• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

RE: Proxy authentication problem

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Cache] >> Web Proxy client >> RE: Proxy authentication problem Page: <<   < prev  1 2 [3]
Login
Message << Older Topic   Newer Topic >>
RE: Proxy authentication problem - 12.Jan.2010 1:31:07 PM   
ISAadmin11

 

Posts: 3
Joined: 31.Aug.2009
Status: offline
I've been researching this issue in my spare time, but as more and more users are migrating to IE7/IE8 so this is becoming a larger issue.

Here is why the issue is affecting IE7 and IE8;

"The cause of the problem is, that unttil IE6 the browser doesn't support kerberos authentication. The server what you want to reach begins the authentication process with a negotiation: Can you handle kerb auth.? If the answer is yes, they will use that. If the answer is no, it will ask: Can you handle NTLM auth.? If the answer is yes, they will use that. Because IE6 can't handle kerberos it always uses NTLM. (If the answer is no it won't authenticate you.)"

http://social.msdn.microsoft.com/Forums/en-IE/iewebdevelopment/thread/9e56fa7c-e0c1-4930-9612-0ad5436ad9f3



Where it stands now, there are 3 options:

1. Disable kerberos authentication on the ISA Server, but keep NTLM authentication.
 -With ONLY "Integrated Authentication" selected in the proxy authentication     options, the Auth Request Header still contains:

 Proxy-Authenticate: Negotiate
 Proxy-Authenticate: Kerberos
 Proxy-Authenticate: NTLM
 
  I dont think this is a configurable option in ISA... but I'm waiting to hear from Microsoft

2. Disable "Integrated Windows Authentication" in IE on the clients.
  -Does this break any other websites in your environment?
  -What happens in the future when an intranet Website is introduced that needs Kerberos auth?


3. Figure out why random Kerberos authentication requests fail. i.e. the garbled security logs from the first post in this forum.

< Message edited by ISAadmin11 -- 12.Jan.2010 1:32:24 PM >

(in reply to ISAadmin11)
Post #: 41
RE: Proxy authentication problem - 12.Jan.2010 4:14:12 PM   
JeffVandervoort

 

Posts: 142
Joined: 20.Nov.2004
Status: offline
Still using the workaround here, 2 years and 1 IE version later. Amazing that it hasn't been fixed in all this time.

Wonder if Kerberos works correctly in IE 7/8 & Forefront TMG?

(in reply to ISAadmin11)
Post #: 42
RE: Proxy authentication problem - 15.Jan.2010 6:19:36 AM   
PhilipGardham

 

Posts: 2
Joined: 15.Jan.2010
Status: offline
Hi guys,

I've been checking this thread on and off for many months as we kept getting this issue as well.  As of this morning I think we have a solution and I thought I'd share the love.

There is a script in http://support.microsoft.com/kb/927265/en-us that forces NTLM auth when using integrated authentication.  This side steps the Kerberos issues that have been causing the problem.  Also, although the article is specifically talking about upstream ISA boxes it resolved the issue for us and we have a single server implementation.  More info can be found at http://social.technet.microsoft.com/Forums/en/itproxpsp/thread/9d81e3b1-1e75-473a-8233-7db72f558532 , which is what pointed me in the right direction.

Hope you guys get some milage out of this.

(in reply to JeffVandervoort)
Post #: 43
RE: Proxy authentication problem - 15.Jan.2010 9:40:58 AM   
JeffVandervoort

 

Posts: 142
Joined: 20.Nov.2004
Status: offline
Thanks; good to know that's available in case we end up needing integrated auth for some other reason.

On the down side, given all the dev work that went in to the hotfix--which is just an ISA-side version of the workaround we've been using and not a fix at all--I'd say it's sending a pretty clear signal that Microsoft is not ever going to actually fix this.

(in reply to PhilipGardham)
Post #: 44
RE: Proxy authentication problem - 15.Jan.2010 9:49:23 AM   
PhilipGardham

 

Posts: 2
Joined: 15.Jan.2010
Status: offline
Agreed - but as we require integrated auth for several intranet sites here I'm just glad to have some kind of work around that doesn't break anything!  At the end of the day isn't that the best we can expect from MS? 

(in reply to JeffVandervoort)
Post #: 45

Page:   <<   < prev  1 2 [3] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Cache] >> Web Proxy client >> RE: Proxy authentication problem Page: <<   < prev  1 2 [3]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts