Welcome to ISAserver.org

Can't Get Authenticated on ISA 2006

Can't Get Authenticated on ISA 2006 - 13.Nov.2006 10:25:09 AM   
sullivac

Posts: 31
Joined: 29.Jun.2005
From: Boston
Status: offline
Hi -

I have recently upgraded 2 different offices from ISA 2004 Ent. to ISA 2006 Ent.  Each one was and is installed as a separate enterprise, but they connect via site-to-site VPN.  This was not an upgrade per se, as I just installed ISA 2006 and configured everything manually.  Before the "upgrade" everything was working fine, but here is the problem I am experiencing on both arrays/servers:

No users can make a VPN connection to either ISA server.  It gets to the point where authentication is attempted, but responds with "bad user name or password" or something similar.
Also, I have published an Exchange Server on one of the ISA boxes, but only the Exchange Admin can get authenticated.  Interestingly, a different user was able to change their password, which had expired, when prompted by the forms based authentication, but was then not able to access Exchange itself.  The Exchange Server has not been changed since the ISA upgrade and FBA was the method used on the former ISA 2004 installation.
All accounts that are being used are domain accounts from the domain that the ISA servers belong to.  The site-to-site VPN connection DOES work, but I am using local accounts on the ISA boxes to authenticate to each other.

When I check the live logs while a user attempts VPN authentication, I keep seeing denials of ports 1024, 1025 and 1026 from the ISA box to the domain controller.  This seems consistent with the problem, which seems to be that domain users can't get authenticated.

I checked the System Policy and found that the policy for Active Directory is enabled and also for publishing the CRL (both are on by default I believe).  I have disabled Strict RPC Compliance on the Active Directory rule and disabled the RPC filter both at the Enterprise and Array levels.

Has something changed in the way ISA 2006 communicates with AD?  Am I missing something?

Thanks in advance.
Post #: 1
RE: Can't Get Authenticated on ISA 2006 - 15.Nov.2006 3:03:50 PM   
tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Sull,

Are the ISA Firewalls domain members?

How is the ISA Firewall assigning IP addresses to clients?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to sullivac)
Post #: 2
RE: Can't Get Authenticated on ISA 2006 - 15.Nov.2006 4:12:56 PM   
sullivac

Posts: 31
Joined: 29.Jun.2005
From: Boston
Status: offline
Hi Tom -

Yes, each ISA server is a member of the domain where the user accounts live.  (I have posted to a MS newsgroup and they recommended uninstalling ISA after exporting the configuration, removing the server from the domain, then rejoining the domain, reinstalling ISA and importing the configuration.  I want to avoid that for now.)

Addresses are being assigned via a DHCP server.  The DCs, DHCP server and ISA are all on the same subnet in each case.

More info:  When I ran netdiag on one of the ISA servers, it failed the DC List test.  I did the same thing from a different Windows 2003 Server and it passed.  In the earlier post I mentioned the denials on RPC connections to the DC every time a remote user tries to authenticate.  When I go to the allowed users tab of the VPN configuration, it is extremely slow to respond, which I'm sure is because it is referencing domain groups.  At one point I had added 5 domain groups to the list and for some reason 3 of them would only show the SID even though the other 2 showed friendly names, even an hour later (I have since added the Domain Users group).

Note the info regarding the published Exchange Server and the successful site-to-site VPN connection from the last post.  It really seems like an AD authentication problem, but there are a couple of inconsistencies which seem weird, at least to me.

Thanks for the help. 


(in reply to tshinder)
Post #: 3
RE: Can't Get Authenticated on ISA 2006 - 16.Nov.2006 2:39:22 PM   
sullivac

Posts: 31
Joined: 29.Jun.2005
From: Boston
Status: offline
OK.  My mistake due to a misunderstanding of the RPC Filter.

Here is what I said in my original post:
"I have disabled Strict RPC Compliance on the Active Directory rule and disabled the RPC filter both at the Enterprise and Array levels."

That apparently was what CAUSED the problem.  (I'm surprised someone didn't catch that, but I do tend to make long posts.)  I am assuming that the Strict RPC Compliance didn't cause the problem, but rather disabling the RPC Filter.
The reason I had done that is because in the past, the only way I could get a certificate from the CA in the parent domain was to configure the child domain ISA server this way.  When I did these new ISA 2006 installations, I proactively configured ISA in that manner in order to avoid problems (duhhh). 

Obviously, I need to learn more about what the RPC Filter does.  In the case of turning it off to fix the certificate problem, that should have been a temporary configuration I believe.  (Again I need to find out more; I think I may need to keep Strict RPC Compliance off on the child domain so ISA can talk to the parent domain CA.)

Cheers.

(in reply to sullivac)
Post #: 4
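The symptom from the first post (denied connections from the ISA box to the domain controller on ports 1024, 1025 and 1026 every time a user tried to authenticate) and the cause found in post #4 (the RPC filter had been disabled) fit together: a domain client first contacts the RPC endpoint mapper on TCP 135, the DC answers with a dynamic high port, and the stateful RPC filter is what opens that follow-on port. With the filter off, the follow-on connection is dropped and domain authentication fails. The following script is an added example, not from this thread and not an ISA or Microsoft tool: it scans constructed ISA-style log lines (the field layout, addresses and timestamps are all assumptions) and flags denied dynamic-port connections from the firewall's own address to a DC that closely follow an allowed port-135 connection, which is the pattern a disabled RPC filter leaves in the logs.

```python
"""Flag denied RPC follow-on connections from a firewall to its domain controllers.

Constructed example (not the thread's logs or an ISA tool): each log line is
'timestamp,src_ip,dst_ip,dst_port,protocol,action'. The RPC endpoint mapper
listens on TCP 135; the DC then hands the caller a dynamic high port. A
stateful RPC filter opens that port; with the filter disabled the follow-on
connection is denied, which is what breaks domain authentication.
"""
from datetime import datetime, timedelta

EPMAP_PORT = 135
DYNAMIC_PORT_MIN = 1024   # Windows 2003-era RPC dynamic range starts here

# Constructed sample log lines (ISA-like fields, not real captured traffic).
# 10.0.0.1 is the assumed firewall address, 10.0.0.10 the assumed DC.
SAMPLE_LOG = """\
2006-11-13 10:20:01,10.0.0.1,10.0.0.10,135,TCP,Allowed
2006-11-13 10:20:01,10.0.0.1,10.0.0.10,1024,TCP,Denied
2006-11-13 10:20:02,10.0.0.1,10.0.0.10,1025,TCP,Denied
2006-11-13 10:20:02,10.0.0.1,10.0.0.10,1026,TCP,Denied
2006-11-13 10:20:05,10.0.0.1,10.0.0.20,80,TCP,Denied
2006-11-13 10:20:06,10.0.0.55,10.0.0.10,445,TCP,Allowed
2006-11-13 10:25:00,10.0.0.1,10.0.0.10,1027,TCP,Denied
"""


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, src, dst, port, proto, action = line.split(",")
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "src": src, "dst": dst, "port": int(port),
            "proto": proto, "action": action}


def find_rpc_denials(log_text, firewall_ip, dc_ips, window=timedelta(seconds=30)):
    """Return (timestamp, dc_ip, port) for each denied dynamic-port TCP
    connection from the firewall to a DC that follows an allowed endpoint
    mapper (TCP 135) connection to the same DC within `window`."""
    last_epmap = {}   # dc_ip -> time of the last allowed TCP/135 connection
    hits = []
    for raw in log_text.strip().splitlines():
        rec = parse_line(raw)
        # Only traffic originating from the firewall itself towards a DC matters.
        if rec["src"] != firewall_ip or rec["dst"] not in dc_ips or rec["proto"] != "TCP":
            continue
        if rec["port"] == EPMAP_PORT and rec["action"] == "Allowed":
            last_epmap[rec["dst"]] = rec["ts"]
        elif (rec["action"] == "Denied" and rec["port"] >= DYNAMIC_PORT_MIN
              and rec["dst"] in last_epmap
              and rec["ts"] - last_epmap[rec["dst"]] <= window):
            hits.append((rec["ts"], rec["dst"], rec["port"]))
    return hits


if __name__ == "__main__":
    for ts, dc, port in find_rpc_denials(SAMPLE_LOG, "10.0.0.1", {"10.0.0.10"}):
        print(f"{ts} RPC follow-on to {dc}:{port} denied; check the RPC filter")
```

On the constructed sample the script reports the three denials on 1024-1026 that arrive right after the port-135 connection and ignores the later 1027 denial, which is outside the correlation window; a denied high port with no preceding endpoint-mapper hit is more likely an unrelated rule than an RPC filter problem, so the time window keeps the check from flagging every blocked high port.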
RE: Can't Get Authenticated on ISA 2006 - 19.Nov.2006 12:15:01 PM   
tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Sull,

Yes, that is true. You need to disable the RPC filter in order to contact an online CA and also it needs to be disabled to use the Certificates MMC to obtain a certificate from an online CA.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to sullivac)
Post #: 5
RE: Can't Get Authenticated on ISA 2006 - 19.Nov.2006 3:30:09 PM   
sullivac

Posts: 31
Joined: 29.Jun.2005
From: Boston
Status: offline
Thanks Tom.

The one thing that I haven't gotten working on ISA 2006 at this point is L2TP, even though it was working on ISA 2004.  On both the site-to-site VPN and for VPN clients, I have had to revert to PPTP.

When the ISA server and the CA are on the Internal Network and members of the same domain, and the ISA server has already obtained a certificate to use for L2TP, would I need to turn off the RPC Filter?  (For now I just want to concentrate on getting VPN clients to be able to use L2TP to that server.  The clients I am describing are ones that were able to use L2TP before the ISA upgrade.)

(in reply to tshinder)
Post #: 6
RE: Can't Get Authenticated on ISA 2006 - 4.Dec.2006 11:10:21 AM   
tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Sull,

If you already have the machine and CA certificates installed, you don't need to disable the RPC filter.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to sullivac)
Post #: 7
RE: Can't Get Authenticated on ISA 2006 - 4.Dec.2006 11:23:57 AM   
sullivac

Posts: 31
Joined: 29.Jun.2005
From: Boston
Status: offline
Thanks, Tom.
That's what I was looking for.

(in reply to tshinder)
Post #: 8