Welcome to ISAserver.org
Forums |
Register |
Login |
My Profile |
Inbox |
RSS 
|
My Subscription |
My Forums |
Address Book |
Member List |
Search |
FAQ |
Ticket List |
Log Out
Problem site with authentication Issue 12209
|
Users viewing this topic:
none
|
Logged in as: Guest
|
Login  | |
|
Problem site with authentication Issue 12209 - 5.Mar.2007 5:49:54 PM
|
|
|
bruce44
Posts: 10
Joined: 12.Feb.2007
Status: offline
|
I have ISA 2004 SP2 working reasonably. One particular Internet site causes an authentication popup at the browser (IE6). When 100's of other sites are accessed, authentication happens transparently between IE and the ISA proxy as expected.
The "Request all users to authenticate option" is OFF. The first access rule is for a particular internal network with ALL USERS allowed. The second access rule is the main Internet access rule with ALL AUTHENTICATED USERS. The effect is for the first rule to allow anomymous access for that network, and the second rule requires authentication for all Internet users.
This all seems to work fine except for the particular site that causes an authentication popup to occur. I have run Ethereal everywhere, searched this Forum but in vain.
Can anyone shed any light on this?
Thanks
|
|
|
|
|
RE: Problem site with authentication Issue 12209 - 6.Mar.2007 3:29:13 PM
|
|
|
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
|
Hi bruce44,
what did the Ethereal trace and the ISA live logging tell you *exactly*?
Can you post the URL of that web site so we can try it out?
HTH,
Stefaan
|
|
|
|
|
RE: Problem site with authentication Issue 12209 - 6.Mar.2007 5:18:16 PM
|
|
|
bruce44
Posts: 10
Joined: 12.Feb.2007
Status: offline
|
Hi Stefaan,
Thanks for the response. For a bit more background, the ISA proxy is part of the AD domain, and I am using "intergrated" authentication. The URL giving the problem is "http://linus.lib.uts.edu.au". If I disable proxies in IE and connect directly (via Gateway ISP, firewalls, etc), it works beautifully. However we also run SurfControl on the proxy as a plugin for content/malware checking so do not want our users bypassing it.
Ethereal traces between the internal web proxy client (IE6) and the ISA proxy show the client submitting the GET request, followed by the NTLM authentication challenge/response. This looks OK to me, but when the client sends the NTLM response, the proxy shuts down the session immediately.
Ethereal traces between the proxy and the outside world (Gateway ISP, firewalls, etc) show that the proxy does in fact connect successfully with the external target server, and the HTML page data is downloaded to the proxy, then the session shut down. If you have a look at this HTML data it is fairly busy with link references to other servers, but should be OK.
I put in an access rule for this site temporarily for testing to allow anonymous connection. The authentication popup disappeared, but I received a "page could not be displayed". Ethereal shows the proxy shutting down the connection from the client immediately it receives the GET request. So I believe that the authentication popup thing is not the cause of the problem, just a symptom.
