Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Why am I getting an authentication prompt?

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Cache] >> Web Proxy client >> Why am I getting an authentication prompt? Page: [1]
Login
Message << Older Topic   Newer Topic >>
Why am I getting an authentication prompt? - 14.Aug.2005 10:27:00 AM   
hutchingsp

 

Posts: 23
Joined: 10.Feb.2002
Status: offline 		OK so I swapped out our ISA server today from 2000 to a new 2004 box.

Everything seems OK barring a few niggles that I need to iron out.

We want to allow Internet access in two ways:

A Machine has access regardless of who is logged on.
A User has access regardless of where they are logged on.

If I have a rule that allows access from a bunch of IPs to "external" for "All Users" it works.

If I have a rule that allows access from "internal" to "external" with the condition "Internet_Group" it doesn't work.

I have auto discovery information enabled and setup in DHCP, and it seems that when you try to go to a website where you would expect the user to have access and not the machine, Internet Explorer prompts for authentication, and if you authenticate it appears to work.

I have a feeling I'm missing something obvious but I'm not quite sure what - any pointers would be appreciated.

cheers,
Paul
Post #: 1
RE: Why am I getting an authentication prompt? - 14.Aug.2005 3:23:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline 		Hi Paul,

a good starting point:
- http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.html
- http://www.isaserver.org/articles/ISA2004_AccessRules.html

HTH,
Stefaan

(in reply to hutchingsp)
Post #: 2
RE: Why am I getting an authentication prompt? - 14.Aug.2005 3:29:00 PM   
hutchingsp

 

Posts: 23
Joined: 10.Feb.2002
Status: offline
quote:
Originally posted by spouseele:
Hi Paul,

a good starting point:
- http://www.isaserver.org/articles/ISA2004_ClientAutoConfig.html
- http://www.isaserver.org/articles/ISA2004_AccessRules.html

HTH,
Stefaan
Thanks, I have already looked over both of those. Everything that I see makes me thing this should be working, WPAD and auto-discovery entries are setup correctly AFAICT and clients seem to autodetect the ISA correctly it just seems that Internet Explorer will not authenticate to the ISA server.

I noticed that if I look at what is being logged by ISA, the username is always showing as "anonymous".

Everything works just fine so long as I specify machines/networks that are allowed out, the problem seems to only affect rules where I try to specify a group that should have access.

Paul

(in reply to hutchingsp)
Post #: 3
RE: Why am I getting an authentication prompt? - 14.Aug.2005 4:01:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline 		Hi Paul,

can you post some ISA log examples? Just make sure you include the fields 'Result Code', 'Error Information' and 'Filter Information' in the log view.

HTH,
Stefaan

(in reply to hutchingsp)
Post #: 4
RE: Why am I getting an authentication prompt? - 14.Aug.2005 4:15:00 PM   
hutchingsp

 

Posts: 23
Joined: 10.Feb.2002
Status: offline
quote:
Originally posted by spouseele:
Hi Paul,

can you post some ISA log examples? Just make sure you include the fields 'Result Code', 'Error Information' and 'Filter Information' in the log view.

HTH,
Stefaan
OK I've just noticed something interesting. I had a rule before my Allow Access By User rule that said

Deny Internal to External for Condition All Users and Content Type Audio/Video.

If I disable that rule, my allow by user rule works?!?

I could post some logs tomorrow, it's been a long day and right now I'm knackered :-)

Thanks,
Paul

(in reply to hutchingsp)
Post #: 5
RE: Why am I getting an authentication prompt? - 14.Aug.2005 4:29:00 PM   
hutchingsp

 

Posts: 23
Joined: 10.Feb.2002
Status: offline 		Nah something is not happy. Now if I try and access the web from a machine whose IP has Internet access that doesn't work, it "denies" on the "Allow by Username" rule rather than (as I would expect) going on to read the next rule that would allow access?

For now I'll stick in an "allow internal to external for everyone" rule but I really don't understand what ISA is doing when it interprets these rules - I'm sure I'm not doing anything particularly complicated.

Paul

(in reply to hutchingsp)
Post #: 6
RE: Why am I getting an authentication prompt? - 14.Aug.2005 4:43:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline 		Hi Paul,

you should definitely reread my article about access rules again! [Wink]

quote:
When you configure access rules that apply to users and the user can not authenticate themselves for any reason, then the request will be denied by the rule requiring authentication, even if it is an allow rule. This situation can arise if you forget to enable at least one authentication mechanism on the Web Proxy listener. By the same token, ISA server will deny any request from a SecureNET client, not being a VPN client at that moment, when hitting a rule requiring user authentication.
HTH,
Stefaan

(in reply to hutchingsp)
Post #: 7
RE: Why am I getting an authentication prompt? - 15.Aug.2005 1:57:00 PM   
hutchingsp

 

Posts: 23
Joined: 10.Feb.2002
Status: offline
quote:
Originally posted by spouseele:
[QB]Hi Paul,

you should definitely reread my article about access rules again! [Wink]
Hi, I thought I'd get back to you after the suggestions yesterday. I followed the suggestions in your article, I've not really changed any rule content, but I did change the order as per the article and things now seem to be ticking nicely.

One thing I did notice is that if I have a "block" rule for "internal to external for all users and content is audio/video" before any allow rules (the idea being to block streaming media and music/video download) everything seems to break and users get denied, disable that rule and it all works.

I need to do some digging on the best way to achieve this, but for now the main thing is that access is being controlled in the two methods I want.

Thanks again,
Paul

(in reply to hutchingsp)
Post #: 8
RE: Why am I getting an authentication prompt? - 15.Aug.2005 3:50:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline 		Hi Paul,

good to hear my article was useful for you! [Smile]

Regarding the block rule, I've just tested a simular situation and it works as one would expect. Here are the details:
- Rule #1: block all content type 'images' from Internal to External for all Users and All outbound traffic (might as well be HTTP).
- Rule #2: allow all content from Internal to External for All authenticated users and All outbound traffic.

Go to http://www.microsoft.com and you should clearly see that only the images are blocked.

HTH,
Stefaan

(in reply to hutchingsp)
Post #: 9

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Cache] >> Web Proxy client >> Why am I getting an authentication prompt? Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts