Welcome to ISAserver.org


Strange Integrated Auth Issues...

Strange Integrated Auth Issues... - 18.Jul.2005 11:23:00 AM   
Cov

 

Posts: 22
Joined: 18.Jul.2005
From: UK
Status: offline
Hi All,

I'm having a pretty strange problem happening here.

My setup is as follows:

Win2003 Standard SP1, ISA 2004 Standard SP1, Surfcontrol 5 (All updates).

I have 1 external interface and 1 internal interface, and roughly 50 users connecting to the ISA server for web access as SecureNAT clients.

Everything works correctly when I set the authentication to not required on the internal network, and the HTTP/Etc protocol to allow all users.

Now when I set the authentication to Integrated and required on the internal network, and set the protocol filter to "ISA Users" (a security group I set up in the AD which includes all users who require internet access), it works for maybe 10 minutes, then boom, it dies.

I can see the user names in the Monitoring/sessions, Surfcontrol correctly filters based on user name, and so on. And then it just stops.

You can enter ANY user name/password combination (domain\username, user@work etc) and it just asks for it again.

In the event logs on the ISA Server I see all of the connection attempts as Logon/Logoff errors (event ID 537). A sample:

Logon Failure:
Reason: An error occurred during logon
User Name: Blah
Domain: (my domain)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: Blah
Status Code: 0xC000005E
Substatus Code: 0x0

If I switch the authentication off again then access works for everyone, until I turn it on and then it works for 10 minutes and dies again.

I checked up the status code, and tried setting the ISA server to "Trusted for delegation" in the AD, but it still failed after a while.

I attempted to use RADIUS for the authentication, however it does not seem to work correctly/at all? It does work for VPN clients.

Soooo... what do I try now? Is this a hardware issue possibly, or something wrong with the way I have set up the ISA server?

I'm really stumped, and appreciate any help/suggestions.

Thanks! [Big Grin]

[ July 18, 2005, 11:24 AM: Message edited by: Cov ]
Post #: 1
RE: Strange Integrated Auth Issues... - 18.Jul.2005 11:36:00 AM   
isawader

 

Posts: 420
Joined: 27.Apr.2005
Status: offline
I would suggest that you uncheck "require authentication" for the Internal Network and keep the integrated. Install firewall client on all workstations and configure browsers as webproxy (set them to use HTTP/1.1 for proxy). Remove the "All Users" on the Access rule allowing HTTP/HTTPS and add user group needing web access.

(in reply to Cov)
Post #: 2
RE: Strange Integrated Auth Issues... - 18.Jul.2005 11:39:00 AM   
isawader

 

Posts: 420
Joined: 27.Apr.2005
Status: offline
Oops! Forgot you have surfcontrol. Since I primarily use ISA to control all of our outbound access, I don't use surfcontrol.

(in reply to Cov)
Post #: 3
RE: Strange Integrated Auth Issues... - 18.Jul.2005 11:47:00 AM   
Cov

 

Posts: 22
Joined: 18.Jul.2005
From: UK
Status: offline
Thanks for the suggestion, however using ISA 2000 on a win2k server these issues were non-existent.

ISA 2004 was much, much easier to set up and it works great without authentication. I'd love to run it without surfcontrol but that isn't my decision, so I have to find a way to get this working [Big Grin]

(in reply to Cov)
Post #: 4
RE: Strange Integrated Auth Issues... - 18.Jul.2005 12:49:00 PM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
0xC000005E (the Status Code) is "STATUS_NO_LOGON_SERVERS"

What DNS Servers do you have configured on the ISA Server's External and Internal interfaces?

(in reply to Cov)
Post #: 5
RE: Strange Integrated Auth Issues... - 18.Jul.2005 1:24:00 PM   
Cov

 

Posts: 22
Joined: 18.Jul.2005
From: UK
Status: offline
Internal DNS - 192.168.76.8 (Local DNS Server)
212.135.1.36 (ISP DNS)
195.40.1.36 (ISP DNS)

External DNS - No DNS configured.

I checked up on that error code earlier, and changed the MaxPacketSize for Kerberos to force it to use TCP instead of UDP.

I'm running in that config now and it has worked for an hour, but it is after work hours so there is hardly any load on the auth process...

We will see [Big Grin]

(in reply to Cov)
Post #: 6
RE: Strange Integrated Auth Issues... - 18.Jul.2005 1:30:00 PM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
The problem isn't Kerberos - it's your DNS configuration. Remove any reference to external DNS Servers on your ISA Server and this will be resolved.

Have your internal DNS Server use Root Hints or Forwarders to resolve external names (don't forget the access rule on ISA to allow DNS from the DNS Server to External).

(in reply to Cov)
Post #: 7
RE: Strange Integrated Auth Issues... - 18.Jul.2005 1:32:00 PM   
Cov

 

Posts: 22
Joined: 18.Jul.2005
From: UK
Status: offline
Thanks for the info!

Just out of interest, I copied the network card config directly from my old ISA server, which worked correctly like this; any idea why it would change in 2004?

I'll give it a try now though, thanks [Big Grin]

(in reply to Cov)
Post #: 8
RE: Strange Integrated Auth Issues... - 18.Jul.2005 1:39:00 PM   
Cov

 

Posts: 22
Joined: 18.Jul.2005
From: UK
Status: offline
Right, I have removed the entries and it appears the DNS was already set up to use root hints, so I will see how this works now.

Cheers [Big Grin]

(in reply to Cov)
Post #: 9
RE: Strange Integrated Auth Issues... - 18.Jul.2005 3:26:00 PM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
It depends on how you had ISA set up for Access Rules on your old install. I would say you were just living on borrowed time on your ISA 2000 install. This is the way that I've always configured ISA and is the way Tom suggests as well.

The problem is the DNS Client service of Windows which ISA utilizes in addition to its own cache.

The DNS Client service will prioritize DNS Servers based on the response time and number of responses it receives for queries. So in your scenario, your Internal DNS Server was being used initially, but after a period of time, the ISA Server would send queries for external names to your ISP's DNS Servers and get a quicker response. The DNS Client service would move that server to the top of the DNS list but at the same time, this would cause queries for your Internal AD DNS namespace to fail.

(in reply to Cov)
Post #: 10
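Added here as an example, not code from the thread or from ISA Server: a PowerShell check for the failure mode ClintD describes, which flags any non-internal DNS server on any adapter, confirms each configured server can answer the AD domain-controller locator query, and counts recent logon failures carrying the 0xC000005E status from the original post. Assumed: Windows PowerShell 5.1 on a domain-joined host new enough to have Get-DnsClientServerAddress and Resolve-DnsName (the Server 2003 box in the thread does not have them), and `$InternalDns` is a placeholder for your own AD DNS servers.

```powershell
# Added example (not from the thread): audit a domain member's DNS client
# configuration for the "external DNS on the ISA adapter" misconfiguration.
# Assumes Windows PowerShell 5.1 on a domain-joined Windows 8 / Server 2012+
# host; $InternalDns is a placeholder for your AD DNS server(s).

$InternalDns = @('192.168.76.8')                 # placeholder: AD DNS servers only
$Domain      = $env:USERDNSDOMAIN                # AD DNS namespace of this host
$DcLocator   = "_ldap._tcp.dc._msdcs.$Domain"    # SRV record used to find a logon server

$problems = @()

foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
    foreach ($server in $cfg.ServerAddresses) {
        $tag = "$($cfg.InterfaceAlias) -> $server"

        # Rule 1: an ISP/external resolver on any adapter is a misconfiguration,
        # because the DNS Client service may promote it above the internal server.
        if ($InternalDns -notcontains $server) {
            $problems += "$tag is not an internal DNS server"
        }

        # Rule 2: every configured server must answer the DC locator query;
        # one that cannot will eventually yield STATUS_NO_LOGON_SERVERS (0xC000005E).
        try {
            $srv = Resolve-DnsName -Name $DcLocator -Type SRV -Server $server -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
            if (-not $srv) { $problems += "$tag returned no SRV records for $DcLocator" }
        } catch {
            $problems += "$tag cannot resolve $DcLocator ($($_.Exception.Message))"
        }
    }
}

# Symptom check: logon failures in the last hour carrying the status from the thread.
# Event 537 is the pre-Vista ID; on newer hosts the equivalent event is 4625.
$recent = Get-EventLog -LogName Security -After (Get-Date).AddHours(-1) -ErrorAction SilentlyContinue |
          Where-Object { ($_.EventID -in 537, 4625) -and $_.Message -match '0xC000005E' }
if ($recent) { $problems += "$(@($recent).Count) logon failure(s) with 0xC000005E in the last hour" }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "DNS client configuration is consistent with AD on all adapters"
```

Run it elevated (reading the Security log requires administrator rights); a non-zero exit means at least one adapter lists a resolver that cannot locate a domain controller.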
RE: Strange Integrated Auth Issues... - 19.Jul.2005 3:45:00 AM   
Cov

 

Posts: 22
Joined: 18.Jul.2005
From: UK
Status: offline
Thanks for the explanation, that makes more sense now.

It's the start of another day and, fingers crossed, it will keep working.

Thanks for all the help [Big Grin]

(in reply to Cov)
Post #: 11
