Clarification on Authentication through ISA

Clarification on Authentication through ISA - 13.Oct.2003 10:12:00 PM   
s3cur3m3

 

Posts: 58
Joined: 23.Nov.2002
Status: offline
Good day all. I need some help clarifying something about how ISA authenticates with the various authentication methods. I know that there are 4 ways to auth with ISA, but how are the credentials passed to and through the ISA server? I'm looking for a technical explanation that shows the different transitions of the credentials (i.e. from client to ISA, from ISA to Domain Controller... with each of the different auth methods).

Just to clarify by giving a more specific example, if I select Basic Authentication so that I can get out to the internet from a *nix machine using Netscape, are the credentials passed in clear text during the entire trip (client to ISA, then ISA to DC)? If not, where and how is it different? I have the Configuring ISA Server 2000 book, but I was not able to find an in-depth explanation for this. Of course, it may be because my brain is fried right now. I did search around a bit and ran into posts like this one:

http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=2;t=004261

If anyone has any references for this information that may help, please share. I haven't turned up much. I ran a tcpdump on the *nix box while authenticating using Basic Auth, but I didn't see my credentials passed in the clear in the payload. Perhaps it's encapsulated somehow.

My next step is to sniff the wire for the connection between the ISA server and the DC to see what I can see.

Any help is appreciated.

Thanks.
Post #: 1
RE: Clarification on Authentication through ISA - 14.Oct.2003 4:59:00 AM   
sniper

 

Posts: 687
Joined: 9.Aug.2001
From: OK, USA
Status: offline
s3cur3m3,

Check out these articles in the learning zone section

http://www.isaserver.org/tutorials/Configuring_authentication_methods_for_ISA.html

http://www.isaserver.org/tutorials/Understanding_ISAs_different_Authentication_types.html

(in reply to s3cur3m3)
Post #: 2
RE: Clarification on Authentication through ISA - 14.Oct.2003 1:49:00 PM   
ghosking

 

Posts: 11
Joined: 12.Aug.2002
From: UK
Status: offline
Also,

The latest versions of Netscape (7.1) and Mozilla for PC support ISA integrated authentication rather than using basic, thus giving better security than basic. Not sure about other browsers (such as Safari) and Mac/Linux/Unix versions of Netscape though.

(in reply to s3cur3m3)
Post #: 3
RE: Clarification on Authentication through ISA - 14.Oct.2003 8:41:00 PM   
s3cur3m3

 

Posts: 58
Joined: 23.Nov.2002
Status: offline
I read over these articles and while they are informative, they don't provide the level of information I was looking for. However, I do think I have gathered the general idea from bits and pieces. It looks as though the application passes its supported methods of authentication to the ISA server, and if there's a match with what the ISA server offers, then it prompts the client for authentication for the session. The client performs the operation on the credentials passed - encoding for Basic Auth, hash for Digest, passed through Kerberos for Integrated Auth, and so on... The ISA server receives this information and authenticates locally or passes the information to the Auth server (in my case, the domain controller). From there, the DC checks for valid info and lets the ISA server know if it passes or not, thus allowing access to the resource (the web).

Does that sound about right?

Also, I found that Netscape 7.1 for *nix does not seem to support Windows Authentication via Kerberos or NTLM, I guess. Then again, I couldn't find anywhere on the site that said that it would. Maybe it's just the Windows version, but I was looking for Netscape from *nix to work.

My next step is to find out information on the encoding process, which I am sure is not secure, but I would like to know how it's done and how it is attacked when a session is sniffed. If anyone has any resources on that, then please share. Otherwise, off to search I go...

Thanks for your help guys.

(in reply to s3cur3m3)
Post #: 4
RE: Clarification on Authentication through ISA - 15.Oct.2003 8:25:00 PM   
s3cur3m3

 

Posts: 58
Joined: 23.Nov.2002
Status: offline
It appears as though the credentials are encoded using base64 by the client and forwarded to ISA to handle.

So, that said, I guess you could just sniff the session, then feed the information from the payload into a decoder or do it by hand.

(in reply to s3cur3m3)
Post #: 5
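
The distinction discussed in the posts above (Basic sends base64 of the credentials, Digest and integrated methods send derived values), as an added example that is not from the thread or from ISA Server: a Python check that classifies the `Proxy-Authorization` header of a captured proxy request and reports which account is exposed without printing its password. The sample request, account name and password are constructed.

```python
import base64
import binascii

# How each scheme's credential material travels from client to proxy.
EXPOSURE = {
    "basic": "reversible base64 of user:password",
    "digest": "hash of password and server nonce",
    "ntlm": "challenge-response token",
    "negotiate": "Kerberos or NTLM token",
}

# Constructed sample capture; the account and password are made up.
SAMPLE_REQUEST = (
    "GET http://example.com/ HTTP/1.0\r\n"
    "Host: example.com\r\n"
    "Proxy-Authorization: Basic "
    + base64.b64encode(b"CORP\\jdoe:example:pw").decode()
    + "\r\n\r\n"
)

def audit_proxy_auth(raw_request: str) -> dict:
    """Classify the Proxy-Authorization header of one captured HTTP request."""
    for line in raw_request.split("\r\n")[1:]:   # skip the request line
        if not line:
            break                                # blank line ends the headers
        name, _, value = line.partition(":")
        if name.strip().lower() != "proxy-authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        scheme = scheme.lower()
        finding = {"scheme": scheme,
                   "exposure": EXPOSURE.get(scheme, "unknown scheme")}
        if scheme == "basic":
            try:
                decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                finding["error"] = "malformed Basic token"
                return finding
            # Only the first colon separates user from password.
            user, sep, password = decoded.partition(":")
            if not sep:
                finding["error"] = "malformed Basic token"
                return finding
            finding["user"] = user
            finding["password_length"] = len(password)  # never log the value
        return finding
    return {"scheme": None, "exposure": "no proxy credentials sent"}

if __name__ == "__main__":
    print(audit_proxy_auth(SAMPLE_REQUEST))
```

A `basic` finding on a cleartext proxy port means the account's password should be treated as disclosed to anyone on the path between client and proxy.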
