Enable Windows Integrated security.

Hi,
1) When we create a new data source in SQL Server Report Server, for credentials we have an option to use windows integrated. When I choose this and click on test connection, I get an error "the connection was either timed out or lost".
Any help in this regard will be highly appreciated.
2) Some tech net articles suggest to enable Kerberos authentication. I donot know how to enable Kerberos for a reporting server. 
Need help please.
Thanks,
Bhawna.

Hello Bhawna,
Kerberos Authentication is needed in the so called "double hop" scenarios. Enabling it for SSRS is easy and is covered in the following technet article - http://blogs.technet.com/b/rob/archive/2011/11/23/enabling-kerberos-authentication-for-reporting-services.aspx.
The question, however, is do you really need it - of your RS and DB Engine (data source) are on the same server, then you do not need this. If you are using multi-tier architecture, then Kerberos might be the thing you need. So - where is your data placed?
Ivan
Ivan Donev MCITP SQL Server 2008 DBA, DB Developer, BI Developer

Similar Messages

  • Fdm, create app with enabling "Windows Integrated Security"

    currently, we need to enter UserID and Password each time we create a new fdm app on the web. we also cannot sign into the Workbench client.
    how do we configure the system, so that we can create applications WITH enabling "Windows Integrated Security", so that we can use the same password to sign into the Workbench client.
    thanks.
    Edited by: user642786 on Feb 7, 2011 9:35 PM
    Edited by: user642786 on Feb 8, 2011 11:54 AM

    os admin takes care of this.

  • JAX-WS web service client and Windows integrated Security authentication

    I am currently developing a JAX-WS web service client running on WebLogic 10.3.2.0. The client is connecting to exchange web service running on IIS.
    Everything works well when EWS is configured with Http basic authentication.
    The problems started when I changed the autentication method on EWS from Http basic authentication to Windows integrated Security authentication.
    The client is then unable to authenticate to the web service. Every request made to EWS returns with the message : Invalid HTTP server response [401] - Unauthorized.
    I tried using an authenticator like this one:
    static class RetrieveWSDLAuthenticator extends Authenticator
    private String username, password;
    public RetrieveWSDLAuthenticator(String user, String pass)
    username = user;
    password = pass;
    @Override
    protected PasswordAuthentication getPasswordAuthentication()
    return new PasswordAuthentication(username, password.toCharArray());
    and setting it as the default authenticator :
    Authenticator.setDefault(new MyAuthenticator("username", "password"));
    but the method getPasswordAuthentication() was not even called.
    Is there a way to make a JAX-WS client works with Windows integrated Security ?

    WIS is not suppported on WLS JAX-WS. You'll need to use other authentication mechanisms such as http basic (which you tried already), or message-level security such as UNT, or SAML.
    Regards,
    Pyounguk

  • Windows Integrated Security with SSRS, Sharepoint 2013 and SSAS over http

    I have the following setup and problem:
    Sharepoint 2013 with SSRS in Sharepoint integrated mode
    SSAS 2012 SP1 with http access (IIS + msmdpump) enabled on the same box as SSAS
    Every component I have tried works fine with this (PerformancePoint, .bism connections, SSIS packages etc.), connecting over http using Kerberos and windows integrated authentication.
    SSRS (.rsds) connections in Sharepoint fail a connection test when using the same http connection string + Windows integrated authentication which works for everything else. The error is: "Unsupported data format: -> Microsoft.ReportingServices.DataExtensions.AdomdTestConnectionException:
    Unsupported data format:"
    SQL server profiler shows that the windows username is reaching the SSAS server is all cases.
    Kerberos delegation is set up for SSAS and is working.
    Switching the .rsds connection to saved credentials (same user as I tried with Windows integrated auth) works fine and SQL server profile logs look the same as the Windows integrated case.
    So, everything seems to work with Kerberos + http apart from SSRS ... any idea welcome. I did read that SSPI is not supported for http connections but then again, there are sites which give examples of exactly such connection strings. I can't find any
    mention of this case or exact problem anywhere ...

    For information, this was fixed by applying the .NET 4.5.1 patch as advised by MS support. Now http connections from integrated mode SSRS work ok.

  • Hanging while accessing a page with Windows Integrated security?

