Wow...at this writing, there are more hits on this thread than any other in this section by a factor of 2. Guess there are a lot of lurkers bumping up against this!
And lurkers and posters alike may now have a solution...
I've only tested this on one problem machine, so my sample size is admittedly tiny. But after installing all the relevant updates released to WSUS today (13 Feb 2007)--and my bet is that it's KB928090, "MSO7-016: Cumulative security update for Internet Explorer"--IE7 was able to authenticate against the ISA server with "Enable Windows Integrated Authentication" turned on! It was a machine that, moments before the patch install, was unable to authenticate. If I have time, I'm going to check again tomorrow after WSUS has pushed this update to more computers. Cross your fingers, folks. I also don't know if the problem is solved by making Kerberos work reliably, or "solved" by dropping back to NTLM. Will take a look at some IE headers too if I have a chance. But I note with great interest that http://support.microsoft.com/default.aspx?scid=kb;EN-US;321728 was revised on 8 February, and it now says that IE7 DOES authenticate to proxies with Kerberos. This gives me hope that it now also RELIABLY authenticates with Kerberos. Would be interested in reading if anyone else sees what I'm seeing.
I've not yet approved this update, but once I have and it's made its way to a few of the machines that were causing issues previously, I'll turn Integrated Auth back on in GP and see if it remains solved!
I have a similar problem, but the IE7 security update did not fix my problem. We recently setup a new ISA 2004 proxy server to replace the old one, and using GPO we pushed the server name change to almost all computers. A few computers have an issue receiving the new GP, so to make sure they are going to the correct server, we changed the dns record of the old ISA server to the address of the new one. Now all computers, regardless of which proxy server address they have, go to the new server. However, now on the computers with IE7 that are using the old ISA server address, the users are prompted for authentication. Like others, removing the "Enable Integrated Windows Authentication" fixed the prompting for authentication problem. But do any of you guys know what would cause the authentication error only on IE7 that is being redirected using DNS? If IE7 has the address of the new server, it works fine. Any ideas?
Interesting. A similar problem has arisen recently in my environment. Except that I haven't rolled out IE7 into production environment just yet (we have a custom LOB web-app that's not compatible yet).
Some (about 5 out of 250) domain member computers are experiencing difficulties logging onto proxy (a basic authentication window pops up), and that problem is of come-and-go type - appears and disappears for no apparent reason.
Also, clients can't authenticate to proxy using basic authentication - even if such domain account exists and the credentials are input correctly (tested on non-domain computers only, tho). According to ISA webproxy logs, the client computer doesn't even try to authenticate, all it does is bang the server with unsuccessful anonymous attempts.
What's even more curious - on one of the computers the integrated authentication works when it's assigned its IP address by DHCP, and it doesn't work when the same address is given out statically.
There is only one (deny) rule in the ISA list that requires authentication, and both integrated and basic authentication are enabled for Internal, the 'require all users to authenticate' is off.
this has driven some of our users insane here.Can someone please help with how to group policy the change,I can't find anyway to send it to all our workstations in AD,is there a script or something I anm Missing to apply this globaly to our Domain please
This setting is not settable through Group Policy as furnished by Microsoft. One of my earlier posts in this thread shows the registry setting that is required. 3 relatively easy choices:
Create your own ADM file to set the setting.
Create a .reg script that you run during the logon script.
Install DesktopStandard Registry Extension (free download, and now a Microsoft product) on all your clients (installable via GPO), and use that to set the setting so I could back it out easily when/if Microsoft decides to fix the problem.
Since I already had Registry Extension available to me, I used option 3. That will also allow me to easily reverse the change when/if Microsoft decides to fix this mess.
Wonder if anyone knows if ISA 2004 SP3 fixes it? I notice the KB says there are proxy authentication fixes...not clear on whether it applies to us.
thanks am looking into option 3 now. I installed sp3 this morning and have had one user complain since then so I guess its not fixed yet,unless it was somehow saved in his old user profile on that client, i have found that enablenegotiate reg key under HKLM/Software,,,,as well as HKCU ,,,and again after loading the default user profile hive from the workstation.I was concerned that I would have to massage that default profile which is a right pain for 200 + machines.
> unless it was somehow saved in his old user profile on that client
If it was fixed, the user could use Windows Integrated Authentication. So if the problem is still occurring, it definitely isn't fixed, independent of user profile. (And it may be an IE7 issue, not an ISA issue...at that's what I'm inferring from MS PSS's somewhat cryptic comments on the subject). Thanks for the info.
After disabling the Integrated Auth reg key globaly for the domain it has fixed all clients authentication problems we were having except it has introduced a new one. Some news sites (not all)that have video footage etc loaded in flash players wont load the movie clip.Youtube etc still work perfectly but our local country version of Yahoo doesn't.All videos just don't play and the isalogs show failed due to being unathenticated, I am using webproxy and firewall client but its not passing auth through.turning the integrated back on I get a popup authentication box for realm.isaserver.blah blah this then enables the video to play. I don't understand why these sites are using kerberos but turning integrated off isn't the complete answer.Msoft need to sort this mess ASAP please
the problem still exist with many ie7 update no news about the problem ? , i have the same problem , many pc with ie7 and an isa server 2006 and prompt some times but after a restart or with integrated auth turn off works well
Speaking for myself, I haven't tried it in a while with my XP notebook. I probably should take it in and give it a try.
I did try it with my new Vista notebook. It doesn't have the problem...same user account, same ISA server, same domain. It's the only Vista machine in use on the domain, though, so I don't have enough data to know if it always works with Vista, or just happens to work with this particular Vista computer.
I have been having this problem sporadically for 6 months. It started with one user, and after trying many different things, it finally cleared up. I assumed it was one of the changes I made to the Network Settings on ISA or the IE settings I tweaked in GP. Then I found out that around the time I fixed the problem for that user another user started having the problem. I did some more tweaking and his problem went away. Then another cropped up and finally another.
It seems to impact users and not desktops. The same user will have the problem even if we blow out their profile and re-image their desktop. Yet, we can give them a new user object and it doesn't happen or we can login and it doesn't happen.
Any chance that ISA is caching credentials on it's end?
I will say that disabling Integrated authentication has resolved the issue for the two users that were experiencing the problem today.
As far as disabling Integrated Authentication, thatís the only way I have found to get around the issue. IE 7 does cache the password when you are prompted for authentication and saved by placing a check mark in the remember my password box. The credentials are stored in the users local profile under Documents and Settings\Application Data\Microsoft\Credentials\<SID>\Credentials. You should be careful what credentials you use because the cached credentials will be what is authenticated to the ISA; not the users logon credentials.
David Melvin Ohio MCSE: Security 2003, MCSA:Security 2003