ISA 2004: Forms-Based Authentication and RADIUS

  • Article

Forms-Based Authentication in ISA 2004 is a nifty new feature that emulates Exchange 2003's FBA authentication option (and allows you to put it out front of OWA versions prior to 2003 - that is, you can use ISA 2004 to provide FBA authentication for Outlook Web Access from Exchange 2000 or Exchange 5.5).

We have a planning guide on how you can configure an OWA installation using ISA 2004 here. Key takeaways: the /exchange/ (OWA default) virtual directory needs Basic authentication enabled on it (so please, use SSL between ISA and the OWA server), and FBA should *not* be enabled at the Exchange level if you're using it at the front end.

Dr Tom came up with an ingenious way around the limitation of a single advanced authentication type via what appears to be a single listener, so that you can have your kayak and heat it too. (If you're searching for this post later, remember: the only post that had the words FBA, RADIUS and KAYAK in it).

But I'm not here to share that knowledge with you, I'm here to surreptitiously draw your attention to this KB article on adding RADIUS to the mix over here. (A while back I lost interest in trying to sneak the longest KB article title ever past the content team, but it looks like someone else has had a crack at it, with pretty successful results: "You cannot use the RADIUS authentication protocol when you use the Outlook Web Access (OWA) Forms-Based Authentication on a Web publishing rule to publish an internal Web site such as OWA in ISA Server 2004" - yes, that's just the title (which I've requested be shortened to something like "Enabling FBA with RADIUS".)

The short version of the article above is that by default, FBA expects ISA to be a member of a domain in order to authenticate user accounts. Once the hotfix above is applied, a registry setting becomes available that allows you to authenticate FBA requests using RADIUS, which means ISA can sit happily out front as a non-domain member. You can't apply Windows group membership as the Firewall rules are being traversed (all we get back from RADIUS is a yes/no, not a user token containing group membership information), but when you consider you're still allowing only pre-authenticated pre-authorized traffic via pre-defined paths, well, *shrug*.

You just configure your FBA rule, then set a registry key to enable RADIUS authentication for that rule: in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters , create a value called OwaAuthenticatesUsingRadius as a  Dword, and set the value to 1.

So, if the above sounds like something you're interested in doing, go check out the guidance at the top, Tom's bits, and then the KB article.

Questions? (You have 30 days to post 'em).