GNOME Bugzilla – Bug 415922
Cannot connect to Exchange 2003 behind ISA Server 2004 using Forms-based Auth
Last modified: 2007-08-13 14:30:21 UTC
Please describe the problem:
ISA Server 2004 has a built-in forms-based authentication (FBA) to authenticate users before they reach the Exchange 2003 running Outlook Web Access (OWA). This ISA FBA page is slightly different from the regular OWA page. For instance, it calls to CookieAuth.dll?Logon instead of owaauth.dll.

Steps to reproduce:
1. Set up ISA Server 2004 similar to http://www.msexchange.org/tutorials/OWA2003Forms-based-Authentication-default-domain-Part2.html
2. Add Exchange connector account to Evolution
3. Enter OWA URL, username, and password.

Actual results:
Authentication fails when setting up a new Exchange connector account after entering OWA URL, username, and password.

Expected results:
Authentication would be successful and ISA Server would allow traffic to be passed to Exchange Server.

Does this happen every time?
Yes.

Other information:
patch to follow
Created attachment 84207
Patch to add ISA Server 2004 compatibility into exchange connector

This adds a check for the CookieAuth.dll action during forms-based authentication. It also makes sure the action URI isn't encoded to https://www.example.com/CookieAuth.dll%3fLogon, which makes the POST fail (should be CookieAuth.dll?Logon).
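The encoding problem described in the comment above, as an added example; this is not the attached patch and not Evolution's code, and `encode_path` and `fba_post_uri` are hypothetical names. It shows why escaping the whole form action as a path produces the `%3f` URI, and how keeping the query separate avoids it.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Percent-encode a URI path: keep unreserved characters and '/', escape the rest. */
static void encode_path(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    for (; *in && o + 3 < outlen; in++) {
        unsigned char c = (unsigned char)*in;
        if (isalnum(c) || strchr("-._~/", c)) {
            out[o++] = (char)c;
        } else {
            out[o++] = '%';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 15];
        }
    }
    out[o] = '\0';
}

/* Build the POST target from origin + form action (hypothetical helper).
   split_query=1 appends the text from the first '?' verbatim; split_query=0
   escapes the whole action as a path, giving the failing form. NULL on error. */
const char *fba_post_uri(const char *origin, const char *action, int split_query)
{
    static char uri[1024];
    char path[256], enc[768];
    const char *q = split_query ? strchr(action, '?') : NULL;
    size_t plen = q ? (size_t)(q - action) : strlen(action);
    /* Accept only the two FBA actions named in the report. */
    if ((!strstr(action, "owaauth.dll") && !strstr(action, "CookieAuth.dll"))
        || plen >= sizeof path)
        return NULL;
    memcpy(path, action, plen);
    path[plen] = '\0';
    encode_path(path, enc, sizeof enc);
    int n = snprintf(uri, sizeof uri, "%s%s%s", origin, enc, q ? q : "");
    return (n < 0 || (size_t)n >= sizeof uri) ? NULL : uri;
}

int main(void)
{
    /* Constructed input, based on the example URL in the comment above. */
    puts(fba_post_uri("https://www.example.com", "/CookieAuth.dll?Logon", 0));
    puts(fba_post_uri("https://www.example.com", "/CookieAuth.dll?Logon", 1));
    return 0;
}
```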
Can you attach E2K_DEBUG trace from Evolution when trying to connect to the server? I need these logs to compare with the other logs that I have w.r.t CookieAuth.dll.
Created attachment 84433
E2K_DEBUG=10 log of logging into a CookieAuth.dll server

Here is a log at E2K_DEBUG=10 when logging into a server using CookieAuth.dll after applying the patch.
Thanks for the logs, Kenny. However, I would like to see the same log from unpatched version. TIA.
Created attachment 84454
E2K_DEBUG=10 log of unpatched session logging into CookieAuth.dll server

This is a debug session log trying to log into a CookieAuth.dll server without the patch.

Created attachment 84751
E2K_DEBUG=10 log of logging into a 2nd CookieAuth.dll server

This is a 2nd patched log on a different server.

Created attachment 84752
E2K_DEBUG=10 log of logging into a 2nd CookieAuth.dll server (unpatched)

Note I am including this as it differs from Kenny's unpatched log.
For testing I added Kenny's patch directly into the SOURCE and an entry in the SPEC file from the evolution-data-server-1.8.3-3.fc6.src.rpm as patch 21 and created a new rpm. This worked okay and I was able to access email properly (had tried before and couldn't): http://www.mail-archive.com/evolution-hackers@gnome.org/msg01242.html
Comment on attachment 84752
E2K_DEBUG=10 log of logging into a 2nd CookieAuth.dll server (unpatched)

CalDAV Eplugin starting up ...
evolution-shell-Message: Killing old version of evolution-data-server...
** (evolution:21338): DEBUG: mailto URL command: evolution --component=mail %s
** (evolution:21338): DEBUG: mailto URL program: evolution
libnm_glib_nm_state_cb: dbus returned an error.
 (org.freedesktop.DBus.Error.ServiceUnknown) The name org.freedesktop.NetworkManager was not provided by any .service files
(evolution:21338): e-utils-WARNING **: Cannot resolve symbol 'org_gnome_new_mail_config' in plugin '/usr/lib/evolution/2.8/plugins/liborg-gnome-new-mail-notify.so' (not exported?)
BBDB spinning up...

GET HTTP/1.1
E2k-Debug: 0x8d06a50 @ 1173962548
Host: webmail.someuni.nl
Accept-Language: en-US, en
Authorization: NTLM TlRMTVNTUAABAAAABoIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAAAAAAAwAAAA
User-Agent: Evolution/1.8.3

301 OK
E2k-Debug: 0x8d06a50 @ 1173962548
Date: Thu, 15 Mar 2007 12:34:37 GMT
Location: https://webmail.someuni.nl/exchange
X-Powered-By: ASP.NET
Server: Microsoft-IIS/6.0
Connection: Keep-Alive
Content-Length: 165
Content-Type: text/html

GET /exchange/ HTTP/1.1
E2k-Debug: 0x8d06b70 @ 1173962549
Host: webmail.someuni.nl
Accept-Language: en-US, en
Authorization: NTLM TlRMTVNTUAABAAAABoIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAAAAAAAwAAAA
User-Agent: Evolution/1.8.3

302 Moved Temporarily
E2k-Debug: 0x8d06b70 @ 1173962551
Set-Cookie: sessionid=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: cadata=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Location: https://webmail.someuni.nl/CookieAuth.dll?GetLogon?url=%2Fexchange%2F&reason=0
Connection: close
Content-Length: 0
Comment on attachment 84752
E2K_DEBUG=10 log of logging into a 2nd CookieAuth.dll server (unpatched)

Ignore this as this is the patched log.
Committed to SVN Head and trunk.
Closing this since the patch was committed.
If we find that it is an Exchange 2003 server behind an ISA Server 2004 proxy, why are we giving an auth error?

---code---
	} else if (strstr (location, "/owalogon.asp") ||
		   strstr (location, "/CookieAuth.dll")) {
		if (e2k_context_fba (ctx, msg))
			goto try_again;
		*result = E2K_AUTOCONFIG_AUTH_ERROR;
---code---

Shouldn't it be something like:

*result = E2K_AUTOCONFIG_EXCHANGE_2003