    Here is the code I am trying:
    HttpMethodBase method = null;
    try {   
    HttpClient client = new HttpClient();
    client.getState().setCredentials(AuthScope.ANY,
    new NTCredentials(userName, pwd, host, domain) );
    System.out.println(httpServiceURL);
    method = new GetMethod(httpServiceURL);
    method.setDoAuthentication( true );
    int status = client.executeMethod(method);
    System.out.println(status + "\n" + method.getResponseBodyAsString());
    This code works fine on stand alone java application, but when I deploy it to Weblogic.. it just hangs at GetMethod. No exception, nothing..
    when I change that to
                   method = new GetMethod();
                   method.setFollowRedirects(true);
                   method.setPath(httpServiceURL);
    It is failing at executeMethod().
    any suggestions? Thanks,

    This Weblogic... is it running as a Windows service? Under what user profile? Presumably the authentication would be based on that user profile.

  • Connect to DataBase programmatically with Integrated Security in SharePoint - which account credentials are used?

    Hi to All!
    I have a simple question. I connect to DataBase programmatically, using SqlConnection and Integrated Security in connection string. It works! But I cannot understand -  which account credentials are used? My Windows account(under which I was logged
    in) or NetworkService Account, or something else?
    If I was logged in as FBA user in SharePoint - what in this case?

    Hi MaryBath,
    When you use integrated security = true it means the same as integrated security = SSPI and in this case the current Windows account credentials are used for authentication and if you set the integrated
    security = false you have to provide UserName and Password . so for your question it uses the current windows account credentials.
    here is the Microsoft link for the same...
    https://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlconnection.connectionstring(VS.71).aspx
    If your code is executing on server in SharePoint (in webparts or features or application page). it will take the windows account of the server to connect to the database because all are executing on server not on client machine. your
    login credentials has nothing to do with it.
    Note: there are 2 authentication Windows Authentication and SQL Authentication so make sure that on database windows authentication is enabled (it will only work when windows authentication is enabled....
    Please 'propose as answer' if it helped you, also 'vote helpful' if you like this reply.

  • SSPI handshake failed with error code 0x8009030c while establishing a connection with integrated security; the connection has be

    Hello, I have a sql 2005 server, and I am a developer, with the database on my own machine.  It alwayws works for me but after some minutes the other developer cant work in the application
    He got this error
    Login failed for user ''. The user is not associated with a trusted SQL Server connection. [CLIENT: 192.168.1.140]
    and When I see the log event after that error, it comes with another error.
    SSPI handshake failed with error code 0x8009030c while establishing a connection with integrated security; the connection has been closed. [CLIENT: 192.168.1.140]
    He has IIS5 and me too.
    I created a user on the domain called ASPSYS with password, then in the IIS on anonymous authentication I put that user with that password, and it works, on both machines.
    and in the connection string I have.
    <add key="sqlconn" value="Data Source=ESTACION15;Initial Catalog=GescomDefinitiva;Integrated Security=SSPI; Trusted_Connection=true"/>
    I go to the profiler, and I see that when he browses a page, the database is accesed with user ASPSYS, but when I browse a page, the database is accesed with user SE\levalencia.
    Thats strange.
    The only way that the other developer can work again on the project is to restart the whole machine. He has windows xp profession, I have windows 2000.
    If you want me to send logs please tellme

    Well here's my problem, maybe you can help. Intermittenly I get a login failed when connecting to a db engine through Server Management Studio using Windows authentication. When this happens the following entries are generated on the server's application event log:
    Event Type:        Error
    Event Source:    MSSQLSERVER
    Event Category:                (4)
    Event ID:              17806
    Date:                     1/14/2009
    Time:                     10:41:31 AM
    User:                     N/A
    Computer:          <server name>
    Description:
    SSPI handshake failed with error code 0x8009030c while establishing a connection with integrated security; the connection has been closed. [CLIENT: <ip address>]
    Event Type:        Failure Audit
    Event Source:    MSSQLSERVER
    Event Category:                (4)
    Event ID:              18452
    Date:                     1/14/2009
    Time:                     10:41:31 AM
    User:                     N/A
    Computer:          <server name>
    Description:
    Login failed for user ''. The user is not associated with a trusted SQL Server connection. [CLIENT: <ip address>]
    I've already ensured that the server is set to mixed authentication mode. Oddly enough, the workaround that I've found is that if I remote desktop into the server, log in and then log back out, Management Studio is suddenly able to connect again. No idea why it works. 
    As I said before, it is intermitten. Some days it errors on login, other days it doesn't and there are no configuration changes between them. Also, both client and server are in the same domain and same site so there is no VPN or anything in between. I'm really quite stumped. Any help would be great, or if you can point me in the right direction of where to look. Thank you in advance!

