haz87 -> ISA 2004 and Security Templates (13.Jul.2005 6:47:00 AM)
We have a w2k3 environment, with ISA2004 std ed with SP1 installed. The clients are XP and W2k professional.
The ISA server has the following security templates applied in order via GPO.
Enterprise Client û Member Server Baseline.inf
ISA Server 2004 Member Server Incremental.inf
When ISA is configured to require authentication, with integrated and basic authentication ticked, web proxy clients can browse successfully from XP machines using IE6+, however W2k clients with IE6+ are prompted for credentials 3 times and then denied access, even though the credentials supplied are correct.
If the GPO is disabled so the security templates are not applied to the ISA Server, then the W2k web proxy clients are authenticated and can browse successfully. I have attempted amending the more obvious Security Options section settings applied via Group Policy (see below) but with no joy. The clients are configured in a similar fashion.
Domain member: Digitally encrypt or sign secure channel data (always) û Disabled
Domain member: Digitally encrypt secure channel data (when possible) û Enabled Domain member: Require strong (Windows 2000 or later) session key û Enabled
Microsoft network client: Digitally sign communications (always) û Disabled
Microsoft network client: Digitally sign communications (if server agrees) û Enabled
Microsoft network server: Digitally sign communications (always) - Enabled
Microsoft network server: Digitally sign communications (if client agrees) û Enabled
Network security: LAN Manager Authentication level - Allow NTLMv2 LM & NTLMNetwork security: LDAP client signing requirements - Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Tried disabling/enabling all settings:
-Require message integrity
-Require message confidentiality
-Require NTLM V2 session security
-Require 128bit encryption
System cryptography: Force strong key protection for user keys stored on the computer - User is prompted when the key is first used.
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing -Disabled
Any idea what needs to be changed with in the template to allow w2k web proxy clients to be authenticated successfully?