• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Using Kerberos for Web Proxy requests

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Firewall] >> General >> Using Kerberos for Web Proxy requests Page: [1]
Login
Message << Older Topic   Newer Topic >>
Using Kerberos for Web Proxy requests - 13.Jul.2011 2:48:36 PM   
THX

 

Posts: 107
Joined: 8.Aug.2007
Status: offline
I was reading this article and this article makes it sound like all requests default using NTLM authentication. Or, making the ISA Server perform the authentication on behalf of the client.

http://blogs.technet.com/b/isablog/archive/2008/06/26/understanding-by-design-behavior-of-isa-server-2006-using-kerberos-authentication-for-web-proxy-requests-on-isa-server-2006-with-nlb.aspx

Is this still valid?

The reason I ask is because I did a network trace of two clients (one on ISA Server 2004 and one on TMG 2010) and they are both passing GSS-API authentication, which is to say that they are using Kerberos.

Thoughts and comments please...
Post #: 1
RE: Using Kerberos for Web Proxy requests - 13.Jul.2011 4:34:20 PM   
renatomarson

 

Posts: 17
Joined: 12.Jul.2011
Status: offline
Hi THX,

That link is valid for ISA Servers using NLB.

If you use a single ISA Server or TMG, you only need to configure the proxy address on client machines to use the ISA/TMG FQDN.

Using the FQDN instead of IP, the authentication will use Kerberos.

[]'s

Renato Marson Pagan

(in reply to THX)
Post #: 2
RE: Using Kerberos for Web Proxy requests - 13.Jul.2011 4:57:17 PM   
THX

 

Posts: 107
Joined: 8.Aug.2007
Status: offline
Just so that I understand your reply properly...If I put a FQDN in the proxy address in Internet Explorer (i.e. proxy.contoso.com) it will automatically use Kerberos authentication and therefore offload the authentication requests from the ISA Server array?

Whereas, if I put the IP address of the proxy server address in Internet Explorer it will not use Kerberos authentication and therefore bog down the ISA Server array with NTLM authentication traffic to\from the DC's?

(in reply to renatomarson)
Post #: 3
RE: Using Kerberos for Web Proxy requests - 13.Jul.2011 5:11:06 PM   
renatomarson

 

Posts: 17
Joined: 12.Jul.2011
Status: offline
Hi THX,

If you use a single ISA, yes. Your statement is right. You just need to configure the clients with FQDN.

But if you have a array with 2 or more ISAs then you need to follow the link that you sent and configure the clients to use WPAD.

< Message edited by renatomarson -- 13.Jul.2011 5:13:18 PM >

(in reply to THX)
Post #: 4

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 Firewall] >> General >> Using Kerberos for Web Proxy requests Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts