• Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Supported Delegation scenario?

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Publishing] >> Web Publishing >> Supported Delegation scenario? Page: [1]
Message << Older Topic   Newer Topic >>
Supported Delegation scenario? - 12.Mar.2009 10:10:32 AM   


Posts: 96
Joined: 8.Dec.2004
From: London
Status: offline
I have two Windows 2003 security domains/forests, A and B, both controlled by different teams within my company. They are separated by a dual-homed ISA Server 2006, which is a member of domain A.

We have published a web site in domain B, which requires integrated authentication. However, the web server does not have access to the DC from domain A, and so cannot authenticate the users from domain A. There is a user account in domain B that has been created to be used by the ISA Server.
[Please trust me, there are reasons for all of this!]

What we wish to do is manage access to the web site through a web publishing rule on the ISA Server. ISA would log and control access to the site from domain A, but then use the special ISA account to access the web site. Meanwhile, users from domain B would access the site as normal using their local credentials.

All sounds very straightforward.

However, the Authentication Delegation options in the web publishing rule do not allow you to implement this scenario. Either the credentials are forwarded through delegation (which requires trust between the domains), or they are not, in which case a site requiring authentication would fail.

It is frustrating, because in a web chaining rule, it is possible to specify the credentials that you want to pass on to the next node in the chain.

Does anyone have any experience of trying to implement a scenario like this, or have any suggestions of how I may achieve it?

Many thanks in advance.

Post #: 1
RE: Supported Delegation scenario? - 12.Mar.2009 12:45:59 PM   
Jason Jones


Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Does this really relate to ISA?

If the web server cannot validate credentials with the non-trusted domain, I'm confused at to how you think ISA can help?

I can't think of anything ISA can do natively...maybe you could write a custom web filter to help??? Maybe drop Greg a line at Collective Software.




Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to RuiFiske)
Post #: 2
RE: Supported Delegation scenario? - 12.Mar.2009 5:08:45 PM   


Posts: 14
Joined: 15.Jan.2008
Status: offline
One way you could do it is have another instance of the same website on the IIS server in Domain B. Enable anonymous access on this site but restrict IP access to only the ISA server.

What you really want is another option on the delegation tab to say "delegate this specifed crediental" and specify user name and password. Is this what you're getting at?

< Message edited by Rhys.Goodwin -- 12.Mar.2009 5:15:07 PM >

(in reply to Jason Jones)
Post #: 3
RE: Supported Delegation scenario? - 13.Mar.2009 4:39:20 AM   


Posts: 96
Joined: 8.Dec.2004
From: London
Status: offline
Hi Rhys,

Thank you for your reply. You have understood the scenario perfectly.

Your suggestion is a good one, and is indeed how we are doing it at the moment (second site with anonymous access limited by IP).

Exactly what I would like is an option in Authentication Delegation, saying "Always use these credentials". The website would then be able to authenticate this account, as it would be provisioned in Domain B.

By the sound of Jason's reply, though, this is not possible without a custom filter. Is this correct?


(in reply to Rhys.Goodwin)
Post #: 4

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 Publishing] >> Web Publishing >> Supported Delegation scenario? Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts