We've upgraded our MS ISA 2000 to MS ISA 2006 (by doing a fresh install and creating all the rules again, as a direct upgrade from MS ISA 2000 to ISA 2006 is not supported). We are using integrated authentication, as the ISA server is a domain member. We are actually using the ISA server as a URL filter - long story short - the rules are like "allow http for group abc to url set xzy", etc. The last rule is to deny all the http/https traffic for all users to any location. Everything's working as it is supposed to, except for one thing - when a client tries to access a website and he is not logged in as a domain user (is logged in as local user "user"), an authentication window pops up 3 times before the 407 message is shown. This behaviour is a bit unacceptable; we don't want users to be able to use a domain username and password to authenticate when accessing a website when they're logged in as a local user on their computer. Any idea what could solve the problem? The "require all users to authenticate" box is unchecked, only integrated authentication is used. If it might help, I can post the log messages from the web and fw log here, or post a screenshot of our rules.
Thanks in advance for any help, I'm really out of ideas, as I've been trying to fix this the whole night.
I don't think you can stop users using your ISA using their domain credentials while logged on as local users. The thing is the users' PCs are valid members of the domain and are authenticated. The users also provide credentials that are valid before accessing the domain. I think your only solution is to disable local logins on the workstations. You could run a startup script (specified in a GPO) that disables all local user accounts on the PC. That would force domain user accounts to be used.
Please note if you do this, you will never be able to log on using a local account (e.g. administrator) to even fix an issue on the PC. Perhaps you could disable all local user accounts except the local administrator and change the local administrator password.
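The startup script suggested in the reply above could look like the following. This is an added example, not part of the thread; it assumes Windows PowerShell 5.1 or later (for the `Get-LocalUser` and `Disable-LocalUser` cmdlets) and a hypothetical log path, and it leaves the built-in Administrator (RID 500) enabled, as the reply recommends.

```powershell
# Added example (not from the thread): computer startup script for a GPO.
# Disables every enabled local account except the built-in Administrator.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical log location; adjust to your environment.
    [string]$LogPath = "$env:SystemRoot\Temp\Disable-LocalUsers.log"
)

function Test-IsBuiltinAdministrator {
    param(
        [Parameter(Mandatory)]
        [System.Security.Principal.SecurityIdentifier]$Sid
    )
    # The built-in Administrator always has RID 500, even when renamed,
    # so match on the SID rather than on the account name.
    return $Sid.Value -match '^S-1-5-21-\d+-\d+-\d+-500$'
}

function Write-Log {
    param([string]$Message)
    $line = '{0} {1}' -f (Get-Date -Format o), $Message
    Add-Content -Path $LogPath -Value $line
}

# Only touch accounts that are currently enabled and are not RID 500.
$targets = Get-LocalUser | Where-Object {
    $_.Enabled -and -not (Test-IsBuiltinAdministrator -Sid $_.SID)
}

foreach ($user in $targets) {
    if ($PSCmdlet.ShouldProcess($user.Name, 'Disable local account')) {
        try {
            Disable-LocalUser -SID $user.SID -ErrorAction Stop
            Write-Log "disabled $($user.Name) ($($user.SID))"
        }
        catch {
            Write-Log "FAILED $($user.Name): $($_.Exception.Message)"
        }
    }
}
```

Running the script with `-WhatIf` on one workstation first lists the accounts it would disable without changing anything.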
The thing I want to find out is whether there is a way to make ISA Server not authenticate users that are not domain members (not requesting the authentication), but simply deny the webpage request. Users that are domain members do send their username/password automatically (at least that's what I think), and local users may send it too, but... - I want MS ISA to accept wrong credentials (as the local user cannot be verified in the domain) and deny the page request, not to prompt for the credentials again and again.
Thanks a lot! This link helped me really very much to understand how the authentication in MS ISA is actually working. Once more, thanks for your time and effort. The only thing that is making me a bit concerned is that it did work in ISA 2000 that way..... strange... but never mind... thanks again.