  • SPNego - Windows integrated Single-Sign On not working - How to debug?

    Dear board,
    I've tried to configure SPNego - Windows Integrated SSO with no sucess yet. We do use SAP EP7 on Windows Server 2003 64bit with MS AD 2003. The following is done:
    - Service Account is created, authentication works when done on pupose
    - SPNego wizard completed sucessfully, WebAs Java restarted
    - IE6: Windows integrated Logon is activated, IE shows Intranet when accessing the portal url ( I can't modify the IE Security Settings yet, but as we do use KERBEROS outside of SAP as well, my assumption was settings are fine)
    - UID in windows, EP and ECC are equal
    When I access the portal URL, I am prompted for used id and password. How can I trace methodically what is wrong? Some kind of checklist with links, url or SAP Notes would be great. I've also read references to a test application as well as some diag / trace tool.
    Please post thoroughly as I am rather new to this topic and still missing important terms and knowledge.
    Kind regards and thanks in advance,
    Richard

    Dear board,
    after the service principal name registration was done (once again maybe) the error message disappeared in the SPNego wizard when I retrieve the Principal in Step 2,  the test resolution works as before in step 3 of the wizard.
    At the moment, the error message in the central log file is still unchanged. Acquiring crendetials for realm xxx.xxx.org failed, no valid credentials provided.
    #1.5 #001A4BAF485A0079000000040000207000043C8446E8BA7E#1192438730203#com.sap.engine.services.security.authentication.logincontext#sap.com/irj#com.sap.engine.services.security.authentication.logincontext#J2EE_GUEST#0####d8ce7ab07afc11dc8d93001a4baf485a#Thread[Thread-307,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Error#1#/System/Security/Authentication#Plain###LOGIN.FAILED
    User: N/A
    Authentication Stack: com.sun.security.jgss.accept
    Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details
    1. com.sun.security.auth.module.Krb5LoginModule                            OPTIONAL    ok          exception             false      null#
    #1.5 #001A4BAF485A00580000007F0000207000043C8446E8C109#1192438730203#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#sap.com/irj#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#J2EE_GUEST#0####d8ce7ab17afc11dc8f50001a4baf485a#SAPEngine_Application_Thread[impl:3]_29##0#0#Error##Java###Acquiring credentials for realm XXX.XXX.ORG failed
    [EXCEPTION]
    #1#GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
    Any ideas? I haven't used the diag tool yet, is there any other reasonable way how to debug the setup?
    Kind regards and many thanks,
    Richard

  • Integrated Security results in Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON' after code deployment

    Sometimes, when we deploy new code to the server, we're getting the following error:
    Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
    we're using windows authentication and in our connectionstring use integrated security.
    Only after restarting the server, the application can connect to the DB again. restarting IIS or recycling the application pool doesn't help.
    Our application pool is configured using ApplicationPoolIdentity and we would like to keep it as such.
    Any idea what we can do to prevent this error from occurring almost every time we deploy code?
    Thanks

    Hi amisol,
    Thanks for your post here.
    For your issue is related with asp.net security ,i suggest that you can post your issue to the link below:
    http://forums.asp.net/25.aspx/1?Security
    Best Regards,
    Kevin Shen.

