CWA through ISA 2006 and KCD RRS feed

  • Question

  • I already have OWA and SharePoint proxying through ISA 2006, using Kerberberos Constrained Delegation. It took a lot of fiddling, but It works great now. External users auth to ISA with forms, internal users also go through ISA and use Integrated, for the same URLs (split horizon DNS).

    I cannot see how I can do the same thing with CWA, the documentation all seems to suggest you should just pass authentication through to the CWA server, or they give an example fo using SSO with LDAP. Delegating auth to the CWA server would seem to be less secure on the face of it, given all the docs ive read about OWA and SharePoint proxying.

    Is there any way to pre-auth at ISA 2006 and use SSO alongside SharePoint and OWA with KCD from ISA to the backend CWA box?
    Monday, August 10, 2009 2:32 PM

All replies

  • Hi

    According to your question, l learn that you want to external user pre-auth go through ISA, and then access to the backend CWA box. If I misunderstand your issue, please tell me.

    Per the MS OCS documentation, it is highly recommended that external users first go through a reverse proxy server. CWA is compatible with most of reverse proxy servers on the market. If you use SSO authentication then you must use MS ISA server 2006 with SSO enabled on the Web listener.

    You can refer to below link:



    Hope this helpful!


    Monday, August 17, 2009 10:46 AM
  • Hi Gavin, you understand correctly. However my users then have to authneticate twice - once to ISA and once to CWA. I cannot get ISA to authenticate the users with a Form Based Auth (FBA) and then delegate these with basic auth to the CWA server. I have tried setting it up as per the SSO example (but using AD as the authentication source rather than LDAP).

    Best Regards,


    Saturday, August 22, 2009 4:13 PM
  • One workaround I've used in that situation is to publish the CWA as an internal server (with Windows Auth configured) and let ISA use KCD to the box (provided SPN's are set up correctly). If kerberos is causing the problem you could always fall back to basic or NTLM between ISA and CWA. The MS doc should work but I haven't seen it work with all modalities (including desktop sharing) yet. Be aware that when you publish via ISA with FBA you lose the ability to invite anonymous participants to CWA desktop sharing sesions. I hope that helps.

    Friday, August 28, 2009 6:11 AM
  • Thanks LK23, im really struggling to get KCD working, even using an "Internal" CWA site. Should I have just Integrated authentication enabled, no forms?

    Then non-IE clients get an error saying the browser doesn't support the authnetication type. It's like CWA ignores the fact that ISA has already authenticated the user with FBA and passed it some credentials using Kerberos Constrained Delegation and negotiates directly with the clients browser. I've successfully setup SharePoint, OWA, OutlookAnywhere and Autodiscover all using KCD so im (reasonably) sure of how it all works and have the SPN's and ADUC Delegation tabs configured to what I believe is correct.

    I've had to install various ISA hotfixes to get these others working properly on my NLB'd ISA array. Most notably the one to disable Kerberos authentication *from the cilent*, so NTLM and below only. But that doesnt affect KCD from ISA to the backend servers.

    Any ideas? I'm really stuck.
    Thursday, October 1, 2009 10:12 PM