Live ISA logging using the last test:
Original Client IP Client Agent Authenticated Client Service Server Name Referring Server Destination Host Name Transport MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload Source Port Processing Time Bytes Sent Bytes Received Result Code HTTP Status Code Cache Information Error Information Log Record Type Log Time Destination IP Destination Port Protocol Action Rule Client IP Client Username Source Network Destination Network HTTP Method URL
0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727) No Proxy CANBERRAISA1 linus.lib.uts.edu.au TCP text/html; charset=UTF-8 Internet - - - - - - 0 62 0 559 200 0x43040000 0x400 Web Proxy Filter 7/03/2007 9:07 138.25.78.11 80 http Allowed Connection UTS 10.13.235.128 anonymous Internal External GET http://linus.lib.uts.edu.au/
10.13.36.2 CANBERRAISA1 - TCP - No - 10675 0 917 6877 0x80074e20 0x0 0x0 Firewall 7/03/2007 9:07 138.25.78.11 80 HTTP Closed Connection 10.13.36.2 Local Host External - -
10.13.36.2 CANBERRAISA1 - TCP - No - 10672 0 1322 12638 0x80074e20 0x0 0x0 Firewall 7/03/2007 9:07 64.236.106.10 80 HTTP Closed Connection 10.13.36.2 Local Host External - -
10.13.36.2 CANBERRAISA1 - TCP - No - 10676 0 0 0 0x0 0x0 0x0 Firewall 7/03/2007 9:07 216.218.189.114 80 HTTP Initiated Connection 10.13.36.2 Local Host External - -
10.13.36.2 CANBERRAISA1 - TCP - No - 10677 0 0 0 0x0 0x0 0x0 Firewall 7/03/2007 9:07 213.86.58.141 80 HTTP Initiated Connection 10.13.36.2 Local Host External - -
10.13.36.2 CANBERRAISA1 - TCP - No - 10677 0 622 5075 0x80074e20 0x0 0x0 Firewall 7/03/2007 9:07 213.86.58.141 80 HTTP Closed Connection 10.13.36.2 Local Host External - -
10.13.36.2 CANBERRAISA1 - TCP - No - 10678 0 0 0 0x0 0x0 0x0 Firewall 7/03/2007 9:07 216.73.87.52 80 HTTP Initiated Connection 10.13.36.2 Local Host External - -
10.13.235.128 CANBERRAISA1 - TCP - Yes - 2861 0 0 0 0x0 0x0 0x0 Firewall 7/03/2007 9:07 10.13.38.2 8080 Proxy 8080 Initiated Connection 10.13.235.128 Internal Local Host - -
10.13.235.128 CANBERRAISA1 - TCP - Yes - 2861 0 799 128 0x80074e20 0x0 0x0 Firewall 7/03/2007 9:07 10.13.38.2 8080 Proxy 8080 Closed Connection 10.13.235.128 Internal Local Host - -
10.13.36.2 CANBERRAISA1 - TCP - No - 10679 0 0 0 0x0 0x0 0x0 Firewall 7/03/2007 9:07 209.225.0.106 80 HTTP Initiated Connection 10.13.36.2 Local Host External - -
10.13.36.2 CANBERRAISA1 - TCP - No - 10678 0 572 581 0x80074e20 0x0 0x0 Firewall 7/03/2007 9:07 216.73.87.52 80 HTTP Closed Connection 10.13.36.2 Local Host External - -
Thanks
Bruce
|
|
|
|
|
RE: Problem site with authentication Issue 12209 - 7.Mar.2007 12:36:57 AM
|
|
|
bruce44
Posts: 10
Joined: 12.Feb.2007
Status: offline
|
Me again,
Further to all this. I did some more tracing and found that this site only uses LF to terminate each HTTP header line. Also only uses LF to separate header and body data. All sites that I traced that worked use CRLF. I am thinking that this is an RFC compliance issue. How pedantic is ISA 2004 about the RFC for HTTP 1.1? If this is the problem, can ISA 2004 be doctored to be a bit more grey in RFC compliance, or does the site need to fix their implementation.
Thanks
Bruce
|
|
|
|
|
RE: Problem site with authentication Issue 12209 - 8.Mar.2007 2:37:43 PM
|
|
|
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
|
Hi Bruce,
no problem getting to that site through ISA Server 2006 SE as a Web Proxy client with authentication. Could SurfControl be the culprit?
HTH,
Stefaan
|
|
|
|
|
RE: Problem site with authentication Issue 12209 - 12.Mar.2007 6:03:05 PM
|
|
|
bruce44
Posts: 10
Joined: 12.Feb.2007
Status: offline
|
Hi Stefaan,
You are dead right! The latest version of SurfControl (5.5) for ISA has MacAfee malware checking built in to it. I disabled this malware component (left normal content checking running) and the site loaded OK. I re-enabled it again and it failed. I logged a fault with SurfControl support and they agreed it is a known problem (LF terminating HTTP header lines)and will produce a hotfix soon. They recommend to set that site as "unmonitored" as an interim measure, although I have not tested that yet.
Your help is much appreciated!
Regards
Bruce
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
Printable Version
