Integrated authentication, client user not a domain member
Integrated authentication, client user not a domain member - 15.Mar.2007 4:15:03 AM   
sopi20

 

Hi,

We've upgraded our MS ISA 2000 to MS ISA 2006 (by doing a fresh install and creating all the rules again, as a direct upgrade from MS ISA 2000 to ISA 2006 is not supported). We are using integrated authentication, as the ISA server is a domain member. We are actually using the ISA server as a URL filter - long story short - the rules are like "allow http for group abc to url set xzy", etc. The last rule is to deny all the http/https traffic for all users to any location. Everything's working as it is supposed to, except for one thing - when a client tries to access a website and he is not logged in as a domain user (is logged in as local user "user"), an authentication window pops up 3 times before the 407 message is shown. This behaviour is a bit unacceptable; we don't want users to be able to use a domain username and password to authenticate when accessing a website when they're logged in as a local user on their computer. Any idea what could solve the problem? The "require all users to authenticate" box is unchecked; only integrated authentication is used. If it might help, I can post the log messages from the web and fw log here, or post a screenshot of our rules.

Thanks in advance for any help, I'm really out of ideas, as I've been trying to fix this the whole night.
Post #: 1
RE: Integrated authentication, client user not a domain... - 15.Mar.2007 10:41:53 AM   
matheesha

 

I don't think you can stop users using your ISA using their domain credentials while logged on as local users. The thing is the users' PCs are valid members of the domain and are authenticated. The users also provide credentials that are valid before accessing the domain. I think your only solution is to disable local logins on the workstations. You could run a startup script (specified in a GPO) that disables all local user accounts on the PC. That would force domain user accounts to be used.

Please note if you do this, you will never be able to log on using a local account (e.g. administrator) to even fix an issue on the PC. Perhaps you could disable all local user accounts except the local administrator and change the local administrator password.

HTH

M@

(in reply to sopi20)
Post #: 2
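
The startup-script approach suggested in the post above, sketched as an added example (not code from the thread or from any poster). It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts cmdlets; the log path is a hypothetical placeholder.

```powershell
# Added example: GPO computer startup script that disables local accounts,
# keeping the built-in Administrator (RID 500) enabled for recovery access.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical log location; adjust for your environment.
    [string]$LogPath = "$env:SystemRoot\Temp\Disable-LocalUsers.log"
)

function Write-Log([string]$Message) {
    "{0:u} {1}" -f (Get-Date), $Message | Add-Content -Path $LogPath
}

# DomainRole 4 and 5 are domain controllers, which have no local SAM
# accounts to manage; skip them.
$role = (Get-CimInstance Win32_ComputerSystem).DomainRole
if ($role -ge 4) { Write-Log "Domain controller, nothing to do."; return }

foreach ($user in Get-LocalUser) {
    # Match the built-in Administrator by its well-known RID, not by name,
    # because the account is often renamed.
    if ($user.SID.Value -match '-500$') {
        Write-Log "Keeping built-in Administrator '$($user.Name)'."
        continue
    }
    if (-not $user.Enabled) { continue }   # already disabled, nothing to log

    if ($PSCmdlet.ShouldProcess($user.Name, 'Disable local account')) {
        try {
            Disable-LocalUser -SID $user.SID -ErrorAction Stop
            Write-Log "Disabled '$($user.Name)' ($($user.SID.Value))."
        } catch {
            Write-Log "FAILED to disable '$($user.Name)': $_"
        }
    }
}
```

Running the script with `-WhatIf` on a test workstation lists the accounts it would disable without changing them.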
RE: Integrated authentication, client user not a domain... - 15.Mar.2007 10:52:04 AM   
sopi20

 

The thing I want to find out is whether there is a way to make ISA server not authenticate users that are not domain members (not requesting the authentication), but simply deny the webpage request. Users that are domain members do send their username/password automatically (at least that's what I think), and local users may send it too, but... - I want MS ISA to accept wrong credentials (as the local user cannot be verified in the domain) and deny the page request, not to prompt for the credentials again and again.

(in reply to sopi20)
Post #: 3
RE: Integrated authentication, client user not a domain... - 15.Mar.2007 11:09:19 AM   
matheesha

 

Please read http://blogs.technet.com/isablog/archive/2007/01/28/internet-access-for-generic-accounts-through-isa-server-2004.aspx which explains why you can't do what you would like to.

HTH

M@

(in reply to sopi20)
Post #: 4
RE: Integrated authentication, client user not a domain... - 15.Mar.2007 11:16:09 AM   
sopi20

 

Thanks a lot! This link really helped me very much to understand how the authentication in MS ISA actually works. Once more, thanks for your time and effort. The only thing that makes me a bit concerned is that it did work in ISA 2000 that way..... strange... but never mind... thanks again.

(in reply to sopi20)
Post #: 5
