Welcome to ISAserver.org


Authentication problems

Authentication problems - 25.Oct.2007 10:04:05 AM   
kabracity

 

Posts: 22
Joined: 25.Sep.2007
Status: offline
Hi all,

I have an ISA 2006 Standard Edition on a server and have a little trouble with firewall client authentication; the ISA Server is a domain member.
Each time I attempt a connection with a client (firewall client installed) and monitor it through ISA, I see "username (?)" instead of "domain\username (?)" (so if I enable user-based rules, authentication fails).

ISA Server was installed on the server before it was joined to the domain; could this be the problem? And if it is, is there a way to fix it without reinstalling ISA?

Thanks for your help,

Andrés

< Message edited by kabracity -- 26.Oct.2007 2:42:46 AM >
Post #: 1
RE: Authentication problems - 25.Oct.2007 10:36:53 AM   
elmajdal

 

Posts: 5060
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Hi,

Check this: http://blogs.technet.com/isablog/archive/2007/10/03/questionable-users.aspx


HTH,
Tarek

< Message edited by elmajdal -- 25.Oct.2007 10:37:55 AM >


_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to kabracity)
Post #: 2
RE: Authentication problems - 26.Oct.2007 2:46:49 AM   
kabracity

 

Posts: 22
Joined: 25.Sep.2007
Status: offline
Thanks for the link elmajdal :)
I think I've read about this on this forum too, in a post; so what I did was to put in a user-based rule, applied to "all authenticated users"; the problem is that this rule denies me the connection, so I guess I'm not able to identify myself.
Authentication is integrated, and I'm logged in to the domain, so I don't understand why it doesn't work :(

Edited:
Troubleshooting with the diagnostic logging tool, I got these reports:

EventID 30050 "The rule does not match because the rule requires authentication and no user is specified in the packet."

"ISA Server denied a request because policy rule test authentication requires authentication before allowing traffic"

"The rule test authentication requires user authentication"

(My rule is called test authentication)

So I really don't understand... when there's no user-based rule it shows me username (?) and not anonymous, and when I enable the rule it says no user is specified in the packet...

< Message edited by kabracity -- 26.Oct.2007 5:11:57 AM >

(in reply to elmajdal)
Post #: 3
RE: Authentication problems - 26.Oct.2007 8:48:01 AM   
elmajdal

 

Posts: 5060
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
To authenticate your users you will need to set them as WebProxy and/or Firewall Clients.




(in reply to kabracity)
Post #: 4
RE: Authentication problems - 31.Oct.2007 5:58:45 AM   
kabracity

 

Posts: 22
Joined: 25.Sep.2007
Status: offline
The client is set as firewall client, and proxy settings are disabled, as I just want the firewall client to identify. When I test the connection to the firewall all is OK; but as soon as I make a connection (for example, attempt an HTTP connection, allowed by a rule needing authentication), the client says it's unable to authenticate.
In the ISA logging, I can see ISA initiating and closing the connection via port 1745. In the diagnostic logs, I read the message stating that the client is not authenticated.

If I uninstall the firewall client and set IE to use ISA as a proxy, authentication is OK.

Any suggestion?

(in reply to elmajdal)
Post #: 5
RE: Authentication problems - 31.Oct.2007 7:40:16 AM   
kabracity

 

Posts: 22
Joined: 25.Sep.2007
Status: offline
I captured traffic between my client and the ISA server; maybe it can be useful:



I suppose the first 3 are part of the TCP handshake. In the fourth one the client sends a packet with "user.machine_name.application_name" (user is the user requesting; machine_name is the host name of the client; application_name is the name of the executable), and in the fifth ISA answers with "DOMAIN\Isa_host$" where Isa_host is the host name of the ISA Server.

If I monitor sessions, I can see a Firewall Client Session for 2 or 3 seconds, whose user is "user(?)" (and I have rules that require authentication, so as the firewall client is not able to authenticate, my connection is denied).

Any idea?

(in reply to kabracity)
Post #: 6
RE: Authentication problems - 31.Oct.2007 11:27:53 AM   
kabracity

 

Posts: 22
Joined: 25.Sep.2007
Status: offline
Finally, after days of reading, thinking there was something wrong about the client...

My client had the F-Secure suite installed; I hadn't thought about it as I had disabled the firewall, to allow all traffic. But there's an F-Secure component called "web analyse" causing the problem... dunno exactly what it was doing, but as soon as I uninstalled it my client was able to authenticate!!

I think it's enough for today, I'll keep on fighting tomorrow and telling my problems here :P

(in reply to kabracity)
Post #: 7
RE: Authentication problems - 4.Nov.2007 8:18:50 AM   
elmajdal

 

Posts: 5060
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Hi,

Glad that you found what was causing the problem and thanks for the follow up.

One question: does this F-Secure have the option to trust the Firewall Client and allow it to communicate freely?

Does it have the option to add apps as trusted applications?

Thanks,
Tarek


(in reply to kabracity)
Post #: 8
RE: Authentication problems - 6.Nov.2007 8:31:33 AM   
kabracity

 

Posts: 22
Joined: 25.Sep.2007
Status: offline
Hi,

Yes, F-Secure has an option to allow trusted applications (it has a module named applications control). But I guess it is only for firewall purposes, because the firewall client was already on the list as a trusted application.

I even tried to deactivate all firewall/antivirus/etc. features, restart/shut down the F-Secure services, and restart the Fwclient service, and still had an error on the communication channel (used Fwctool -pingserver). Only when I uninstall the module Analyse web traffic (or something like that) I'm able to correctly communicate via the control channel.

I must say that when the module is installed and Fwclient is active, I try to ping a machine and it has a strange behaviour (sometimes it works, sometimes not..., and I have nonsense chars as destination, as shown in the picture below)



So I guess the module installation modifies something in Windows that makes it incompatible with the ISA firewall's client. It was really hard to realise it was the cause, as I had disabled all protection features in F-Secure for test purposes.

I hope this can help someone else using F-Secure and the ISA client.

Greetings :)

Andrés

(in reply to elmajdal)
Post #: 9
RE: Authentication problems - 6.Nov.2007 6:00:24 PM   
elmajdal

 

Posts: 5060
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Thanks for sharing this with us.


(in reply to kabracity)
Post #: 10
