Welcome to ISAserver.org


User Authentication Caching

All Forums >> [ISA Server 2000 General] >> General >> User Authentication Caching Page: [1]
User Authentication Caching - 26.Feb.2004 4:51:00 PM   
Quakedemon

 

Posts: 9
Joined: 26.Feb.2004
From: United Kingdom
Status: offline
I have an ISA server installed as a proxy server; I have over 1000 users. I have enabled outbound user authentication. When I have the authentication enabled - users complain about having to re-authenticate all the time (same s**t, different day!) and the whole internet access slows to a grinding halt. If I remove outbound auth - everything is zippy!

Is there a way I can configure the ISA to cache successful user authentication attempts????
Post #: 1
RE: User Authentication Caching - 26.Feb.2004 6:04:00 PM   
elgordano

 

Posts: 137
Joined: 9.Jul.2003
From: St.Albans
Status: offline
What type of authentication are you using?
Basic? NTLM?

(in reply to Quakedemon)
Post #: 2
RE: User Authentication Caching - 27.Feb.2004 1:29:00 AM   
Quakedemon

 

Posts: 9
Joined: 26.Feb.2004
From: United Kingdom
Status: offline
We are using NTLM, as this conforms to our corporate Internet Usage Policy.

(in reply to Quakedemon)
Post #: 3
RE: User Authentication Caching - 27.Feb.2004 7:01:00 AM   
AHIT

 

Posts: 1561
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline
How have you implemented that authentication?
On user groups or the outbound web-listener?

IMHO, DON'T turn on "ask unauthenticated users..." on the web-listener, as it can cause spurious problems with random prompts for user authentication...

Rely solely on your Site & Content rules (and/or protocol rules) to do it.

(in reply to Quakedemon)
Post #: 4
RE: User Authentication Caching - 27.Feb.2004 9:10:00 AM   
Quakedemon

 

Posts: 9
Joined: 26.Feb.2004
From: United Kingdom
Status: offline
I have set it up to use the "Same listener on all internal ip addresses"

I also have checked the "Ask authenticating users for identification". If I don't enable this then outbound authentication against the DC doesn't happen. If using this causes problems - how do I authenticate outbound connections???? Can I cache authentication requests???

(in reply to Quakedemon)
Post #: 5
RE: User Authentication Caching - 27.Feb.2004 12:29:00 PM   
ptwilliams

 

Posts: 277
Joined: 3.Nov.2003
From: South Wales, UK
Status: offline
I can see what tolk is saying but I have to disagree. Personally I always use the Outgoing Web Requests\Ask unauthenticated users for identification option along with Integrated Authentication Method, when granting web access through Active Directory Groups.

I'm unaware of whether or not credentials can be cached on the ISA box.

How have you set up your protocol and site and content rules?

I would grant HTTP (and HTTPS and FTP) to all IPs for the protocol and then grant users access in the Site and Content Rules.

If you are still being prompted with this setup I would check to make sure that your IE clients are set up to use Integrated Authentication as well (IE\Properties\Advanced\Enable Integrated Windows Authentication).

This setup does require a DC mind...

(in reply to Quakedemon)
Post #: 6
RE: User Authentication Caching - 27.Feb.2004 12:40:00 PM   
Quakedemon

 

Posts: 9
Joined: 26.Feb.2004
From: United Kingdom
Status: offline
We are currently using SurfControl for all URL & Content filtering on the ISA. The ISA is currently allowing ALL through to the Internet and authenticating users to the DC.

The SurfControl module is filtering the URL & Content based on rules and groups (users from the DC are placed in specific groups, based around user requirements/business use).

(in reply to Quakedemon)
Post #: 7
RE: User Authentication Caching - 27.Feb.2004 12:52:00 PM   
ptwilliams

 

Posts: 277
Joined: 3.Nov.2003
From: South Wales, UK
Status: offline
How are you allowing all through ISA? How have you set up your Site & Content and Protocol Rules?

How'd you find SurfControl? I think it's a great product.

(in reply to Quakedemon)
Post #: 8
RE: User Authentication Caching - 27.Feb.2004 1:48:00 PM   
Quakedemon

 

Posts: 9
Joined: 26.Feb.2004
From: United Kingdom
Status: offline
No site or content rules in ISA - we are using it specifically for Proxy & Authentication. SurfControl is doing all the content & site management.

SurfControl is a good product - the interaction between ISA & SurfControl can be a bit temperamental at times. When you speak to SurfControl about it - they say it's ISA. When you speak to Microsoft they say it's SurfControl! [Wink]

(in reply to Quakedemon)
Post #: 9
RE: User Authentication Caching - 27.Feb.2004 2:28:00 PM   
ptwilliams

 

Posts: 277
Joined: 3.Nov.2003
From: South Wales, UK
Status: offline
Ah ha. I don't think that SurfControl can do what you want without access rules on ISA. I may be wrong, but the way I understand it (and implement it) is that you grant Internet access based on a Site and Content Rule (after allowing HTTP via a protocol rule) in ISA and then control specific content filtering, etc. from SurfControl.

So, basically you'll have a Protocol Rule granting IP addresses access to HTTP. A Site and Content Rule granting all content and all sites to a group or number of groups within the AD, and then SurfControl sitting on top stopping people using its own rule set.

Hope this helps,

Paul.

(in reply to Quakedemon)
Post #: 10
RE: User Authentication Caching - 27.Feb.2004 5:31:00 PM   
Quakedemon

 

Posts: 9
Joined: 26.Feb.2004
From: United Kingdom
Status: offline
Paul,

That is how I already have it?! [Razz]

User authentication is really slow - when I disable outbound auth, everything is fine?

(in reply to Quakedemon)
Post #: 11
RE: User Authentication Caching - 28.Feb.2004 12:04:00 PM   
ptwilliams

 

Posts: 277
Joined: 3.Nov.2003
From: South Wales, UK
Status: offline
Hmmm, interesting...

Have a look at these, and see if they can help. If I remember correctly, they go against what I've told you but Dr. Shinder knows best...

http://www.isaserver.org/tutorials/disableanonoutbound.html

http://www.isaserver.org/articles/sitecontentssl.html

Paul.

(in reply to Quakedemon)
Post #: 12
RE: User Authentication Caching - 1.Mar.2004 10:49:00 AM   
Quakedemon

 

Posts: 9
Joined: 26.Feb.2004
From: United Kingdom
Status: offline
Paul,

Thanks for the pointers - will read the articles and post a reply?

(in reply to Quakedemon)
Post #: 13
RE: User Authentication Caching - 4.Mar.2004 9:30:00 AM   
Quakedemon

 

Posts: 9
Joined: 26.Feb.2004
From: United Kingdom
Status: offline
Paul,

I can't see how any of the suggested will solve my problem. Perhaps I don't understand??

(in reply to Quakedemon)
Post #: 14
RE: User Authentication Caching - 4.Mar.2004 10:34:00 AM   
ptwilliams

 

Posts: 277
Joined: 3.Nov.2003
From: South Wales, UK
Status: offline
Quakedemon,

I put those articles in as an alternative to what I've been suggesting. You see, I use the setup I've described to you with no issues whatsoever - never had any either. I see on these message boards, however, lots of people struggling with access issues. So I thought maybe you'd like to see an alternate suggestion. Tolk mentioned earlier that there can be issues; now I've never seen any but obviously others have.

Anyway, I've another question. Are you denying access based on destination sets? I know you're implementing SurfControl but is it possible there are destination sets left over from before SurfControl, or that somebody has put some in there? The reason I ask is because of this KB:

http://support.microsoft.com/?kbid=297324

Also, re. this:

quote:
User authentication is really slow - when I disable outbound auth, everything is fine?

Check your DNS setup if this is the case. Obviously there's more overhead when validating user credentials over simply granting per IP but it shouldn't really be noticeable (unless your DCs are in a different site [Wink] ).

Paul.

(in reply to Quakedemon)
Post #: 15
RE: User Authentication Caching - 5.Mar.2004 3:26:00 PM   
Quakedemon

 

Posts: 9
Joined: 26.Feb.2004
From: United Kingdom
Status: offline
Paul,

OK - I understand that, the DC is on the same site, but just a different part of the network.

Can you explain the authentication process - does it happen in this manner:-

Authentication on session or authentication per page??

If it authenticates per page, does the client re-authenticate to the proxy server and then the proxy checks auth with the DC, or does the client authenticate once and then the proxy re-authenticates with the DC on every page????

Another thing is - we applied the ISA pack, it didn't make any difference in performance. I am unable to make any registry setting changes at this time, as the proxy is sort of work! [Wink]

(in reply to Quakedemon)
Post #: 16
RE: User Authentication Caching - 7.Mar.2004 3:53:00 PM   
ptwilliams

 

Posts: 277
Joined: 3.Nov.2003
From: South Wales, UK
Status: offline
Off the top of my head I'd say per session, but I'm not 100% sure.

But I think it goes like this:

Anonymous request from client
ISA denies anonymous request, and asks for valid credentials
Credentials are passed to ISA
ISA checks these with a DC (using Kerberos v5 if Win2k or higher and NTLM if a down level client)
DC will authenticate or not
If DC ok'd it, you browse; if not, you are prompted for alternate credentials

I would think that this is only done per session. I can't see this happening for every page (or link within a page).

If I'm wrong with this, I'd appreciate it if somebody who knows the answer could correct me... [Big Grin]

Paul.

(in reply to Quakedemon)
Post #: 17
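
Added example, not part of the original thread or any poster's code: the challenge/response exchange sketched in the post above, as it looks in a proxy capture when NTLM is the scheme. NTLM over HTTP authenticates the underlying TCP connection, so the handshake is paid once per connection rather than per page; the capture, the truncated tokens and all function names below are constructed for illustration.

```python
import base64
import struct
from collections import defaultdict

NTLMSSP_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def ntlm_message_type(header_value):
    """Classify a Proxy-Authenticate / Proxy-Authorization header value."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        return None
    if not token:
        return "OFFER"  # bare "NTLM": the proxy advertising the scheme
    raw = base64.b64decode(token)
    if len(raw) < 12 or raw[:8] != NTLMSSP_SIG:
        raise ValueError("not an NTLMSSP token")
    # The message type is a little-endian uint32 right after the signature.
    return NTLM_TYPES.get(struct.unpack_from("<I", raw, 8)[0], "UNKNOWN")

def summarize(exchanges):
    """Per connection: requests sent, 407 replies, completed handshakes, 200s."""
    stats = defaultdict(lambda: {"requests": 0, "407": 0, "handshakes": 0, "200": 0})
    pending = {}  # connection -> True once a type 2 challenge has been issued
    for conn, req_auth, status, resp_auth in exchanges:
        s = stats[conn]
        s["requests"] += 1
        if status == 407:
            s["407"] += 1
            pending[conn] = ntlm_message_type(resp_auth) == "CHALLENGE"
        elif status == 200:
            s["200"] += 1
            if pending.pop(conn, False) and ntlm_message_type(req_auth) == "AUTHENTICATE":
                s["handshakes"] += 1
    return dict(stats)

def fake_token(msg_type):
    """Constructed sample: NTLMSSP signature + type only, not a real token."""
    return "NTLM " + base64.b64encode(NTLMSSP_SIG + struct.pack("<I", msg_type)).decode()

# Constructed capture: (connection, Proxy-Authorization, status, Proxy-Authenticate)
HANDSHAKE = [(None, 407, "NTLM"), (fake_token(1), 407, fake_token(2)), (fake_token(3), 200, None)]
SAMPLE = ([("A",) + step for step in HANDSHAKE] + [("A", None, 200, None)] * 2
          + [("B",) + step for step in HANDSHAKE])

if __name__ == "__main__":
    for conn, s in summarize(SAMPLE).items():
        print(conn, s)
```

In a real capture, a handshake count close to the number of pages served points at connections not being kept alive between client and proxy, which multiplies the round trips to the DC.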
RE: User Authentication Caching - 7.Mar.2004 9:07:00 PM   
ptwilliams

 

Posts: 277
Joined: 3.Nov.2003
From: South Wales, UK
Status: offline
Tom or Stefaan... does the above post seem OK to you guys or am I way off the mark??

(in reply to Quakedemon)
Post #: 18
