ISA Authentication (Full Version)

darkgabeman -> ISA Authentication (16.Jun.2008 1:02:59 AM)

How can I force ISA to authenticate users against a specific domain controller without changing anything on that domain controller?




elmajdal -> RE: ISA Authentication (16.Jun.2008 3:40:00 AM)

When you install ISA Server and configure it, you do not touch the DC at all!

All you have to do is join ISA Server to the domain (make it a domain member).

Then, with the ISA Server Management console, you can use your AD users/groups for your rules.

And to force authentication on outbound rules, remove the All Users condition and replace it with users/groups from AD. And only Firewall Client/Web Proxy Client can authenticate.



HTH,
Tarek




darkgabeman -> RE: ISA Authentication (16.Jun.2008 4:03:49 AM)

Thanks Tareq,
but I don't think you've got my point.

My question was
how to force ISA to authenticate against a specific DC.

For example, I have DC1, DC2 and DC3,
all in the same subnet and all with the same weight and priority,
and I want ISA to authenticate only against DC1.

In other words, I want ISA to authenticate to a specific domain controller regardless of DNS and site settings.




Rievax -> RE: ISA Authentication (18.Jun.2008 9:59:49 AM)

darkgabeman,

To me, this is going against AD high availability. Why would you like to do such a thing? AD requests to authenticate a user are not really heavy on your controllers. And what will happen if you lose this server? Nobody will be able to browse, and you will have to reboot your boxes to "fix" the hypothetical registry key hack...

You could try to create an LMHOSTS file in "c:\WINDOWS\system32\drivers\etc\lmhosts" (sample in c:\WINDOWS\system32\drivers\etc\lmhosts.sam) with entries for #PRE and #DOM. This could do the trick, but I am not sure it will work for ISA AD authentication...

But in my opinion, the best way would be to create another subnet, put your ISA and AD server in it, and create a new site and subnet in your "AD Sites and Services" MMC snap-in. This way, if the AD server dies, the ISA will talk to other AD servers in your domain...

Xavier.



