• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

users prompted for credentials after pwd change?

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> General >> users prompted for credentials after pwd change? Page: [1]
Login
Message << Older Topic   Newer Topic >>
users prompted for credentials after pwd change? - 23.Aug.2007 12:28:56 PM   
acausemaker

 

Posts: 43
Joined: 3.Mar.2005
Status: offline
Running ISA2004 on Server 2K3 sp1.

Seems that after users change their domain passwords, all of a sudden IE prompts them for credentials when accessing ANY website.  It doesn't happen for every user, but it happens often enough to be annoying to my HelpDesk staff.  So far we haven't found a resolution for it, except to manually change their password on the domain controller.

it's almost as if the ISA server isn't getting the new credentials or something.  it's a member of the domain, and it's authenticating properly (no errors or anything).  We are NOT using the Firewall client, and "integrated Authentication" is turned on for my internal network.

has anybody had this problem before?  it's frustrating.

< Message edited by acausemaker -- 23.Aug.2007 12:38:51 PM >
Post #: 1
RE: users prompted for credentials after pwd change? - 23.Aug.2007 12:58:46 PM   
jmilito

 

Posts: 321
Joined: 10.Oct.2006
From: MICHIGAN, US
Status: offline
I have seen it before...  As you indicated it sound like the user accounts are not synchronizing with ISA or between DCs after the passwords are changed. 

Go to the cmd and run echo %logonserver% and that will show you which server ISA is trying to query.  Check the ISA monitor for blocked traffic to that server.  You will see some blocked traffic so don't go nuts and start opening everything but just take note.

Next go to the domain controller ISA is authenticating against and look at the error logs.  Are there any synchronization errors or other suspicious errors occuring?  One thing to look for are W32time errors because that may mean your DCs have unsynchronized clocks which can cause them to "freak out" especially if they are way off.

Finally...  Restart your domain controllers (after hours of course).  Sometimes DCs can get out of synch and this solves this problem as well as other mysterious ones that pop up. 

(in reply to acausemaker)
Post #: 2
RE: users prompted for credentials after pwd change? - 25.Aug.2007 8:37:17 AM   
Juliang

 

Posts: 2
Joined: 23.Jun.2007
Status: offline
I have ISA 2004 in a W2K3 SP2 domain and require Integrated Windows authentication for outgoing web requests, all clients are using Internet Explorer on Windows XP.

I don't know if this is the same but I often see an issue where a user's domain account get "locked" after they have changed their password. This is expected if they are tying their password wrong many times but they are not. It turns out their account was being locked because windows had cached their old domain credentials and Internet Explorer was automatically sending them to the ISA server in the response to the request for authentication.

This can be verified by running the command 'control userpasswords2' from Start->Run on the affected users workstation. Then click the Advanced tab and go to 'Manage Passwords' and the 'Stored User Names and Passwords' window should appear. If you see an entry for the DNS or NETBIOS name of you ISA server then remove it to delete the cached credentials.

I have been unable to find out why these details get cached in the first place and they only way I have found to prevent it is to disable the whole stored user names and passwords feature altogether.

(in reply to jmilito)
Post #: 3
RE: users prompted for credentials after pwd change? - 27.Aug.2007 8:12:21 AM   
acausemaker

 

Posts: 43
Joined: 3.Mar.2005
Status: offline
That was my first thought, and it's the first thing I have the HelpDesk guys check whenever they get a call like this.  But it's never the problem.  Windows must be caching it somewhere else, I just can't figure out where!

(in reply to Juliang)
Post #: 4

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> General >> users prompted for credentials after pwd change? Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts