• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Integrated Authentication: Firefox - works, IE - doesn't

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 General ] >> Web Publishing >> Integrated Authentication: Firefox - works, IE - doesn't Page: [1]
Login
Message << Older Topic   Newer Topic >>
Integrated Authentication: Firefox - works, IE - doesn't - 2.May2005 5:21:00 PM   
johnsonru

 

Posts: 4
Joined: 2.May2005
From: San Diego
Status: offline
Hi.
I'm trying out ISA Server for the first time, in a test environment. Ultimately, I want to be able to publish two company intranet websites running on different servers under one URL. Both websites use integrated authentication. I've installed ISA Server 2004 Standard with sp1.

After setting up my firewall policies, I'm able to authenticate with one website using Internet Explorer(IE6.0.2800), but one the other website, I receive a 401 - unable to authenticate error from the website. Using FireFox I'm able to authenticate against both websites and see the expected content.

I'm puzzled because:
1. The servers have identical configurations (I've compared the local security policies/IIS configuration/ACLs of the servers to each other)
2. One of the sites comes up in IE.
3. Both sites come up in Firefox.
4. I can visit the site that doesn't come up in IE, if I visit it directly.
5. If I enable anonymous access on the site, it will come up through the ISA server in IE.

Does anybody have any ideas? I've been researching this here and Google for a couple days without any progress.

MANY thanks in advance!
Post #: 1
RE: Integrated Authentication: Firefox - works, IE - do... - 3.May2005 10:13:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Johnson,

Sounds like the Web Publishing Rules are configured differently.

HTH,
Tom

(in reply to johnsonru)
Post #: 2
RE: Integrated Authentication: Firefox - works, IE - do... - 3.May2005 10:57:00 PM   
johnsonru

 

Posts: 4
Joined: 2.May2005
From: San Diego
Status: offline
They're identical. To test, I even copied and pasted the working rule then made the minimum change to point to the different server. Same results.

Some further information: I can authenticate against the server if I create a local NT account. I'm unable to authenticate as a domain user. Our domain is running Active Directory (out of my control.) Is it possible to register a server in a domain where one server will delegate authentication but another won't?

(in reply to johnsonru)
Post #: 3
RE: Integrated Authentication: Firefox - works, IE - do... - 7.May2005 12:32:00 AM   
johnsonru

 

Posts: 4
Joined: 2.May2005
From: San Diego
Status: offline
Further info:
Turns out taking the ISA Server out of Active Directory domain into a workgroup allows the users to authenticate in the Active Directory domain....

(in reply to johnsonru)
Post #: 4
RE: Integrated Authentication: Firefox - works, IE - do... - 9.May2005 1:50:00 AM   
adelprete

 

Posts: 42
Joined: 11.Jan.2004
From: Rome, Italy
Status: offline
quote:
Originally posted by johnsonru:
Further info:
Turns out taking the ISA Server out of Active Directory domain into a workgroup allows the users to authenticate in the Active Directory domain....

Can you tell me if ISA2004 SP1 is running on W2K3 SP1?

I started having the same issue since the upgrade to W2K3 SP1 on the ISA Box. One site works fine with integrated authentication, the second site (same publishing rule) doesn't work with IE, but works with FireFox.

When I try access to the second site, on my client PC using IE 6, the following events are logged into the Application Log:

ID: 40960 Source: LSASRV Category: SPNEGO
The Security System detected an attempted downgrade attack for server <server name>. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".

ID: 40961 Source: LSASRV Category: SPNEGO
The Security System could not establish a secured connection with the server <server name>. No authentication protocol was available.

I'll analyze this one tomorrow...

(in reply to johnsonru)
Post #: 5
RE: Integrated Authentication: Firefox - works, IE - do... - 16.Aug.2005 10:42:00 AM   
bender_2112

 

Posts: 3
Joined: 12.Aug.2005
Status: offline
I'm running into a similar issue. We are running ISA 2004 SP1 on Win2K3. We currently have OWA, RPC over HTTP (for Outlook), SharePoint and a our ERP Web interface published through ISA. All of them work fine. ISA is not a member of the domain.

*Just a side note, SharePoint and the ERP Web app are using RSA authentication.*

I've set up an identical rule to SharePoint and the ERP Web app to publish an application called Changepoint. I've set up RSA auth as well.

*note, Changepoint only works with IE.*
*note, The odd thing about Changepoint, and it's inherent to the app, when you go to the URL it redirects you and brings up the application in a new window, therefore leaving you with 2 windows open. Popup blockers do get in the way, and in my testing all popup blockers are disabled.*

Now for the odd behavior...
With integrated auth set in IE:
Inside the network it works fine, no prompt.
Outside the network the integrated auth fails. I get the RSA auth, that works, but on the attempt to go to the web app, I get page cannot be displayed.
If I turn off integrated auth in IE, I get RSA, then I get windows prompt. Upon password entry it works fine.

In testing, even though Firefox is not supported for the app, when I set integrated auth in Firefox I get the RSA, then it actually works like it's supposed to. While I don't actually get the application, I get the first screen before the popup redirect. That tells me that it's authenticated.

Whew!....sorry for the long winded explanation.

So, my question is, am I missing a setting somewhere? Is this an ISA bug? Is it choking on the 2 browser windows that Changepoint uses upon login? Or, if anyone is familiar with Changepoint, is it something with that app?

Oh, not setting integrated auth is not really an option, since we have 2 other web apps that use it and it works. Our user base would complain... [Frown]

Any insight into this would be very helpful.

(in reply to johnsonru)
Post #: 6
RE: Integrated Authentication: Firefox - works, IE - do... - 23.Aug.2005 10:49:00 AM   
bender_2112

 

Posts: 3
Joined: 12.Aug.2005
Status: offline
Just bringing this back to the top of the list to see if anyone has any suggetions/ideas.

Thanks
Matt

(in reply to johnsonru)
Post #: 7

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 General ] >> Web Publishing >> Integrated Authentication: Firefox - works, IE - doesn't Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts