Welcome to ISAserver.org
Forums |
Register |
Login |
My Profile |
Inbox |
RSS 
|
My Subscription |
My Forums |
Address Book |
Member List |
Search |
FAQ |
Ticket List |
Log Out
Can't get authentication popup from website thru our ISA2004
|
Users viewing this topic:
none
|
Logged in as: Guest
|
Login  | |
|
Can't get authentication popup from website thru our IS... - 31.Dec.2004 3:03:00 PM
|
|
|
Guest
|
Problem: a user is attempting to open this site:
http://ublib.buffalo.edu
- Select "Library Research"
- Pick Databases by Title
- Pick the top entry, "Abell"
- Click the icon "Connect to Database"
When I use my ISA2000 proxy, I get the Apache Name/Password pop up box (I am the only user on this box as Administrator...)
All other regular users are on ISA2004 proxy, and get "timeout" when attempting to use this site.
I have Tom's book, and have suggested, configured *.buffalo.edu as direct access.
We have integrated authentication turned on for regular HTTP browsing (via Win2k AD group).
I have created a rule above this AD rule with target *.buffalo.edu with "All Users" as condition so there should be no authentication required.
User has Firewall client installed and operating.
User has the box "use autoconfiguration script" checkmarked, and the ISA2004 server is in that field...
No luck.
Help!
|
|
|
|
|
RE: Can't get authentication popup from website thru ou... - 31.Dec.2004 4:47:00 PM
|
|
|
tshinder
Posts: 47663
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hi Vic,
Tried to check it, but there is no:
Library research
link.
Tom
|
|
|
|
|
RE: Can't get authentication popup from website thru ou... - 31.Dec.2004 4:57:00 PM
|
|
|
Guest
|
This should take you there:
On the right is LIBRARY RESEARCH
Under that is LIBRARY DATABASE
Under that is Library Title.
Pick Library Title.
Sorry for the confusion!
Vic
|
|
|
|
|
RE: Can't get authentication popup from website thru ou... - 1.Jan.2005 2:49:00 AM
|
|
|
ev@n
Posts: 21
Joined: 29.Dec.2004
Status: offline
|
quote:
Originally posted by <Vic>:
Problem: a user is attempting to open this site:
http://ublib.buffalo.edu
- Select "Library Research"
- Pick Databases by Title
- Pick the top entry, "Abell"
- Click the icon "Connect to Database"
When I use my ISA2000 proxy, I get the Apache Name/Password pop up box (I am the only user on this box as Administrator...)
All other regular users are on ISA2004 proxy, and get "timeout" when attempting to use this site.
I have Tom's book, and have suggested, configured *.buffalo.edu as direct access.
We have integrated authentication turned on for regular HTTP browsing (via Win2k AD group).
I have created a rule above this AD rule with target *.buffalo.edu with "All Users" as condition so there should be no authentication required.
User has Firewall client installed and operating.
User has the box "use autoconfiguration script" checkmarked, and the ISA2004 server is in that field...
No luck.
Help!
Do you have anonymous access enabled under the Internal Network properties? Go to the Web Proxy tab and click on the Authentication button. There you will see an option that states that ALL USERS should be authenticated. Make sure that is unchecked. I'm assuming that Integrated Authentication is your only checked method. See how that works out for you.
-Evan
|
|
|
|
|
RE: Can't get authentication popup from website thru ou... - 7.Jan.2005 3:23:00 PM
|
|
|
Guest
|
"Do you have anonymous access enabled under the Internal Network properties"
I'm not clear on your suggestion. I do not want anonymous internet browsing:
I have [only] "Integrated Authentication checkboxed, and under that, "Require all users to authenticate".
We must limit web browsing to a select group of folks. They are in an Active Directory group that ISA2004 "ProxyUsers" and has as the rule "First Rule" (which is now rule #4...):
Allow AllOutbound Internal External ProxyUsers
I do not want pop-up boxes for Name & Password.
