Tuesday, June 24, 2008

How does ISA figure out which authentication to use?

So you have published your Exchange server and you are using forms-based authentication (FBA). But when you use Outlook Anywhere or ActiveSync (MSRPC), it bypasses FBA. Why does it do that, and how does that work?

Well, thanks to my coworker Claus-Ole Olsen, I got the question answered. ISA uses the User-Agent header/string to decide whether it will actually use FBA or not! You can also select different forms based on the value - for different device capabilities.

The ISA GUI tells you the rule uses FBA, but you cannot trust that on its own, because the User-Agent header changes which authentication the rule actually applies!

Read it all on TechNet: Microsoft Internet Security and Acceleration Server 2006, "Managing User-Agent Mappings", including scripts for viewing and setting the values.

If you want to avoid the VBScript, you can use PowerShell. This is Get-IsaUserAgentMapping.ps1:

param([switch]$pretty)

# Connect to the ISA Server COM root and get the array this server belongs to
$root = New-Object -ComObject FPC.Root
$isaArray = $root.GetContainingArray()

# Project each User-Agent mapping, translating FBAFormsType into a readable name
$mappings = $isaArray.RuleElements.UserAgentMappings |
    Select-Object PersistentName, UserAgent, Description, Enabled, @{n="FBAFormsType"; e={
        # For values, see http://technet.microsoft.com/en-us/library/bb794715.aspx
        switch ($_.FBAFormsType) { 0 {"HTML 4.01"} 1 {"cHTML"} 2 {"XHTML-MP"} 3 {"Basic"} }
    }}, Order

if ($pretty.IsPresent) {
    # Table view, sorted by mapping order
    $mappings | Sort-Object Order | Format-Table -AutoSize UserAgent, Description, Enabled, FBAFormsType, Order
}
else {
    # Raw objects for further pipeline processing
    $mappings
}


Adding and modifying is left as an exercise for yourself ;)
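
To check which mapping a particular client would hit, here is an added example (not from the original post or from TechNet) that resolves User-Agent strings against rows shaped like the script's output. It assumes mappings are tried in ascending Order and the first enabled wildcard match wins; the sample mappings, the client strings and the function name Resolve-UserAgentMapping are constructed for illustration.

```powershell
# Added example, not part of the original post.
# ASSUMPTION: mappings are tried in ascending Order, disabled mappings are
# skipped, and the first wildcard match wins. Check this against TechNet.

# Constructed sample rows shaped like the output of Get-IsaUserAgentMapping.ps1.
# On an ISA server use instead: $mappings = .\Get-IsaUserAgentMapping.ps1
$mappings = @(
    [pscustomobject]@{ UserAgent = '*MSRPC*';      Enabled = $true;  FBAFormsType = 'Basic';     Order = 1 }
    [pscustomobject]@{ UserAgent = '*ActiveSync*'; Enabled = $true;  FBAFormsType = 'Basic';     Order = 2 }
    [pscustomobject]@{ UserAgent = '*Phone*';      Enabled = $false; FBAFormsType = 'XHTML-MP';  Order = 3 }
    [pscustomobject]@{ UserAgent = '*Mozilla*';    Enabled = $true;  FBAFormsType = 'HTML 4.01'; Order = 4 }
)

# Hypothetical helper: return the mapping that would apply to one User-Agent.
function Resolve-UserAgentMapping {
    param(
        [Parameter(Mandatory = $true)][string]$UserAgent,
        [Parameter(Mandatory = $true)][object[]]$Mappings
    )
    foreach ($m in ($Mappings | Where-Object { $_.Enabled } | Sort-Object Order)) {
        # -like is case-insensitive and treats * and ? as wildcards
        if ($UserAgent -like $m.UserAgent) { return $m }
    }
    return $null  # no enabled mapping matched
}

# Constructed client strings to audit
$clients = @(
    'MSRPC',
    'Microsoft-Server-ActiveSync/6.5',
    'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)',
    'Mozilla/4.0 (compatible; MSIE 6.0; Windows Phone)',  # skips the disabled *Phone* row
    'ExampleClient/1.0'                                   # matches nothing
)

$report = foreach ($ua in $clients) {
    $hit = Resolve-UserAgentMapping -UserAgent $ua -Mappings $mappings
    [pscustomobject]@{
        Client       = $ua
        MatchedBy    = if ($hit) { $hit.UserAgent } else { '(none)' }
        FBAFormsType = if ($hit) { $hit.FBAFormsType } else { '(unmapped)' }
    }
}
$report | Format-Table -AutoSize
```

Rows that resolve to Basic are the clients that never see the form, so those are the mappings to review first when the GUI says the rule uses FBA.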
