Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Limiting access to an AD security group

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Firewall] >> Access Policies >> Limiting access to an AD security group Page: [1]
Login
Message << Older Topic   Newer Topic >>
Limiting access to an AD security group - 6.May2008 7:22:07 PM   
ajclifford

 

Posts: 2
Joined: 6.May2008
Status: offline 		Hello,

We have a basic ISA Server 2006 access rule setup for allowing HTTP and HTTPS traffic except we have removed the default "All Users" group as the access rules Condition and replaced it with our own user group we've created. This works for pretty much everyone except one user we have come across. For some reason their credentials are not getting passed to the ISA Server so if they try to access a web page they are prompted to re-authenticate. This user has IE6 at the moment.

I've tried re-creating their profile, using Firefox, playing across with IE security settings and the like without success. If I view the ISA Server logging while testing this user their connections show up as anonymous, and therefore are denied. If the user types their username and password into the prompted box when they first open IE and try to open a web page everything works fine and then in ISA Server logging they show up as DOMAIN\User as expected (until they close IE browser down of course).

Has anyone else come across a problem like this? I really thought it was just a bung profile on the local computer for this user, but it appears not (we don't have roaming profiles). I would really much rather not leave the rule open to "All Users" as we use a security group in AD to restrict some accounts to have no internet access.

Any help would be greatly appreciated.

Regards,
Alex
Post #: 1
RE: Limiting access to an AD security group - 17.Jun.2008 8:09:38 AM   
tshinder

 

Posts: 47127
Joined: 10.Jan.2001
From: Texas
Status: offline 		Is the machine a domain member?

Check the Event Viewer on the offending machine and see if there are any AD related events.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to ajclifford)
Post #: 2
RE: Limiting access to an AD security group - 17.Jun.2008 6:24:17 PM   
ajclifford

 

Posts: 2
Joined: 6.May2008
Status: offline 		Thanks for the reply tshinder.

The computer is indeed on our domain. I checked it's event log and only found 2 system errors, but which are not AD related. (One was a dcom permissions error and the other a service failing to start-up).

I'm going to get the user to try a different computer with a new profile again just to be sure, and if that works I will re-image their regular computer and start them with a fresh profile. I'll let you guys know if I have any luck.

Regards

(in reply to tshinder)
Post #: 3
RE: Limiting access to an AD security group - 18.Jun.2008 12:08:34 PM   
tshinder

 

Posts: 47127
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hi AJ,

Great!

Looking forward to see if that works.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to ajclifford)
Post #: 4

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 Firewall] >> Access Policies >> Limiting access to an AD security group Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts