Welcome to ISAserver.org

ISA 2006 authentication fails for one site only

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA 2006 Web Proxy] >> General >> ISA 2006 authentication fails for one site only

Page: [1]

Message

<< Older Topic Newer Topic >>

ISA 2006 authentication fails for one site only - 26.Jun.2008 6:09:12 PM

gdanielson

Posts: 3
Joined: 26.Jun.2008
Status: offline

I have a problem on ISA 2006 I don't know how to progress. When IE browsing to a specific site the same userid gets 12210 authentication prompts from one client but not from a different client. The workstation admins say they have checked IE settings and they are the same on both. So at this stage I need more info/ammo

I think I can see the 12210 culprit in the ISA logs (it is for a .js object) but how can I get ISA to tell me what is not being satisfied from it's point of view causing a request to fail authentication? How can I get more insight into what is happening/not happening with authentication?

tia!
Graeme

Post #: 1

Featured Links*

RE: ISA 2006 authentication fails for one site only - 27.Jun.2008 8:44:32 AM

paulo.oliveira

Posts: 721
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline

Hi,

what the kind of your clients (FW clients, SecureNAT, Webproxy)? Are these machines joined to the same domain of ISA?

Try to check if this configuration is enabled:
In your IE browser, Tools - Internet Options - Advanced tab - Security session - Put a checkmark in Enable Integrated Windows Authentication.

Regards,
Paulo Oliveira.

(in reply to gdanielson)

Post #: 2

RE: ISA 2006 authentication fails for one site only - 27.Jun.2008 10:58:00 AM

pwindell

Posts: 744
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline

A ".js object"?

Does this involve the Jave JRE?

_____________________________

Phillip Windell
www.wandtv.com

(in reply to gdanielson)

Post #: 3

RE: ISA 2006 authentication fails for one site only - 1.Jul.2008 4:44:00 PM

gdanielson

Posts: 3
Joined: 26.Jun.2008
Status: offline

They are all webproxy clients, all on the same domain as ISA and with Integrated Windows Authentication on. Also ISA is running the WebMarshal plugin
The problem appears on only one part of one site, it is actually around a new ActiveX control that is used to edit their website content on their externally hosted site. I'd like to get more info from ISA about what it's not happy about.
As far as I know all other internet browsing is fine, no authentication prompts.
thanks, Graeme

(in reply to paulo.oliveira)

Post #: 4

RE: ISA 2006 authentication fails for one site only - 1.Jul.2008 5:17:19 PM

pwindell

Posts: 744
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline

There is "no tellin'" what kind of communincation the ActiveX Conrol may be attempting to do. If it does anything that would not be classified as HTTP or FTP it will fail with the Web Proxy Service.

You should make the machines Firewall Clients and Web Proxy Clients at the same time,...unless it is a one-nic ISA,...then you are just screwed.

The next most likely thing is Web Marshal. You need to examine its logs or monitor it in some way,...because it may be blocking the ActiveX Control.

_____________________________

Phillip Windell
www.wandtv.com

(in reply to gdanielson)

Post #: 5

RE: ISA 2006 authentication fails for one site only - 1.Jul.2008 6:29:22 PM

Jason Jones

Posts: 1931
Joined: 30.Jul.2002
From: United Kingdom
Status: offline

quote:

ORIGINAL: pwindell

...unless it is a one-nic ISA,...then you are just screwed.

_____________________________

Jason Jones
Microsoft MVP (Forefront Edge Security)

Silversands Ltd
http://www.silversands.co.uk
View My Blog: http://blog.msfirewall.org.uk/

Get Our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to pwindell)

Post #: 6

RE: ISA 2006 authentication fails for one site only - 1.Jul.2008 9:27:04 PM

gdanielson

Posts: 3
Joined: 26.Jun.2008
Status: offline

ISA is not running a single nic . I have checked WebMarshal and there are no blocked objects for the workstation in question. This situation shows up as an authentication problem, doesn't ISA need to be happy with authentication before passing to Webmarshal?

As you say, I don't know what communication is being attempted from the workstation, but whatever it is ISA doesn't like it, how do I find out what it doesn't like??? Even the http (or other) operation in question would be a start. All I've got to go on is this end-user ISA "error".
You seem to be suggesting that the planets aren't aligned, hard luck?

(in reply to pwindell)

Post #: 7

RE: ISA 2006 authentication fails for one site only - 2.Jul.2008 11:05:53 AM

pwindell

Posts: 744
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline

As you say, I don't know what communication is being attempted from the workstation, but whatever it is ISA doesn't like it, how do I find out what it doesn't like??? Even the http (or other) operation in question would be a start. All I've got to go on is this end-user ISA "error".
You seem to be suggesting that the planets aren't aligned, hard luck?

Well if they'd let me run the planet my way they wouldn't get so crooked. But Macs and Linux would be in big trouble

You can see the traffic being generated if you use the Monitoring Log and set the filter to show only traffic from the one "problem" workstation.

1. If there is anything other than HTTP/HTTPS or FTP then it will not work with the Web Proxy Service. You will have to install the Firewall Client on the workstation to handle that and create corresponding Access Rules to handle the Protocols or just add the Protocols to the existing Access Rule for HTTP/HTTPS.

2. Even if it is HTTP/HTTPS or FTP, the ActiveX Control may not be able to handle the authentication over the Web Proxy Service. You will have to install the Firewall Client on the workstation to handle that as well.

_____________________________

Phillip Windell
www.wandtv.com

(in reply to gdanielson)

Post #: 8

RE: ISA 2006 authentication fails for one site only - 2.Jul.2008 11:07:11 AM