  • 0xc000035b error during windows integrated login

    I've been trying to setup an ADFS SQL farm. I've been running into an issue when trying to authenticate a use using Windows Integrate Authentication. I get it in all the browsers that I've tried (IE, Firefox, Chrome). What's happening is that the HTTP challenge
    box keeps popping up. I put in valid credentials (I've entered them in in various forms, UPN, domain\username, etc.), but the system never accepts them and keeps challenging until I cancel or I get a 401. When I look into the logs I see the following:
    An account failed to log on.
    Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0
    Logon Type: 3
    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: portaluser1
    Account Domain: vo
    Failure Information:
    Failure Reason: An Error occured during Logon.
    Status: 0xc000035b
    Sub Status: 0x0
    Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -
    Network Information:
    Workstation Name: CROBISON-PC
    Source Network Address: -
    Source Port: -
    Detailed Authentication Information:
    Logon Process:
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
    During the setup of the ADFS SQL farm, I got a warning about the service principle name being already taken by some other AD object. Upon further investigation, that error is appearing because the setup is trying to assign an SPN to a domain user that is
    already assigned to the machine in the AD. So, I found ADFS docs that show how to manually assign an SPN to a service account. Still no go. 
    So here is a run down on how ADFS is being accessed. We have a reverse proxy that all web traffic is going through. The ADFS server farm (a farm of one server) is behind this reverse proxy. I've tried assigning SPNs to the service account that ADFS is running
    under that reflect external and internal DNS names. Can anyone shed some light on this? Windows integrated auth works great when I setup a stand-alone server and don't have to do all the service account stuff.

    Hallis:
    I have a web application running on Azure, the ADFS server is published to the internet using TMG.
    When accessing the application from my internal network everything works as expected. I see from the logs that the user is loggen on using Kerberos. This works for both domain joined computers and others.
    But, when accessing the application from outside my internal network I get the same behaviour as you described.
    The only difference in these scenarios is the reverse proxy. When it fails NTLM is used, when it works Kerberos is used. Maybe ADFS does not support NTLM?
    pagefaulted:
    I'm having the same issue except replace a reverse proxy with a F5 Bigip. Anyone out there have any solutions or at least explain why it is failing?
    Hi all,
    I've encountered the same issue a few of you mentioned above, when using a reverse proxy. In my case, the solution was to turn off Extended Protection (see
    Configure Extended Protection in IIS 7.5 or
    Windows Extended Protection) on the LS folder, or to configure it to match your use scenario and not perform channel-binding token (CBT) checking.
    To turn Extended Protection off, on the AD FS server, launch IIS Manager, then, on the left side tree view, access
    Sites -> Default Web Site -> adfs -> ls. Once you’ve selected the “/adfs/ls” folder, double-click the
    Authentication icon, then right-click Windows Authentication and select
    Advanced Settings… On the Advanced Settings dialog, choose Off for
    Extended Protection.
    HTH, 
    -Ran

  • Reseting the Hashed Password after enabling Windows File Sharing

    Disclaimer: you'll need a good bit of knowledge about OS X, UNIX, and encryption to understand what I'm talking about.
    All right, so normally OS X hashes user passwords using a salted SHA1 encryption. It uses shadowing so that you can't obtain the actual hash value using "% nidump passwd".
    BUT, if you enable Windows File Sharing, all that changes. OS X re-hashes your password using the much less secure LANMAN encryption. This allows Windows machines to access your files. (LANMAN is what Windows used to encrypt passwords up through Windows ME. Later versions of Windows use NTLM instead, which is stronger.) This is why, the first time you enable Windows File Sharing, OS X warns you that enabling the feature will require your password to be stored in a less secure manner; it's downgrading the hash from SHA1 to LANMAN.
    My question is: I'm done sharing files with idiot Windows users - how do I force OS X to go back to storing my password using SHA1?
    Thanks guys.
    -Bryan

