Authentication issue/ misconfig ? (Full Version)

All Forums >> [ISA 2006 Web Proxy] >> Web Proxy Client





mpawlik -> Authentication issue/ misconfig ? (7.Oct.2009 10:49:30 AM)

Hi,
It seems I have an authentication issue, however websites open. What is bugging me is a lot of errors in ISA logs: 12209 The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied.

Here is how I have set it up (I know it is a bit of an odd config).

I am running ISA 2006 SP1 in a 1 NIC configuration. The users come via WPAD to ISA for web access. Then ISA is web chained to a McAfee gateway appliance which serves AV filtering. McAfee forwards requests to the DSL gateway. Web traffic returns the same way.

Now, some of my firewall access rules require users to be members of AD groups. The authentication on the web listener is set to Integrated only, without the "require all users to authenticate" checkbox ticked.

When I open a URL in the browser it opens fine. However, when I look into logging on ISA I see a substantial number of denials with the authentication error I mentioned above. It doesn't look right, even though the website opens!

I looked also into headers in the browser. And this is what I got (I have cut out some unnecessary bits):

GET http://xxx.xx/ HTTP/1.1
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied.  )
Via: 1.1 ISA
Proxy-Authenticate: Negotiate
Proxy-Authenticate: Kerberos
Proxy-Authenticate: NTLM

Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 4121


GET http://xxx.xx/ HTTP/1.1
Host: xxx.xx
Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==

HTTP/1.1 407 Proxy Authentication Required ( Access is denied.  )
Via: 1.1 ISA
Proxy-Authenticate: Negotiate TlRMTVNTUAACAAAACAAIADgAAAAFgomiJUtKrxlyn1AAAAAAAAAAAJYAlgBAAAAABQLODgAAAA9VAFMARQBSAAIACABVAFMARQBSAAEAFABJAFMAQQAyADAAMAA2AFIARQBOAAQAKAB1AGsALgBtAGkAdABzAHUAaQBiAGEAYgBjAG8AYwBrAC4AYwBvAG0AAwA+AEkAUwBBADIAMAAwADYAUgBFAE4ALgB1AGsALgBtAGkAdABzAHUAaQBiAGEAYgBjAG8AYwBrAC4AYwBvAG0AAAAAAA==

Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 0

GET http://xxx.xx/ HTTP/1.1
Proxy-Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAGwAAAAYABgAhAAAAAgACABIAAAACgAKAFAAAAASABIAWgAAAAAAAACcAAAABYKIogUBKAoAAAAPVQBTAEUAUgBDADEAMQA0ADQANQA1AEMAQgAxADAAOAA2ADAA+0G36cNgt14AAAAAAAAAAAAAAAAAAAAAv+/mEk23fCx2Oegbq71CDp96Jm3T68xK
Host: xxx.xx

HTTP/1.1 301 Moved Permanently
Proxy-Connection: Keep-Alive
Connection: Keep-Alive
Content-Length: 53
Via: 1.0 sq7.m1r2.xxx:80 (squid), 1.1 Mcafee, 1.0 ISA
Expires: Tue, 07 Oct 2008 10:50:36 GMT
Date: Wed, 07 Oct 2009 10:49:16 GMT
Location: http://www.xxx.xx/
Content-Type: text/html
Server: AOLserver
Pragma: no-cache
Cache-Control: no-cache
X-Cache: MISS from sq7.m1r2.xxx
X-Cache-Lookup: MISS from sq7.m1r2.xxx:80

GET http://www.xxx.xx/ HTTP/1.1
Proxy-Connection: Keep-Alive
Host: www.xxx.xx

HTTP/1.1 302 Moved Temporarily
Proxy-Connection: Keep-Alive
Connection: Keep-Alive
Content-Length: 0
Via: 1.1 Mcafee, 1.0 ISA
Date: Wed, 07 Oct 2009 10:49:17 GMT
Location: http://www.xxx.xx/
Server: squid/2.6.STABLE16


GET http://www.xxx.xx/ HTTP/1.1
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.xxx.xx

HTTP/1.1 200 OK
Proxy-Connection: Keep-Alive
Connection: Keep-Alive
Content-Length: 89429
Via: 1.0 sq11.m1r2.xxx:80 (squid), 1.1 Mcafee, 1.0 ISA
Expires: Tue, 07 Oct 2008 10:51:07 GMT
Date: Wed, 07 Oct 2009 10:48:31 GMT
Content-Type: text/html; charset=iso-8859-2
Server: AOLserver/3.4.2 SP/1
P3P: CP="ALL DSP COR IVD IVA PSD PSA TEL TAI CUS ADM CUR CON SAM OUR IND"
Vary: Accept-Encoding
Cache-Control: private
X-Cache: HIT from sq11.m1r2.xxx
X-Cache-Lookup: HIT from sq11.m1r2.xxx:80

GET http://www.xxx.xx/data/css/0,4,1,mag_polak,a98f4a8491136711ae28724d7d1964ef,style.css HTTP/1.1
Accept: */*
Referer: http://www.xxx.xx/
Host: www.xxx.xx
Proxy-Connection: Keep-Alive

HTTP/1.1 200 OK
Proxy-Connection: Keep-Alive
Connection: Keep-Alive
Content-Length: 48395
Via: 1.1 ISA
Age: 107086
Expires: Mon, 14 Dec 2009 15:34:32 GMT
Date: Tue, 06 Oct 2009 05:04:32 GMT
Content-Type: text/css
Server: AOLserver
Warning: 113 ISA Some of this information has not been updated in the past 24 hours.
Vary: Accept-Encoding
Last-Modified: Wed, 19 Aug 2009 04:02:27 GMT
X-Cache: HIT from sq4.m1r2.xxx
X-Cache-Lookup: HIT from sq4.m1r2.xxx:80

GET http://xxx.xxx.xx/_s/ads_rules08.css HTTP/1.1
Accept: */*
Referer: http://www.xxx.xx/
Accept-Encoding: gzip, deflate
Host: xxx.xxx.xx
Proxy-Connection: Keep-Alive

HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied.  )
Via: 1.1 ISA
Proxy-Authenticate: Negotiate
Proxy-Authenticate: Kerberos
Proxy-Authenticate: NTLM

Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 4121

It looks like:
1) Client sends request to ISA,
2) ISA rejects the request because authentication is required.
3) Client sends an authentication negotiate request
4) ISA rejects the request again.
5) Client sends another negotiate request (a longer one),
6) Request gets redirected (moved temporarily/permanently) to McAfee
7) Then the website is delivered.
8) Then the same happens with the next element requested from the website.

My questions:
1. Does it look normal to you? Because to me it's too many denied entries in my logs, as if I hadn't configured it correctly.

2. I thought that auth details would be cached somewhere, so that it is not required to hassle AD for each website element?

3. The negotiation algorithm used. I read that it first tries Kerberos, then NTLM. So which one is actually used in my example? I don't understand why it is sending the digest twice (a shorter and a longer one)?


I would appreciate it if someone could shed some light on this, as I have run out of ideas.

Cheers,
Maciek




paulo.oliveira -> RE: Authentication issue/ misconfig ? (7.Oct.2009 1:19:47 PM)

Hi,

When the browser first tries to connect to a web site, it will try as an anonymous user. Check this article on using Kerberos authentication to reduce authentication requests to the DC.

Improving Web Proxy Client Authentication Performance on ISA Server 2006

Regards,
Paulo Oliveira.




mpawlik -> RE: Authentication issue/ misconfig ? (8.Oct.2009 3:05:02 AM)

Yup, I have read it before. This ties to my 3rd question on the list. I am not sure which method I am actually using. I only see negotiate - which obviously is negotiation between Kerberos/NTLM. But I do not see any indication that one is used. How can I check this?




paulo.oliveira -> RE: Authentication issue/ misconfig ? (9.Oct.2009 10:01:34 AM)

Hi,

Yeah, I did not see it. Maybe you missed some packet?

Regards,
Paulo Oliveira.




Jason Jones -> RE: Authentication issue/ misconfig ? (9.Oct.2009 12:39:32 PM)

quote:

ORIGINAL: mpawlik

Yup, I have read it before. This ties to my 3rd question on the list. I am not sure which method I am actually using. I only see negotiate - which obviously is negotiation between Kerberos/NTLM. But I do not see any indication that one is used. How can I check this?


If your proxy server is defined using an FQDN, ISA is configured for integrated, and you can reach the KDC, you should be using Kerberos. If you look at the ISA Server and DC with security auditing enabled, you should be able to see that Kerberos is being used. There are also lots of Kerberos troubleshooting tools (like kerbtray) that should help with Kerberos investigations...

You will always get denied in the logs because a browser will always try anonymous connections until ISA issues the 407 responses; the browser will then provide credentials as necessary.

http://blogs.technet.com/isablog/archive/2008/06/26/understanding-by-design-behavior-of-isa-server-2006-using-kerberos-authentication-for-web-proxy-requests-on-isa-server-2006-with-nlb.aspx

Cheers

JJ
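Question 3 of the first post and the "how can I check this" exchange above can both be answered from the captured headers themselves; the decoder below is an added example, not code from the thread or from ISA. A token that starts with NTLMSSP is plain NTLM (three legs: NEGOTIATE, CHALLENGE, AUTHENTICATE, which is why two Proxy-Authorization headers of different length appear), whereas a Kerberos or SPNEGO token starts with a DER 0x60 header followed by the mechanism OID. The three tokens are the ones posted above with the forum line-wrap joined; the SPNEGO sample is constructed for contrast.

```python
import base64
import struct

# NTLM message types and a few NegotiateFlags bits (MS-NLMP sections 2.2.1 and 2.2.2.5)
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NTLM_FLAGS = {0x1: "UNICODE", 0x200: "NTLM", 0x8000: "ALWAYS_SIGN",
              0x80000: "EXTENDED_SESSIONSECURITY", 0x20000000: "128", 0x80000000: "56"}
# DER mechanism OIDs that follow a GSS-API InitialContextToken (0x60) header, RFC 2743
MECH_OIDS = {bytes.fromhex("06062b0601050502"): "SPNEGO",           # 1.3.6.1.5.5.2
             bytes.fromhex("06092a864886f712010202"): "Kerberos"}   # 1.2.840.113554.1.2.2

def _utf16_field(raw, fields_off):
    """Read an MS-NLMP (len, maxlen, offset) triple and return the UTF-16LE string it points at."""
    length, _, offset = struct.unpack_from("<HHI", raw, fields_off)
    return raw[offset:offset + length].decode("utf-16-le")

def classify_negotiate_token(b64_token):
    """Say what a 'Negotiate <token>' header really carries: raw NTLM, SPNEGO or Kerberos."""
    raw = base64.b64decode(b64_token)
    if raw.startswith(b"NTLMSSP\x00"):
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        info = {"mech": "NTLM", "msg": NTLM_TYPES.get(msg_type, "UNKNOWN")}
        if msg_type == 1:      # NEGOTIATE: flags at offset 12
            flags = struct.unpack_from("<I", raw, 12)[0]
        elif msg_type == 2:    # CHALLENGE: TargetName fields at 12, flags at 20
            flags = struct.unpack_from("<I", raw, 20)[0]
            info["target"] = _utf16_field(raw, 12)
        else:                  # AUTHENTICATE: Domain/User/Workstation fields at 28/36/44, flags at 60
            flags = struct.unpack_from("<I", raw, 60)[0]
            info["user"] = _utf16_field(raw, 28) + "\\" + _utf16_field(raw, 36)
            info["workstation"] = _utf16_field(raw, 44)
        info["flags"] = [name for bit, name in NTLM_FLAGS.items() if flags & bit]
        return info
    if raw[:1] == b"\x60":
        i = 2 + ((raw[1] & 0x7F) if raw[1] & 0x80 else 0)   # skip the outer DER length
        for oid, name in MECH_OIDS.items():
            if raw[i:].startswith(oid):
                return {"mech": name}
    return {"mech": "unknown"}

# The three tokens exactly as captured in the thread above (types 2 and 3 were line-wrapped in the post)
TYPE1 = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="
TYPE2 = ("TlRMTVNTUAACAAAACAAIADgAAAAFgomiJUtKrxlyn1AAAAAAAAAAAJYAlgBAAAAABQLODgAAAA9VAFMARQBSAAIACABVAFMARQBSAAEAFABJAFMAQQAyADAAMAA2AFIARQBOAAQAKAB1AGsALgBtA"
         "GkAdABzAHUAaQBiAGEAYgBjAG8AYwBrAC4AYwBvAG0AAwA+AEkAUwBBADIAMAAwADYAUgBFAE4ALgB1AGsALgBtAGkAdABzAHUAaQBiAGEAYgBjAG8AYwBrAC4AYwBvAG0AAAAAAA==")
TYPE3 = ("TlRMTVNTUAADAAAAGAAYAGwAAAAYABgAhAAAAAgACABIAAAACgAKAFAAAAASABIAWgAAAAAAAACcAAAABYKIogUBKAoAAAAPVQBTAEUAUgBDADEAMQA0ADQANQA1AEMAQgAxADAAOAA2ADAA"
         "+0G36cNgt14AAAAAAAAAAAAAAAAAAAAAv+/mEk23fCx2Oegbq71CDp96Jm3T68xK")
# Constructed for contrast (not from the thread): the opening bytes of a SPNEGO-wrapped token
SPNEGO_SAMPLE = base64.b64encode(b"\x60\x0c" + bytes.fromhex("06062b0601050502") + b"\xa0\x02\x30\x00").decode()

if __name__ == "__main__":   # run stand-alone to see how each captured leg is classified
    print([classify_negotiate_token(t) for t in (TYPE1, TYPE2, TYPE3, SPNEGO_SAMPLE)])
```

If the tokens a browser sends to ISA decode as NTLM like these three, the Kerberos preconditions listed in the reply above (proxy defined by FQDN, reachable KDC) are the things to verify next.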



