Welcome to ISAserver.org

RE: Proxy authentication problem

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2004 Cache] >> Web Proxy client >> RE: Proxy authentication problem

Page: << < prev 1 2 [3]

Message

<< Older Topic Newer Topic >>

RE: Proxy authentication problem - 12.Jan.2010 1:31:07 PM

ISAadmin11

Posts: 3
Joined: 31.Aug.2009
Status: offline

I've been researching this issue in my spare time, but as more and more users are migrating to IE7/IE8 so this is becoming a larger issue.

Here is why the issue is affecting IE7 and IE8;

"The cause of the problem is, that unttil IE6 the browser doesn't support kerberos authentication. The server what you want to reach begins the authentication process with a negotiation: Can you handle kerb auth.? If the answer is yes, they will use that. If the answer is no, it will ask: Can you handle NTLM auth.? If the answer is yes, they will use that. Because IE6 can't handle kerberos it always uses NTLM. (If the answer is no it won't authenticate you.)"

http://social.msdn.microsoft.com/Forums/en-IE/iewebdevelopment/thread/9e56fa7c-e0c1-4930-9612-0ad5436ad9f3

Where it stands now, there are 3 options:

1. Disable kerberos authentication on the ISA Server, but keep NTLM authentication.
-With ONLY "Integrated Authentication" selected in the proxy authentication options, the Auth Request Header still contains:

Proxy-Authenticate: Negotiate
Proxy-Authenticate: Kerberos
Proxy-Authenticate: NTLM

I dont think this is a configurable option in ISA... but I'm waiting to hear from Microsoft

2. Disable "Integrated Windows Authentication" in IE on the clients.
-Does this break any other websites in your environment?
-What happens in the future when an intranet Website is introduced that needs Kerberos auth?

3. Figure out why random Kerberos authentication requests fail. i.e. the garbled security logs from the first post in this forum.

< Message edited by ISAadmin11 -- 12.Jan.2010 1:32:24 PM >

(in reply to ISAadmin11)

Post #: 41

Featured Links*

RE: Proxy authentication problem - 12.Jan.2010 4:14:12 PM

JeffVandervoort

Posts: 142
Joined: 20.Nov.2004
Status: offline

Still using the workaround here, 2 years and 1 IE version later. Amazing that it hasn't been fixed in all this time.

Wonder if Kerberos works correctly in IE 7/8 & Forefront TMG?

(in reply to ISAadmin11)

Post #: 42

RE: Proxy authentication problem - 15.Jan.2010 6:19:36 AM

PhilipGardham

Posts: 2
Joined: 15.Jan.2010
Status: offline

Hi guys,

I've been checking this thread on and off for many months as we kept getting this issue as well. As of this morning I think we have a solution and I thought I'd share the love.

There is a script in http://support.microsoft.com/kb/927265/en-us that forces NTLM auth when using integrated authentication. This side steps the Kerberos issues that have been causing the problem. Also, although the article is specifically talking about upstream ISA boxes it resolved the issue for us and we have a single server implementation. More info can be found at http://social.technet.microsoft.com/Forums/en/itproxpsp/thread/9d81e3b1-1e75-473a-8233-7db72f558532 , which is what pointed me in the right direction.

Hope you guys get some milage out of this.

(in reply to JeffVandervoort)

Post #: 43

RE: Proxy authentication problem - 15.Jan.2010 9:40:58 AM

JeffVandervoort

Posts: 142
Joined: 20.Nov.2004
Status: offline

Thanks; good to know that's available in case we end up needing integrated auth for some other reason.

On the down side, given all the dev work that went in to the hotfix--which is just an ISA-side version of the workaround we've been using and not a fix at all--I'd say it's sending a pretty clear signal that Microsoft is not ever going to actually fix this.

(in reply to PhilipGardham)

Post #: 44

RE: Proxy authentication problem - 15.Jan.2010 9:49:23 AM

PhilipGardham

Posts: 2
Joined: 15.Jan.2010
Status: offline

Agreed - but as we require integrated auth for several intranet sites here I'm just glad to have some kind of work around that doesn't break anything! At the end of the day isn't that the best we can expect from MS?

(in reply to JeffVandervoort)

Post #: 45