ISA 2004 and Security Templates (Full Version)

All Forums >> [ISA Server 2004 General ] >> General



Message

haz87 -> ISA 2004 and Security Templates (13.Jul.2005 6:47:00 AM)

We have a w2k3 environment, with ISA2004 std ed with SP1 installed. The clients are XP and W2k professional.

The ISA server has the following security templates applied in order via GPO.

Enterprise Client û Member Server Baseline.inf
ISA Server 2004 Member Server Incremental.inf

When ISA is configured to require authentication, with integrated and basic authentication ticked, web proxy clients can browse successfully from XP machines using IE6+, however W2k clients with IE6+ are prompted for credentials 3 times and then denied access, even though the credentials supplied are correct.

If the GPO is disabled so the security templates are not applied to the ISA Server, then the W2k web proxy clients are authenticated and can browse successfully. I have attempted amending the more obvious Security Options section settings applied via Group Policy (see below) but with no joy. The clients are configured in a similar fashion.

Domain member: Digitally encrypt or sign secure channel data (always) û Disabled
Domain member: Digitally encrypt secure channel data (when possible) û Enabled Domain member: Require strong (Windows 2000 or later) session key û Enabled
Microsoft network client: Digitally sign communications (always) û Disabled
Microsoft network client: Digitally sign communications (if server agrees) û Enabled
Microsoft network server: Digitally sign communications (always) - Enabled
Microsoft network server: Digitally sign communications (if client agrees) û Enabled
Network security: LAN Manager Authentication level - Allow NTLMv2 LM & NTLMNetwork security: LDAP client signing requirements - Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Tried disabling/enabling all settings:
-Require message integrity
-Require message confidentiality
-Require NTLM V2 session security
-Require 128bit encryption
System cryptography: Force strong key protection for user keys stored on the computer - User is prompted when the key is first used.
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing -Disabled

Any idea what needs to be changed with in the template to allow w2k web proxy clients to be authenticated successfully?



tshinder -> RE: ISA 2004 and Security Templates (13.Jul.2005 7:16:00 AM)

Hi Haz,
What happens when you remove the "ask unauthenticated users to auth" setting on the ISA firewall and you remove the basic authetnication option?

Thanks!
Tom



haz87 -> RE: ISA 2004 and Security Templates (13.Jul.2005 1:57:00 PM)

With "Require all users to authenticate" unticked, users can browse fine, however I am using SurfControl to log user browsing activity, and require usernames rather than IP addresses to be logged.

If basic is unticked then browsing fails straight away. I am waiting for the customer to repeat the test to obtain the exact error, which I shall post once I have it.

Additional info I neglected to include initially:

Forest Functional Level: Windows 2000
Domain Functional Level: Windows 2000 native

Domain Controller GPO settings for Security Options are compatable with those given in the original post.

HTH
Harry



haz87 -> RE: ISA 2004 and Security Templates (14.Jul.2005 10:29:00 AM)

Update... When Basic auth is unticked, leaving only integrated auth, the user is still prompted for authentication, before this fails and the error message is 407 no authentication is displayed.

Rgds
Harry



haz87 -> RE: ISA 2004 and Security Templates (31.Jul.2005 5:45:00 AM)

Issue fixed by creating a template for the win2k clients with the following settings.

MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,537395248
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,537395248
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,4

The NTLMMinClientSec setting was the one that got it working. Although the setting or lack of them was identical on XP and win2k clients, why the XP clients worked and the W2k didn't I don't know, but as soon as I explicitly configured the setting, win2k clients could proxy OK.



danahallenbeck -> RE: ISA 2004 and Security Templates (1.Aug.2005 10:57:00 AM)

Another possible solution:

- check Basic Authentication
- check Integrated Authentication (if server is part of the same domain as the users or is able to resolve names to AD from a different domain)
- Uncheck 'Require all users to authenticate'
- In your ISA policies allow authenticated users only for client access.

I use SurfControl as well and this configuration resolves usernames fine. Plus it will allow you to create rules for anonymous access (All Users) if you need to.

Dana Hallenbeck



Page: [1]