If somemone is not in the select Internet Users group, they should not browse the Internet (I do not want allow anonymous access)
|
|
|
|
|
RE: Can't get authentication popup from website thru ou... - 14.Jan.2005 10:32:00 PM
|
|
|
Guest
|
I still cant get this to work.
Can anybody verify they can get the authenticaton pop-up from the UB server using their ISA2004 setup?
Thanks,
Vic
|
|
|
|
|
RE: Can't get authentication popup from website thru ou... - 14.Jan.2005 11:38:00 PM
|
|
|
AbqBill
Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
|
Hi Vic,
Do not use the "Require all users to authenticate" option; this will definitely generate authentication dialogs.
In ISA Server 2004, if you are authenticated as a user in the your domain, but you do not have an access rule in place that allows you to use http, then you will be denied. This is a change from the default in ISA Server 2000, which would generate an authentication dialog.
Check out the following thread:
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=25;t=000383
HTH,
Bill
|
|
|
|
|
RE: Can't get authentication popup from website thru ou... - 15.Jan.2005 2:42:00 AM
|
|
|
Guest
|
Hi Bill,
I will turn off "require users to authenticate" and give it a try when I get back to work and see if that helps.
BUT - I think I'm confusing folks with what is going on here by talking about 2 issues in the same problem request.
Insofar as ISA2004 authentication - yes I do not want users to type in their Win2k domain name and password. I was letting the integrated authentication take care of that. And that was and is working fine as configured.
But this is not the real problem here. What it really is that the UB site sends back its OWN login name and password for *their* authority access. . The users get to the website using the proxy, but when they click the "login" at the UB site, whatever packets are being sent back from UB never get to the user. They never get the target server Apache login authentication box, thus the connection to the site times out, and they can't get to their data. That is what I'm trying to solve.
|
|
|
|
|
RE: Can't get authentication popup from website thru ou... - 17.Jan.2005 6:33:00 PM
|
|
|
AbqBill
Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
|
quote:
Do you get prompted to sign in to the UB system using your ISA2004 proxy?
I am prompted for credentials by elmwood.lib.buffalo.edu, not by my ISA firewall.
I did notice, though, that the Connect to database link you posted uses a non-standard http port (2048).
Bill
|
|
|
|
|
RE: Can't get authentication popup from website thru ou... - 17.Jan.2005 8:44:00 PM
|
|
|
Guest
|
OK Bill, thanks, thats what I wanted to know, if the credential request (yes appears to come back on port 2048) was getting past your ISA2004 to you.
Our users are not getting it. I do not know why.
Incidentially, I turned off "require users to authenticate" to try to solve my problem as you had mentioned. It did not help this issue, but I did note that all the traffic after I did that as being recorded by ISA2004 was all "anonymous". Nope, we need to track usage by logged in user's name, so I had to turn that flag back on...
|
|
|
|
|
RE: Can't get authentication popup from website thru ou... - 17.Jan.2005 8:56:00 PM
|
|
|
AbqBill
Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
|
quote:
Our users are not getting it. I do not know why.
As a guess, I would imagine you'd need to allow http outbound on port 2048. (It drives firewall admins crazy when web folks insist on running their servers on non-standard ports.)
Regarding anonymous requests: All web proxy requests are sent as anonymous first. If there are no rules permitting anonymous access, then ISA will request credentials from the user agent. So you see, there is a way to force authentication without selecting the problematic Require all users to authenticate option. I recommend removing anonymous access rules and disabling that option, as it will prevent problems in the future.
Bill
|
|
|
|
|
RE: Can't get authentication popup from website thru ou... - 18.Jan.2005 2:49:00 AM
|
|
|
Guest
|
(from a few posts up) I am allowing all authenticated users, all data types (should encompass all ports) via this rule:
Allow AllOutbound Internal External ProxyUsers
I would have expected "AllOutbound" to allow port 2048 out (the firewall client IS being used). I also would have expected when ISA2004 sets up an established connection outbound, it would know who set it up and route corresponding data back to that user as needed....
I cant be sure if I need 2048 out, or if its not that I need 2048 coming back in.
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
Printable Version
