Good day all. I need some help clarifying something about how ISA authenticates with the various authentication methods. I know that there are 4 ways to auth with ISA, but how are the credentials passed to and through the ISA server? I'm looking for a technical explanation that shows the different transitions of the credentials (i.e. from client to ISA, from ISA to Domain Controller... with each of the different auth methods).
Just to clarify by giving a more specific example, if I select Basic Authentication so that I can get out to the internet from a *nix machine using Netscape, are the credentials passed in clear text during the entire trip (client to ISA, then ISA to DC)? If not, where and how is it different? I have the Configuring ISA Server 2000 book, but I was not able to find an in-depth explanation for this. Of course, it may be because my brain is fried right now. I did search around a bit and ran into posts like this one:
If anyone has any references for this information that may help, please share. I haven't turned up much. I ran a tcpdump on the *nix box while authenticating using Basic Auth, but I didn't see my credentials passed in the clear in the payload. Perhaps it's encapsulated somehow.
My next step is to sniff the wire for the connection between the ISA server and the DC to see what I can see.
The latest versions of Netscape (7.1) and Mozilla for PC support ISA integrated authentication rather than Basic, thus giving better security than Basic. Not sure about other browsers (such as Safari) and Mac/Linux/Unix versions of Netscape though.
I read over these articles and while they are informative, they don't provide the level of information I was looking for. However, I do think I have gathered the general idea from bits and pieces. It looks as though the application passes its supported methods of authentication to the ISA server, and if there's a match with what the ISA server offers, then it prompts the client for authentication for the session. The client performs the operation on the credentials passed - encoding for Basic Auth, hash for Digest, passed through Kerberos for Integrated Auth, and so on... The ISA server receives this information and authenticates locally or passes the information to the Auth server (in my case, the domain controller). From there, the DC checks for valid info and lets the ISA server know if it passes or not, thus allowing access to the resource (the web).
Does that sound about right?
Also, I found that Netscape 7.1 for *nix does not seem to support Windows Authentication via Kerberos or NTLM, I guess. Then again, I couldn't find anywhere on the site that said that it would. Maybe it's just the Windows version, but I was looking for Netscape from *nix to work.
My next step is to find out information on the encoding process, which I am sure is not secure, but I would like to know how it's done and how it is attacked when a session is sniffed. If anyone has any resources on that, then please share. Otherwise, off to search I go...
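Added example (not from any poster in this thread, and not ISA Server code) covering the two things asked above: what the Basic "encoding" actually is, and why a tcpdump of the client-to-ISA hop does not show the password as readable text even though it is fully recoverable. Per RFC 2617, a Basic client sends `Proxy-Authorization: Basic <base64(user:password)>`; base64 is a reversible encoding, not encryption, so anyone who can read the packet can recover the password. Digest, NTLM and Negotiate (Kerberos) send a challenge-response token or hash instead, so the password itself never crosses the wire. The script builds a constructed request the way a Basic client would, then inspects it the way a defender reviewing captured proxy traffic would: it flags Basic as exposing a recoverable password and reports only the username. Only the client-to-ISA hop is modelled; the ISA-to-DC hop is a separate protocol exchange this example does not cover. The sample requests, usernames and token strings are all constructed; the scheme descriptions are general HTTP-auth facts, not statements about ISA's configuration.

```python
import base64
import re
from typing import Optional, Tuple

# How each HTTP proxy-auth scheme exposes the credential on the client->proxy hop.
# General RFC 2617 / RFC 4559 facts; assumption: these are the four schemes the
# thread refers to, and nothing here is ISA-specific behaviour.
SCHEME_EXPOSURE = {
    "basic": "password recoverable: base64 is an encoding, not encryption",
    "digest": "password not sent; a challenge-response hash is sent",
    "ntlm": "password not sent; NTLM challenge-response tokens are sent",
    "negotiate": "password not sent; Kerberos/SPNEGO token is sent",
}


def build_basic_header(user: str, password: str) -> str:
    """Exactly what a Basic-auth client puts on the wire (RFC 2617 section 2)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Proxy-Authorization: Basic {token}"


def parse_proxy_auth(raw_request: str) -> Optional[Tuple[str, str]]:
    """Return (scheme, token) from the Proxy-Authorization header, or None."""
    m = re.search(r"^Proxy-Authorization:\s*(\S+)\s+(\S+)\s*$", raw_request, re.M | re.I)
    if not m:
        return None
    return m.group(1).lower(), m.group(2)


def decode_basic(token: str) -> Tuple[str, str]:
    """Reverse the Basic encoding; only the first colon separates user from password."""
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def inspect_request(raw_request: str) -> dict:
    """Classify what a passive observer on the client->ISA hop would learn.

    The password is deliberately never placed in the report: the point is to
    flag the exposure, not to harvest it.
    """
    parsed = parse_proxy_auth(raw_request)
    if parsed is None:
        return {"scheme": None, "exposure": "no proxy credentials in this request",
                "password_recoverable": False}
    scheme, token = parsed
    report = {"scheme": scheme,
              "exposure": SCHEME_EXPOSURE.get(scheme, "unknown scheme"),
              "password_recoverable": scheme == "basic"}
    if scheme == "basic":
        user, _ = decode_basic(token)
        report["username"] = user
    return report


# Constructed sample traffic (not a real capture): a Netscape-style proxy request
# using Basic, and the same request using an NTLM placeholder token.
SAMPLE_BASIC_REQUEST = (
    "GET http://example.com/ HTTP/1.1\r\n"
    "Host: example.com\r\n"
    + build_basic_header("jdoe", "Example-Pass-1") + "\r\n"
    "User-Agent: Mozilla/5.0 (X11; U; Linux i686) Netscape/7.1\r\n"
    "\r\n"
)
SAMPLE_NTLM_REQUEST = (
    "GET http://example.com/ HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Proxy-Authorization: NTLM CONSTRUCTED-PLACEHOLDER-TOKEN\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, req in (("basic", SAMPLE_BASIC_REQUEST), ("ntlm", SAMPLE_NTLM_REQUEST)):
        print(name, inspect_request(req))
```

Running it shows that the Basic request's token looks opaque in a packet dump but decodes straight back to the username and password, which is why the capture described above looked "encapsulated". The same header with Digest, NTLM or Negotiate carries a token that does not decode to the password, which is the practical reason to prefer integrated authentication over Basic wherever the client supports it.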