Double authentication prompt when accessing Exchange Control Panel published through ISA Server 2006
1. Introduction
Recently I worked on a case in collaboration with the Exchange team where the messaging administrator was experiencing a double authentication prompt while accessing the Exchange Control Panel through OWA. Exchange Control Panel is a new feature of Exchange 2010; to read more about it, see the article New Features and Improvements in Exchange Server 2010.
2. Background
First you need to understand that the Exchange Publishing Wizard on ISA Server 2006 doesn’t add the /ecp vdir like TMG 2010 does (see figure below from TMG 2010).
The solution for ISA Server 2006 is to add the /ecp/* path manually after creating the OWA Publishing rule.
3. Why was it failing?
In this particular scenario there were two publishing rules sharing the same listener and the same public name:
| Rule Number | Name | Destination | Affinity |
|---|---|---|---|
| 1 | Outlook Anywhere | Exchange Farm | IP-Based |
| 2 | OWA Publishing rule | Exchange Farm | Session-Based |
In this case the administrator had added /ecp/* to the Outlook Anywhere rule as well. When a user accessed OWA, the request was processed by rule number 2. When the user then clicked Options to launch the Exchange Control Panel (within OWA), ISA had to re-evaluate the request for the /ecp/* path. Because rules are evaluated top down, the request hit rule number 1 first and the connection was re-created (due to the affinity), hence the second authentication prompt.
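The top-down evaluation described above can be modelled in a few lines. This is an added example, not code from the original post or from ISA Server: it is a simplified first-match model that flags the point in a browser session where the request moves to a different rule. The listener name, the public name and the /owa/* and /rpc/* paths are constructed sample values, and the corrected set assumes /ecp/* is kept only on the OWA rule.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    order: int        # position in the policy; lower numbers are evaluated first
    name: str
    listener: str
    public_name: str
    affinity: str
    paths: tuple      # path patterns such as "/ecp/*"


def first_match(rules, listener, host, path):
    """Top-down evaluation: first rule whose listener, public name and path match."""
    for rule in sorted(rules, key=lambda r: r.order):
        if (rule.listener == listener
                and rule.public_name.lower() == host.lower()
                and any(fnmatchcase(path.lower(), p.lower()) for p in rule.paths)):
            return rule
    return None


def rule_switches(rules, listener, host, session_paths):
    """Return (path, previous rule, new rule) wherever one session changes rule."""
    switches, previous = [], None
    for path in session_paths:
        rule = first_match(rules, listener, host, path)
        if previous and rule and rule.name != previous.name:
            switches.append((path, previous.name, rule.name))
        previous = rule or previous
    return switches


# Constructed sample data; only the rule names, affinities and /ecp/* come from the post.
LISTENER, HOST = "HTTPS listener", "mail.example.com"


def make_rules(outlook_anywhere_paths):
    return [
        Rule(1, "Outlook Anywhere", LISTENER, HOST, "IP-Based", outlook_anywhere_paths),
        Rule(2, "OWA Publishing rule", LISTENER, HOST, "Session-Based", ("/owa/*", "/ecp/*")),
    ]


AS_FOUND = make_rules(("/rpc/*", "/ecp/*"))   # /ecp/* also on rule 1, as in the case
CORRECTED = make_rules(("/rpc/*",))           # assumption: /ecp/* only on the OWA rule
SESSION = ["/owa/", "/ecp/"]                  # open OWA, then click Options

if __name__ == "__main__":
    for label, rules in (("as found", AS_FOUND), ("corrected", CORRECTED)):
        print(label, rule_switches(rules, LISTENER, HOST, SESSION))
```

Any switch reported for a single session marks a path that is claimed by a higher rule with a different affinity setting, which is the condition that produced the second prompt.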
Enjoy your Exchange 2010 Publishing !!