    Thanks biovizier. You're absolutely right, deleting the extra text after ";shadowHash;" and then reseting the password for the user's account does seem to force OS X to rehash the password using SHA1.
    Just in case someone else has this question in the future, here's how to verify that your password is hashed in SHA1:
    Log in as Root and open the /private/var/db/shadow/hash folder. You'll see files with long, weird names. You'll also see an XML file (with the extension *.state) for each of the files with long, weird names. The XML file contains several tags that tell OS X information about the hashed password - things like when it last logged on, when it was created, how many times login failed, etc.
    We're interested in the other files - the ones that don't end in ".state"
    To verify that SHA1 is being used, open the long, weird files in textedit. You should see something like this:
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000
    000000000059G31HJ75BR54210P07Y57BC57094D643H78K8765L98C6X000
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000
    There should be a few more zeros; I've cut some out here to save space.
    What should NOT exist, is the following:
    57Y083D243109VGR45Z4B65812R8M087H65HJ8OK95T89L8JHL9000000000
    000000000000000000000000000000000000000000000000000000000000
    0000000059G31HJ75BR54210P07Y57BC57094D643H78K8765L98C6X00000
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000
    The second Hashed value does not start with zeros. This hash value is not SHA1. It is the less secure encryption method required for compatability with Windows.
    If your hash file opens with zeros, you're using SHA1. Otherwise, follow Biovizier's procedure: Open NetInfo, select the user account whose password needs to be changed back to SHA1, look at the "authentication_authority" value, make sure the value is set to ;ShadowHash; and that no additional text follows that string, then reset the affected account's password. You can then log back in as root and re-check the hash files using textedit and you should find that the hash file opens with solid zeros instead of letters and numbers.
    Do NOT manually edit the hash files in textedit. One of those files is the hash for the Root password. If you change that hash file, your root password will no longer work (because when you type MYPASSWORD, OS X will hash that string and find that the hashed value no longer matches the stored hash value in /private/var/db/shadow/hash and OS X will therefore reject your password as incorrect) and you will quickly find yourself locked out of your computer for good.
    And finally, just in case you have the computing power of the NSA and are thinking about running the hashes I've listed here: A) They aren't the right length; I've left some characters out and B) I randomly substituted different alphanumerics in for the ones in my real hashes with no rhyme or reason.
    Which brings me to another point: NEVER post your hashes online. Yes, it takes a TON of computing power to break them, but still, they're hidden away for a reason!
    Anyway, I hope this helps other security buffs out there.
    I'm going to make a suggestion to Apple that OS 10.5 be changed so that when you unclick "windows file sharing" the OS immediately rehashes your password in SHA1 again.
    -Bryan

  • SQL Server JDBC integrated security question

    I'm assuming that the only way to create a connection to SQL Server using the JDBC driver is using IntegratedSecurity=false and not IntegrateSecurity=true? I can see the arguments for having it only work with false, but I just wanted to make sure so I can clear any questions up regarding security with our client's DBA. Thanks.

    Hi Matt,
    It is possible to use integrated security with ODI, you need to have the JDBC driver and the sqljdbc_auth.dll file in your drivers directory.
    Your JDBC url will look like this: jdbc:sqlserver://localhost:1113;integratedSecurity=true
    It is detailed in a note on Metalink (568070.1), here is an extract:
    To implement the solution:
    1. Copy the "sqljdbc_auth.dll" file into ODI "/drivers" Folder on the computer where the JDBC driver is installed.
    2. In ODI "/bin/odiparams.bat" configuration file, set the "java.libary.path" system property to specify the directory of the "sqljdbc_auth.dll" file, as follows:
    set ODI_ADDITIONAL_JAVA_OPTIONS="-Djava.library.path=c:\oracle\oracledi\drivers" or, if ODI_ADDITIONAL_JAVA_OPTIONS has already been set, add "-Djava.library.path=..." to the existing string, as follows:
    set ODI_ADDITIONAL_JAVA_OPTIONS="-Duser.language=en" "-Duser.country=US"
    "-Djava.library.path=c:\oracle\oracledi\drivers"
    3. If using an Agent started with "agent.bat" or "agentscheduler.bat" commands, the Agent should be stopped and restarted (in order to take into account the new Java settings).
    4. If using an Agent started as Windows Service, then:
    Stop the Agent Service.
    Remove the Agent Service with "agentservice -r" command.
    Edit the "snpsagent.conf" file (from ODI "/tools/wrapper/conf" Directory).
    Add the Java Library Path to specify the Directory of "sqljdbc_auth.dll" File, as
    follows:
    wrapper.java.library.path.2=c:\oracle\oracledi\drivers
    Recreate the Windows Service with "agentservice -i" command.
    Start the Windows Service.
    Thanks,
    Julien

