Posts: 12
Joined: 2.Mar.2005
From: UK
Status: offline
We have a w2k3 environment, with ISA2004 std ed with SP1 installed. The clients are XP and W2k professional.
The ISA server has the following security templates applied in order via GPO.
Enterprise Client - Member Server Baseline.inf
ISA Server 2004 Member Server Incremental.inf
When ISA is configured to require authentication, with integrated and basic authentication ticked, web proxy clients can browse successfully from XP machines using IE6+, however W2k clients with IE6+ are prompted for credentials 3 times and then denied access, even though the credentials supplied are correct.
If the GPO is disabled so the security templates are not applied to the ISA Server, then the W2k web proxy clients are authenticated and can browse successfully. I have attempted amending the more obvious Security Options section settings applied via Group Policy (see below) but with no joy. The clients are configured in a similar fashion.
- Domain member: Digitally encrypt or sign secure channel data (always) - Disabled
- Domain member: Digitally encrypt secure channel data (when possible) - Enabled
- Domain member: Require strong (Windows 2000 or later) session key - Enabled
- Microsoft network client: Digitally sign communications (always) - Disabled
- Microsoft network client: Digitally sign communications (if server agrees) - Enabled
- Microsoft network server: Digitally sign communications (always) - Enabled
- Microsoft network server: Digitally sign communications (if client agrees) - Enabled
- Network security: LAN Manager Authentication level - Allow NTLMv2 LM & NTLM
- Network security: LDAP client signing requirements - Negotiate signing
- Network security: Minimum session security for NTLM SSP based (including secure RPC) clients - tried disabling/enabling all settings:
  - Require message integrity
  - Require message confidentiality
  - Require NTLM V2 session security
  - Require 128bit encryption
- System cryptography: Force strong key protection for user keys stored on the computer - User is prompted when the key is first used.
- System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing - Disabled
Any idea what needs to be changed within the template to allow W2k web proxy clients to be authenticated successfully?
Hi Haz, what happens when you remove the "ask unauthenticated users to auth" setting on the ISA firewall and you remove the basic authentication option?
With "Require all users to authenticate" unticked, users can browse fine, however I am using SurfControl to log user browsing activity, and require usernames rather than IP addresses to be logged.
If basic is unticked then browsing fails straight away. I am waiting for the customer to repeat the test to obtain the exact error, which I shall post once I have it.
Additional info I neglected to include initially:
Forest Functional Level: Windows 2000
Domain Functional Level: Windows 2000 native
Domain Controller GPO settings for Security Options are compatible with those given in the original post.
Update... When Basic auth is unticked, leaving only integrated auth, the user is still prompted for authentication before this fails, and the error message "407 no authentication" is displayed.
The NTLMMinClientSec setting was the one that got it working. Although the settings, or lack of them, were identical on XP and Win2k clients, why the XP clients worked and the W2k ones didn't I don't know, but as soon as I explicitly configured the setting, Win2k clients could proxy OK.
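The following script is an added example, not code from the thread or from ISA Server. It audits the registry values that the Security Options listed in the first post write (so you can see at a glance which ones the template left undefined, which is the "MISSING" case that bit the W2k clients here), decodes the NTLMMinClientSec bitmask into the four GPO checkboxes, and can define NTLMMinClientSec explicitly the way the poster did. It assumes Windows PowerShell 2.0 or later on the ISA host, run elevated; the policy-to-registry mappings and bit values are the documented ones for Windows Server 2003. The "Expected" column holds the values the post reports; the LM level and LDAP signing entries are report-only because the post's wording for those does not map unambiguously to a single number.

```powershell
# Added example (not from the thread): audit the registry values behind the
# Security Options the original post lists, decode NTLMMinClientSec, and
# optionally define it explicitly. Assumes Windows PowerShell 2.0+ on the
# ISA host, run elevated.

$Lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$WksSvc   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$SrvSvc   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Ldap     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
$Crypto   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography'

# Bits of NTLMMinClientSec / NTLMMinServerSec, one per policy checkbox.
$NtlmSecFlags = @{
    'Require message integrity'       = 0x00000010
    'Require message confidentiality' = 0x00000020
    'Require NTLMv2 session security' = 0x00080000
    'Require 128-bit encryption'      = 0x20000000
}

# Expected = value the original post reports (1 = Enabled, 0 = Disabled).
# $null = report only.
$Checks = @(
  @{ Policy='Domain member: encrypt or sign secure channel (always)';  Path=$Netlogon; Name='RequireSignOrSeal';        Expected=0 },
  @{ Policy='Domain member: encrypt secure channel (when possible)';   Path=$Netlogon; Name='SealSecureChannel';        Expected=1 },
  @{ Policy='Domain member: require strong session key';              Path=$Netlogon; Name='RequireStrongKey';         Expected=1 },
  @{ Policy='Network client: sign communications (always)';           Path=$WksSvc;   Name='RequireSecuritySignature'; Expected=0 },
  @{ Policy='Network client: sign communications (if server agrees)'; Path=$WksSvc;   Name='EnableSecuritySignature';  Expected=1 },
  @{ Policy='Network server: sign communications (always)';           Path=$SrvSvc;   Name='RequireSecuritySignature'; Expected=1 },
  @{ Policy='Network server: sign communications (if client agrees)'; Path=$SrvSvc;   Name='EnableSecuritySignature';  Expected=1 },
  @{ Policy='LAN Manager authentication level (0-5)';                 Path=$Lsa;      Name='LmCompatibilityLevel';     Expected=$null },
  @{ Policy='LDAP client signing (0=none,1=negotiate,2=require)';     Path=$Ldap;     Name='LDAPClientIntegrity';      Expected=$null },
  @{ Policy='Force strong key protection (1=prompt on first use)';    Path=$Crypto;   Name='ForceKeyProtection';       Expected=1 },
  @{ Policy='Minimum session security for NTLM SSP clients';          Path=$Msv;      Name='NTLMMinClientSec';         Expected=$null },
  @{ Policy='Minimum session security for NTLM SSP servers';          Path=$Msv;      Name='NTLMMinServerSec';         Expected=$null }
)

function Get-RegDword([string]$Path, [string]$Name) {
    # $null means the value is absent, i.e. the policy is "Not Defined".
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [int]$item.$Name
}

function ConvertFrom-NtlmMinSec([int]$Value) {
    # Expand the bitmask into the checkbox names shown in the GPO editor.
    $set = @()
    foreach ($flag in $NtlmSecFlags.GetEnumerator()) {
        if (($Value -band $flag.Value) -ne 0) { $set += $flag.Key }
    }
    if ($set.Count -eq 0) { return 'No requirements' }
    return (($set | Sort-Object) -join ', ')
}

function Test-SecurityOptions {
    # One row per policy: current value, decoded meaning, and whether it
    # matches what the post reported. 'MISSING' is the interesting case:
    # the template left the value undefined on this host.
    foreach ($c in $Checks) {
        $v = Get-RegDword $c.Path $c.Name
        $decoded = $v
        if ($v -ne $null -and $c.Name -like 'NTLMMin*Sec') { $decoded = ConvertFrom-NtlmMinSec $v }
        $status = 'OK'
        if ($v -eq $null) { $status = 'MISSING' }
        elseif ($c.Expected -ne $null -and $v -ne $c.Expected) { $status = 'DIFFERS' }
        New-Object PSObject -Property @{
            Policy = $c.Policy; Value = $v; Decoded = $decoded
            Expected = $c.Expected; Status = $status
        }
    }
}

function Set-NtlmMinClientSec([string[]]$Require = @()) {
    # Explicitly define NTLMMinClientSec (the poster's fix). With no -Require
    # names the value is written as 0: defined, but with no requirements.
    # If the setting is also carried by a GPO, the GPO wins at next refresh,
    # so the lasting fix belongs in the security template / GPO itself.
    $mask = 0
    foreach ($r in $Require) {
        if (-not $NtlmSecFlags.ContainsKey($r)) { throw "Unknown flag: $r" }
        $mask = $mask -bor $NtlmSecFlags[$r]
    }
    if (-not (Test-Path $Msv)) { New-Item -Path $Msv -Force | Out-Null }
    Set-ItemProperty -Path $Msv -Name 'NTLMMinClientSec' -Value $mask -Type DWord
    return $mask
}

# Usage: audit first, then define the value explicitly if it shows MISSING.
Test-SecurityOptions | Format-Table Policy, Value, Decoded, Expected, Status -AutoSize
# Set-NtlmMinClientSec -Require 'Require NTLMv2 session security', 'Require 128-bit encryption'
```

Run the audit on both an XP client and a W2k client as well as on the ISA box: a value that is defined on one and MISSING on the other is the kind of difference that explains why one side negotiates NTLM session security and the other fails with 407.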
- Check Basic Authentication
- Check Integrated Authentication (if the server is part of the same domain as the users or is able to resolve names to AD from a different domain)
- Uncheck 'Require all users to authenticate'
- In your ISA policies allow authenticated users only for client access.
I use SurfControl as well and this configuration resolves usernames fine. Plus it will allow you to create rules for anonymous access (All Users) if you need to.