
To configure settings for forms-based authentication

  1. In the console tree of ISA Server Management, click Firewall Policy.

  2. On the Toolbox tab, click Network Objects.

  3. Expand Web Listeners, and then double-click the applicable Web listener to open its properties.

  4. On the Forms tab, click Advanced.

  5. Under Cookie Settings, you can provide a name for the cookie that ISA Server provides to the client after forms-based authentication has succeeded. From the drop-down list, you can select whether the cookies are persistent (continue to exist on the client after the session ends) on all computers, only on private computers, or never.

  6. For Ignore browser IP address for cookie validation, set whether clients may present the same cookie from different IP addresses. Enable this when requests from a single client may appear to come from different IP addresses, for example when a load balancer sits between the client and ISA Server.

  7. Under Client Security Settings, select one of the following options:

    • Treat as maximum idle time—To set a time-out based on the amount of time that the client is idle.
    • Treat as maximum session duration—To set a time-out based on the total length of the session.
    • Apply session timeout to non-browser clients—To apply the session time-out period to clients that are not browser-based (such as Outlook RPC/HTTP and ActiveSync).

    Then provide separate time-outs for public and private computers. ISA Server uses these values as the maximum idle time or the maximum session length, depending on the option selected above.
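The following Python model is an added illustration of the semantics behind steps 5 through 7 and of the time-out recommendation in the Important section below; it is constructed for this page and is not ISA Server code or its object model. The class names, field names, the cookie name and the sample times are assumptions. It shows how the two time-out modes differ (an idle time-out slides forward on every accepted request, a session-duration time-out does not), how the "ignore browser IP address" setting changes cookie validation, which computers receive a persistent cookie, and a check that both ISA Server time-outs are shorter than the published server's.

```python
"""Model of forms-based-authentication cookie checks (constructed example).

All names below are assumptions made for illustration; they are not the
ISA Server administration API.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Tuple


@dataclass
class CookiePolicy:
    """Settings from the Forms > Advanced dialog, modelled as plain fields."""
    cookie_name: str = "fba_session"        # constructed placeholder cookie name
    persistent_on: str = "private"          # "all", "private" or "never"
    ignore_client_ip: bool = False          # Ignore browser IP address for cookie validation
    timeout_mode: str = "idle"              # "idle" = maximum idle time, "duration" = maximum session duration
    timeout_public: timedelta = timedelta(minutes=6)
    timeout_private: timedelta = timedelta(minutes=60)


@dataclass
class Session:
    """State that the authentication cookie identifies on the server side."""
    issued_at: datetime
    last_seen: datetime
    client_ip: str
    private_computer: bool


def cookie_is_persistent(policy: CookiePolicy, session: Session) -> bool:
    """Whether the cookie survives the end of the browser session on this computer type."""
    if policy.persistent_on == "all":
        return True
    if policy.persistent_on == "private":
        return session.private_computer
    return False


def validate(policy: CookiePolicy, session: Session, now: datetime,
             request_ip: str) -> Tuple[bool, str]:
    """Return (accepted, reason). In idle mode an accepted request restarts the idle timer."""
    if not policy.ignore_client_ip and request_ip != session.client_ip:
        return False, "ip_mismatch"
    limit = policy.timeout_private if session.private_computer else policy.timeout_public
    if policy.timeout_mode == "idle":
        if now - session.last_seen > limit:
            return False, "idle_timeout"
    elif policy.timeout_mode == "duration":
        if now - session.issued_at > limit:
            return False, "session_expired"
    else:
        raise ValueError(f"unknown timeout_mode {policy.timeout_mode!r}")
    session.last_seen = now
    return True, "ok"


def frontend_timeout_is_shorter(policy: CookiePolicy, published_server_timeout: timedelta) -> bool:
    """The recommendation on this page: both ISA Server time-outs must be shorter than the published server's."""
    return max(policy.timeout_public, policy.timeout_private) < published_server_timeout


def run_scenarios() -> Dict[str, object]:
    """Exercise the checks on constructed sessions and return the outcomes."""
    t0 = datetime(2024, 1, 1, 9, 0)
    results: Dict[str, object] = {}

    idle_policy = CookiePolicy()
    public = Session(issued_at=t0, last_seen=t0, client_ip="10.0.0.5", private_computer=False)
    results["idle_5min_ok"] = validate(idle_policy, public, t0 + timedelta(minutes=5), "10.0.0.5")
    results["idle_slides_ok"] = validate(idle_policy, public, t0 + timedelta(minutes=10), "10.0.0.5")
    # last_seen is now t0+10; 7 idle minutes exceed the 6-minute public limit
    results["idle_expired"] = validate(idle_policy, public, t0 + timedelta(minutes=17), "10.0.0.5")

    private = Session(issued_at=t0, last_seen=t0, client_ip="10.0.0.5", private_computer=True)
    results["ip_mismatch"] = validate(idle_policy, private, t0 + timedelta(minutes=1), "10.0.0.9")
    lb_policy = CookiePolicy(ignore_client_ip=True)   # client behind a load balancer
    results["ip_ignored"] = validate(lb_policy, private, t0 + timedelta(minutes=1), "10.0.0.9")

    dur_policy = CookiePolicy(timeout_mode="duration")
    active = Session(issued_at=t0, last_seen=t0, client_ip="10.0.0.5", private_computer=True)
    validate(dur_policy, active, t0 + timedelta(minutes=55), "10.0.0.5")  # recent activity does not help
    results["duration_expired"] = validate(dur_policy, active, t0 + timedelta(minutes=61), "10.0.0.5")

    results["persistent_private"] = cookie_is_persistent(idle_policy, private)
    results["persistent_public"] = cookie_is_persistent(idle_policy, public)
    results["timeout_ordering_bad"] = frontend_timeout_is_shorter(idle_policy, timedelta(minutes=30))
    results["timeout_ordering_good"] = frontend_timeout_is_shorter(
        CookiePolicy(timeout_private=timedelta(minutes=20)), timedelta(minutes=30))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The default policy in the model fails the time-out ordering check against a 30-minute published server because the private-computer limit is 60 minutes; a user whose published session has already expired would still hold a valid ISA Server cookie, which is the situation the Important section warns about.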

Note

For more information about authentication in ISA Server, see "Authentication Concepts in ISA Server 2006" at the Microsoft ISA Server TechCenter Web site (https://www.microsoft.com).
For information on customizing forms, see ISALink_Forms.
To open ISA Server Management, click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.
For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.

Important

When a session reaches the time-out threshold, clients must log on again with their user credentials.
When you configure a time-out for forms-based authentication, we recommend that the time-out be shorter than the one imposed by the published server. If the published server times out before ISA Server does, the user may mistakenly think that the session has ended. This could allow attackers to use the session, which remains open at ISA Server until the user actively closes it or the time-out configured on the form expires.
Use persistent cookies to allow opening documents from Microsoft Windows SharePoint Services without the need to reauthenticate.
Note the following security issues related to persistent cookies:

  • A malicious attacker who obtains a persistent cookie may be able to perform a brute force attack to obtain user credentials from the cookie.
  • On a public computer, if the user does not log off, the session cookie can be used by the next user to access published sites. This threat can be mitigated by not enabling persistent cookies for public computers.
  • Spyware may be able to access the cookie.