  • Can't enable Windows Defender - used McAfee removal tool - Y580

    I can't enable Windows Defender.  I get the message "Windows Defender has been turned off and isn't monitoring your computer."  So I used the McAfee removal tool, then rebooted my PC, but I still can't enable it. 
    Perhaps my laptop came with security software other than McAfee and I just don't remember uninstalling it?  Does anyone know if an Ideapad Y580 comes with software other than McAfee?  Or has any idea how I can enable Windows Defender?
    TIA

    cmkurup wrote:
    I keep getting a message to use the action center where the link to enable defender is disabled. Please help.
    Hi cmkurup,
    I am unsure from your description exactly which setting for WD is disabled in the Action Center.
    Perhaps some screenshots will help me explain what I think the problem may be.Scroll down to Option 2 here: http://www.eightforums.com/tutorials/21962-windows-defender-turn-off-windows-8-a.html
    Review your settings, and see if that tutorial helps.
    ===============
    Oops, we posted at the same time. Glad you fixed your problem. I'll leave my info here for anyone else who needs it.
    ThinkPad: T530 / X1 Gen 2 / Helix - Yoga: Tablet 2 Pro (Win) / Yoga 3 Pro
    If you find a post helpful and it answers your question, please click the "Accept As Solution" button.
    Lenovo Advocate ~ I am not employed by Lenovo or Microsoft. I am a volunteer.
    Microsoft MVP - Consumer Security
    SpywareHammer

  • Windows 7 Security Audit Failure message 6281 & Security Kernel

    OS:  Windows 7 Home Premium Ver 6.1 Build 7601 SP 1
    Toshiba Satellite C655
    I received a Windows 7 Security pop-up saying there was a Kernel mismatch and asked if I wanted to proceed.  Not thinking - i hit yes.  Looking through the Security Audit Log - I found an audit failure with 6281 System Integrity Error.  I
    am assuming they are related.
    Any idea what have I done and what do I need to check/do to recover?
    Thanks

    Hi,
    Please upload us the full error messages here, we need more information to narrow down the cause. Then check into
    Event Viewer, see if any other errors logged.
    Besides, check to see if there are any devices have new drivers need to update.
    Mostly this error is caused by the "Realtek Audio HD driver", please check to see if we have any related devices.
    Reference:
    Windows 7 freeze after shutdown
    Best regards
    Michael Shao
    TechNet Community Support

  • Exchange 2013 CU1 Outlook Web App LogOff with Basic or Windows Integrated Authentication

    Hi all,
    Exchange 2013 CU1 has a new OWA LogOff behaviour when Basic or Windows Integrated Authentication is configured. When clicking the LogOff Button you receive the message "Close All your Browser Windows.." but OWA does not sign out. This is not the
    case when using Formbased Authentication...
    The problem in our case is the OWA publishing over the Internet via TMG. When publishing via TMG, only Basic and NTLM authentication is supported. This means you have to change the Authentication for the OWA Virtual Directory to basic or Windows Integrated.
    OK so far, now we can use the TMG Authentication Form. but... TMG is not able to Catch the OWA LogOff. So we will still receive "Close all your Browser Settings.." and no log out from OWA.
    It is a known issue that TMG cannot catch the OWA Logoff with the Exchange 2013 CU1 Release..So my Question:
    Does anyone get that "Real LogOut" fixed via TMG or directly on the CAS Server for Exchange 2013 CU1?
    I know another possibility is to activate Form Based Authentication on the CAS Servers and external users directly authenticate against the CAS Server without pre-authentication at TMG Level, but this of course does not provide the highest security
    we can have.

    Hi SLShare,
    As far as I know, if there is no TMG involved, with Exchange 2013 when the user signs out of mail, the authentication tokens are cleared and the user will be presented with the
    Login Screen.  There will not be a need to click on "Close Window" or any other pop ups that may appear.
    Therefore, you may ask the TMG forum about this question and see whether there are still some other workaround we can temporary bypass this issue. For your convenience:
    Forefront TMG and ISA Server Forum - TechNet - Microsoft
    http://social.technet.microsoft.com/Forums/forefront/en-US/home?forum=Forefrontedgegeneral
    Thanks,
    If you have feedback for TechNet Subscriber Support, contact
    [email protected]
    Simon Wu
    TechNet Community Support

Maybe you are looking for