ISA Delegation breaks OAB downloads

We have had a few cases where customers were not able to download their OAB files externally due to mis-configurations on their ISA servers. By default an Exchange 2007 server's OAB Virtual Directory will have the following authentication method set:

ExternalAuthenticationMethods : {WindowsIntegrated}

Integrated Windows authentication uses the NTLM, Kerberos, and Negotiate authentication mechanisms. These are secure forms of authentication because the user name and password are hashed before being sent across the network.

ISA has a very cool feature called Authentication Delegation. By using this feature the ISA Server will forward the client's request to the Outlook Web Access server, and authenticates itself to the Outlook Web Access server using the client's credentials. The Outlook Web Access server will revalidate those credentials, typically using the same authentication provider.

NOTE: The Web server must be configured to use the authentication scheme that matches the delegation method used by ISA Server.

ISA Server has the following Authentication Delegation methods. After ISA validates the credentials, you can configure publishing rules to use one of the following methods to delegate the credentials to the published servers:

  • No delegation, and client cannot authenticate directly
  • No delegation, but client may authenticate directly
  • Basic
  • NTLM
  • NTLM/Kerberos (Negotiate)
  • SecurID
  • Kerberos constrained delegation

If you are not careful and setup your delegation rules incorrectly they will not match your web server, specifically the OAB Virtual Directory you will fail to download the OAB. If you check your ISA Server you will see the following ISA Event ID:

Event ID: 21314
ISA Server tried to delegate credentials, but the Web site does not accept the credentials provided by the authentication delegation scheme configured in the Web publishing rule PUB: E2007 Outlook Anywhere. Verify that the credentials delegation scheme configured in the Web publishing rule matches an authentication protocol enabled on the published Web site.

How To Fix

1. Make sure your ISA delegation rules match your OAB Virtual directories ExternalAuthenticationMethods.