Posts: 11
Joined: 10.Sep.2002
From: USA
Status: offline
Here's the scenario: Windows 2000 AD domain with both Windows 2000 and NT 4 clients. ISA server in cache configuration only. We were recently bought by another company and have a T1 directly to them in addition to our T1 internet connection. There are no trusts set up between our forest and theirs. All users here have a separate account in this external forest and need to log in to this other company's web server. It's normal for us to get prompted 2-3 times, but after that the users get prompted from 10.97.201.14, which is the address of the ISA server. They then have to enter their local credentials to get out. Here is a summary of what they receive--
Enter Network Password
Please type your username and password.
Firewall: 10.97.201.14
Username:
Password:
Domain:
ISA is set up to ask unauthenticated users for credentials on outbound web requests, but only has integrated authentication enabled. I would really like to set it up so that ISA does not even cache this destination, and sends the clients directly to it instead, but I am not sure how to do this. There is no LDT or LAT. Any clue what's going on here? Thanks.
Posts: 53
Joined: 12.Dec.2001
From: Sydney, New South Wales, Australia
Status: offline
Hi,
You may not be able to get past the multiple authentication prompts until a trust exists. However, you can avoid caching a web site using a routing rule. Create a destination set for the domain or URL you wish NOT to cache. Create a routing rule and use the destination set you created. Specify that you do not wish to cache the web site.
Posts: 11
Joined: 10.Sep.2002
From: USA
Status: offline
I'm not concerned about the remote web site prompting for credentials; that's normal and the users have come to expect it. What I don't understand is why ISA is prompting the users for credentials when it is only set up for integrated authentication. Thanks for the tip on routing and caching.
Posts: 11
Joined: 10.Sep.2002
From: USA
Status: offline
quote:Originally posted by tshinder: Hi B,
Is the Web site configured for Direct Access, or is the ISA Server proxying the request from internal network clients to internal network servers?
Thanks! Tom
I have the site in a destination set and a routing rule that does not cache the route, but I'm not sure how to configure the clients to access the destination set directly. That's really what I want them to do...
Check out one of the recent articles over at www.isaserver.org/shinder. I think it was the article on automating the Firewall client, where I talk about Direct Access and how it works.
Posts: 11
Joined: 10.Sep.2002
From: USA
Status: offline
I looked through your articles and didn't see what you're referring to. The server is cache-only and the suits don't want to use it as a firewall at all. I should be able to get IE to download the configuration script, though, and have the clients directly access specified sites that way, right?
Posts: 11
Joined: 10.Sep.2002
From: USA
Status: offline
I have figured out what my problem is. The web-proxy clients must be configured to use the configuration script in order to access certain servers or domains directly. When you enter the script into the client's browser configuration, you must enter the info in the format of http://[servername] instead of http://[serverIP]. When you enter the info with the IP address instead of the servername, you are immediately prompted for credentials every time you open IE. Thanks for the help.
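The post above says the fix was to have the web-proxy clients load the configuration script so that certain servers are reached directly rather than through ISA. The block below is an added, hand-written proxy auto-configuration (PAC) script illustrating that idea; it is not the script ISA Server generates and is not from the original thread. The partner domain `.partner.example`, the intranet glob, and the ISA listener name and port `isaserver.corp.example:8080` are placeholders. Browsers supply `isPlainHostName`, `dnsDomainIs` and `shExpMatch` as PAC built-ins; minimal stand-ins are defined here so the same file also runs under Node for testing.

```javascript
// Added example PAC script (not ISA Server's auto-generated script).
// Written in ES3-style JavaScript (var, plain for loops) because old IE/JScript
// PAC engines do not understand const or for...of.

// --- Stand-ins for the PAC built-ins so this file runs under Node ---------
// Real browsers provide these; the definitions below mirror their semantics.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;                 // "intranet" vs "www.x.com"
}
function dnsDomainIs(host, domain) {
  var h = host.toLowerCase(), d = domain.toLowerCase();
  return h.length >= d.length && h.slice(h.length - d.length) === d;
}
function shExpMatch(str, shexp) {
  // Translate a shell glob (* and ?) into an anchored, case-insensitive regex.
  var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                      .replace(/\*/g, ".*")
                      .replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}

// --- Site-specific values (assumed placeholders, not from the thread) ------
// Use the listener's NAME here, not its IP: the thread reports that pointing
// clients at the IP produced an authentication prompt on every IE start.
var ISA_PROXY = "PROXY isaserver.corp.example:8080";
// The acquiring company's web server, reached over the private T1.
var DIRECT_DOMAINS = [".partner.example"];
// Any other hosts that should never be proxied, as shell globs.
var DIRECT_GLOBS = ["*.corp.example"];

// --- The function the browser calls for every request ----------------------
function FindProxyForURL(url, host) {
  var i;
  // Plain host names (no dots) are internal; never send them through ISA.
  if (isPlainHostName(host)) {
    return "DIRECT";
  }
  // Partner web server: bypass ISA so its Outgoing Web Requests listener
  // never challenges for credentials and the site is never cached.
  for (i = 0; i < DIRECT_DOMAINS.length; i++) {
    if (dnsDomainIs(host, DIRECT_DOMAINS[i])) {
      return "DIRECT";
    }
  }
  for (i = 0; i < DIRECT_GLOBS.length; i++) {
    if (shExpMatch(host, DIRECT_GLOBS[i])) {
      return "DIRECT";
    }
  }
  // Everything else goes through ISA. Deliberately no "; DIRECT" fallback:
  // with one, a proxy outage would silently bypass the per-user logging the
  // thread's poster relies on.
  return ISA_PROXY;
}
```

The deliberate omission of a `; DIRECT` fallback is the security-relevant choice: a PAC that returns `"PROXY isa:8080; DIRECT"` lets every browser fall back to an unlogged direct connection whenever the listener is unreachable. Point IE at the script by server name (as the poster found), and keep the bypass list to the hosts that genuinely must not traverse the proxy.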
That's interesting, because I use the IP address at home (although I always use the name at customer sites) and never have an authentication prompt. Are you forcing authentication at the Outgoing Web Requests listener?
Posts: 11
Joined: 10.Sep.2002
From: USA
Status: offline
quote:Originally posted by tshinder: Hi B,
That's interesting, because I use the IP address at home (although I always use the name at customer sites) and never have an authentication prompt. Are you forcing authentication at the Outgoing Web Requests listener?
Thanks! Tom
Yes, I'm forcing authentication because we need to track access by individual user accounts. Only integrated authentication is selected, which is what strikes me as funny since it's prompting the users.
I've found a bug with the setting for forcing authentication. I don't use that setting, because of the same problems that you've noticed. The best solution is to remove all anonymous access rules; then you will get user names in the logs and not have the authentication prompts appearing randomly.
Posts: 11
Joined: 10.Sep.2002
From: USA
Status: offline
I disabled anonymous access and the same thing is happening, but in a slightly different way... here's what I've turned up:
We're using SuperScout to block the destination set "Advertisements". When users go to a web site (happened every time with www.unitedairlines.com), you can see the page load and you're immediately prompted for credentials. Only integrated authentication is allowed at this point. Whether you type in your credentials or hit cancel, you're prompted immediately again. This occurs over and over and you're eventually returned a 407 PROXY AUTHENTICATION REQUIRED error page. After much digging on the Knowledge Base I turned up article 297324. It refers to a hotfix that you have to contact Microsoft to obtain (naturally) and lists the date/time/version of the hotfixed w3proxy.exe. The version that I have installed is a later version than the hotfix, so I moved on. The article next instructs you to run regedit and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters and to add a new value. The value is:

Value Name: ReturnDeniedIfAuthenticated
Data Type: REG_DWORD
Radix: Hex
Value Data: 1
I did this and restarted the server. Now when clients access web sites with ads, they only see a red box with an x where the ad should be instead of being prompted for credentials. Hopefully this will help you guys if you run into the same problem I've been having.