Web Publishing -- Authentication problems
Web Publishing -- Authentication problems - 23.Oct.2002 6:48:00 PM
Dee757
Posts: 36
Joined: 23.Oct.2002
Status: offline
We are trying to implement an ISA server and publish our intranet as follows:
===Web server with Intranet (W2K, IIS5)====>ISA Standalone (SP1) server (W2K, IIS not installed)===>Internet
The ISA server has 2 NICs - one internal (with a private IP, DNS, WINS and subnet mask assigned), and one external (with 3 public IP addresses assigned, an external gateway IP, two external DNS addresses) and is part of our domain. The ISA inbound listener is set to listen on port 80 and configured individually to listen to one of the public IPs, and basic authentication has been selected with our domain name in the required field.
From the Publishing Rules, here's what it looks like so far:
On the destinations tab, the "selected definition set" is chosen, and the name of the destination set appears in the box as required. The correct IP address for the external NIC also appears. On the action tab, "redirect the request to this internal Web server" shows the correct IP for the correct IIS 5 Web server. The bridging tab defaults remain, and on the applies to tab we have selected the "selecting the users and groups specified below" option.
When the option in the applied to tab is set to "any request", we are able to view the web page properly. Also, when we select the "client address sets specified below" option and specify the IP address of the test laptop we are using from an outside connection, we are able to view the page properly.
The problem comes in when using the "selecting users and groups specified below" option. As soon as we select a user or group, we can no longer access the web page even though the correct credentials are entered in the authentication box. We have tried IE 5.0, IE5.5 and IE6.0 with SP1. We have tried to use a local account as opposed to a domain account. When using the local account, we get a 401 - Unauthorized access error. When using the domain account, we get a 403 - Forbidden error.
The web pages are set on IIS for all domain users to access them using Integrated authentication. This is because we want all employees to be able to access the intranet while they are at work, however, we want to limit access to the web pages from the outside.
Any assistance in helping us with our authentication problem would be greatly appreciated.
Thanks, Dee

RE: Web Publishing -- Authentication problems - 23.Oct.2002 9:57:00 PM
tshinder
Posts: 47668
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Dee,
Two things that will make your life a lot easier:
1. Use basic authentication
2. Use FQDNs, *not* IP addresses, in your Destination Sets
HTH, Tom

RE: Web Publishing -- Authentication problems - 23.Oct.2002 10:09:00 PM
Dee757
Posts: 36
Joined: 23.Oct.2002
Status: offline
Hi Tom.
I've changed the IP's to FQDN's - still have the same problem. Also, we are already using basic authentication on the ISA (integrated authentication on the IIS).
Any other suggestions?
Thanks in advance, Dee

RE: Web Publishing -- Authentication problems - 23.Oct.2002 10:37:00 PM
tshinder
Posts: 47668
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Dee,
Only authenticate at one place. Either the listener or the Web server, it usually doesn't matter which one. Just don't require authentication at both.
HTH, Tom

RE: Web Publishing -- Authentication problems - 23.Oct.2002 10:49:00 PM
Dee757
Posts: 36
Joined: 23.Oct.2002
Status: offline
Hi again Tom,
As I stated earlier, they want the intranet available to everyone while they are at work, however, they want to limit who has access to it from home (the internet). Can ISA not be used for that?
Dee

RE: Web Publishing -- Authentication problems - 24.Oct.2002 5:08:00 PM
Dee757
Posts: 36
Joined: 23.Oct.2002
Status: offline
.

RE: Web Publishing -- Authentication problems - 24.Oct.2002 5:56:00 PM
tshinder
Posts: 47668
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Dee,
In that case, just authenticate the users at the Incoming Web Requests listener.
HTH, Tom

RE: Web Publishing -- Authentication problems - 24.Oct.2002 6:19:00 PM
Dee757
Posts: 36
Joined: 23.Oct.2002
Status: offline
Thanks again Tom, but when I set "Users and groups specified below" for any authentication at all on ISA in the applies to of my web publishing rule, NO ONE can authenticate. I've tried a local user and a domain user and neither works. I get a 403 forbidden error. However, if I set it with "any request" or use the "client address sets specified below" everything works fine.
Any light you can shed would be greatly appreciated.
Dee

