
Welcome to ISAserver.org


ISA 2004 and Security Templates

ISA 2004 and Security Templates - 13.Jul.2005 6:47:00 AM   
haz87
Posts: 12
Joined: 2.Mar.2005
From: UK
Status: offline
We have a w2k3 environment, with ISA2004 std ed with SP1 installed. The clients are XP and W2k professional.

The ISA server has the following security templates applied in order via GPO.

Enterprise Client Member Server Baseline.inf
ISA Server 2004 Member Server Incremental.inf

When ISA is configured to require authentication, with integrated and basic authentication ticked, web proxy clients can browse successfully from XP machines using IE6+, however W2k clients with IE6+ are prompted for credentials 3 times and then denied access, even though the credentials supplied are correct.

If the GPO is disabled so the security templates are not applied to the ISA Server, then the W2k web proxy clients are authenticated and can browse successfully. I have attempted amending the more obvious Security Options section settings applied via Group Policy (see below) but with no joy. The clients are configured in a similar fashion.

Domain member: Digitally encrypt or sign secure channel data (always) Disabled
Domain member: Digitally encrypt secure channel data (when possible) Enabled
Domain member: Require strong (Windows 2000 or later) session key Enabled
Microsoft network client: Digitally sign communications (always) Disabled
Microsoft network client: Digitally sign communications (if server agrees) Enabled
Microsoft network server: Digitally sign communications (always) - Enabled
Microsoft network server: Digitally sign communications (if client agrees) Enabled
Network security: LAN Manager Authentication level - Allow NTLMv2 LM & NTLM
Network security: LDAP client signing requirements - Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Tried disabling/enabling all settings:
-Require message integrity
-Require message confidentiality
-Require NTLM V2 session security
-Require 128bit encryption
System cryptography: Force strong key protection for user keys stored on the computer - User is prompted when the key is first used.
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing -Disabled

Any idea what needs to be changed within the template to allow w2k web proxy clients to be authenticated successfully?
Post #: 1
RE: ISA 2004 and Security Templates - 13.Jul.2005 7:16:00 AM   
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Haz,
What happens when you remove the "ask unauthenticated users to auth" setting on the ISA firewall and you remove the basic authentication option?

Thanks!
Tom

(in reply to haz87)
Post #: 2
RE: ISA 2004 and Security Templates - 13.Jul.2005 1:57:00 PM   
haz87
Posts: 12
Joined: 2.Mar.2005
From: UK
Status: offline
With "Require all users to authenticate" unticked, users can browse fine, however I am using SurfControl to log user browsing activity, and require usernames rather than IP addresses to be logged.

If basic is unticked then browsing fails straight away. I am waiting for the customer to repeat the test to obtain the exact error, which I shall post once I have it.

Additional info I neglected to include initially:

Forest Functional Level: Windows 2000
Domain Functional Level: Windows 2000 native

Domain Controller GPO settings for Security Options are compatible with those given in the original post.

HTH
Harry

(in reply to haz87)
Post #: 3
RE: ISA 2004 and Security Templates - 14.Jul.2005 10:29:00 AM   
haz87
Posts: 12
Joined: 2.Mar.2005
From: UK
Status: offline
Update... When Basic auth is unticked, leaving only integrated auth, the user is still prompted for authentication before this fails, and the error message "407 no authentication" is displayed.

Rgds
Harry

(in reply to haz87)
Post #: 4
RE: ISA 2004 and Security Templates - 31.Jul.2005 5:45:00 AM   
haz87
Posts: 12
Joined: 2.Mar.2005
From: UK
Status: offline
Issue fixed by creating a template for the win2k clients with the following settings.

MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,537395248
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,537395248
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,4

The NTLMMinClientSec setting was the one that got it working. Although the setting or lack of them was identical on XP and win2k clients, why the XP clients worked and the W2k didn't I don't know, but as soon as I explicitly configured the setting, win2k clients could proxy OK.

(in reply to haz87)
Post #: 5
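The three template lines in the post above are security-template `[Registry Values]` entries of the form `path=type,value`, where type 4 is REG_DWORD. The value 537395248 is 0x20080030, which is exactly the four "Minimum session security for NTLM SSP" options the original post listed (message integrity, message confidentiality, NTLMv2 session security, 128-bit encryption), and LmCompatibilityLevel 4 is "Send NTLMv2 response only, refuse LM". The following Python script is an added example, not code from the thread or from ISA Server: it parses such an .inf fragment (the sample template text is constructed from the values quoted in the post) and decodes the NTLM settings into their documented meanings, so an administrator can review what a template will enforce before it is pushed out by GPO.

```python
"""Decode the NTLM-related [Registry Values] entries of a Windows security
template (.inf).  Added example; SAMPLE_INF is constructed from the values
quoted in the forum post, and the flag / level names are the documented
meanings of the MSV1_0 NTLMMinClientSec / NTLMMinServerSec bits and of
LmCompatibilityLevel."""
import re

# Bits of NTLMMinClientSec / NTLMMinServerSec (REG_DWORD).
NTLM_MIN_SEC_FLAGS = {
    0x00000010: "Require message integrity",
    0x00000020: "Require message confidentiality",
    0x00080000: "Require NTLMv2 session security",
    0x20000000: "Require 128-bit encryption",
}

# Values of LmCompatibilityLevel.
LM_COMPAT_LEVELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only, refuse LM",
    5: "Send NTLMv2 response only, refuse LM & NTLM",
}

# Registry type codes used in the template format.
REG_TYPES = {1: "REG_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}

# Constructed sample template carrying the three lines from the post.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,537395248
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,537395248
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,4
"""

LINE_RE = re.compile(r"^(?P<path>MACHINE\\[^=]+)=(?P<type>\d+),(?P<value>.*)$")


def parse_registry_values(inf_text):
    """Return {value name: (full path, type code, raw value)} for the
    [Registry Values] section; other sections are skipped."""
    entries = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[registry values]"
            continue
        if not in_section:
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue  # ignore lines that are not path=type,value
        path = m.group("path")
        name = path.rsplit("\\", 1)[1]
        entries[name] = (path, int(m.group("type")), m.group("value"))
    return entries


def decode_ntlm_min_sec(value):
    """List the session-security requirements encoded in a DWORD bitmask."""
    mask = int(value)
    return [desc for bit, desc in sorted(NTLM_MIN_SEC_FLAGS.items()) if mask & bit]


def unknown_bits(value):
    """Bits set in the mask that are not documented flags (0 when clean)."""
    known = 0
    for bit in NTLM_MIN_SEC_FLAGS:
        known |= bit
    return int(value) & ~known


def describe_lm_level(value):
    return LM_COMPAT_LEVELS.get(int(value), "unknown level %s" % value)


def summarize(inf_text):
    """Map each recognised NTLM value name to a human-readable description."""
    out = {}
    for name, (_path, rtype, value) in parse_registry_values(inf_text).items():
        prefix = "%s %s: " % (REG_TYPES.get(rtype, "type %d" % rtype), value)
        if name in ("NTLMMinClientSec", "NTLMMinServerSec"):
            desc = ", ".join(decode_ntlm_min_sec(value)) or "no requirements"
            if unknown_bits(value):
                desc += " (plus undocumented bits 0x%08X)" % unknown_bits(value)
        elif name == "LmCompatibilityLevel":
            desc = describe_lm_level(value)
        else:
            desc = "not an NTLM setting"
        out[name] = prefix + desc
    return out


if __name__ == "__main__":
    for name, desc in summarize(SAMPLE_INF).items():
        print("%-22s %s" % (name, desc))
```

Run it as-is to see the three settings decoded; to review a real template, pass the contents of the .inf file to `summarize()` instead of `SAMPLE_INF`. Note that the client-side mask (NTLMMinClientSec) is what the Windows 2000 proxy clients needed set explicitly in the post above; decoding both masks side by side makes a mismatch between what the ISA server requires and what the clients offer easy to spot.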
RE: ISA 2004 and Security Templates - 1.Aug.2005 10:57:00 AM   
danahallenbeck
Posts: 27
Joined: 24.Jan.2003
Status: offline
Another possible solution:

- check Basic Authentication
- check Integrated Authentication (if server is part of the same domain as the users or is able to resolve names to AD from a different domain)
- Uncheck 'Require all users to authenticate'
- In your ISA policies allow authenticated users only for client access.

I use SurfControl as well and this configuration resolves usernames fine. Plus it will allow you to create rules for anonymous access (All Users) if you need to.

Dana Hallenbeck

(in reply to haz87)
Post #: 6
