Web server authentication
Web server authentication - 13.Jul.2006 5:13:11 PM
mjgraves@tisecurity.
Posts: 41
Joined: 19.Jun.2006
Status: offline
I am testing a new web app that we want to publish using ISA 2006. This same ISA will be used for a new SharePoint deployment, hence 2006, which seems to have more features for SharePoint. The web server I am presently trying to publish has nothing to do with SP. Here is the scenario:
1. ISA will publish web listener on DMZ (NIC1)
2. ISA will be on internal network and member of domain on NIC2.
3. This web server should only be accessible to authorized users, so I want ISA to authenticate users against AD
4. I am assuming I should use forms authentication?
5. (now I get confused) The web developer is asking me how he should set up his app (ASP.NET/IIS 6.0) to receive proof of authentication.
6. I have read the ISA Server 2006 authentication details http://www.microsoft.com/technet/prodtechnol/isa/2006/authentication.mspx but am not sure of what to tell the developer that he will receive from ISA after ISA authenticates the user against AD.
Thanks!
_____________________________
Mark
RE: Web server authentication - 17.Jul.2006 4:01:52 PM
mjgraves@tisecurity.
Posts: 41
Joined: 19.Jun.2006
Status: offline
Tom,
Thanks for the response, and I am receiving much help from your ISA Server 2004 book. From what I am finding on the Microsoft web site it appears I should have ISA server use Kerberos/NTLM and pass the ticket to the published server after authentication against AD. The web server and AD are all running Server 2003. Any input is appreciated.
Thanks, Mark
RE: Web server authentication - 18.Jul.2006 3:15:12 PM
mjgraves@tisecurity.
Posts: 41
Joined: 19.Jun.2006
Status: offline
Tom,
In reviewing our internal requirements again, we still need to keep the internal server as forms authentication to properly serve some of our user base. Therefore I think I need the following:
- ISA server performs forms authentication to external internet users and authenticates against AD
- ISA server delegates this to published server, which brings up some questions
- Is this possible? I see it described for OWA, but not sure about IIS. I need help here.
- From what I see in the ISA 2006 authentication docs http://www.microsoft.com/technet/prodtechnol/isa/2006/authentication.mspx the published server would also authenticate against AD when it receives user credentials from ISA server.
I hope I am explaining the problem clearly. Basically I want the same web server to be accessible using forms authentication to internal and external users. I want ISA to force external users to authenticate using forms.
Thank you for your help, Mark
RE: Web server authentication - 18.Jul.2006 3:37:13 PM
tshinder
Posts: 47668
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mark,
- ISA server performs forms authentication to external internet users and authenticates against AD
TOM: OK, but you need to know what type of delegation you want the ISA firewall to use: Basic? Integrated? NTLM? Kerberos?
- ISA server delegates this to published server, which brings up some questions
- Is this possible? I see it described for OWA, but not sure about IIS. I need help here.
TOM: Yes, this is a new feature with the 2006 ISA firewall
- From what I see in the ISA 2006 authentication docs http://www.microsoft.com/technet/prodtechnol/isa/2006/authentication.mspx the published server would also authenticate against AD when it receives user credentials from ISA server.
TOM: That's correct, that's how delegation of credentials works when the ISA firewall pre-authenticates the user.
I hope I am explaining the problem clearly. Basically I want the same web server to be accessible using forms authentication to internal and external users. I want ISA to force external users to authenticate using forms
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Web server authentication - 18.Jul.2006 8:54:25 PM
mjgraves@tisecurity.
Posts: 41
Joined: 19.Jun.2006
Status: offline
Thanks. Your question thankfully exposes part of my confusion. If the published internal web server is running forms authentication, can I still have ISA server use Integrated to delegate to it? If not, I guess I can use basic with SSL turned on? This is what I am unclear on. I am willing to set up ISA server for what can be secure with the internal web server still using forms. I understand basic can be helped with SSL between ISA and internal web server. Thanks.
RE: Web server authentication - 19.Jul.2006 5:27:30 PM
tshinder
Posts: 47668
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi MJ, If the internal server must use FBA, then the ISA firewall can't also use FBA, and it won't delegate to an FBA site, so the ISA firewall must not pre-authenticate the user, which is not an optimal security config. HTH, Tom
RE: Web server authentication - 28.Aug.2006 5:08:57 PM
mjgraves@tisecurity.
Posts: 41
Joined: 19.Jun.2006
Status: offline
Tom, I have a need for non-authenticated Internet users to get to part of my SharePoint that is being designed for public access. I have tested non-authentication and authentication rules for ISA to publish anon and non-anon IIS instances on the inside network. What do you recommend to allow public internet access to anon SharePoint sites that are part of the domain?
_____________________________
Mark
RE: Web server authentication - 5.Sep.2006 8:49:25 PM
mjgraves@tisecurity.
Posts: 41
Joined: 19.Jun.2006
Status: offline
Thanks. From what I have read ISA server 2006 will provide application level protection even in the non-authenticated mode. I am concerned about public non-authenticated users accessing the internal SharePoint (anonymous portions) web server. I am relying on ISA server 2006 to allow this in a secure fashion. Your thoughts? Thanks.