RE: Web Publishing -- Authentication problems - 24.Oct.2002 6:32:00 PM
Dee757
Posts: 36
Joined: 23.Oct.2002
Status: offline
Me again Tom :-)
Is there something special I need to do in order for the stand-alone ISA server (joined to the domain) to pass authentication on to the DC? Seems to me that that's where my problem lies... Thanks, Dee

RE: Web Publishing -- Authentication problems - 24.Oct.2002 8:48:00 PM
tshinder
Posts: 47668
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Dee,
Enable Basic Authentication on the Incoming Web Requests listener and enter a default domain.
HTH, Tom

RE: Web Publishing -- Authentication problems - 24.Oct.2002 8:56:00 PM
Dee757
Posts: 36
Joined: 23.Oct.2002
Status: offline
Hi Tom,
Yes, I have tried that, I still get a 403 Forbidden error.
Anything else I can try?
Dee

RE: Web Publishing -- Authentication problems - 25.Oct.2002 1:44:00 AM
tshinder
Posts: 47668
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Dee,
How are users entering their credentials?
Are you testing from an external network client?
Thanks! Tom

RE: Web Publishing -- Authentication problems - 25.Oct.2002 1:55:00 AM
Dee757
Posts: 36
Joined: 23.Oct.2002
Status: offline
Hi Tom,
Yes, I am using a laptop that's connected directly to the internet.
When I receive the authentication (logon) box, I have tried both a domain account and a local account, both with the same result (the 403 forbidden error). If I remove all requirements for authentication from the ISA server, the IIS logon box appears and I am able to enter my account information and get authenticated based on the rules that apply directly from the IIS server. However, this doesn't meet the requirements that we need to limit the external (internet) access to this website.
Thanks so much for your help and response. Any more ideas?
Dee

RE: Web Publishing -- Authentication problems - 25.Oct.2002 3:13:00 AM
tshinder
Posts: 47668
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Dee,
Do you enter the credentials this way:
DOMAIN\username password
Thanks! Tom

RE: Web Publishing -- Authentication problems - 25.Oct.2002 3:22:00 AM
Dee757
Posts: 36
Joined: 23.Oct.2002
Status: offline
Hi Tom,
Yes, I do enter the credentials that way.
Donna

RE: Web Publishing -- Authentication problems - 25.Oct.2002 4:05:00 AM
tshinder
Posts: 47668
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Dee,
How are you forcing authentication at the ISA Server?
Also, make sure that when you're forcing authentication at the ISA Server that you are *not* forcing authentication at the Web server.
HTH, Tom

RE: Web Publishing -- Authentication problems - 25.Oct.2002 2:34:00 PM
Dee757
Posts: 36
Joined: 23.Oct.2002
Status: offline
Hi Tom,
I've tried enforcing it globally, or on the listener, as well as using the "applies to" users and groups option in the web publishing rules.
We need to force authentication at both the ISA and the IIS to meet the requirement that users can view the intranet from within our domain, but limit the external access. Can we not do both? Do we need to limit the authentication at either the IIS or the ISA, but not both?
Thanks again, Dee

RE: Web Publishing -- Authentication problems - 25.Oct.2002 4:47:00 PM
tshinder
Posts: 47668
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Dee,
Yes, I thought I said that earlier, but I'll have to check.
Enforce authentication ONLY at a SINGLE location. Well, if you want to use certificate authentication on the Incoming Web Requests listener, that will work, but if you don't want to use certificate authentication on the Incoming Web Requests listener, then you can force authentication only at one place: the ISA Server OR the Web Server.
HTH, Tom

RE: Web Publishing -- Authentication problems - 25.Oct.2002 5:52:00 PM
Dee757
Posts: 36
Joined: 23.Oct.2002
Status: offline
Thanks Tom,
I get it now: I can only enforce authentication at either the ISA server or the IIS server, but not both.... How can I limit external access to the intranet then? Do I need to publish it twice on IIS with different security to allow for the differences?
Also, another main problem is outstanding: The ISA does NOT authenticate at all when using the "applies to - users and groups" option.... ISA is not able to authenticate at all this way, but can authenticate when client address sets or allowing all. How do I solve this problem to get the ISA server to authenticate?
Thanks, Dee