I keep getting HTTP Error 401.1 after entering my credentials, both when connecting from outside through ISA as when connecting internally. When I remove the SPN HTTP/<fqdn> from the Application Pool account I can login fine from the internal network (fallback to NTLM?), but receive http error 403 when connecting through ISA.
I have already added the SPN's HTTP/<fqdn> to the domain account used as Application Pool Identity for Sharepoint, and IIS is configured for "negotiate,NTLM", but still no go. As soon as I remove the SPN and restart IIS I can login from the internal network, so I guess it fallsback to NTLM then.
We use a Radius based OTP solution, I don't think NTLM delegation works with Radius, or does it?
From: United Kingdom
Have you tried enabling the "collect additional credentials" on the web listener? It is located on the authentication tab.
This will allow you to define a windows username and password in addtion to RADIUS details on a single HTML form. ISA can then delegate the windows credentials in NTLM format to SharePoint, in addition to authenticating the RADIUS OTP.
P.S. I would still suggest you go with Microsoft's recommendation and configure SharePoint for NTLM and then use ISA NTLM delegation.
< Message edited by Jason Jones -- 23.Oct.2007 5:14:53 AM >