Re: Authentication Prompts in IE



Hello Jack,

Sorry for my bad English.. I will try to explain more clearly...

The problem in my company is that sometimes users are asked to provide their
credentials.
My configuration in ISA 2004 is simple:
- My Deny rules don't require authentication. They are just simple rules
blocking some sites..
- My Permit rules require authentication (I put Authenticated Users on the
rules - anyone who has valid credentials can navigate)..
- My ISA is not configured with 'Require Authentication For All Users'.
- My ISA is configured to work only with NTLM, no basic auth and no Kerberos
auth..
- No VPN or any advanced rules.
I think it's very similar to yours.

Because ISA is configured to use only NTLM, the expected flow in navigation
was never to ask the user for credentials. If some authentication is necessary
(and it is), the browser will negotiate the credentials with ISA using NTLM
challenge and response, and if the credentials are OK, ISA will permit
the navigation.
If the credentials are not accepted because the user is not allowed in
the rule, then IE will ask the user to retype other credentials.

* This is an important thing, and sorry for my long explanation:
- If ISA doesn't accept the user's credentials, in theory this is because the user
is not allowed in the rule.
- And also in theory, if the user retypes their password, ISA must deny the
access too. Because if the first NTLM failed, the browser will retry with
the same credentials and then the authentication must be rejected too.
- If ISA accepts the same credentials typed by the user, for me, it shows
that the first NTLM negotiation failed for other reasons, because the
password is valid.
- If ISA accepts, and the user saves the password in IE.. in future
situations where IE fails the first negotiation, IE always tries the same
credentials again, with the same saved password.
- This will cause the incidence of Password Prompt dialogs to decrease.. It
will happen again only when the double check for the password fails.
- If users then change their password in AD, for future failed first
negotiations IE will try the old one.. It will fail, and the incidence of
Password Prompt dialogs will increase. The user must then resave their
password.

- I don't know if my explanation was clear, but for me, it's a real cause
of the problem and the very important thing - maybe a bug..!

With this situation, I then started several tests:
I used Network Monitor to capture low level packets to study the
communication between IE and ISA.
I observed that when a user wants to go to a site, the communication flow was:

1) IE asks for the site anonymously.
2) ISA replies with error 407 - authentication required
3) IE starts NTLM authentication.
4) ISA replies with error 407 again and authentication continues
5) IE continues NTLM authentication
6) ISA then returns one of the following options..
6.1) ISA replies with status 200 - Document follows and serves the request (for
users allowed)
6.2) ISA replies with error 407 - auth required (for users not allowed in the
rule).
6.3) ISA doesn't reply with anything and closes the communication with a TCP
RESET on the socket!!! (this was not expected! But it happens in my site).

Steps 3-5 are related to the NTLM challenge and response.

In MY company I saw a lot of responses of type (6.3).. This was very very
strange!!! And this is why I opened the support ticket.

When ISA follows the 6.3 step, then IE will think the authentication failed.
And then IE asks the user to provide other credentials.
After the user presses OK, the communication will begin again...

Because my rules just require Authenticated Users, in my site, step 6.2
will never happen.

Step 6.1 is more frequent than 6.3, but a single 6.3 occurrence
causes the users to stop navigating and be prompted for credentials.

As you can see, it's a really strange thing, and now I'm waiting for news from
MS or someone with the same problem..

But I don't give up.. I double checked the netmon traces.. and I observed
one more thing:
- This problem happens more frequently with small static objects than with bigger
ones (the smallest are the most cacheable).. (gif, css, etc..)
- When I start IE with a URL pointing to some objects, the errors in the network
traces are the same, but IE doesn't ask for a password.. It just displays a
network error!
--> Because the socket was closed, IE thinks it's a network error..

I then did a very crazy test... I disabled the CACHE in ISA!

WOW... All the problems disappeared!!! No more occurrences of step (6.3)..
Navigation flow was perfect, users were never asked to provide their
credentials. The dialog never happened.

But it's not a solution. Without cache, ISA loses one big important
component..

Well... Now I'm still waiting for MS...
I hope I'm wrong and the guys show me where the problem is.. But I really think
there is a bug here..


Jack, sorry for my big post, but because I had some difficulties choosing the
words and composing the paragraphs... my messages sometimes are very big...

I hope this helps
Thanks
Felipe





"Jack.Dobiash" <jack.dobiash@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:F8CdnWnINaAP723fRVn_vQ@xxxxxxxxxxxxxxx
> Hello Felipe, thanks for your input. I'm pretty sure it's not using
> Basic Authentication, as it is not checked in ISA, only Integrated
> is. Plus, I do not have it set to Require Authentication for All
> Users, only one specific rule has any sort of Authentication
> checking. I don't quite understand when you say 'you don't type
> user credentials', as I don't type them either, the end user does
> when it prompts them. If they don't stick in anything or stick in
> the wrong password, it keeps coming back and reprompting them.
>
> If you happen to get feedback from your Trouble ticket open to
> Microsoft, please let us know. Thanks!
>
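As an added example (not part of Felipe's post, and not an ISA or Network Monitor tool), here is a small Python classifier that walks the exchange in steps 1-6 above over a constructed, simplified per-connection trace summary (the line format, connection ids and URLs are hypothetical) and labels each connection as outcome 6.1, 6.2 or 6.3, so that resets arriving after the final NTLM message can be counted and correlated with the requested URL.

```python
import re
from collections import Counter

# Constructed sample (not a real netmon export): "<conn> <C|S> <summary>".
# Connection 1 ends as 6.1, connection 2 as 6.3, connection 3 as 6.2.
SAMPLE_TRACE = """\
1 C GET http://intranet.example/index.html
1 S 407 Proxy-Authenticate: NTLM
1 C GET http://intranet.example/index.html NTLM TYPE1
1 S 407 Proxy-Authenticate: NTLM TYPE2
1 C GET http://intranet.example/index.html NTLM TYPE3
1 S 200
2 C GET http://intranet.example/logo.gif
2 S 407 Proxy-Authenticate: NTLM
2 C GET http://intranet.example/logo.gif NTLM TYPE1
2 S 407 Proxy-Authenticate: NTLM TYPE2
2 C GET http://intranet.example/logo.gif NTLM TYPE3
2 S RST
3 C GET http://intranet.example/admin/
3 S 407 Proxy-Authenticate: NTLM
3 C GET http://intranet.example/admin/ NTLM TYPE1
3 S 407 Proxy-Authenticate: NTLM TYPE2
3 C GET http://intranet.example/admin/ NTLM TYPE3
3 S 407 Proxy-Authenticate: NTLM
"""
LINE = re.compile(r"^(\d+)\s+([CS])\s+(\S+)(?:\s+(\S+))?(.*)$")

def classify(trace):
    """Map conn -> (url, outcome): 'allowed' (6.1), 'denied' (6.2),
    'reset' (6.3, RST after TYPE3), 'reset_early' or 'incomplete'."""
    url, type3_sent, outcome = {}, set(), {}
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        conn, side, first, second, rest = m.groups()
        if side == "C":
            url.setdefault(conn, second)        # first client line: GET <url>
            if "TYPE3" in rest:
                type3_sent.add(conn)            # step 5 done, ISA must now decide
        elif conn in type3_sent and conn not in outcome:
            outcome[conn] = {"200": "allowed", "407": "denied",
                             "RST": "reset"}.get(first, "incomplete")
        elif first == "RST":
            outcome.setdefault(conn, "reset_early")  # closed before step 5
    return {c: (url[c], outcome.get(c, "incomplete")) for c in url}

def summarize(trace):
    """Outcome counts; any 'reset' is the symptom described in the post."""
    return Counter(o for _, o in classify(trace).values())
```

Listing the URLs whose outcome is 'reset' is what lets you check the "small static objects" pattern against your own traces.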

