• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

No authentication prompt

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> Access Policies >> No authentication prompt Page: [1] 2   next >   >>
Login
Message << Older Topic   Newer Topic >>
No authentication prompt - 8.Dec.2004 5:25:00 PM   
tjcarst

 

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
Users are not prompted to authenticate.

I have an access rule that allows HTTP from internal to external for an AD group. Users not in this group are denied access to the internet, but a prompt is not appearing as in Proxy 2.0 and ISA 2000.

Everything I've read says to make sure the Outgoing Authentication is Integrated and does not have the box checked that requires all users to authenticate. This setting is on Networks, Internal, Properties, Web Proxy, Authentication.

I have both of these settings and still my users are not prompted for a valid username/password to authenticate. I do not have the firewall client installed and they are only Web Proxy clients, ISA server and port is specified in Internet Explorer. I have tried installing the firewall client for testing purposes, but they are still not prompted. How do I enable this in ISA 2004?

Thanks.

tjcarst
tjcarst
Post #: 1
RE: No authentication prompt - 8.Dec.2004 7:36:00 PM   
tjcarst

 

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline

(in reply to tjcarst)
Post #: 2
RE: No authentication prompt - 8.Dec.2004 10:13:00 PM   
Guest
put check in require all users to authentificate. In this case its will ask for username/pass/domain for every user attempted to start browser. Remember-- old browser dosnt have ability to authenticate users, mostly IE, but new opera for Mac finally got that options, so we not stuck to Internet Bugsplorer only.

(in reply to tjcarst)
  Post #: 3
RE: No authentication prompt - 9.Dec.2004 4:22:00 PM   
tjcarst

 

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
Thanks. We are running all IE 5.x or higher, so should not be a problem.

I checked this box, but still am not prompted. I receive an error

Error code : 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
Source: proxy

tjcarst

(in reply to tjcarst)
Post #: 4
RE: No authentication prompt - 9.Dec.2004 4:30:00 PM   
tjcarst

 

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
I have an ISA 2000 running on Windows 2000 that DOES prompt for a username and password. I do not have the option to ask unauthenticated users to authenticate checked.

For ISA 2000, there was a Microsoft hotfix that broke the ability for users to be prompted. Then there was a fix. There was also a registry hack to disable the prompt. I can't find anything on ISA 2004. Many seem to be trying to get this to stop, indicating this is a feature that is on by default. How did they turn it off? I'd like to do the opposite.

I have 50 people ready to lynch me. If I allow All Users access to the internet to appease the 50 who can't, I'll have hundreds who are very happy......

(in reply to tjcarst)
Post #: 5
RE: No authentication prompt - 9.Dec.2004 5:09:00 PM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi tjcarst,

I don't really understand your problem. If a user logs on with an account that has permissions, then the integrated authentication will transparently pass those credentials to the ISA firewall and permit the access. Why would you want a prompt to appear?

--
Bill Stewart

(in reply to tjcarst)
Post #: 6
RE: No authentication prompt - 9.Dec.2004 5:21:00 PM   
tjcarst

 

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
They don't want to logon to the computer as themselves. 20 therapists share a pc and have a quick moment between patients. They want to fire up IE, go to a web site, and walk away.

This worked fine in Proxy 2.0 and ISA 2000. I need it to work in ISA 2004. I have the same authentication setting on my ISA 2004 outgoing listener as on ISA 2000. Integrated. Nothing else. It doesn't work the same. But others here are trying to turn off this prompt on 2004, so obviously, it does work.

Trust me. I've fought to get everyone to signon to computers as themselves for purposes beyond just browsing. It isn't going to happen. And managers are not going to allow ALL employees access to the internet.

I need to be able to get this to work as it used to before ISA 2004. It appears as though it should by default, so I've messed something up somewhere. I was just hoping someone would know how to fix it.

Thanks!

[ December 09, 2004, 05:23 PM: Message edited by: tjcarst ]

(in reply to tjcarst)
Post #: 7
RE: No authentication prompt - 9.Dec.2004 5:34:00 PM   
joemarr_intek

 

Posts: 9
Joined: 8.Dec.2004
Status: offline
Hmm

My questions is related. I want them to authenticate, but I dont want them to get a prompt, I would like the domain authentication to pass through.

If I have intergrated authentication checked, and I dont have require all users to authenticate will it just rely on pass through?

(in reply to tjcarst)
Post #: 8
RE: No authentication prompt - 9.Dec.2004 5:35:00 PM   
joemarr_intek

 

Posts: 9
Joined: 8.Dec.2004
Status: offline
Hmm

My questions is related. I want them to authenticate, but I dont want them to get a prompt, I would like the domain authentication to pass through.

If I have intergrated authentication checked, and I dont have require all users to authenticate will it just rely on pass through?

