ISA 2006 authentication fails for one site only (Full Version)

All Forums >> [ISA 2006 Web Proxy] >> General



Message

gdanielson -> ISA 2006 authentication fails for one site only (26.Jun.2008 6:09:12 PM)

I have a problem on ISA 2006 I don't know how to progress. When IE browsing to a specific site the same userid gets 12210 authentication prompts from one client but not from a different client. The workstation admins say they have checked IE settings and they are the same on both. So at this stage I need more info/ammo
 
I think I can see the 12210 culprit in the ISA logs (it is for a .js object) but how can I get ISA to tell me what is not being satisfied from it's point of view causing a request to fail authentication?  How can I get more insight into what is happening/not happening  with authentication?
 
tia!
Graeme



paulo.oliveira -> RE: ISA 2006 authentication fails for one site only (27.Jun.2008 8:44:32 AM)

Hi,

what the kind of your clients (FW clients, SecureNAT, Webproxy)? Are these machines joined to the same domain of ISA?

Try to check if this configuration is enabled:
In your IE browser, Tools - Internet Options - Advanced tab - Security session - Put a checkmark in Enable Integrated Windows Authentication.

Regards,
Paulo Oliveira.



pwindell -> RE: ISA 2006 authentication fails for one site only (27.Jun.2008 10:58:00 AM)

A ".js object"?

Does this involve the Jave JRE?



gdanielson -> RE: ISA 2006 authentication fails for one site only (1.Jul.2008 4:44:00 PM)

They are all webproxy clients, all on the same domain as ISA and with Integrated Windows Authentication on.  Also ISA is running the WebMarshal plugin
The problem appears on only one part of one site, it is actually around a new ActiveX control that is used to edit their website content on their externally hosted site. I'd like to get more info from ISA about what it's not happy about.
As far as I know all other internet browsing is fine, no authentication prompts.
thanks, Graeme



pwindell -> RE: ISA 2006 authentication fails for one site only (1.Jul.2008 5:17:19 PM)

There is "no tellin'"  what kind of communincation the ActiveX Conrol may be attempting to do.  If it does anything that would not be classified as HTTP or FTP it will fail with the Web Proxy Service.

You should make the machines Firewall Clients and Web Proxy Clients at the same time,...unless it is a one-nic ISA,...then you are just screwed.

The next most likely thing is Web Marshal. You need to examine its logs or monitor it in some way,...because it may be blocking the ActiveX Control.



Jason Jones -> RE: ISA 2006 authentication fails for one site only (1.Jul.2008 6:29:22 PM)

quote:

ORIGINAL: pwindell

...unless it is a one-nic ISA,...then you are just screwed.



[:D][:D][:D]



gdanielson -> RE: ISA 2006 authentication fails for one site only (1.Jul.2008 9:27:04 PM)

ISA is not running a single nic .  I have checked WebMarshal and there are no blocked objects for the workstation in question. This situation shows up as an authentication problem, doesn't ISA need to be happy with authentication before passing to Webmarshal?

As you say, I don't know what communication is being attempted from the workstation, but whatever it is ISA doesn't like it, how do I find out what it doesn't like??? Even the http (or other) operation in question would be a start.  All I've got to go on is this end-user ISA "error".
You seem to be suggesting that the planets aren't aligned, hard luck?   



pwindell -> RE: ISA 2006 authentication fails for one site only (2.Jul.2008 11:05:53 AM)

As you say, I don't know what communication is being attempted from the workstation, but whatever it is ISA doesn't like it, how do I find out what it doesn't like??? Even the http (or other) operation in question would be a start.  All I've got to go on is this end-user ISA "error".
You seem to be suggesting that the planets aren't aligned, hard luck? 

Well if they'd let me run the planet my way they wouldn't get so crooked. But Macs and Linux would be in big trouble [8D]

You can see the traffic being generated if you use the Monitoring Log and set the filter to show only traffic from the one "problem" workstation.

1. If there is anything other than HTTP/HTTPS or FTP then it will not work with the Web Proxy Service.  You will have to install the Firewall Client on the workstation to handle that and create corresponding Access Rules to handle the Protocols or just add the Protocols to the existing Access Rule for HTTP/HTTPS.

2. Even if it is HTTP/HTTPS or FTP, the ActiveX Control may not be able to handle the authentication over the Web Proxy Service. You will have to install the Firewall Client on the workstation to handle that as well.



pwindell -> RE: ISA 2006 authentication fails for one site only (2.Jul.2008 11:07:11 AM)

quote:

ORIGINAL: Jason Jones

quote:

ORIGINAL: pwindell

...unless it is a one-nic ISA,...then you are just screwed.



[:D][:D][:D]


Yea,..I just love saying that. [:)]



Page: [1]