Can't get authentication popup from website thru our IS... - 31.Dec.2004 3:03:00 PM
Guest
Problem: a user is attempting to open this site: http://ublib.buffalo.edu - Select "Library Research" - Pick Databases by Title - Pick the top entry, "Abell" - Click the icon "Connect to Database"
When I use my ISA2000 proxy, I get the Apache Name/Password pop up box (I am the only user on this box as Administrator...)
All other regular users are on ISA2004 proxy, and get "timeout" when attempting to use this site.
I have Tom's book, and have suggested, configured *.buffalo.edu as direct access. We have integrated authentication turned on for regular HTTP browsing (via Win2k AD group). I have created a rule above this AD rule with target *.buffalo.edu with "All Users" as condition so there should be no authentication required. User has Firewall client installed and operating. User has the box "use autoconfiguration script" checkmarked, and the ISA2004 server is in that field...
No luck. Help!
Do you have anonymous access enabled under the Internal Network properties? Go to the Web Proxy tab and click on the Authentication button. There you will see an option that states that ALL USERS should be authenticated. Make sure that is unchecked. I'm assuming that Integrated Authentication is your only checked method. See how that works out for you. -Evan
RE: Can't get authentication popup from website thru ou... - 7.Jan.2005 3:23:00 PM
Guest
"Do you have anonymous access enabled under the Internal Network properties"
I'm not clear on your suggestion. I do not want anonymous internet browsing:
I have [only] "Integrated Authentication" checkboxed, and under that, "Require all users to authenticate".
We must limit web browsing to a select group of folks. They are in an Active Directory group that ISA2004 "ProxyUsers" and has as the rule "First Rule" (which is now rule #4...):
Allow AllOutbound Internal External ProxyUsers
I do not want pop-up boxes for Name & Password. If someone is not in the select Internet Users group, they should not browse the Internet (I do not want to allow anonymous access).
Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Hi Vic,
Do not use the "Require all users to authenticate" option; this will definitely generate authentication dialogs.
In ISA Server 2004, if you are authenticated as a user in your domain, but you do not have an access rule in place that allows you to use http, then you will be denied. This is a change from the default in ISA Server 2000, which would generate an authentication dialog.
RE: Can't get authentication popup from website thru ou... - 15.Jan.2005 2:42:00 AM
Guest
Hi Bill, I will turn off "require users to authenticate" and give it a try when I get back to work and see if that helps.
BUT - I think I'm confusing folks with what is going on here by talking about 2 issues in the same problem request.
Insofar as ISA2004 authentication - yes I do not want users to type in their Win2k domain name and password. I was letting the integrated authentication take care of that. And that was and is working fine as configured.
But this is not the real problem here. What it really is is that the UB site sends back its OWN login name and password for *their* authority access. The users get to the website using the proxy, but when they click the "login" at the UB site, whatever packets are being sent back from UB never get to the user. They never get the target server Apache login authentication box, thus the connection to the site times out, and they can't get to their data. That is what I'm trying to solve.
RE: Can't get authentication popup from website thru ou... - 17.Jan.2005 8:44:00 PM
Guest
OK Bill, thanks, that's what I wanted to know, if the credential request (yes appears to come back on port 2048) was getting past your ISA2004 to you. Our users are not getting it. I do not know why.
Incidentally, I turned off "require users to authenticate" to try to solve my problem as you had mentioned. It did not help this issue, but I did note that all the traffic after I did that as being recorded by ISA2004 was all "anonymous". Nope, we need to track usage by logged in user's name, so I had to turn that flag back on...
Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
quote:Our users are not getting it. I do not know why.
As a guess, I would imagine you'd need to allow http outbound on port 2048. (It drives firewall admins crazy when web folks insist on running their servers on non-standard ports.)
Regarding anonymous requests: All web proxy requests are sent as anonymous first. If there are no rules permitting anonymous access, then ISA will request credentials from the user agent. So you see, there is a way to force authentication without selecting the problematic Require all users to authenticate option. I recommend removing anonymous access rules and disabling that option, as it will prevent problems in the future.
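Added example, not written by any poster in this thread: two different credential challenges are being discussed here, one issued by the ISA web proxy and one issued by the Apache server behind the library site. The Python below classifies a captured response by status code and challenge header so the two can be told apart in a trace; the URL, host name and sample responses are constructed for illustration.

```python
# Added illustration: tell a proxy credential challenge from an origin-server
# one using standard HTTP semantics (407 + Proxy-Authenticate vs 401 + WWW-Authenticate).
from urllib.parse import urlsplit

# Constructed sample responses; header values and realm are made up.
SAMPLES = {
    "proxy_challenge": (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                        b"Proxy-Authenticate: Negotiate\r\n"
                        b"Proxy-Authenticate: NTLM\r\n\r\n"),
    "origin_challenge": (b"HTTP/1.1 401 Authorization Required\r\n"
                         b"Server: Apache\r\n"
                         b'WWW-Authenticate: Basic realm="example"\r\n\r\n'),
    "no_reply": b"",  # what a client-side timeout looks like: nothing arrived
}

def parse_response(raw):
    """Return (status, {header-name: [values]}) from a raw HTTP response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None, {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(parts[1]), headers

def schemes(values):
    """Extract the auth scheme token (Basic, NTLM, ...) from challenge values."""
    return [v.split(" ", 1)[0] for v in values]

def classify(url, raw):
    """Report which hop, if any, is asking the browser for credentials."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    status, headers = parse_response(raw)
    if status is None:
        asked_by, offered = "no-response", []
    elif status == 407:
        asked_by, offered = "proxy", schemes(headers.get("proxy-authenticate", []))
    elif status == 401:
        asked_by, offered = "origin", schemes(headers.get("www-authenticate", []))
    else:
        asked_by, offered = "nobody", []
    return {"port": port, "nonstandard_port": port not in (80, 443),
            "status": status, "asked_by": asked_by, "schemes": offered}
```

A 401 with `WWW-Authenticate` must be relayed to the browser unchanged for the site's own login box to appear; a `no-response` result for a URL on a non-standard port points at the path through the firewall rather than at either authentication layer.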
RE: Can't get authentication popup from website thru ou... - 18.Jan.2005 2:49:00 AM
Guest
(from a few posts up) I am allowing all authenticated users, all data types (should encompass all ports) via this rule:
Allow AllOutbound Internal External ProxyUsers
I would have expected "AllOutbound" to allow port 2048 out (the firewall client IS being used). I also would have expected when ISA2004 sets up an established connection outbound, it would know who set it up and route corresponding data back to that user as needed.... I can't be sure if I need 2048 out, or if it's not that I need 2048 coming back in.