I've been researching this issue in my spare time, but as more and more users are migrating to IE7/IE8, this is becoming a larger issue.
Here is why the issue is affecting IE7 and IE8:
"The cause of the problem is that until IE6 the browser doesn't support Kerberos authentication. The server that you want to reach begins the authentication process with a negotiation: Can you handle Kerberos auth? If the answer is yes, they will use that. If the answer is no, it will ask: Can you handle NTLM auth? If the answer is yes, they will use that. Because IE6 can't handle Kerberos it always uses NTLM. (If the answer is no it won't authenticate you.)"
1. Disable Kerberos authentication on the ISA Server, but keep NTLM authentication.
   - With ONLY "Integrated Authentication" selected in the proxy authentication options, the Auth Request Header still contains:
I don't think this is a configurable option in ISA... but I'm waiting to hear from Microsoft.
2. Disable "Integrated Windows Authentication" in IE on the clients.
   - Does this break any other websites in your environment?
   - What happens in the future when an intranet website is introduced that needs Kerberos auth?
3. Figure out why random Kerberos authentication requests fail. i.e. the garbled security logs from the first post in this forum.
< Message edited by ISAadmin11 -- 12.Jan.2010 1:32:24 PM >
I've been checking this thread on and off for many months as we kept getting this issue as well. As of this morning I think we have a solution and I thought I'd share the love.
Thanks; good to know that's available in case we end up needing integrated auth for some other reason.
On the downside, given all the dev work that went into the hotfix--which is just an ISA-side version of the workaround we've been using and not a fix at all--I'd say it's sending a pretty clear signal that Microsoft is not ever going to actually fix this.
Agreed - but as we require integrated auth for several intranet sites here, I'm just glad to have some kind of workaround that doesn't break anything! At the end of the day, isn't that the best we can expect from MS?