ISA & authenticating users HELP!

ISA & authenticating users HELP! - 10.Apr.2001 1:09:00 AM   
jgisler

 

Posts: 56
Joined: 10.Apr.2001
Status: offline
Scenario:

Win2k Server w/sp1 & all patches installed
IIS default website is on port 81 instead of 80
Multihomed, NIC1:configured with internal static IP & subnet, no dns, no gateway
NIC2: External info, DNS, Gateway & such.

Fresh install of ISA, configured all services needed for protocols. Leaving ip packet filters default.
Activated VPN connections.

Setup Multiple groups with different access privileges.
Made Protocols Rules & applied the groups to the different sets of rules.
Made sites rules, ALL.

Installed FW client on client PC's.

Everything worx, I have problems with authentication.
On my personal Win2k Professional workstation, I can access everything np. From another machine right next to mine, everything worx, except certain things.
Yahoo Messenger, after running, prompts for authentication again. After inputting the proper info, still won't go.
I read a post saying something about the authentication info getting stripped, added a Protocol rule for HTTP only & now it works

Problem is, either way when I tell Yahoo msnger to use proxy, I get the same problem, prompts for auth. Now the wacky part is, on my 1st workstation, it all worx just fine.
Doesn't prompt me or anything.

What could it be...I'm going nutz....

Post #: 1
RE: ISA & authenticating users HELP! - 10.Apr.2001 1:17:00 AM   
jgisler

 

Posts: 56
Joined: 10.Apr.2001
Status: offline
forgot to mention, this is a NT4.0 domain

(in reply to jgisler)
Post #: 2
RE: ISA & authenticating users HELP! - 10.Apr.2001 8:41:00 PM   
Guest
Make sure the IPSEC service is not started on the ISA server (and client if it is win2k), if it is, then your browser will attempt to send Kerberos authentication instead of NTLM when it is told by ISA it must authenticate. I assume the special rule you added allowed anyone access, which let browsers go through without having to send authentication?

(in reply to jgisler)
  Post #: 3
RE: ISA & authenticating users HELP! - 10.Apr.2001 8:44:00 PM   
Guest
Forgot to mention, IPSEC is only needed if you are doing a VPN with this box, if you are then disabling it on the server would be bad :O) , just disable it on the internal client if that is the case.

(in reply to jgisler)
  Post #: 4
RE: ISA & authenticating users HELP! - 10.Apr.2001 9:16:00 PM   
jgisler

 

Posts: 56
Joined: 10.Apr.2001
Status: offline
How would I do that, is it enabled by default? Network adapter settings?


What's weird is, if I go to another machine, I can't log in, lol... @ my machine it worx fine

Really strange


(in reply to jgisler)
Post #: 5
RE: ISA & authenticating users HELP! - 11.Apr.2001 6:20:00 PM   
jgisler

 

Posts: 56
Joined: 10.Apr.2001
Status: offline
Didn't help...

What else could it be..also on a default install of Win2k server, ipsec is off, not on.

Could I get some help here please

Microsoft can't even figure it out, lol!


(in reply to jgisler)
Post #: 6
RE: ISA & authenticating users HELP! - 11.Apr.2001 6:34:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi JGisler,

Chalk it up to an "Unsolved ISA Server Mystery" that will probably be revealed with SP1 for ISA Server. I know I'm looking forward to that day.

BTW, you should put the IP address of your internal DNS Server on the internal NIC configuration settings.

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/


(in reply to jgisler)
Post #: 7
RE: ISA & authenticating users HELP! - 11.Apr.2001 9:53:00 PM   
Guest
Have you taken a shot with Network Monitor? Do you see the machine sending NTLM authentication or is it another kind? I do know that IE 5.01 sent Kerberos authentication by default rather than NTLM, and most sites don't have Kerberos set up. Take a look at the captured packets of HTTP and see what it is doing. I had this problem with proxy2 on a win2k server, and had to do an adsi script to switch it to NTLM authentication.

(in reply to jgisler)
  Post #: 8
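The check suggested in post #8, as an added example that is not part of any post in this thread: given the value of an Authorization or Proxy-Authorization header copied out of a capture, this Python sketch reports whether the client sent NTLM or a Negotiate token that prefers Kerberos. The function name, the result tuple and the sample tokens are constructed for illustration; the OID scan is a heuristic, not a full ASN.1 parse.

```python
import base64

# DER-encoded mechanism OIDs that can appear inside a GSS-API / SPNEGO token.
SPNEGO_OID = bytes.fromhex("06062b0601050502")                      # 1.3.6.1.5.5.2
MECH_OIDS = {
    "kerberos": bytes.fromhex("06092a864886f712010202"),            # 1.2.840.113554.1.2.2
    "kerberos-ms-legacy": bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2
    "ntlm": bytes.fromhex("060a2b06010401823702020a"),              # 1.3.6.1.4.1.311.2.2.10
}
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def classify_auth_header(value):
    """Return (wire_scheme, mechanism, detail) for a captured auth header value."""
    parts = value.split(None, 1)
    if not parts:
        return ("none", "anonymous", "no credentials sent")
    scheme = parts[0].lower()
    if scheme not in ("ntlm", "negotiate") or len(parts) < 2:
        return (scheme, "unknown", "not an NTLM/Negotiate token")
    try:
        token = base64.b64decode(parts[1].strip(), validate=True)
    except ValueError:
        return (scheme, "unknown", "token is not valid base64")
    if token.startswith(b"NTLMSSP\x00") and len(token) >= 12:
        msg_type = int.from_bytes(token[8:12], "little")
        return (scheme, "ntlm", "NTLM " + NTLM_TYPES.get(msg_type, "type %d" % msg_type))
    if token[:1] == b"\x60":  # GSS-API InitialContextToken
        found = sorted((token.find(oid), name) for name, oid in MECH_OIDS.items() if oid in token)
        mechs = [name for _, name in found]
        if mechs:  # the first mechanism listed is the one the client prefers
            wrapped = "SPNEGO" if SPNEGO_OID in token[:16] else "raw GSS-API"
            return (scheme, mechs[0], wrapped + " offering " + ", ".join(mechs))
    return (scheme, "unknown", "unrecognised token layout")

def _tlv(tag, body):  # minimal DER tag-length-value, short lengths only
    return bytes([tag, len(body)]) + body

# Constructed sample header values (not taken from the thread).
_mechs = MECH_OIDS["kerberos-ms-legacy"] + MECH_OIDS["kerberos"] + MECH_OIDS["ntlm"]
_spnego = _tlv(0x60, SPNEGO_OID + _tlv(0xA0, _tlv(0x30, _tlv(0xA0, _tlv(0x30, _mechs)))))
SAMPLES = {
    "ntlm_type1": "NTLM " + base64.b64encode(b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes(4)).decode(),
    "negotiate_krb": "Negotiate " + base64.b64encode(_spnego).decode(),
    "negotiate_ntlm": "Negotiate " + base64.b64encode(b"NTLMSSP\x00" + (3).to_bytes(4, "little") + bytes(52)).decode(),
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, classify_auth_header(header))
```

A request with no header at all comes back as anonymous, which is the case the original poster's final rule ended up allowing.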
RE: ISA & authenticating users HELP! - 11.Apr.2001 10:32:00 PM   
jgisler

 

Posts: 56
Joined: 10.Apr.2001
Status: offline
Microsoft is working on it also, they were able to create the same problem in their environment... With win2k domain...same problem...I think it is authentication, but either way, it's still poopy that ISA doesn't support Kerb.

(in reply to jgisler)
Post #: 9
RE: ISA & authenticating users HELP! - 11.Apr.2001 10:35:00 PM   
jgisler

 

Posts: 56
Joined: 10.Apr.2001
Status: offline
Nope, I haven't tried network monitor

I'll give it a whirl...

if that be the case, how can I make it switch??


(in reply to jgisler)
Post #: 10
RE: ISA & authenticating users HELP! - 12.Apr.2001 3:44:00 PM   
Guest
In the case that I had with Proxy 2, since it had IIS installed, there was an ANSI script to run that would force it to use NTLM, instead of negotiating the method (the default).

If IIS is installed on your win2k client you can run that script, otherwise the fix is the new SP for Internet Explorer.

The script is in the inetpub\adminscripts folder and is run by typing:

adsutil set w3svc/NTAuthenticationProviders "NTLM"

all on one line at the command prompt. If you get a message saying that adsutil is not compatible with that type, just say yes to letting it run with cscript instead.



(in reply to jgisler)
  Post #: 11
RE: ISA & authenticating users HELP! - 12.Apr.2001 7:30:00 PM   
jgisler

 

Posts: 56
Joined: 10.Apr.2001
Status: offline
Got it working right now...

I think it was a configuration thing.. Had to setup destinations & multiple groups for the different access levels... Anyways, I figured it out & got rid of the problem

It happens because of certain programs that want to send an anonymous packet 1st...then return, those are what seems to cause the problem. So I created a rule to let just anonymous http & https through.. to any..
then I created a destination for that domain only... By looking through the logs from isa & seeing what wanted to go where...

all is well

Thanx all!


(in reply to jgisler)
Post #: 12
