Welcome to ISAserver.org
ISA Authentication
ISA Authentication - 16.Jun.2008 1:02:59 AM
darkgabeman
Posts: 9
Joined: 31.Jul.2007
Status: offline
How can I force ISA to authenticate users against a specific domain controller without changing anything on that domain controller?
RE: ISA Authentication - 16.Jun.2008 3:40:00 AM
elmajdal
Posts: 4959
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
When you install ISA Server and configure it, you do not touch the DC at all! All you have to do is join ISA Server to the domain (make it a domain member); then, with the ISA Server Management console, you can use your AD users/groups for your rules.

And to force authentication on outbound rules, remove the All Users condition and replace it with users/groups from AD. And only Firewall Client/Web Proxy Client can authenticate.

HTH,
Tarek
_____________________________
Tarek Majdalani
MS Forefront Edge Security MVP
Website: http://www.elmajdal.net/ISAServer
New Section: http://www.elmajdal.net/Win2k8
RE: ISA Authentication - 16.Jun.2008 4:03:49 AM
darkgabeman
Posts: 9
Joined: 31.Jul.2007
Status: offline
Thanks Tarek, but I don't think you've got my point. My question was how to force ISA to authenticate against a specific DC. For example, I have DC1, DC2 and DC3, all in the same subnet and all with the same weight and priority, and I want ISA to authenticate only against DC1. In other words, I want ISA to authenticate to a specific domain controller regardless of DNS and site settings.
RE: ISA Authentication - 18.Jun.2008 9:59:49 AM
Rievax
Posts: 40
Joined: 13.Oct.2004
Status: offline
darkgabeman,

To me, this is going against AD high availability. Why would you like to do such a thing? AD requests to authenticate a user are not really heavy on your controllers. And what will happen if you lose this server? Nobody will be able to browse, and you will have to reboot your boxes to "fix" the hypothetical registry key hack...

You could try to create an LMHOSTS file in "c:\WINDOWS\system32\drivers\etc\lmhosts" (sample in c:\WINDOWS\system32\drivers\etc\lmhosts.sam) with entries for #PRE and #DOM. This could do the trick, but I am not sure it will work for ISA AD authentication...

But in my opinion, the best way would be to create another subnet, put your ISA and AD server in it and create a new site and subnet in your "AD Sites and Services" MMC snap-in. This way, if the AD server dies, the ISA will talk to other AD servers in your domain...

Xavier.
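
Added example, not part of the thread or any poster's code: a simplified Python model of the trade-off raised in the last reply, comparing a hard pin to one DC with a dedicated site and subnet that prefers DC1 but still falls back. The addresses, site names and the fallback rule are assumptions for illustration and are not Windows' actual DC locator logic.

```python
"""Simplified model of site-aware domain controller selection (added example)."""
import ipaddress

# Constructed sample data: subnet-to-site mapping as it would be defined in
# "AD Sites and Services". Addresses and site names are hypothetical.
SUBNETS = {
    "10.0.0.0/16": "Default-First-Site-Name",
    "10.0.50.0/24": "ISA-Site",  # dedicated subnet holding ISA and DC1
}
# Constructed sample data: the site each domain controller is placed in.
DC_SITES = {"DC1": "ISA-Site", "DC2": "Default-First-Site-Name",
            "DC3": "Default-First-Site-Name"}


def site_for(client_ip, subnets=SUBNETS):
    """Return the site of the most specific subnet containing client_ip."""
    ip = ipaddress.ip_address(client_ip)
    matches = [(ipaddress.ip_network(net), site) for net, site in subnets.items()
               if ip in ipaddress.ip_network(net)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def candidate_dcs(client_ip, online, dc_sites=DC_SITES, subnets=SUBNETS):
    """DCs a member would try: online same-site DCs first, else any online DC."""
    site = site_for(client_ip, subnets)
    in_site = sorted(dc for dc, s in dc_sites.items() if s == site and dc in online)
    if in_site:
        return in_site
    return sorted(dc for dc in dc_sites if dc in online)


def pinned_dc(pinned, online):
    """Hard pin to a single DC (the lmhosts-style idea): no fallback."""
    return [pinned] if pinned in online else []


if __name__ == "__main__":
    isa_ip = "10.0.50.10"  # hypothetical ISA Server address
    print(candidate_dcs(isa_ip, {"DC1", "DC2", "DC3"}))  # same-site DC only
    print(candidate_dcs(isa_ip, {"DC2", "DC3"}))          # DC1 down: fallback
    print(pinned_dc("DC1", {"DC2", "DC3"}))               # pin: nothing left
```
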