(in reply to tjcarst)
Post #: 9
RE: No authentication prompt - 9.Dec.2004 5:37:00 PM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi tjcarst,

Let me see if I understand your problem...

A computer is logged on with a user that should not have web access. If you open IE, then access is denied immediately rather than prompting for authentication. It's too time-consuming to log off the current user and log back on with an account that has the appropriate permissions.

Is this correct?

--
Bill Stewart

(in reply to tjcarst)
Post #: 10
RE: No authentication prompt - 9.Dec.2004 6:02:00 PM   
tjcarst

 

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
You have it correct, Bill.

(in reply to tjcarst)
Post #: 11
RE: No authentication prompt - 9.Dec.2004 6:22:00 PM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi,

A possible woraround for this behavior is to create an IE shortcut with the "run with different credentials" option enabled.

--
Bill Stewart

(in reply to tjcarst)
Post #: 12
RE: No authentication prompt - 9.Dec.2004 7:35:00 PM   
tjcarst

 

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
Thanks, Bill. That is an option. But, some things are links in email, or on an internal web page, and this would not work very well.

But, it should work. By default, this is supposed to be the behavior. Something I've done has changed it and I'd really like to get it back to how the users are used to it working.

tjcarst

(in reply to tjcarst)
Post #: 13
RE: No authentication prompt - 9.Dec.2004 7:52:00 PM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
quote:
By default, this is supposed to be the behavior.
Hi,

This is not the default behavior in ISA Server 2004 AFAIK. I don't know of a way offhand to revert to the old behavior.

--
Bill Stewart

(in reply to tjcarst)
Post #: 14
RE: No authentication prompt - 9.Dec.2004 10:06:00 PM   
tjcarst

 

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
I will search some more, but I believe there are other users who have posted they wish to stop the prompt and I thought it was ISA 2004. The person, joemarr_intek, that posted in this thread above may be able to confirm s/he has ISA 2004.

Why would MS change the default behavior?

tjcarst

[ December 09, 2004, 10:28 PM: Message edited by: tjcarst ]

(in reply to tjcarst)
Post #: 15
RE: No authentication prompt - 10.Dec.2004 12:01:00 AM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi tjcarst,

I threw together a quick VBScript script that lets you toggle this behavior. You can get it here: RequestAuth.vbs

Copy it to your ISA Server, and run it from a command window.

In your case, you probably need to type:

cscript RequestAuth.vbs /network:Internal /enable

For ISA Server 2000, you can change the ReturnDeniedIfAuthenticated registry value (see KB article 297324).

--
Bill Stewart

[ January 05, 2005, 12:22 AM: Message edited by: Bill Stewart ]

< Message edited by AbqBill -- 31.Mar.2009 10:52:20 AM >

(in reply to tjcarst)
Post #: 16
RE: No authentication prompt - 10.Dec.2004 12:11:00 AM   
tjcarst

 

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
Thanks, Bill. I actually had that registry hack for ISA 2000. I installed a MS hotfix that broke the authentication prompt. This registry hack put it back.

The registry is different in ISA 2004 and I was a bit of a coward.

You are a Genius! Thanks for hanging in there and providing this fix.

tjcarst

[ December 10, 2004, 03:11 AM: Message edited by: tjcarst ]

(in reply to tjcarst)
Post #: 17
RE: No authentication prompt - 10.Dec.2004 12:32:00 AM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi tjcarst,

Let me know if the script works for you (it worked for me here).

I posted the info regarding ISA Server 2000 in case other readers might have wanted to know how to do the same thing in the older version.

--
Bill Stewart

(in reply to tjcarst)
Post #: 18
RE: No authentication prompt - 10.Dec.2004 3:12:00 AM   
tjcarst

 

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
Yes, your script worked perfectly. Thank you very much!

I had to hack the registry using that exact KB article when I had an ISA 2000 server. Actually, ISA 2000 existed for all of 1 month and then 2004 came out, so I didn't spend much time with 2000. I've been running Proxy 2.0 since 1998. What a change with ISA 2004. It is so much more intuitive. Until they change the default behavior, that is. [Smile]

tjcarst

[ December 10, 2004, 03:15 AM: Message edited by: tjcarst ]

(in reply to tjcarst)
Post #: 19
RE: No authentication prompt - 21.Jan.2005 8:49:00 AM   
bindumadhava

 

Posts: 4
Joined: 12.Jan.2005
Status: offline
Hi,
In my case it is working fine except for chatting..Yahoo & MSN Chat is not working .Yahoo log shows Error Code 12002.

Bindu

(in reply to tjcarst)
Post #: 20

Page:   [1] 2   next >   >> << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> Access Policies >> No authentication prompt Page: [1] 2   next >   >>
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts