If you're going to be using FBA on the ISA server, then I believe you
need to disable forms-based authentication on both the Exchange 2003 FE
and 2010 CAS.

 

See here:

ISA 2006 SP1 Configuration with Exchange 2010

http://msexchangeteam.com/archive/2009/12/17/453625.aspx

 

These are from two different sections of the document, but they are what
I am basing my information on.

In addition if utilizing ISA Pre-Authentication, the Exchange 2003
Front-End Servers are configured as follows: 

1.      The /exchange OWA virtual directory has been configured with
Basic Authentication and/or Windows Integrated Authentication and not
Forms Based Authentication. 
2.      SSL is required.

7. If leveraging ISA Pre-Authentication, on Exchange 2010 CAS within the
"Internet Facing AD Site", you will disable forms-based authentication
by executing the following cmdlets: 

*       Set-OWAVirtualDirectory cas2010\OWA* -BasicAuthentication $true -WindowsAuthentication $true
*       Set-ECPVirtualDirectory cas2010\ECP* -BasicAuthentication $true -WindowsAuthentication $true
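
A read-only check for the state the steps quoted above aim for on the 2010 CAS (forms-based authentication off, Basic and/or Windows authentication on), added here as an example and not part of the message above or of the Microsoft article. `Test-PreAuthVdir` is a hypothetical helper name and the sample objects are constructed; the property names are the ones `Get-OwaVirtualDirectory` and `Get-EcpVirtualDirectory` return.

```powershell
# Added example: Test-PreAuthVdir is a hypothetical helper, not an Exchange cmdlet.
# It only reads properties; it changes nothing on the server.
function Test-PreAuthVdir {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$VirtualDirectory
    )
    process {
        $issues = @()
        # With ISA pre-authentication, ISA presents the logon form, so the
        # virtual directory behind it should not present a second one.
        if ($VirtualDirectory.FormsAuthentication) {
            $issues += 'FormsAuthentication is still enabled'
        }
        # ISA needs Basic and/or Windows Integrated to delegate the credentials.
        if (-not ($VirtualDirectory.BasicAuthentication -or
                  $VirtualDirectory.WindowsAuthentication)) {
            $issues += 'neither Basic nor Windows authentication is enabled'
        }
        New-Object PSObject -Property @{
            Server = $VirtualDirectory.Server
            Name   = $VirtualDirectory.Name
            Ready  = ($issues.Count -eq 0)
            Issues = ($issues -join '; ')
        } | Select-Object Server, Name, Ready, Issues
    }
}

# Constructed sample objects so the function can be tried without Exchange.
$sample = @(
    (New-Object PSObject -Property @{
        Server = 'cas2010'; Name = 'owa (Default Web Site)'
        FormsAuthentication = $true; BasicAuthentication = $false
        WindowsAuthentication = $false }),
    (New-Object PSObject -Property @{
        Server = 'cas2010'; Name = 'ecp (Default Web Site)'
        FormsAuthentication = $false; BasicAuthentication = $true
        WindowsAuthentication = $true })
)
$sample | Test-PreAuthVdir | Format-Table -AutoSize

# In the Exchange Management Shell, pipe the real objects instead:
#   Get-OwaVirtualDirectory -Server cas2010 | Test-PreAuthVdir
#   Get-EcpVirtualDirectory -Server cas2010 | Test-PreAuthVdir
```

Run it before and after the `Set-OWAVirtualDirectory` / `Set-ECPVirtualDirectory` change to confirm both directories report `Ready`.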

From: Glen Johnson [mailto:gjohn...@vhcc.edu] 
Sent: Friday, September 03, 2010 10:30 AM
To: MS-Exchange Admin Issues
Subject: RE: OWA Question during transition to Exchange 2010

 

Michael.

I enabled FBA on the 03 server.

Restarted IIS.

Went to OWA on the 10 server, entered credentials for an 03 user and it
just timed out.

That also broke owa access for folks out on the internet authenticating
through ISA to the 03 server.

FBA login is enabled on the ISA server.

Now this may or may not be important info.

We are using a wildcard cert from digicert, if that makes any
difference.

My biggest problem is figuring out where the problem is, ex 03, 10 or
the ISA.

Should FBA be enabled on both exchange servers and not on ISA?

I would have thought that FBA should be enabled on ISA and not on either
exchange server.

Any more pointers or suggestions appreciated.

Glen.

From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Thursday, September 02, 2010 2:21 PM
To: MS-Exchange Admin Issues
Subject: RE: OWA Question during transition to Exchange 2010

 

If you want pass-through auth to work (single-sign-in) you're going to
have to enable FBA on the 2003 server.

 

All your 2003 users are auth'ing through the 2010 server, right? That
is, when you connect to OWA, you get a 2010 OWA login screen. If your
mailbox is on the 2010 server, you stay on the 2010 server. If it's on
the 2003 server, you get redirected to the 2003 server. That's how it's
supposed to work...

 

Regards,

 

Michael B. Smith

Consultant and Exchange MVP

http://TheEssentialExchange.com

 

From: Glen Johnson [mailto:gjohn...@vhcc.edu] 
Sent: Thursday, September 02, 2010 2:14 PM
To: MS-Exchange Admin Issues
Subject: RE: OWA Question during transition to Exchange 2010

 

It isn't.

If I enabled that, what would happen when users connect via ISA with
FBA enabled on ISA?

I'm sure it was set up following some MS guide and I'd hate to break
something that has been working for so long.

 

From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Thursday, September 02, 2010 1:39 PM
To: MS-Exchange Admin Issues
Subject: RE: OWA Question during transition to Exchange 2010

 

Sounds like FBA isn't enabled on the 2003 server. It needs to be.

 

Regards,

 

Michael B. Smith

Consultant and Exchange MVP

http://TheEssentialExchange.com

 

From: Glen Johnson [mailto:gjohn...@vhcc.edu] 
Sent: Thursday, September 02, 2010 1:37 PM
To: MS-Exchange Admin Issues
Subject: RE: OWA Question during transition to Exchange 2010

 

Michael or anyone else.

Question re this procedure.

If using ISA between the 2 exchange servers and the big bad internet,
and so FBA is disabled on the exchange servers, can this work?

FBA is enabled on the ISA server.

It seems to almost work, 

If logging onto a 2003 account via the 2010 server owa url, I get
prompted to login twice, and after entering the credentials the second
time, I login fine.

Both exchange servers are single server setups.

Or is there a better way of doing this during the co-existence period?

Thanks.

Glen.

 

From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Wednesday, August 11, 2010 8:57 AM
To: MS-Exchange Admin Issues
Subject: RE: OWA Question during transition to Exchange 2010

 

If you correctly set up your Exchange 2010 server, it will redirect
Exchange 2003 users to the Exchange 2003 server.

 

A couple of excerpts from an article I had published earlier this year:

 

Next, configure the Exchange 2003 OWA URL that Exchange 2010 will use to
refer OWA clients whose mailboxes are hosted on the Exchange 2003
server, to that server. For this example, open an EMS session and enter:

 

Set-OWAVirtualDirectory Clark2008\OWA* `
-Exchange2003URL "https://legacy.clarksupport.com"

....

As mentioned earlier, Forms-Based Authentication (FBA) must be set on
the Exchange 2003 server for OWA to allow for seamless transfers from
the Exchange 2010 server.

 

Using the Certificates MMC or the Exchange 2010 EMC, you should now
export the SSL certificate that we created earlier in this article to a
PFX file (ensuring that you export the private key!). Copy the PFX file
to the Exchange 2003 server and import the key there, also using the
Certificates MMC.

 

Using the IIS Management Console, modify the properties of the Default
Web Site to use the new SSL key. This will allow the "old" Exchange to
accept both the legacy name (legacy.clarksupport.com in this example)
and the current name (mail.clarksupport.com in this example) until DNS
is updated. Once the update has happened, execute "iisreset" or reboot
the old server to begin using the new certificate.

....

 

Regards,

 

Michael B. Smith

Consultant and Exchange MVP

http://TheEssentialExchange.com

 

From: Chris Pohlschneider [mailto:chris.pohlschnei...@hollowayusa.com] 
Sent: Wednesday, August 11, 2010 8:38 AM
To: MS-Exchange Admin Issues
Subject: OWA Question during transition to Exchange 2010

 

We have a facility that is currently running Exchange 2003 SP2 with an
OWA site of mail.company.com in their own forest. This facility has a
trust to an Exchange 2010 Resource forest. The URL for this facility
points to their Exchange 2003 server to serve up the OWA requests. We
are moving mailboxes from Exchange 2003 to Exchange 2010 and would like
to keep the mail.company.com URL link the same for the users of this
facility. However, I am trying to figure out the best way to keep this
link working so that users can still go to one link, regardless of where
their mailbox is located and be able to sign in. Once all users are
moved over to the Exchange 2010 server, we are going to transition the
link to point to the Exchange 2010 server, but until then, I would like
to keep this link intact and not change anything during our transition.
I am trying to find some articles about this situation, but not really
coming up with anything that makes sense. Any input on this topic is
appreciated. 

 

Chris Pohlschneider

Holloway Sportswear

Network Administrator

chris.pohlschnei...@hollowayusa.com

937-494-2559

 

 

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist
