Welcome to ISAserver.org


Web client authentication Question

Web client authentication Question - 8.Nov.2007 11:34:17 AM
manning

 

Posts: 97
Joined: 9.Oct.2006
Status: offline
I'm sure, based on my other posts, that these are really dumb questions: 

I have been given the task of setting up a website (specifically SharePoint, but I don't know that is a relevant issue here) for vendors and the customer for one of our projects to use. I am currently in the testing phase. Anyway, I have the test site up, and I have published it and I can access it, sort of. Basically, I set the rule to use SSL bridging, FBA and granted the domain\administrator and a webserver\testuser rights to the site.

Here is what happens and what I don't understand:

When I connect to the website I get the ISA form and can enter the domain\administrator credentials and it starts to load the page, then a basic authentication logon screen pops up. I then enter the credentials into the basic authentication screen and it takes me to the site. Why is the basic authentication screen popping up? Did I miss something in setting up the bridging maybe?

Second, if I attempt to logon as the webserver\testuser, who is only a member of the local computer not the internal domain, authentication fails. I guess this makes sense as ISA has no idea who the user is, but is there a way around this? I don't want to have to add the vendors and customer contacts who might need to access the site as members of my private domain. I guess if I have to then so be it, but I would really rather not.

Thanks in advance

_____________________________

Manning

Please bear with me, I am incredibly distracted by a dozen other things.

ISA 2006 standard on Server 2k3 R2
Post #: 1
RE: Web client authentication Question - 8.Nov.2007 1:08:14 PM
IanC

 

Posts: 239
Joined: 11.Jul.2007
From: UK
Status: offline
The second login box is likely to be from the Web server itself. For seamless authentication, on the Authentication Delegation tab for the rule, set the authentication method to match that configured on the web site, i.e.:

Basic = Basic

NTLM or Negotiate = Integrated

Ian Currie

_____________________________

Ian Currie

http://www.curriecomputing.com

Approved supplier - nAppliance(UK)
http://www.apdh64.dsl.pipex.com/currie/products.html
ISA Server 2006 SP1 3-day workshop
http://www.apdh64.dsl.pipex.com/currie/learning.html

(in reply to manning)
Post #: 2
RE: Web client authentication Question - 8.Nov.2007 1:45:49 PM
manning

 

Posts: 97
Joined: 9.Oct.2006
Status: offline
Ah, that makes sense. That worked, thanks for the suggestion.

Now to the problem of granting access to users who aren't members of my domain. I still can't log on using an account that belongs to the webserver and isn't a domain user account. Obviously the ISA server doesn't recognize that user and won't allow access. I want to avoid having to create domain user accounts for the customer and vendors who need to access the website if possible. I have to imagine this is doable; I am just not sure where to start. I tried setting 'No delegation but client may authenticate directly' but that didn't seem to help.

EDIT 1

Let me ask the question a different way.

My web server and ISA server are both on the same private domain. The public website I have published, a SharePoint site in this case, requires authentication. Should clients who are defined as users only on the web server be able to access the site or do they have to be defined as members of my domain?

On prior simple websites that I had configured using SSL, people who were only defined as users on the web server could authenticate to the site. On this SharePoint site I can't get any client that is not defined as a user on my domain to authenticate. One thing I have not tried is not using FBA. I have FBA set up right now because the customer does not want users to be able to select the option to remember the password as available in basic authentication.

EDIT 2

OK, maybe a different way: Do I have to use Basic Authentication or something to allow non-domain users to access the SharePoint site?  

< Message edited by manning -- 12.Nov.2007 4:14:37 PM >



(in reply to IanC)
Post #: 3
RE: Web client authentication Question - 12.Nov.2007 5:26:22 PM
manning

 

Posts: 97
Joined: 9.Oct.2006
Status: offline
Sorry to keep bugging about this. I am pretty perplexed by this. I still cannot log onto the SharePoint site as webserver\testuser, neither from inside nor outside the ISA protected network. However, I can log on as webserver\administrator from either location and as domain\administrator. I don't understand. When I attempt to log on as webserver\testuser the logon appears to fail, at least according to the result on the authentication form page.

When I look at the event viewer on the web server I see 'Success' events in the Security log for my attempts to log into the site as the webserver\testuser. I also do not see blocked connections in either the web proxy or firewall logs on the ISA Server. But, in the web logs on the web server for that virtual directory I have noticed that when I attempt to log on as the webserver\testuser the cs-username is anonymous and not testuser. Obviously since I don't want to allow anonymous connections (right?) the connection is blocked. So what is going on here? What am I missing?

From the webserver itself I can log onto the SharePoint site as webserver\testuser.


< Message edited by manning -- 13.Nov.2007 9:39:29 AM >



(in reply to manning)
Post #: 4
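
The web-log check described in the post above (requests reaching the published site with an anonymous cs-username), as an added example that is not part of the original thread. It assumes IIS W3C extended logs with a `#Fields:` directive, where an empty cs-username is written as `-`; the sample log lines are constructed and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (not taken from the thread).
# c-ip is assumed to be the ISA server's internal address.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2007-11-12 22:10:01 10.0.0.2 - GET /default.aspx 401
2007-11-12 22:10:01 10.0.0.2 DOMAIN\\administrator GET /default.aspx 200
2007-11-12 22:15:40 10.0.0.2 - GET /default.aspx 401
2007-11-12 22:15:41 10.0.0.2 - GET /default.aspx 401
2007-11-12 22:15:43 10.0.0.2 - GET /default.aspx 401
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))


def anonymous_failures(text, min_run=2):
    """Return {(c-ip, uri): n} for trailing runs of n anonymous 401 responses.

    A single anonymous 401 followed by a request carrying a user name is the
    normal challenge/response handshake, so the run is reset when credentials
    arrive. A run that never resets means no credentials reached the site.
    """
    runs = defaultdict(int)
    for req in parse_w3c(text):
        key = (req["c-ip"], req["cs-uri-stem"])
        if req["cs-username"] != "-":
            runs[key] = 0
        elif req["sc-status"] == "401":
            runs[key] += 1
    return {key: n for key, n in runs.items() if n >= min_run}


if __name__ == "__main__":
    for (ip, uri), n in anonymous_failures(SAMPLE_LOG).items():
        print(f"{ip} {uri}: {n} anonymous 401s with no credentials delivered")
```

A non-empty result for the published path points at the hop in front of the web server rather than at the site's own permissions, since no user name reached IIS at all.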
It works now - 13.Nov.2007 2:31:24 PM   
manning

 

Posts: 97
Joined: 9.Oct.2006
Status: offline
This probably should have been easy for anybody else to figure out. Anyway, it works now, though I don't know if I used the correct solution.

I noticed today that in the event viewer on the ISA server there were failure entries in the security log. I hadn't noticed them before, but probably because they get scrolled down off the first few pages pretty quickly. The failures were for the testuser account. So I looked at my publishing rule listener for the SharePoint site again and still couldn't see what was holding things up. Then I noticed that on the Users tab only Authenticated Users were allowed. Duh! That is what was keeping ISA from passing the logon to the web server; users on the web server aren't seen as authenticated users on the domain.

I checked and made sure only users defined as having access to the site can actually access. At least that works.


(in reply to manning)
Post #: 5
