
Welcome to ISAserver.org


Can't get authentication popup from website thru our ISA2004

Can't get authentication popup from website thru our IS... - 31.Dec.2004 3:03:00 PM   
Guest
Problem: a user is attempting to open this site:
http://ublib.buffalo.edu
- Select "Library Research"
- Pick Databases by Title
- Pick the top entry, "Abell"
- Click the icon "Connect to Database"

When I use my ISA2000 proxy, I get the Apache Name/Password pop up box (I am the only user on this box as Administrator...)

All other regular users are on ISA2004 proxy, and get "timeout" when attempting to use this site.

I have Tom's book, and have suggested, configured *.buffalo.edu as direct access.
We have integrated authentication turned on for regular HTTP browsing (via Win2k AD group).
I have created a rule above this AD rule with target *.buffalo.edu with "All Users" as condition so there should be no authentication required.
User has Firewall client installed and operating.
User has the box "use autoconfiguration script" checkmarked, and the ISA2004 server is in that field...

No luck.
Help!
  Post #: 1
RE: Can't get authentication popup from website thru ou... - 31.Dec.2004 4:47:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Vic,

Tried to check it, but there is no:

Library research

link.

Tom

(in reply to Guest)
Post #: 2
RE: Can't get authentication popup from website thru ou... - 31.Dec.2004 4:57:00 PM   
Guest
This should take you there:

On the right is LIBRARY RESEARCH
Under that is LIBRARY DATABASE
Under that is Library Title.

Pick Library Title.

Sorry for the confusion!

Vic

(in reply to Guest)
  Post #: 3
RE: Can't get authentication popup from website thru ou... - 1.Jan.2005 2:49:00 AM   
ev@n

 

Posts: 21
Joined: 29.Dec.2004
Status: offline
quote:
Originally posted by <Vic>:
Problem: a user is attempting to open this site:
http://ublib.buffalo.edu
- Select "Library Research"
- Pick Databases by Title
- Pick the top entry, "Abell"
- Click the icon "Connect to Database"

When I use my ISA2000 proxy, I get the Apache Name/Password pop up box (I am the only user on this box as Administrator...)

All other regular users are on ISA2004 proxy, and get "timeout" when attempting to use this site.

I have Tom's book, and have suggested, configured *.buffalo.edu as direct access.
We have integrated authentication turned on for regular HTTP browsing (via Win2k AD group).
I have created a rule above this AD rule with target *.buffalo.edu with "All Users" as condition so there should be no authentication required.
User has Firewall client installed and operating.
User has the box "use autoconfiguration script" checkmarked, and the ISA2004 server is in that field...

No luck.
Help!

Do you have anonymous access enabled under the Internal Network properties? Go to the Web Proxy tab and click on the Authentication button. There you will see an option that states that ALL USERS should be authenticated. Make sure that is unchecked. I'm assuming that Integrated Authentication is your only checked method. See how that works out for you.
-Evan

(in reply to Guest)
Post #: 4
RE: Can't get authentication popup from website thru ou... - 7.Jan.2005 3:23:00 PM   
Guest
"Do you have anonymous access enabled under the Internal Network properties"

I'm not clear on your suggestion. I do not want anonymous internet browsing:

I have [only] "Integrated Authentication" checkboxed, and under that, "Require all users to authenticate".

We must limit web browsing to a select group of folks. They are in an Active Directory group that ISA2004 "ProxyUsers" and has as the rule "First Rule" (which is now rule #4...):

Allow AllOutbound Internal External ProxyUsers

I do not want pop-up boxes for Name & Password.
If someone is not in the select Internet Users group, they should not browse the Internet (I do not want to allow anonymous access).

(in reply to Guest)
  Post #: 5
RE: Can't get authentication popup from website thru ou... - 14.Jan.2005 10:32:00 PM   
Guest
I still can't get this to work.
Can anybody verify they can get the authentication pop-up from the UB server using their ISA2004 setup?

Thanks,
Vic

(in reply to Guest)
  Post #: 6
RE: Can't get authentication popup from website thru ou... - 14.Jan.2005 11:38:00 PM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi Vic,

Do not use the "Require all users to authenticate" option; this will definitely generate authentication dialogs.

In ISA Server 2004, if you are authenticated as a user in your domain, but you do not have an access rule in place that allows you to use http, then you will be denied. This is a change from the default in ISA Server 2000, which would generate an authentication dialog.

Check out the following thread:

http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=25;t=000383

HTH,

Bill

(in reply to Guest)
Post #: 7
RE: Can't get authentication popup from website thru ou... - 15.Jan.2005 2:42:00 AM   
Guest
Hi Bill,
I will turn off "require users to authenticate" and give it a try when I get back to work and see if that helps.

BUT - I think I'm confusing folks with what is going on here by talking about 2 issues in the same problem request.

Insofar as ISA2004 authentication - yes I do not want users to type in their Win2k domain name and password. I was letting the integrated authentication take care of that. And that was and is working fine as configured.

But this is not the real problem here. What it really is, is that the UB site sends back its OWN login name and password for *their* authority access. The users get to the website using the proxy, but when they click the "login" at the UB site, whatever packets are being sent back from UB never get to the user. They never get the target server Apache login authentication box, thus the connection to the site times out, and they can't get to their data. That is what I'm trying to solve.

(in reply to Guest)
  Post #: 8
RE: Can't get authentication popup from website thru ou... - 15.Jan.2005 2:53:00 AM   
Guest
Better Example...

Open this link:

http://ublib.buffalo.edu/libraries/e-resources/bison/off-serials.html

Click the red button "Connect to Database"

Do you get prompted to sign in to the UB system using your ISA2004 proxy?

(in reply to Guest)
  Post #: 9
RE: Can't get authentication popup from website thru ou... - 17.Jan.2005 6:33:00 PM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
quote:
Do you get prompted to sign in to the UB system using your ISA2004 proxy?

I am prompted for credentials by elmwood.lib.buffalo.edu, not by my ISA firewall.

I did notice, though, that the Connect to database link you posted uses a non-standard http port (2048).

Bill

(in reply to Guest)
Post #: 10
RE: Can't get authentication popup from website thru ou... - 17.Jan.2005 8:44:00 PM   
Guest
OK Bill, thanks, that's what I wanted to know, if the credential request (yes appears to come back on port 2048) was getting past your ISA2004 to you.
Our users are not getting it. I do not know why.

Incidentally, I turned off "require users to authenticate" to try to solve my problem as you had mentioned. It did not help this issue, but I did note that all the traffic after I did that as being recorded by ISA2004 was all "anonymous". Nope, we need to track usage by logged in user's name, so I had to turn that flag back on...

(in reply to Guest)
  Post #: 11
RE: Can't get authentication popup from website thru ou... - 17.Jan.2005 8:56:00 PM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
quote:
Our users are not getting it. I do not know why.

As a guess, I would imagine you'd need to allow http outbound on port 2048. (It drives firewall admins crazy when web folks insist on running their servers on non-standard ports.)

Regarding anonymous requests: All web proxy requests are sent as anonymous first. If there are no rules permitting anonymous access, then ISA will request credentials from the user agent. So you see, there is a way to force authentication without selecting the problematic Require all users to authenticate option. I recommend removing anonymous access rules and disabling that option, as it will prevent problems in the future.

Bill

(in reply to Guest)
Post #: 12
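
Added example, not part of the thread or of any poster's code: the thread mixes two separate HTTP challenges, the proxy's own (status 407 with Proxy-Authenticate) and the origin web server's (status 401 with WWW-Authenticate). This Python sketch classifies a raw response by which hop is asking for credentials; the sample responses and the realm string are constructed, not captured from the servers discussed here.

```python
import re

# Constructed sample responses (assumptions, not captured from the thread's servers).
PROXY_CHALLENGE = (
    b"HTTP/1.1 407 Proxy Authentication Required\r\n"
    b"Proxy-Authenticate: Negotiate\r\n"
    b"Proxy-Authenticate: NTLM\r\n"
    b"Content-Length: 0\r\n\r\n"
)
ORIGIN_CHALLENGE = (
    b"HTTP/1.1 401 Authorization Required\r\n"
    b"Server: Apache\r\n"
    b'WWW-Authenticate: Basic realm="Example Library Databases"\r\n'
    b"Content-Length: 0\r\n\r\n"
)
PLAIN_OK = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def classify_challenge(raw: bytes) -> dict:
    """Report which hop is asking for credentials in a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP response")
    status = int(m.group(1))
    # 407 pairs with Proxy-Authenticate (the proxy is challenging);
    # 401 pairs with WWW-Authenticate (the origin server is challenging).
    header, source = {407: ("proxy-authenticate", "proxy"),
                      401: ("www-authenticate", "origin")}.get(status, (None, "none"))
    schemes, realm = [], None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if header and name.strip().lower() == header:
            value = value.strip()
            # First token of each challenge header line is the scheme name.
            schemes.append(value.split(" ", 1)[0])
            found = re.search(r'realm="([^"]*)"', value)
            if found:
                realm = found.group(1)
    return {"status": status, "source": source, "schemes": schemes, "realm": realm}


if __name__ == "__main__":
    for sample in (PROXY_CHALLENGE, ORIGIN_CHALLENGE, PLAIN_OK):
        print(classify_challenge(sample))
```

Run against headers captured at the client, a result of "origin" means the target server's challenge reached the browser; if the client only ever sees "proxy" results or a timeout, the request is not completing past the proxy.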
RE: Can't get authentication popup from website thru ou... - 18.Jan.2005 2:49:00 AM   
Guest
(from a few posts up) I am allowing all authenticated users, all data types (should encompass all ports) via this rule:

Allow AllOutbound Internal External ProxyUsers

I would have expected "AllOutbound" to allow port 2048 out (the firewall client IS being used). I also would have expected when ISA2004 sets up an established connection outbound, it would know who set it up and route corresponding data back to that user as needed....
I can't be sure if I need 2048 out, or if it's not that I need 2048 coming back in.

(in reply to Guest)
  Post #: 13
