ISA Authentication Issues - 25.Mar.2005 2:51:00 PM
We have an ISA 2004 Standard SP1 server running on Windows Server 2003 Standard. We plan to use it as a web proxy server for bandwidth management and content monitoring, nothing else.
I'm using Integrated Authentication and requiring users to authenticate, but I've noticed that users frequently are prompted for their username and password. Isn't this the point of Integrated Authentication?
How can I make this prompt disappear? Moreover, if that is impossible, how can I set the default domain? I know Basic Authentication has an option to set default domain, but Integrated Authentication has no such option. The domain defaults to the IP address of the ISA Server, so clients would have to authenticate as "Domain\User" or "User@Domain" which is well beyond their capacity.
From: OK, USA
Is the ISA server a member of the domain? For Integrated to work best, ensure that it is. Seems like you are seeing the prompt because Integrated is failing and Basic authentication is being attempted.
The default Domain setting is for Basic Auth; Integrated will pass the logged-on user's credentials. But if ISA can verify Integrated fails, hence the domain\username which = BASIC.
RE: ISA Authentication Issues - 25.Mar.2005 4:41:00 PM
I think I've narrowed down the problem a bit. When I install the Firewall Client, I keep getting an error of "unable to authenticate" and a red X on the FWClient icon in the taskbar. The only way I can get FWClient to work is to set my firewall access policies to "All Users" and turn off the option, "Require all users to authenticate."
If I change the access rules to "Authenticated Users," the problem crops up again. It would appear the clients don't want to authenticate to the ISA box.
It should be noted that both the ISA server and the clients are in the same domain (single domain forest) and have no firewalls between them. I have verified that my ISA box is properly authenticating *itself* to the domain.
If I leave the access policies as "All Users" and don't set the authentication requirement flag, ISA is useless because the logs won't show user names.
From: OK, USA
Verify domain connectivity for the ISA server with NLtest or netdom. netdiag might not be a bad one to run as well. Since this is ISA 2004 I am also recommending you verify the rule set that allows the ISA server to communicate with the DCs and check your logs for more info on the requests.
We have three ISA Servers running an Array with a load balancer in front and it sounds like you are having the same problem that I had.
When having users authenticate, depending on which ISA Server they hit it would prompt them for their credentials. It would prompt them on 2 out of the three servers and it did not make any sense.
After banging my head for several hours, we finally found a white paper which fixed our problem. The problem was with the CrashOnAuditFail within the registry. The article states ISA 2000 but we are running ISA 2004 with 2003 servers and it fixed our problem, see below for link.
Within the registry, the server that worked by passing through the authentication was set to 1 for "CrashOnAuditFail"; however, the other 2 servers had the "CrashOnAuditFail" set to 2 and they prompted the user for a username and password. After changing them to 1 and rebooting the servers, the users were no longer prompted for a username and password.
Hope this helps.
[ March 25, 2005, 09:09 PM: Message edited by: K. Turner ]
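An added check, not from the thread, for the CrashOnAuditFail value the post above describes: it reads the value (which lives under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) from each array member and flags the value 2, the state Windows sets once the Security log has filled, after which only Administrators can log on and ordinary users fail Integrated authentication. The server names are placeholders.

```powershell
# Added example (not from the thread). Reads CrashOnAuditFail from every
# ISA array member and reports whether that box is in the admin-only state.
# Server names are placeholders; replace them with your own array members.
$servers = @('ISA01', 'ISA02', 'ISA03')
$lsaPath = 'SYSTEM\CurrentControlSet\Control\Lsa'

function Get-CrashOnAuditFailState {
    param([string]$Computer)
    # Remote registry read; needs the Remote Registry service and admin rights.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $lsa   = $hklm.OpenSubKey($lsaPath)
        $value = [int]$lsa.GetValue('CrashOnAuditFail', 0)   # absent value = 0
    } finally {
        $hklm.Close()
    }
    switch ($value) {
        0       { $meaning = 'disabled: a full Security log does not halt the system' }
        1       { $meaning = 'armed: the system halts when the Security log fills' }
        2       { $meaning = 'TRIPPED: log filled; only Administrators can log on, so user auth fails' }
        default { $meaning = "unexpected value $value" }
    }
    [pscustomobject]@{ Computer = $Computer; CrashOnAuditFail = $value; Meaning = $meaning }
}

$results = foreach ($s in $servers) { Get-CrashOnAuditFailState -Computer $s }
$results | Format-Table -AutoSize

# A server at 2 stays locked down until the Security log is cleared or archived,
# the value is set back to 1 (the fix the post describes) and the box is rebooted.
$tripped = @($results | Where-Object { $_.CrashOnAuditFail -eq 2 })
if ($tripped.Count -gt 0) {
    Write-Warning ('Admin-only lockout on: ' + (($tripped | ForEach-Object { $_.Computer }) -join ', '))
}
```

Checking the Security log's size and retention setting on the same servers is the obvious follow-up, since the value only trips when that log fills.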