jgisler -> ISA & authenticating users HELP! (10.Apr.2001 1:09:00 AM)


Win2k Server w/sp1 & all patches installed
IIS default website is on port 81 instead of 80
Multihomed, NIC1:configured with internal static IP & subnet, no dns, no gateway
NIC2: External info, DNS, Gateway & such.

Fresh install of ISA, configured all services needed for protocols. Leaving ip packet filters default.
Activated VPN connections.

Setup multiple groups with different access privileges.
Made Protocols Rules & applied the groups to the different sets of rules.
Made sites rules, ALL.

Installed FW client on client PC's.

Everything worx, I have problems with authentication.
On my personal Win2k Professional workstation, I can access everything np. From another machine right next to mine, everything worx, except certain things.
Yahoo Messenger, after running, prompts for authentication again. After inputting the proper info, still won't go.
I read a post saying something about the authentication info getting stripped, added a Protocol rule for HTTP only & now it works

Problem is, either way when I tell Yahoo Messenger to use proxy, I get the same problem, prompts for auth. Now the wacky part is, on my 1st workstation, it all worx just fine.
Doesn't prompt me or anything.

What could it be...I'm going nutz....

jgisler -> RE: ISA & authenticating users HELP! (10.Apr.2001 1:17:00 AM)

forgot to mention, this is a NT4.0 domain

Guest -> RE: ISA & authenticating users HELP! (10.Apr.2001 8:41:00 PM)

Make sure the IPSEC service is not started on the ISA server (and client if it is win2k), if it is, then your browser will attempt to send Kerberos authentication instead of NTLM when it is told by ISA it must authenticate. I assume the special rule you added allowed anyone access, which let browsers go through without having to send authentication?

Guest -> RE: ISA & authenticating users HELP! (10.Apr.2001 8:44:00 PM)

Forgot to mention, IPSEC is only needed if you are doing a VPN with this box, if you are then disabling it on the server would be bad :O) , just disable it on the internal client if that is the case.

jgisler -> RE: ISA & authenticating users HELP! (10.Apr.2001 9:16:00 PM)

How would I do that, is it enabled by default? Network adapter settings?

What's weird is, if I go to another machine, I can't log in, lol... @ my machine it worx fine

Really strange

jgisler -> RE: ISA & authenticating users HELP! (11.Apr.2001 6:20:00 PM)

Didn't help...

What else could it be... also on a default install of Win2k Server, IPSEC is off, not on.

Could I get some help here please

Microsoft can't even figure it out, lol!

tshinder -> RE: ISA & authenticating users HELP! (11.Apr.2001 6:34:00 PM)

Hi JGisler,

Chalk it up to an "Unsolved ISA Server Mystery" that will probably be revealed with SP1 for ISA Server. I know I'm looking forward to that day.

BTW, you should put the IP address of your internal DNS Server on the internal NIC configuration settings.


Tom Shinder

Guest -> RE: ISA & authenticating users HELP! (11.Apr.2001 9:53:00 PM)

Have you taken a shot with Network Monitor? Do you see the machine sending NTLM authentication or is it another kind? I do know that IE 5.01 sent Kerberos authentication by default rather than NTLM, and most sites don't have Kerberos set up. Take a look at the captured packets of HTTP and see what it is doing. I had this problem with Proxy 2 on a Win2k server, and had to do an ADSI script to switch it to NTLM authentication.
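As an added illustration of the capture check suggested above (not code from this thread, ISA Server or Network Monitor), here is a small Python script that reads captured HTTP headers and names the mechanism each Proxy-Authorization value actually carries, so a Kerberos/Negotiate answer to an NTLM-only challenge stands out. The capture text and tokens are constructed for the example.

```python
import base64

# Headers that carry an authentication challenge (…authenticate) or answer (…authorization).
AUTH_HEADERS = {"proxy-authenticate", "proxy-authorization",
                "www-authenticate", "authorization"}
# DER encoding of the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")


def classify_token(scheme, token):
    """Name the mechanism a client actually sent. 'Negotiate' is SPNEGO and can
    wrap either Kerberos or NTLM, so the decoded bytes decide, not the scheme word."""
    scheme = scheme.lower()
    if scheme not in ("ntlm", "negotiate"):
        return scheme                      # basic, digest: nothing to decode
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except ValueError:
        return "malformed"
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"                      # raw NTLMSSP type 1/3 message
    if raw[:1] == b"\x60":                 # GSS-API InitialContextToken framing
        if b"NTLMSSP\x00" in raw:
            return "ntlm (spnego-wrapped)"
        if KRB5_OID in raw:
            return "kerberos"
    return "unknown"


def parse_auth_headers(capture):
    """Collect (header, scheme, mechanism) for every auth header in raw HTTP text."""
    found = []
    for line in capture.splitlines():
        name, sep, value = line.partition(":")
        name = name.strip().lower()
        if not sep or name not in AUTH_HEADERS:
            continue
        scheme, _, token = value.strip().partition(" ")
        mech = classify_token(scheme, token) if name.endswith("authorization") else scheme.lower()
        found.append((name, scheme, mech))
    return found


def diagnose(capture):
    """Flag client answers using a scheme the challenging side never offered."""
    found = parse_auth_headers(capture)
    offered = {m for n, _, m in found if n.endswith("authenticate")}
    return [f"client sent {s} ({m}) but proxy offered {sorted(offered)}"
            for n, s, m in found if n.endswith("authorization") and s.lower() not in offered]


# Constructed tokens and capture (not real credentials or a real ticket).
NTLM_TYPE1 = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2").decode()
KRB_BLOB = base64.b64encode(b"\x60\x30\x06\x06\x2b\x06\x01\x05\x05\x02" + KRB5_OID + b"\x00" * 20).decode()
SAMPLE_CAPTURE = (
    "HTTP/1.1 407 Proxy Authentication Required\nProxy-Authenticate: NTLM\n"
    'Proxy-Authenticate: Basic realm="ISA"\n\nGET http://www.example.com/ HTTP/1.1\n'
    f"Proxy-Authorization: Negotiate {KRB_BLOB}\n\nGET http://www.example.com/ HTTP/1.1\n"
    f"Proxy-Authorization: NTLM {NTLM_TYPE1}\n")
```

Run `diagnose(SAMPLE_CAPTURE)` against your own capture text to see which answers the proxy never asked for.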

jgisler -> RE: ISA & authenticating users HELP! (11.Apr.2001 10:32:00 PM)

Microsoft is working on it also, they were able to create the same problem in their environment... With win2k domain...same problem...I think it is authentication, but either way, it's still poopy that ISA doesn't support Kerb.

jgisler -> RE: ISA & authenticating users HELP! (11.Apr.2001 10:35:00 PM)

Nope, I haven't tried network monitor

I'll give it a whirl...

if that be the case, how can I make it switch??

Guest -> RE: ISA & authenticating users HELP! (12.Apr.2001 3:44:00 PM)

In the case that I had with Proxy 2, since it had IIS installed, there was an ADSI script to run that would force it to use NTLM, instead of negotiating the method (the default).

If IIS is installed on your win2k client you can run that script, otherwise the fix is the new SP for Internet Explorer.

The script is in the inetpub\adminscripts folder and is run by typing:

adsutil set w3svc/NTAuthenticationProviders "NTLM"

all on one line at the command prompt. If you get a message saying that adsutil is not compatible with that type, just say yes to letting it run with cscript instead.

jgisler -> RE: ISA & authenticating users HELP! (12.Apr.2001 7:30:00 PM)

Got it working right now...

I think it was a configuration thing.. Had to set up destinations & multiple groups for the different access levels... Anyways, I figured it out & got rid of the problem

It happens because of certain programs that want to send an anonymous packet 1st... then return; those are what seem to cause the problem. So I created a rule to let just anonymous HTTP & HTTPS through.. to any..
then I created a destination for that domain only... By looking through the logs from ISA & seeing what wanted to go where...

all is well

Thanx all!

