Welcome to ISAserver.org
"All Authenticated Users" fails
"All Authenticated Users" fails - 10.Jan.2006 10:19:23 PM
cloggie
Posts: 3
Joined: 10.Jan.2006
Status: offline
Hi all, I am relatively new to ISA 2004 firewalls, so when I recently installed an ISA 2004, I ran into a problem I'm not able to solve. The ISA 2004 server is added to the AD domain and the Active Directory Authentication is selected within the System Policy. The workstations are configured as Web Proxy clients. When I configure the access rules with "All users" everything works fine. However, when I configure the rule to use "All Authenticated users" and require all users to authenticate on the Internal network, everything stops working. All users, except the Administrator, receive a time-out when they try to surf the Internet. They are not even asked for a username or password. The weird thing is, the Administrator can browse websites and this account is also shown in the logfiles. The Administrator account has the same IE settings as the average user and can work from a workstation from which a "normal" user cannot. The only difference I can find is that the Administrator is located in the Organizational Unit (OU) Users and all the other users are located in the OU Company B.V.. Can the use of different OUs have anything to do with this problem or is it a configuration item I missed? Thanks. Best regards, Cloggie
RE: "All Authenticated Users" fails - 11.Jan.2006 12:29:35 AM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
quote:
The Administrator account has the same IE settings as the average user

What are these EXACT settings? If using DHCP based Web Proxy Autodiscovery, then this is a design limitation of that config - only local admins can request DHCP Autodiscovery through Web Proxy Auto Discovery. If you're not using DHCP based Autodiscovery, post the config and we'll try to sort it out. Also, if you haven't already, read Stefaan's excellent article on WPAD in case you're using it - http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.html
RE: "All Authenticated Users" fails - 17.Jan.2006 2:13:11 AM
kellyho67
Posts: 6
Joined: 17.Jan.2006
Status: offline
Couple of things I ran into. Try in your access policy to add Windows users and Groups from the users area. Browse your domain; be sure the objects you're selecting are from your directory vs. the local box. Select a user from your AD domain and then add them to the access policy. If you get an RPC error problem, then you'll want to be sure to update to ISA 2004 SP1; it will fix that. Once you can add your user, test with them to see. I found that Authenticated users didn't work for my domain model, so I created the groups I wanted in AD and just added them instead. Kelly
RE: "All Authenticated Users" fails - 26.Jan.2006 11:52:50 PM
cloggie
Posts: 3
Joined: 10.Jan.2006
Status: offline
We're not using WPAD. In IE the settings point to the ISA server, port 8080. When an Administrator, or anyone in the Administrators AD group, accesses a webpage, the username is logged. When I add the "normal" users from AD, I still get anonymous access. When I move a user from the Administrator group to the User group, the username isn't displayed anymore, but is anonymous. This happens either when I use All Authenticated users or add the group directly. I have the configuration files with me. How can I post these? Thanks. Cloggie
RE: "All Authenticated Users" fails - 7.Feb.2006 10:31:18 PM
cloggie
Posts: 3
Joined: 10.Jan.2006
Status: offline
Well, the problem is finally solved. It wasn't because of a configuration error in the ISA server. Someone who didn't know what he was doing tried to secure the server. In this process he removed everyone but the Administrators group from the policy "Access this computer from the network" under "Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment". As soon as we added the Domain users group, everything was fine. Thanks. Cloggie.
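Added example, not part of the thread: a small Python check for the root cause found above, run against the text that `secedit /export /cfg rights.inf /areas USER_RIGHTS` writes on the server. It reports whether any group covering non-admin users still holds "Access this computer from the network" (`SeNetworkLogonRight`); the function names and both sample exports are constructed for illustration.

```python
import re

# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users
BROAD_SIDS = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545"}
BROAD_NAMES = {"everyone", "authenticated users", "users", "domain users"}
DOMAIN_USERS_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-513$")  # <domain>\Domain Users

def privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # secedit writes resolvable principals as *SID, others as plain names
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def is_broad(principal):
    """True if the principal is a group that includes ordinary users."""
    name = principal.split("\\")[-1].lower()
    return (principal in BROAD_SIDS or bool(DOMAIN_USERS_SID.match(principal))
            or name in BROAD_NAMES)

def network_logon_holders(inf_text):
    """Principals granted 'Access this computer from the network'."""
    return privilege_rights(inf_text).get("SeNetworkLogonRight", [])

def non_admins_can_network_logon(inf_text):
    return any(is_broad(p) for p in network_logon_holders(inf_text))

# Constructed sample: the right stripped down to Administrators (S-1-5-32-544) only.
LOCKED_DOWN = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""
# Constructed sample: Domain Users (made-up domain SID) added back.
REPAIRED = LOCKED_DOWN.replace(
    "SeNetworkLogonRight = *S-1-5-32-544",
    "SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-513")

if __name__ == "__main__":
    for label, text in (("locked down", LOCKED_DOWN), ("repaired", REPAIRED)):
        print(label, network_logon_holders(text), non_admins_can_network_logon(text))
```

A real secedit export is normally UTF-16 encoded, so read it with `open(path, encoding="utf-16").read()` before passing it in.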