishing, where user authentication is done using forms-based authentication. I will start with the requirements for allowing password change using FBA through ISA server, then discuss the configuration required on the ISA server, and finally the behaviour of the password change feature before and after ISA server 2006 SP1. First of all, the requirements.
Requirements
Certificates
ISA server needs an LDAPS (secure LDAP) connection to the domain controller in order to allow a password change. A secure SSL connection has its own requirements, and in this case they are as follows:
1. A server authentication certificate on the domain controller, whose subject name matches the FQDN of the domain controller; in our case it should be corpa06.corpa.local.
2. The certificate of the issuing certificate authority installed on the domain controller as well as on the ISA server, in the computer's trusted certificate authority store.
Ports
If there is a firewall between the ISA server and the domain controller, TCP port 636 must be open on that firewall. So we need the certificates and TCP port 636 open for the password change feature to work.
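The three requirements above can be checked from the ISA server side before enabling the feature. The script below is an added example, not part of the original post; it assumes the DC name corpa06.corpa.local from the post and, optionally, a PEM file holding the issuing CA certificate.

```python
"""Check the three LDAPS requirements above from the ISA server side:
TCP 636 reachable, certificate chain trusted, certificate issued to the
domain controller's FQDN. Added example, not from the original post; the
DC name corpa06.corpa.local is the one used in the post."""
import socket
import ssl
from typing import Optional


def names_in_cert(cert: dict) -> set:
    """DNS names a certificate (as returned by SSLSocket.getpeercert()) is
    issued to: subjectAltName DNS entries plus the subject commonName."""
    names = set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.add(value.lower())
    return names


def name_matches(cert: dict, fqdn: str) -> bool:
    """True only if the certificate is issued to exactly the DC's FQDN, which
    is what the password change feature needs (a short hostname is not enough)."""
    return fqdn.lower() in names_in_cert(cert)


def probe_ldaps(fqdn: str, ca_file: Optional[str] = None,
                port: int = 636, timeout: float = 5.0) -> dict:
    """Connect to fqdn:port over TLS and report each requirement separately.

    ca_file: PEM file holding the issuing CA certificate (the one the post says
    must be in the ISA server's trusted store); None uses the system store.
    """
    result = {"port_open": False, "chain_trusted": False, "name_matches": False}
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False           # the name check is done by name_matches()
    ctx.verify_mode = ssl.CERT_REQUIRED  # so it is reported separately from the chain
    try:
        with socket.create_connection((fqdn, port), timeout=timeout) as raw:
            result["port_open"] = True  # any firewall between ISA and DC passes 636/TCP
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                result["chain_trusted"] = True  # handshake verified the issuer
                result["name_matches"] = name_matches(tls.getpeercert(), fqdn)
    except OSError:
        # DNS failure, refused/filtered port, or a chain the CA store rejects
        # (ssl.SSLError is an OSError); whichever flag was not set stays False.
        pass
    return result


if __name__ == "__main__":
    import sys
    dc = sys.argv[1] if len(sys.argv) > 1 else "corpa06.corpa.local"
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    for check, ok in probe_ldaps(dc, ca).items():
        print(f"{check:14} {'OK' if ok else 'FAIL'}")
```

Run it as `python ldaps_check.py corpa06.corpa.local issuing-ca.pem` on the ISA server; a FAIL on chain_trusted points at the CA certificate store, a FAIL on name_matches at the certificate's subject name.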
Configuration On ISA Server
FBA with AD
I will use my OWA publishing post as the example, to keep this post as short as possible. We know that authentication is configured on the listener, under the Authentication tab. We configured FBA with Windows Active Directory for our OWA publishing rule. If we open the properties of the listener we see several tabs, one of which is Forms; under this tab we can enable the password change feature by checking its checkbox, as shown below.
After enabling the password change feature, when we try to access OWA we get the FBA page with an option to change the password, shown in the figure below.
If we check this box, as I have done above, we are redirected to the password change page after entering the user credentials on the FBA page, as shown below.
On the password change page we can change the password. This is how it is supposed to work, and it does work that way. But due to certain security requirements this behaviour was altered after ISA server 2006 SP1, and we need to follow certain steps to get it to work.
FBA With LDAP
In this scenario the password change feature is enabled by checking the same checkbox under the Forms tab (Allow users to change their passwords) as was done and shown in the FBA with AD scenario above. We need to configure an LDAP server set for LDAP authentication; its explanation and implementation are beyond the scope of this post, but you can refer to http://technet.microsoft.com/en-us/library/bb794854.aspx#AppendixB and http://technet.microsoft.com/en-us/library/bb794854.aspx#LDAPsrv. After doing that, choose FBA with LDAP under the Authentication tab of the listener,
and the LDAP server set should be configured as shown below (the following settings are as per my own setup, from the OWA post).
In the above figure, for password change to work we clear the checkbox that uses the global catalog, check the box that uses a secure connection to connect to the LDAP servers, and then add the credentials of a domain user in the edit box provided.
What are we doing here? We are disabling the use of the global catalog, using a secure LDAP connection, and configuring a domain account to bind to the LDAP server so that password change is allowed.
Once we have configured this we are ready to allow users to change their password using LDAP authentication as well.
Password change feature and SP1
FBA with LDAP
The password change feature existed in ISA server 2006, but after installing ISA server 2006 SP1 I saw scenarios where FBA with LDAP is the authentication method on the listener and the user is configured on the domain controller to change password at next logon, yet when that user logs on using FBA and checks the box to change password, he is not redirected to the password change form. To resolve this we need to run the script mentioned in http://support.microsoft.com/kb/957859 after installing the hotfix package mentioned in that article. This issue occurred where FBA was used with LDAP authentication. The change in SP1 was made to prevent certain authentication attacks. You can visit http://technet.microsoft.com/en-us/library/cc514301.aspx for more information about the changes in Service Pack 1.
Another important point about FBA with LDAP after SP1: if the user's password has expired and the user logs on using the FBA page without checking the change password checkbox, he will not be redirected to the password change form, because the LDAP provider has no way to detect that the password has expired. So a user whose password has expired and who wants to change it must check the password change checkbox on the FBA page to get the password change form.
FBA with Windows Active Directory
After SP1, if a user's password has expired and he tries to log on using FBA, ISA server validates the user, finds that the password has expired, and redirects the user to the password change form, where the user can change the password.
ISA server 2006 has LDAP authentication, which is used when the ISA server is not part of the domain and needs to authenticate users against an LDAP server (a domain controller) to provide access to the various services published through ISA server, e.g. Exchange services, SharePoint, web publishing. When ISA server only needs to authenticate users using LDAP authentication, plain LDAP is sufficient. But if you are publishing a service like OWA with FBA and LDAP authentication and want to use the password change feature provided with FBA, you need an LDAPS connection to the domain controller. For an LDAPS connection we need a server authentication certificate installed on the domain controller, and the issuing certificate authority's certificate installed on both the domain controller and the ISA server.
In this post I will discuss how to generate a server authentication certificate to be installed on the domain controller. The name of my lab domain controller is corpa06.corpa.local, and we need to generate a certificate issued to this name.
I have my CA installed on the domain controller itself. So to generate a server authentication certificate I open a browser on the domain controller and open the URL http://localhost/certsrv, which gives the following window.
Then click on the Request a certificate link and you get the following page.
Click on Advanced certificate request and we get the following page.
Click on Create and submit a request to this CA and we get the following page.
Change the certificate template to Web Server, with the private key exportable, as shown below.
Also fill in the values corresponding to your organisation. The most important part is the Name field; I have entered corpa06.corpa.local, which is my domain controller's name, and filled the other fields with example values. Next check the boxes Mark keys as exportable and Store certificate in the local computer certificate store, and then enter a certificate friendly name, as shown below in the second part of the above page.
Then click on Submit and you get a prompt asking whether you want to request the certificate now; click Yes. Mine is an enterprise CA, so my certificate was issued immediately; otherwise you need to go to the CA and issue the certificate from there. After the certificate is issued you get the following page.
Then click on Install this certificate; it first prompts whether we want to add the certificate. Say Yes and it installs the certificate in the computer Personal store on the domain controller. This can be verified in the Certificates MMC, as shown below (highlighted certificate).
If we double-click on this certificate we see the following window,
which shows the certificate issued to the domain controller for server authentication. Let us also look at the certification path,
which shows the issuing certification authority and the name of the server to which the certificate is issued.
So this is how we generate a server authentication certificate to be used for the LDAPS connection required by the password change feature.
We know that we can configure the address ranges of the internal network on the ISA server using different methods, e.g. Add Adapter, Add Range, or Add Private with its three private range options.
But I would like to emphasize the first option, because it uses the routing table on the ISA server to create the address range. In other words, it adds those address ranges which ISA really knows to be on its internal network.
Let us say we have the following routing table on the ISA server.
Here we can see a persistent route for the 192.168.1.0 network, and we can also see that in order to reach this network ISA needs to send traffic to the 192.168.0.10 router (next hop). In other words, ISA knows about this network and how to reach it. This is what we should have for the networks behind the ISA server that we want to configure as the ISA server's internal network, i.e. routes on the ISA server to all the networks behind it.
So let's go ahead and add address ranges using the Add Adapter option. Open the internal network properties
and go to the Addresses tab,
then click on the Add Adapter button and you get the following screen.
In this screen we can see the NICs listed, both internal and external. If we highlight a NIC we can see the routing information for that NIC. Choose the internal NIC, in this case CorpA; when we highlight it we can see the address range as per the routing table on the ISA server.
As a result we see the above address range as the internal network of the ISA server. Now let me explain why I, or anyone, would prefer this approach.
Let us now assume that we do not have the persistent route in the routing table above. Then, instead of using the Add Adapter button, we use the Add Range button and add the range 192.168.0.0-192.168.1.255. After using this approach we will start getting alerts saying that we have an address range for which there is no route through the internal network card, and that packets from that range will be dropped as spoofed. That is exactly what happens: packets from that network are dropped as spoofed.
In order to avoid such a misconfiguration and its effects, we can use the approach discussed at the start, which ensures that we define as internal only those networks for which we have routes on the ISA server.
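The check ISA performs here can be reproduced offline from a `route print` dump: derive the Add Adapter ranges for a NIC from the routing table, then see which part of a manually added range no route covers. This is an added example, not from the original post; the routing table is constructed to match the post's scenario (internal NIC 192.168.0.1, persistent route to 192.168.1.0 via 192.168.0.10), and the external NIC address 203.0.113.5 is made up.

```python
"""Derive ISA 'Add Adapter' style address ranges from the Windows routing table
and flag the part of a manually added range that no route covers (the range
ISA would raise spoofing alerts for). Added example, not from the original post;
the route print output is constructed for the post's scenario."""
import ipaddress
import re

# Constructed `route print` output: internal NIC 192.168.0.1, external NIC
# 203.0.113.5, and the persistent route to 192.168.1.0/24 via the 192.168.0.10 router.
ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1     203.0.113.5      10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0      192.168.0.1     192.168.0.1      10
      192.168.0.1  255.255.255.255        127.0.0.1       127.0.0.1      10
      192.168.1.0    255.255.255.0     192.168.0.10     192.168.0.1       1
      203.0.113.0    255.255.255.0      203.0.113.5     203.0.113.5      10
        224.0.0.0        240.0.0.0      192.168.0.1     192.168.0.1      10
  255.255.255.255  255.255.255.255      192.168.0.1     192.168.0.1       1
Default Gateway:       203.0.113.1
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
      192.168.1.0    255.255.255.0     192.168.0.10       1
"""

# destination, netmask, gateway, interface, metric
ROUTE_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
                      r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$")


def parse_routes(route_print):
    """Return (network, gateway, interface) tuples from the Active Routes table.
    Persistent Routes lines have only three addresses and are skipped; they
    already appear in the active table."""
    routes = []
    for line in route_print.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gw, iface, _metric = m.groups()
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append((net, ipaddress.ip_address(gw), ipaddress.ip_address(iface)))
    return routes


def adapter_networks(routes, interface_ip):
    """Networks ISA knows behind one NIC, the way Add Adapter builds them:
    every route leaving that interface except the default route, host routes
    and the multicast/broadcast entries."""
    iface = ipaddress.ip_address(interface_ip)
    nets = [net for net, _gw, via in routes
            if via == iface and net.prefixlen not in (0, 32) and not net.is_multicast]
    return list(ipaddress.collapse_addresses(nets))


def as_ranges(nets):
    """Render networks the way the Addresses tab shows them: 'start-end'."""
    return [f"{n[0]}-{n[-1]}" for n in nets]


def uncovered_parts(start, end, nets):
    """Parts of a manually added range start-end that no route on the adapter
    covers; traffic from these addresses would be dropped as spoofed."""
    todo = list(ipaddress.summarize_address_range(ipaddress.ip_address(start),
                                                  ipaddress.ip_address(end)))
    leftover = []
    while todo:
        chunk = todo.pop()
        if any(chunk.subnet_of(n) for n in nets):
            continue                        # fully routed, nothing to report
        inside = [n for n in nets if n.subnet_of(chunk)]
        if not inside:
            leftover.append(chunk)          # nothing routes here at all
            continue
        todo.extend(chunk.address_exclude(inside[0]))  # split and re-check
    return as_ranges(ipaddress.collapse_addresses(leftover))


if __name__ == "__main__":
    routes = parse_routes(ROUTE_PRINT)
    internal = adapter_networks(routes, "192.168.0.1")
    print("Add Adapter would produce:", as_ranges(internal))
    # Same manual range, but with the persistent route missing from the table.
    without = "\n".join(l for l in ROUTE_PRINT.splitlines()
                        if not l.lstrip().startswith("192.168.1.0"))
    internal2 = adapter_networks(parse_routes(without), "192.168.0.1")
    print("Spoof-dropped part of 192.168.0.0-192.168.1.255 without the route:",
          uncovered_parts("192.168.0.0", "192.168.1.255", internal2))
```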
This article shows how to configure the Kerberos constrained delegation (KCD) method for authentication delegation. We will use the OWA publishing post as the reference. This method is mainly used in scenarios where client SSL certificate authentication is used on the listener, as in such scenarios there is no way other than KCD to delegate the user credentials to the published server. In our case we are using forms-based authentication on the listener, and we have other ways to delegate the user credentials to the published server, such as basic authentication, as we have already done in the OWA publishing post. But we can use Kerberos constrained delegation as well; I am doing this to show what is required to configure KCD if we want to.
The real action starts at the domain controller, where we have our ISA server's computer object, as shown below. Open its properties,
go to the Delegation tab as shown below, choose the third option, "Trust this computer for delegation to specified services only", and under it choose "Use any authentication protocol".
Then click on the Add button and you get the following window.
Click on Users or Computers, type the CAS server's name, click Check Names and then OK.
We get the following window.
Choose the service http and click OK, and we have the following window.
Apply and save the settings.
Then we register the SPN for this service on the CAS server using the setspn command. Open the Windows Support Tools command prompt and run: setspn -A http/corpa08 corpa08
Here I used the NetBIOS name of the CAS server for the SPN registration; we can also use the FQDN. You can then use the command setspn -L corpa08 to see the SPNs registered for corpa08, as shown below.
Then we change our OWA publishing rule to use Kerberos Constrained Delegation as the authentication delegation method. We also need to configure the SPN used by the ISA server for Kerberos constrained delegation; in this case it is http/corpa08.
The rest of the authentication in our existing rule stays the same; the listener shows we are using FBA with AD, as shown below.
For users we have all authenticated users.
Now let's go ahead and test this from an external client machine, as shown below,
and here we are with our inbox.
I know you won't see any emails, as this user has received none yet.
I have come across many scenarios where admins were not sure how to do address assignment for their VPN clients with ISA server 2006 as the VPN server. So I thought I would clear the air on this topic.
Note: for those still wondering what address assignment is, it is the assignment of IP addresses to the VPN clients that make VPN connections.
We have only two ways to do address assignment for VPN client access:
a. Use internal DHCP server.
b. Use static pool of IP addresses.
DHCP server.
When we use the DHCP server option, a slice of the internal network subnet is used for VPN clients; in such scenarios internal network machines and VPN clients are part of the same subnet and there are no routing issues. But in that case you have to remove the slice given to VPN clients from the internal network address range in the ISA server's internal network properties. The best way to do that is to follow my post http://blogs.technet.com/sooraj-sec/archive/2009/12/04/setting-internal-network-address-ranges-as-per-the-routing-table-on-the-isa-server.aspx to create your internal network after configuring DHCP for VPN client address assignment, as it will only use the addresses available to the internal network.
Static pool.
In this scenario let's assume our internal network is 192.168.0.0-192.168.0.255 and you want to use the static pool option. Then you have two ways to go about it.
1. Exclude the IP range you are going to assign to VPN clients from the internal network address range. Let us say we are going to use 192.168.0.15-192.168.0.50 for VPN clients; then we have to exclude this range from the internal network addresses, and the internal network address range becomes 192.168.0.0-192.168.0.14 and 192.168.0.51-192.168.0.255.
2. Use an altogether different range for VPN clients, e.g. 10.0.0.0-10.0.0.25. ISA server has a default network rule that provides a route relationship between the VPN Clients network and the internal network. But for this to work, internal network clients must use the ISA server as the route to send traffic back to these VPN clients.
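The exclusion in option 1 is easy to get wrong by hand when the internal network is made of several ranges or the pool only overlaps one end of a range. The helper below is an added example, not from the original post; it uses the post's own ranges and also reports when a pool lies entirely outside the internal network (option 2), where nothing is excluded but the return route matters.

```python
"""Carve a static VPN pool out of the ISA internal network address ranges
(option 1 above) and detect the option 2 case where the pool is a separate
range. Added example, not from the original post; ranges are the post's own."""
import ipaddress


def parse_range(text):
    """'start-end' in ISA's Addresses tab notation -> (start, end) addresses."""
    start, end = text.split("-")
    return ipaddress.ip_address(start.strip()), ipaddress.ip_address(end.strip())


def exclude_pool(internal_ranges, pool):
    """Subtract the VPN pool from each internal range and return what remains
    in 'start-end' notation. Ranges the pool does not touch are kept as they
    are; a pool overlapping one end of a range trims that end; a pool covering
    a whole range removes it."""
    p_start, p_end = parse_range(pool)
    if p_start > p_end:
        raise ValueError(f"pool {pool} has start after end")
    remaining = []
    for r in internal_ranges:
        r_start, r_end = parse_range(r)
        if p_end < r_start or p_start > r_end:
            remaining.append(f"{r_start}-{r_end}")      # no overlap, untouched
            continue
        if r_start < p_start:
            remaining.append(f"{r_start}-{p_start - 1}")  # part below the pool
        if p_end < r_end:
            remaining.append(f"{p_end + 1}-{r_end}")      # part above the pool
    return remaining


def pool_is_separate(internal_ranges, pool):
    """True when the pool lies entirely outside the internal ranges (option 2):
    nothing needs excluding, but internal hosts must route the pool's
    addresses back through the ISA server."""
    untouched = [f"{s}-{e}" for s, e in map(parse_range, internal_ranges)]
    return exclude_pool(internal_ranges, pool) == untouched


if __name__ == "__main__":
    internal = ["192.168.0.0-192.168.0.255"]
    for pool in ("192.168.0.15-192.168.0.50", "10.0.0.0-10.0.0.25"):
        if pool_is_separate(internal, pool):
            print(f"{pool}: separate range, keep internal as is, check return route")
        else:
            print(f"{pool}: internal becomes {exclude_pool(internal, pool)}")
```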
Pass-through authentication, or bypassing authentication on the ISA server, is used in cases where admins want authentication to happen only on the published server. To elaborate, I will once again take the example of my OWA publishing post (please refer to it if you are not familiar with it). In my OWA publishing post I use FBA (forms-based authentication) on the listener, in the publishing rule the users are All Authenticated Users, and the authentication delegation is basic authentication. Let me explain again what that means, so that you know what you have asked ISA to do with these attributes. You told ISA to present the user with the FBA page when he wants to access OWA, and then to authenticate him using the Windows Active Directory method (the domain controller of the domain); for more explanation, please refer to my post about authentication with ISA server. Once the user is authenticated, ISA forwards the credentials to the CAS server in basic authentication format, where the CAS server gets the user authenticated by the domain controller and then, after authentication, provides access to his inbox.
When we want to bypass ISA server authentication and want only our CAS server to authenticate the user, we configure the listener with No Authentication, as shown below,
and in the web publishing rule, under the Users tab, you have the following,
and the authentication delegation in the publishing rule as shown below.
Having set the rule and the listener as shown above, we have configured ISA not to authenticate the user and to let the CAS server authenticate him. This is how you configure pass-through authentication on the ISA server.
I have seen admins go for it in scenarios where they want to present the form from their CAS server to the user and do not want the ISA server form to be presented.
Some background on this:
I would like to mention an important point here: if you have configured your CAS server with FBA and you also configure the listener of the ISA server's OWA publishing rule to use FBA, this combination will not work. In such situations the recommendation is to use basic authentication on the CAS server and keep FBA on the ISA server. But then external users get the FBA page while accessing OWA, whereas internal network users get a basic authentication prompt for OWA access within the internal network. There are two options in this situation:
a. Configure the ISA server OWA publishing rule's listener to listen on the internal NIC for OWA requests, and point all internal machines (configure DNS name resolution on the internal DNS server) to the ISA server's internal NIC for OWA access (assuming you have two NICs on ISA, one internal and one external; for a single-NIC ISA server all that is required is to point OWA to the ISA server's NIC on the internal DNS server).
b. Keep forms-based authentication on the CAS server and configure pass-through authentication on the ISA server. But by doing that you have only single-point authentication, not two-point.
I remember another example where we can use it: websites on which we do not want to use any authentication, i.e. neither from the web server nor from the ISA server.
So it's a matter of choice, whichever way you want to go.
I will discuss authentication with ISA server 2006 in the reverse proxy scenario (publishing services, e.g. Exchange services like OWA, ActiveSync and Outlook Anywhere, or website publishing). ISA server can be configured to authenticate users trying to access the above services published through it. If ISA server is configured to authenticate a user, it validates the user against an authenticating server, e.g. a domain controller. Authenticating servers can be a domain controller, as mentioned, a RADIUS server, an RSA server, or an LDAP server (once again a domain controller, but LDAP authentication is used in this case).
So it looks like this:
Authenticating server(internal)-------ISA server<------(((((internet))))))----External User
Authentication methods
Different authentication methods are available on ISA server 2006:
And the authentication validation methods used are:
To simplify the explanation of how this fits together, let's take one combination into consideration, i.e. forms-based authentication with Windows Active Directory as the authentication validation method (one of the simplest and quite commonly used).
The Windows Active Directory method can be used when the ISA server is part of the domain of which the user is a member. So let's take the example of the OWA publishing discussed in my earlier post. A user who is a member of the domain wants to access OWA externally. He is on the internet, opens a browser on his machine and enters the public domain name used to access OWA, e.g. https://mail.corpa.com/owa; the request comes to the ISA server. ISA server sees which authentication method is selected; in this example we are using forms-based authentication, so ISA server presents the user with the forms-based authentication page. The user enters his domain credentials and submits them to the ISA server, which, knowing that the authentication validation method is Windows Active Directory, sends them to the domain controller of the domain. The domain controller validates the user and returns the validation result to the ISA server. Depending on this result, i.e. whether the user is valid or not, access is allowed to the user. After validation the user is able to see his inbox.
I have not discussed a component called "authentication delegation" in the above explanation, as it requires a separate, dedicated post, but for now let's remember that authentication delegation on the publishing rule is configured according to the authentication method used on the published server, in this case the authentication method on the OWA directory hosted on the CAS server, which is basic authentication in our case. So we used basic authentication for authentication delegation.
How does the above fit into our explanation of authentication for OWA access? It comes into the picture after the domain controller has validated the user: the user credentials are then forwarded by ISA server to the CAS server in basic authentication format for authentication by the CAS server. The CAS server gets the user validated by the domain controller and then, after validation, provides the inbox to the user. This completes the picture once authentication delegation is included. So what is happening here is that we are validating the user twice. First ISA server does the authentication (gets the validation done by an authenticating server, e.g. the domain controller). Then the CAS server does it (asks the domain controller to validate the user), i.e. "two-point authentication".
You can also bypass the ISA authentication and have the user validated only by the CAS server, making it one-point authentication, if you have such a requirement. I have seen many scenarios where administrators wanted that. I will explain how to configure pass-through authentication (i.e. bypassing authentication on ISA) on the ISA server in a separate post.
All other combinations have the above process in common, although the method of taking the user's credentials and the validating method and server would change. The process stays the same: ISA gets the request for access, looks at the method used to ask the user for credentials and then at the validation method, and accordingly sends the request to the authenticating server.
Authenticating servers also deserve an explanation, so let me explain briefly that each authenticating server has certain requirements so that it can validate the user. The Windows Active Directory method demands that the ISA server be part of the domain; similarly, other methods have their own requirements. The LDAP method requires creating an LDAP server set and using it to authenticate the user against the domain controllers. Depending on the existing resources and requirements, administrators choose which authentication validation method to use, e.g. if the ISA server is part of the domain you might use the Windows Active Directory method, but if it is not part of the domain you might go for LDAP authentication or RADIUS authentication, each with its own requirements. If you have an RSA server on your network you might use the RSA SecurID method, and, as I said, each method has its own requirements. I will write dedicated posts on each of them. That is how authentication on ISA server works.
ISA server and OWA publishing are like two best friends, and it is something most administrators like to configure on ISA server; in fact the same is true for other Exchange services like ActiveSync and Outlook Anywhere.
In this post I will explain OWA publishing.
Requirements:
Certificates for SSL connection
A. On CAS/Front End exchange server
As we are going to use an SSL connection for OWA access, we require a certificate to establish the SSL channel. We need to install a certificate on the CAS (IIS) server, bound to the default website and issued to the website name. Since the CAS (IIS) server is internal to the network and internal users would also access it, most probably using the internal name of the server, the better approach is to issue the certificate to the FQDN of the CAS server; in my case it is issued to CorpA08.corpa.local.
We need to install the root CA certificate on the CAS server in the computer's trusted certificate authority store.
Note: I am taking the straightforward route here, since I am not using a SAN certificate or wildcard certificates; moreover we are only focusing on OWA in this post. I will write another post about the possible combinations of certificates we can have on the CAS server.
B. On ISA server
We need to install a certificate on the ISA server issued to the website name; in this case it is issued to mail.corpa.com.
We need to install the root CA certificate on the ISA server in the computer's trusted certificate authority store.
In this walkthrough we first go through the OWA publishing wizard; where we need to create the listener for the web publishing rule we go through that, and then complete the publishing rule.
So we launch the OWA publishing wizard as shown below.
Choose Exchange Web Client Access Publishing Rule and we have the following screen.
Give the rule a name and move next; we are asked which services to select and the version of Exchange server.
In my case I am using Exchange Server 2007 and publishing OWA, so I chose Exchange Server 2007 and selected OWA; after selecting OWA the other options grey out.
Moving next we get the following.
Choose the first option, since we are not publishing a web farm, and move next.
Since we will use an SSL connection, choose the first option for SSL and move next.
Then enter the name (FQDN) of the CAS server as the internal site name and its IP address, then move next.
Then enter the public name we are going to use externally to access OWA, in my case mail.corpa.com, and move next.
Now we create the listener to be used in this publishing rule; click on New and we get the following screen.
Name the listener and move next.
Use SSL, since we are going to use an SSL connection.
Choose the External network, where we are going to listen for the OWA requests, and then click on the Select IP Addresses button to choose the IP address on the external NIC, as shown below.
Highlight the IP address and click the Add button to add it, as shown below.
Then click OK and we get the following screen to select the certificate to be used for the SSL connection.
Click Select Certificate and we get the following screen, where we choose the certificate corresponding to our public name for OWA, which is mail.corpa.com.
Then click Select and we see the following screen; move next.
We get the screen to choose the authentication method.
Since I am using forms-based authentication, I chose HTML Form Authentication with Windows (Active Directory), then move next.
Since we are not using single sign-on, uncheck the Enable SSO option and move next.
Then we get the listener completion screen; click Finish, and after choosing the newly created listener to be used in the rule we get the following screen; move next.
We get the authentication delegation screen, where we choose the authentication method according to the method used on the CAS server for OWA access; in our case we have basic on the CAS server, so we use Basic authentication. After choosing the method, move next.
On the Users page choose All Authenticated Users, as shown below, and move next.
Finally we get the completion page shown below.
Click Finish and we are ready to access OWA through the ISA server.
I recently worked on a case where an ISA server administrator wanted to run SCW (Security Configuration Wizard) on the ISA server. I created a lab to reproduce the scenario, so here is a walkthrough of running SCW on the ISA server. SCW is not installed by default on the ISA server (the Windows Server 2003 machine on which ISA server is installed), so we need to install it from Add/Remove Programs -> Windows Components. After installing SCW, a folder (msscw) is created at c:\windows\security. We then need to download the package for ISA server from http://www.microsoft.com/downloads/details.aspx?familyid=2748a927-bd3c-4d87-80fa-8687d5e2ab35&displaylang=en. This update adds the roles for ISA Server 2006 Standard Edition, ISA Server 2006 Enterprise Edition, and ISA Server Configuration Storage Server. After downloading it we run the package and extract the files from it. Then copy the two .xml files (isa.xml and isaloc.xml) to the c:\windows\security\msscw\kbs folder, but first take a backup of the existing files with the same names, then overwrite them.
Then copy the isascwhlp.dll file to the c:\windows\security\msscw\bin folder. After adding these files to their respective folders we can start the SCW wizard for ISA server.
Note: please take a backup of the server before performing these steps.
We start by going to Start -> Administrative Tools -> SCW; we see the following screen.
Click Next to proceed and we get the following screen.
In the above screen choose the first option, Create a new security policy, and move next; we get the following screen.
Enter the name of the server on which we are going to run SCW, in this case CorpA05, then move next.
Move next to configure SCW with role-based service configuration, i.e. only those services should be running that correspond to the server's role.
Then we get the following screen; choose only the ISA server role.
Then we choose the client features we need the ISA server to use; in my case I used the following (two screenshots).
Then choose the services you want to keep; in my case I chose the following (five screenshots).
Then the additional services; in my case the following services were there, and if you don't want a service you can uncheck it from the list.
Then we specify what to do with unspecified services; we have two options, either leave the startup mode of the service as it is or disable it. In my case I chose to disable such services.
Then verify the service changes below.
Then make sure we skip the following, as shown in the following screen.
Then we go to the following screen.
Then we get the following screen; keep the second option unchecked to save CPU cycles where CPU utilization is a constraint.
Then we define which method ISA uses to authenticate with remote computers; depending on how we want ISA to authenticate to the remote computers it connects to, we make this choice. In this case I chose domain accounts.
Then, for how outbound authentication should happen using domain accounts, keep both options checked.
Then, for inbound calls to the ISA server, we can uncheck both options shown below.
Then we get the registry changes summary, as below.
Then configure the audit policy.
Depending on our requirements we choose an option; in my case I chose the third option, to audit successful and failed activities.
Then we get the audit policy summary, as below.
Then we save the security policy, as below,
and we get the following screen, where we define the location where the policy is saved; we can use this policy on another similar ISA server as a baseline.
Then we get the following screen, where we can apply the policy now or later; in my case I applied it right there.
Then it starts getting applied.
Then finally we get the completion screen.
After completion you can reboot the machine and test connectivity and the existing functionality on the ISA server.
After applying the SCW policy, if you want to roll back the policy you can launch the SCW wizard again, as follows.
Then move next and choose the last option, Rollback.
Then move next and we get the following screen, where we choose the server (in our case the ISA server) from which we are going to roll back the policy.
Then we get the following screen, which explains that the last applied policy is going to be rolled back from the selected server.
Then we get the completion screen.
That's how our policy gets rolled back.