Welcome to ISAserver.org

ISA and integrated authentication

All Forums >> [ISA Server 2000 Cache] >> Web Proxy Client >> ISA and integrated authentication
ISA and integrated authentication - 2.Oct.2002 4:08:00 PM   
bkendall

 

Posts: 11
Joined: 10.Sep.2002
From: USA
Status: offline
Here's the scenario:
Windows 2000 AD domain with both Windows 2000 and NT 4 clients.
ISA server in cache configuration only.
We were recently bought by another company and have a T1 directly to them in addition to our T1 internet connection. There are no trusts set up between our forest and theirs. All users here have a separate account in this external forest and need to log in to this other company's web server. It's normal for us to get prompted 2-3 times, but after that the users get prompted from 10.97.201.14, which is the address of the ISA server. They then have to enter their local credentials to get out.
Here is a summary of what they receive--

Enter Network Password
Please type your username and password.
Firewall: 10.97.201.14
Username:
Password:
Domain:

ISA is set up to ask unauthenticated users for credentials on outbound web requests, but only has integrated authentication enabled. I would really like to set it up so that ISA does not even cache this destination, and sends the clients directly to it instead, but I am not sure how to do this. There is no LDT or LAT.
Any clue what's going on here?
Thanks.

[ November 26, 2002, 02:09 PM: Message edited by: bkendall ]
Post #: 1
RE: ISA and integrated authentication - 3.Oct.2002 8:57:00 AM   
Sutton

 

Posts: 53
Joined: 12.Dec.2001
From: Sydney, New South Wales, Australia
Status: offline
Hi,

You may not be able to get past the multiple authentication prompts until a trust exists. However, you can avoid caching a web site using a routing rule. Create a destination set for the domain or URL you wish NOT to cache. Create a routing rule and use the destination set you created. Specify that you do not wish to cache the web site.

HTH

Regards,

Nathan.

(in reply to bkendall)
Post #: 2
RE: ISA and integrated authentication - 7.Oct.2002 2:38:00 PM   
bkendall

 

Posts: 11
Joined: 10.Sep.2002
From: USA
Status: offline
I'm not concerned about the remote web site prompting for credentials; that's normal and the users have come to expect it. What I don't understand is why ISA is prompting the users for credentials when it is only set up for integrated authentication.
Thanks for the tip on routing and caching.

(in reply to bkendall)
Post #: 3
RE: ISA and integrated authentication - 9.Oct.2002 12:33:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi B,

Is the Web site configured for Direct Access, or is the ISA Server proxying the request from internal network clients to internal network servers?

Thanks!
Tom

(in reply to bkendall)
Post #: 4
RE: ISA and integrated authentication - 9.Oct.2002 2:46:00 PM   
bkendall

 

Posts: 11
Joined: 10.Sep.2002
From: USA
Status: offline
quote:
Originally posted by tshinder:
Hi B,

Is the Web site configured for Direct Access, or is the ISA Server proxying the request from internal network clients to internal network servers?

Thanks!
Tom

I have the site in a destination set and a routing rule that does not cache the route, but I'm not sure how to configure the clients to access the destination set directly. That's really what I want them to do...

(in reply to bkendall)
Post #: 5
RE: ISA and integrated authentication - 11.Oct.2002 3:43:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi B,

Check out one of the recent articles over at www.isaserver.org/shinder. I think it was the article on automating the Firewall client, where I talk about Direct Access and how it works.

HTH,
Tom

(in reply to bkendall)
Post #: 6
RE: ISA and integrated authentication - 21.Oct.2002 10:02:00 PM   
bkendall

 

Posts: 11
Joined: 10.Sep.2002
From: USA
Status: offline
I looked through your articles and didn't see what you're referring to. The server is cache-only and the suits don't want to use it as a firewall at all.
I should be able to get IE to download the configuration script, though, and have the clients directly access specified sites that way, right?

(in reply to bkendall)
Post #: 7
RE: ISA and integrated authentication - 22.Oct.2002 6:28:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi B,

Check out my second article on automating the Firewall client for details on Direct Access configuration for Web Proxy clients.

HTH,
Tom

(in reply to bkendall)
Post #: 8
RE: ISA and integrated authentication - 19.Nov.2002 4:42:00 PM   
bkendall

 

Posts: 11
Joined: 10.Sep.2002
From: USA
Status: offline
I have figured out what my problem is. The web-proxy clients must be configured to use the configuration script in order to access certain servers or domains directly. When you enter the script into the client's browser configuration, you must enter the info in the format of http://[servername] instead of http://[serverIP]. When you enter the info with the IP address instead of the servername, you are immediately prompted for credentials every time you open IE.
Thanks for the help.

(in reply to bkendall)
Post #: 9
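
Added example, not part of the thread and not ISA Server's own generated script: a hand-written configuration script of the kind post #9 describes, sending listed hosts directly and everything else to the proxy, plus a check for the IP-versus-name pitfall reported in that post. The host names, the proxy name `isa01`, port 8080 and the `/proxy.pac` path are constructed placeholders.

```javascript
// Constructed values (assumptions): replace with your own proxy name and destinations.
var PROXY = "PROXY isa01:8080";                  // proxy referenced by name, not by IP
var DIRECT_HOSTS = ["partner-web.example.com"];  // exact hosts clients reach directly
var DIRECT_SUFFIXES = [".partner.example.com"];  // whole domains clients reach directly

// Suffix test written with plain string operations so it runs in any PAC engine.
function endsWith(s, suffix) {
  return s.length >= suffix.length &&
         s.substring(s.length - suffix.length) === suffix;
}

// Standard PAC entry point: the browser calls this for every request.
function FindProxyForURL(url, host) {
  var h = host.toLowerCase();
  var i;
  for (i = 0; i < DIRECT_HOSTS.length; i++) {
    if (h === DIRECT_HOSTS[i]) return "DIRECT";
  }
  for (i = 0; i < DIRECT_SUFFIXES.length; i++) {
    // The leading dot in the suffix stops look-alike names from matching.
    if (endsWith(h, DIRECT_SUFFIXES[i])) return "DIRECT";
  }
  return PROXY;
}

// True when a "host[:port]" string is a dotted IPv4 literal.
function hostIsIpLiteral(hostport) {
  var host = hostport.split(":")[0];
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Audit helper: flags a configuration script URL addressed by IP,
// the form that post #9 reports as triggering credential prompts.
function scriptUrlUsesIp(url) {
  var m = /^https?:\/\/([^\/]+)/i.exec(url);
  return m !== null && hostIsIpLiteral(m[1]);
}
```
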
RE: ISA and integrated authentication - 20.Nov.2002 4:39:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi B,

That's interesting, because I use the IP address at home (although I always use the name at customer sites) and never have an authentication prompt. Are you forcing authentication at the Outgoing Web Requests listener?

Thanks!
Tom

(in reply to bkendall)
Post #: 10
RE: ISA and integrated authentication - 25.Nov.2002 4:44:00 PM   
bkendall

 

Posts: 11
Joined: 10.Sep.2002
From: USA
Status: offline
quote:
Originally posted by tshinder:
Hi B,

That's interesting, because I use the IP address at home (although I always use the name at customer sites) and never have an authentication prompt. Are you forcing authentication at the Outgoing Web Requests listener?

Thanks!
Tom

Yes, I'm forcing authentication because we need to track access by individual user accounts. Only integrated authentication is selected, which is what strikes me as funny since it's prompting the users.

(in reply to bkendall)
Post #: 11
RE: ISA and integrated authentication - 25.Nov.2002 5:52:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi B,

I've found a bug with the setting for forcing authentication. I don't use that setting, because of the same problems that you've noticed. The best solution is to remove all anonymous access rules; then you will get user names in the logs and not have the authentication prompts appear randomly.

HTH,
Tom

(in reply to bkendall)
Post #: 12
RE: ISA and integrated authentication - 4.Dec.2002 7:19:00 PM   
bkendall

 

Posts: 11
Joined: 10.Sep.2002
From: USA
Status: offline
I disabled anonymous access and the same thing is happening, but in a slightly different way... here's what I've turned up:

We're using SuperScout to block the destination set "Advertisements". When users go to a web site (happened every time with www.unitedairlines.com), you can see the page load and you're immediately prompted for credentials. Only integrated authentication is allowed at this point. Whether you type in your credentials or hit cancel, you're prompted immediately again. This occurs over and over and you're eventually returned a 407 PROXY AUTHENTICATION REQUIRED error page. After much digging on the Knowledgebase I turned up article 297324. It refers to a hotfix that you have to contact Microsoft to obtain (naturally) and lists the date/time/version of the hotfixed w3proxy.exe. The version that I have installed is a later version than the hotfix, so I moved on. The article next instructs you to run regedit and navigate to hkey_local_machine\system\currentcontrolset\services\w3proxy\parameters and to add a new value. The value is:
"Value Name: ReturnDeniedIfAuthenticated
Data Type: Reg_Dword
Radix: Hex
Value Data: 1"

I did this and restarted the server. Now when clients access web sites with ads, they only see a red box with an x where the ad should be instead of being prompted for credentials.
Hopefully this will help you guys if you run into the same problem I've been having.

(in reply to bkendall)
Post #: 13
RE: ISA and integrated authentication - 7.Dec.2002 7:29:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi B,

Yes! Q297324 is one of the more popular fixes.

Thanks!
Tom

(in reply to bkendall)
Post #: 14
