• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Web Proxy connections no longer authenticating

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Cache] >> Web Proxy client >> Web Proxy connections no longer authenticating Page: [1]
Login
Message << Older Topic   Newer Topic >>
Web Proxy connections no longer authenticating - 7.Dec.2010 12:12:18 PM   
gburch83

 

Posts: 4
Joined: 7.Dec.2010
Status: offline
I've recently developed a rather unusual error. For some time now, my ISA server has been running successfully only allowing authenticated HTTP traffic. All clients are configured to use the ISA box as the proxy server.

Just recently, however, I'm starting to get problems accessing the Internet from multiple clients (most run IE8, but one is running IE9). What's happening is that the ISA box is recieving an anonymous request for a URL, which is denied, but is is not being followed by an authenticated request like it used to be.

If I repeatedly refresh the page or close and re-open the browser and try again, I can sometimes get an authenticated connection, and it works correctly for the rest of that browsing session.

So, my question is, Is the ISA Server Denying the anonymous connections, but not prompting for authentication? Or is it the browsers which aren't sending the credentials correctly? How can I find out which?
Post #: 1
RE: Web Proxy connections no longer authenticating - 7.Dec.2010 3:33:54 PM   
Rotorblade

 

Posts: 1348
Joined: 27.Feb.2007
Status: offline
Hi,

So what happens when you uncheck "Enable Integrated Windows Authentication " in IE on the problem clients?

What's showing in your ISA logging monitor? Possibly a network packet capture on the client may shed some light on the issues? It sounds like a Kerberos issue but I would think you would be prompted if authentication is failing.

RB

_____________________________

David Melvin
Ohio
MCSE: Security 2003, MCSA:Security 2003

(in reply to gburch83)
Post #: 2
RE: Web Proxy connections no longer authenticating - 7.Dec.2010 4:27:51 PM   
gburch83

 

Posts: 4
Joined: 7.Dec.2010
Status: offline
Thanks for the quick reply.

Tonight, I tried a few times to get it to connect, and all I got were the following 3 Web Proxy connections for each attempt:

quote:


Denied Connection ISA 07/12/2010 20:32:31
Log type: Web Proxy (Forward)
Status: 12209 The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied.
Rule: Web Access (Unlisted)
Source: Internal ( <Client IP>:0)
Destination: External ( <ISA IP>:8888)
Request: GET http://www.imdb.com/
Filter information: Req ID: 13f59e69
Protocol: http
User: anonymous
Additional information
Client agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Object source: Processing time: 234
Cache info: 0x0 MIME type:


Failed Connection Attempt ISA 07/12/2010 20:32:31
Log type: Web Proxy (Forward)
Status: 5 Access is denied.
Rule: Web Access (Unlisted)
Source: Internal ( <Client IP>:0)
Destination: External ( <ISA IP>:8888)
Request: GET http://www.imdb.com/
Filter information: Req ID: 13f59e6a
Protocol: http
User: anonymous
Additional information
Client agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Object source: Processing time: 1
Cache info: 0x0 MIME type:

Failed Connection Attempt ISA 07/12/2010 20:32:31
Log type: Web Proxy (Forward)
Status: 5 Access is denied.
Rule:
Source: Internal ( <Client IP>:0)
Destination: ( <ISA IP>:80)
Request: GET http://www.imdb.com/
Filter information: Req ID: 13f59e6b
Protocol: http
User: anonymous
Additional information
Client agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Object source: Processing time: 62
Cache info: 0x0 MIME type:


Then, I removed the Enable Integrated Windows Configuration checkbox as you suggested and restarted IE, and it connected straight away.

quote:


Denied Connection ISA 07/12/2010 20:53:58
Log type: Web Proxy (Forward)
Status: 12209 The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied.
Rule: Web Access (Unlisted)
Source: Internal ( <Client IP>:0)
Destination: External ( <ISA IP>:8888)
Request: GET http://www.imdb.com/
Filter information: Req ID: 13f5a0a6
Protocol: http
User: anonymous
Additional information
Client agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Object source: Processing time: 172
Cache info: 0x0 MIME type:

Denied Connection ISA 07/12/2010 20:53:58
Log type: Web Proxy (Forward)
Status: 12209 The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied.
Rule: Web Access (Unlisted)
Source: Internal ( <Client IP>:0)
Destination: External ( <ISA IP>:8888)
Request: GET http://i.media-imdb.com/images/SF0bbf9289f9d26c9e967fcac4a3de045d/css/min/consumerhome.css
Filter information: Req ID: 13f5a0a9
Protocol: http
User: anonymous
Additional information
Client agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Object source: Processing time: 235
Cache info: 0x0 MIME type:

Allowed Connection ISA 07/12/2010 20:53:59
Log type: Web Proxy (Forward)
Status: 200 OK
Rule: Web Access (Unlisted)
Source: Internal ( <Client IP>:0)
Destination: External ( 72.21.214.36:80)
Request: GET http://www.imdb.com/
Filter information: Req ID: 13f5a0a7
Protocol: http
User: <DOMAIN>\<username>
Additional information
Client agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Object source: Internet Processing time: 1594
Cache info: 0x62420000 MIME type:

Allowed Connection ISA 07/12/2010 20:54:00
Log type: Web Proxy (Forward)
Status: 200 OK
Rule: Web Access (Unlisted)
Source: Internal ( <Client IP>:0)
Destination: External ( 198.78.220.126:80)
Request: GET http://i.media-imdb.com/images/SF0bbf9289f9d26c9e967fcac4a3de045d/css/min/consumerhome.css
Filter information: Req ID: 13f5a0aa
Protocol: http
User: <DOMAIN>\<username>
Additional information
Client agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Object source: Internet Processing time: 1234
Cache info: 0xc00000 MIME type:



plus a whole lot more successful connections.

So, any idea what the problem is, or why it would suddenly show up? What other issues am I going to get from just leaving this setting unchecked?

(in reply to Rotorblade)
Post #: 3
RE: Web Proxy connections no longer authenticating - 7.Dec.2010 8:00:53 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Sounds like you have a problem with Kerberos authentication. Have a look at this to understand why: http://technet.microsoft.com/en-us/library/bb984870.aspx

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to gburch83)
Post #: 4
RE: Web Proxy connections no longer authenticating - 8.Dec.2010 4:03:02 PM   
Rotorblade

 

Posts: 1348
Joined: 27.Feb.2007
Status: offline
As JJ mentioned it sounds like a Kerberos issue which has been a problem child for many of us that use ISA. There have been many posts on this site and there is really no good why some see it and some don't. I have ran into this issue myself but only with a few clients. You may have a Kerberos issue possibly due to a Domain issue but that you will need to TS yourself. With leaving the setting unchecked you may run into authentication issues with internal web servers that use Integrated Authentication only.

What ISA 2004 version (service pack level) are you currently running?  There is a script that you can run to force ISA to use NTLM only if it really becomes an issue with disabling IE Integrated Authentication.

http://support.microsoft.com/kb/927265/en-us

HTH

RB

_____________________________

David Melvin
Ohio
MCSE: Security 2003, MCSA:Security 2003

(in reply to Jason Jones)
Post #: 5

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Cache] >> Web Proxy client >> Web Proxy connections no longer authenticating Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts