Welcome to ISAserver.org
Web proxy Authentication prompt needed
Web proxy Authentication prompt needed - 29.Mar.2005 3:47:00 PM
|
|
|
jerumball
Posts: 52
Joined: 7.May2004
From: Sudbury, ON Canada
Status: offline
|
I am about to roll out the ISA 2004 EE Web Proxy Client functionality to 1500 desktops in our enterprise but I am having a small authentication problem.
Web client authentication is set to integrated as we have a new AD Domain to which all our users belong. Generally speaking, my firewall policies allow http access to the Internet if the logged on user is a member of the Internet domain group... and no authentication prompt is given to the user. This works fine.
However, we have a need to prompt users for their credentials when they try to surf while they are logged on with one of our generic accounts. In our existing ISA 2000 environment, this works fine, but I cannot figure out how to get this to work under ISA 2004 EE.
Any thoughts or suggestions would be most appreciated.
Regards,
John [ March 29, 2005, 04:06 PM: Message edited by: jerumball ]
|
|
|
|
RE: Web proxy Authentication prompt needed - 30.Mar.2005 12:54:00 PM
|
|
|
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hi John,
Make sure you are supporting both integrated and basic auth on the Web listener.
HTH, Tom
|
|
|
|
RE: Web proxy Authentication prompt needed - 30.Mar.2005 3:52:00 PM
|
|
|
jerumball
Posts: 52
Joined: 7.May2004
From: Sudbury, ON Canada
Status: offline
|
Thanks for your reply, Tom. I modified the authentication methods for the web proxy listener for my "Internal" network, and tested this again. Unfortunately, I got the same results... the generic user is flat-out denied access to the sample web site and redirected to a custom "Denied" page I had built, instead of getting prompted to enter domain credentials.
The firewall policy that controls this behaviour is the very last one, immediately before the Enterprise default rule.
Can you think of anything else I should try?
Thanks, as always, for your help.
John [ March 30, 2005, 03:57 PM: Message edited by: jerumball ]
|
|
|
|
RE: Web proxy Authentication prompt needed - 18.Apr.2005 9:58:00 PM
|
|
|
jerumball
Posts: 52
Joined: 7.May2004
From: Sudbury, ON Canada
Status: offline
|
I am still having problems getting this to work as it did under ISA 2000. If anyone has any suggestions, I'd love to hear them! I am down to the wire now, so any help would be appreciated!
Thanks.
John
|
|
|
|
RE: Web proxy Authentication prompt needed - 19.Apr.2005 2:11:00 PM
|
|
|
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
|
This is called ReturnAuthRequiredIfAuthUserDenied in ISA 2004 and can be set with this script.
Link : From MSDN, look on the left, under FpcWeblistenerProperties, for the value ReturnAuthRequiredIfAuthUserDenied
code:
Sub SetNetworkReturnAuthReq(newValue)
    ' Define the constant needed.
    Const fpcInternalNetwork = 4

    ' Declare the other objects needed.
    Dim root          ' The FPCLib.FPC root object
    Dim isaArray      ' An FPCArray object
    Dim networks      ' An FPCNetworks collection
    Dim network       ' An FPCNetwork object
    Dim currentValue  ' A Boolean

    ' Create the root object.
    Set root = CreateObject("FPC.Root")

    ' Get references to the array object
    ' and the networks collection.
    Set isaArray = root.GetContainingArray()
    Set networks = isaArray.NetworkConfiguration.Networks

    ' Set the property for the Internal network if necessary.
    For Each network In networks
        If network.NetworkType = fpcInternalNetwork Then
            currentValue = network.WebListenerProperties.ReturnAuthRequiredIfAuthUserDenied
            WScript.Echo "Current value: " & currentValue
            If newValue <> currentValue Then
                network.WebListenerProperties.ReturnAuthRequiredIfAuthUserDenied = newValue
                WScript.Echo "New value: " & network.WebListenerProperties.ReturnAuthRequiredIfAuthUserDenied
                network.Save
            End If
        End If
    Next
End Sub

' The text as posted only defines the Sub and never calls it, so this call is
' added here. True makes a denied authenticated user get a credential prompt;
' pass False to turn the setting back off.
SetNetworkReturnAuthReq True
[ April 19, 2005, 02:13 PM: Message edited by: ClintD ]
|
|
|
|
RE: Web proxy Authentication prompt needed - 19.Apr.2005 3:29:00 PM
|
|
|
jerumball
Posts: 52
Joined: 7.May2004
From: Sudbury, ON Canada
Status: offline
|
Hi ClintD,
Thanks very much for pointing me at this script. This looks like it's exactly what I need. I do have two questions, however...
1. How do I go about running this script? I have never done this before.
2. Do I run this script on both of my array servers, or is it only required on one since the ISA configs automatically propagate to array members?
Thanks again.
John
|
|
|
|
RE: Web proxy Authentication prompt needed - 19.Apr.2005 7:10:00 PM
|
|
|
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
|
As for the script, just copy the text above into notepad and save it with a VBS extension. Then, just double-click on the VBS file. You won't get any response that it's completed - it's a very basic script.
As for where to run it, you can run it on either node of the array - the script will set the attribute on the Config Storage Server and the other node will pull it down once it refreshes its config.
|
|
|
|
RE: Web proxy Authentication prompt needed - 19.Apr.2005 9:08:00 PM
|
|
|
jerumball
Posts: 52
Joined: 7.May2004
From: Sudbury, ON Canada
Status: offline
|
Hi again Clint,
That script did exactly what I was hoping for! Thanks.
However, I have noticed that now when I get prompted, it happens twice... once for each array member. Is this normal behaviour? Is there any way to have the credentials passed to the second array member automatically?
Regards,
John
|
|
|
|
RE: Web proxy Authentication prompt needed - 20.Apr.2005 2:31:00 PM
|
|
|
jerumball
Posts: 52
Joined: 7.May2004
From: Sudbury, ON Canada
Status: offline
|
I am resolving the ISA array to the virtual IP created on the internal network.
As an example, when I first open IE and then browse to www.google.ca, I get a logon prompt from the first of my two ISA servers (the IP is displayed at the top of the dialog). I am then allowed to use Google for searches, etc. If I click on one of the hyperlinks in the search results, I get another prompt (for some links, not all) but this time from my 2nd ISA server. I guess it is load balancing at this point.
Before I roll this new ISA array out to my 5000 users I would like to see if I can change this behaviour, or else I'm sure our HelpDesk will get bombarded with calls.
Thanks very much.
John
|
|
|
|
RE: Web proxy Authentication prompt needed - 20.Apr.2005 11:17:00 PM
|
|
|
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
|
Did you also enable CARP? It sounds like it from the behavior you describe. Can you disable it if so and see if the scenario changes?
|
|
|
|
RE: Web proxy Authentication prompt needed - 19.May2005 3:28:00 PM
|
|
|
jerumball
Posts: 52
Joined: 7.May2004
From: Sudbury, ON Canada
Status: offline
|
Yes, CARP is enabled.
I could try to disable it, but I am not sure what the overall implications of disabling it would be!? Would all my cached content be stored on only one of my array members? If so, does that then mean this content would not be available to web proxy clients who happen to be using the other array member? Or would there be two individual and separate cache stores, one on each array member?
Thanks in advance.
John
|
|
|
|
RE: Web proxy Authentication prompt needed - 19.May2005 4:16:00 PM
|
|
|
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
|
Yeah - this is going to be a problem with that attribute we set - the ISA Server is just doing what we've told it to do, but the problem is that with CARP, the client will send the request to the other node for a range of websites (this is how the CARP algorithm works).
Unfortunately, the other ISA Server doesn't know about the previous request and the user gets prompted.
|
|
|
|
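The double prompt discussed in the posts above, as an added example that is not part of the original thread and not ISA Server code: a small simulation of hash-based routing across two array members, each of which only knows about credentials presented to itself. The member names, the placeholder hosts, the SHA-256 scoring (a stand-in for the real CARP hash) and the "stay on the first member when CARP is off" behaviour are all assumptions made for illustration.

```python
import hashlib

# Constructed member names for a two-node array; not taken from the thread.
MEMBERS = ["isa-node-1", "isa-node-2"]

def score(member, host):
    """Combined member+host score. SHA-256 is a stand-in for the CARP hash."""
    digest = hashlib.sha256(f"{member}|{host}".encode()).digest()
    return int.from_bytes(digest[:8], "big")

def carp_member(host, members=MEMBERS):
    """Every client computes the same owner for a host: the highest score."""
    return max(members, key=lambda m: score(m, host))

def browse(hosts, carp_enabled=True, members=MEMBERS):
    """Trace one browser session as (host, member, prompted) tuples.

    Assumption: a member prompts the first time this session reaches it,
    because it holds no record of credentials given to the other member.
    With CARP off, the session is assumed to stay on the first member.
    """
    authenticated = set()
    trace = []
    for host in hosts:
        member = carp_member(host, members) if carp_enabled else members[0]
        trace.append((host, member, member not in authenticated))
        authenticated.add(member)
    return trace

def prompt_count(trace):
    """Number of credential prompts the user saw during the session."""
    return sum(1 for _, _, prompted in trace if prompted)

# Constructed session: the site named in the thread plus placeholder hosts.
SESSION = ["www.google.ca", "news.example", "mail.example",
           "docs.example", "www.google.ca", "shop.example"]

if __name__ == "__main__":
    for label, enabled in (("CARP on", True), ("CARP off", False)):
        trace = browse(SESSION, carp_enabled=enabled)
        print(f"{label}: {prompt_count(trace)} prompt(s)")
        for host, member, prompted in trace:
            print(f"  {host:15} -> {member}  {'PROMPT' if prompted else 'ok'}")
```

The prompt count equals the number of distinct members the session touches, so it is bounded by the array size and does not grow with the number of sites visited.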
RE: Web proxy Authentication prompt needed - 16.Jun.2005 10:43:00 AM
|
|
|
jenlee64
Posts: 3
Joined: 1.Jun.2005
From: Lafayette, LA
Status: offline
|
Hi All,
Questions I have on this script. We are looking to do the same thing. But, have a mix of client OSes. Some XP, 2000 and 98.
I see that Microsoft claims requirements are for XP clients only. Can this script work for 2000 and 98 clients as well?
Also, how would you back out of this script if you ran it and it does not work for you?
Thanks -- Jenlee64
|
|
|
|
RE: Web proxy Authentication prompt needed - 27.Jul.2005 3:37:00 PM
|
|
|
Guest
|
Hi all,
I've been reading a lot and trying a lot, to get the exact opposite of what the threadstarter wanted. When a user is not allowed internet access through the proxy, I just want ISA to redirect them to my custom "access denied page" WITHOUT prompting for credentials.
I have tried a lot of things, also the script, but I can't get it to work. Authenticated users work like a charm (integrated authentication with IE), but when a user is not a member of the "Inet access users", then they get a message prompting them for correct credentials.
I HAVE to get rid of this prompt, or I cannot publish ISA to my users.
Please help me ...
Thanks in advance,
Thanis
|
|
|
|