Short and simple question: Should this configuration work, am I just missing something stupid or do we need to rethink the entire architecture? Should Exchange 2013 directly internet-facing CAS be able to redirect 2007 mailbox users to ISA-published Exchange 2007 OWA without double authentication in coexistence scenario?

I have a Exchange 2007 environment which works just fine:
- Two CAS servers and two mailbox servers
- OWA and AS are published to internet with an ISA 2006 gateway.
- ISA is configured to have FBA authentication on web listener, doing LDAP auth from two domains (the same domain where the Exchange servers are and an another domain in different forest) and delegating to Exchange as basic auth.
- On Exchange FBA is disabled for OWA, Basic and Integrated enabled.

Now we would like to introduce an Exchange 2013 server to the environment, switch client access over to it and have users accessing their OWA emails on the Exchange 2007 mailboxes before the mailboxes are transferred to Exchange 2013. ISA 2006 will be decommissioned together with the Exchange 2007 environment and Exchange 2013 will be directly internet facing, but at least the first attempt to get this to work failed.

We have two separate single-name certificates, let's call them mail.company.com and mail2007.company.com. The later one is for the legacy email, and first one is used and has been used for the actual client connections.

- mail.company.com is assigned to Exchange 2013 CAS, mail2007.company.com to ISA server listener.
- DNS records to mail.company.com are switched to point to Exchange 2013 CAS public IP, mail2007.company.com to ISA public IP.
- ISA rules were updated to accept the mail2007.company.com host name and multiple different authentication configurations were tried.
- Exhange 2007 OWA and other virtual directories were updated to use mail2007.company.com as the external URL.

I could get Exchange 2013 OWA to authenticate the user and forward the connection to ISA FBA, but with any configuration I couldn't get rid of double authentication. Disabling ISA FBA and letting client authenticate with Exchange directly didn't work out any better.

• Edited by stnz 11 hours 0 minutes ago