Re: Proxy Authentication
- From: "Smurfman" <smurfman@xxxxxxxxxxxxxx>
- Date: Mon, 19 Sep 2005 08:21:04 -0700
Thanks Virgil...
So to make sure I am understanding the setting correctly, and since I am
still learning ISA and how to fully leverage it...the setting that you
mentioned as located on the Outgoing Web Requests for UnAuthenticated users,
is for the "per proxy listener"?
I do have a rule for internet access, whereby certain groups and users are
assigned. I am understanding that this setting will protect the server from
anyone just going out?
The caching of credentials was just another thought that entered my mind,
that if the user was not getting logged in in a timely manner, that they were
in fact not getting authenticated for internet activity...but I would have
expected that when ISA asked for the user to enter their username and
password, that it was in fact trying to give the user a new token. (Here is
where I was mentioning the "admin" thing. If I were to enter the admin or
the user credentials, the web page never returns, IE just sits there thinking
about going out to the internet. That was what I was making a poor attempt at
mentioning.)
So to update what I noticed on the machine, was that when the user logged
in, there were certain programs that did not start as expected, Anti-Virus
and Firewall Client, as well as another 3rd party software that runs a
security token piece of software for a USB Token (specific for some other
application on the web). Now, I noticed that this too was not coming up in
the systray as well. I un-installed that software, the user logged in, and
no more proxy authentication request.
So as it seems, this other software may very well have been giving me all my
problems. But I was interested in researching the setting you mentioned, and
what dangers one way or the other there were in leaving it enabled, or
disabling the setting?
Thanks
J
"ZVR" wrote:
> First of all, by making the change you are NOT "opening the server up to
> allow anyone out to the internet", IF you have a correctly configured ISA
> installation. Since outbound access to the Internet is controlled through
> ISA's access rules, if you don't want "anonymous" access to Internet you
> should not allow "All Users" through your rules. Instead, use for your rules
> a certain group, for example "Internet Enabled Users" or whatever, whose
> membership YOU control, and as such you control who goes on the net and who
> doesn't.
>
> I already mentioned this to you two or three posts ago but seems you are
> confusing the "per proxy listener" authentication (the option I am talking
> about) with "per rule" authentication which should be the preferred
> mechanism in ISA.
>
> To respond to your question about cached credentials, since you are using
> integrated-mode authentication on your ISA server, the authentication token
> must come from the domain where the user is a member. If for some reasons
> the user doesn't get authenticated on the domain (say, a problem with the
> workstation), of course the cached profile will kick in, but that profile
> won't include the authentication token from your domain, so ISA ends up
> asking for authentication. It is therefore possible that you have the
> problem you described.
>
> Last but not least, I am not sure what you're asking about your "admin"
> credentials. If you're asking why ISA continues to use your credentials well
> after you have entered them from that user's workstation, the answer is
> simple. ISA uses "per session", not "per request" authentication. Thus, as
> long as the original ISA session is alive and being used, the same
> credentials will apply (yours).
>
> Virgil
>
>
>
>
> "Smurfman" <smurfman@xxxxxxxxxxxxxx> wrote in message
> news:357A3536-252D-4373-A414-9696BA4F5511@xxxxxxxxxxxxxxxx
> > So I found the setting you are talking about...but have not changed it.
> >
> > Do you know why it is that I have one user who is not allowed to go out
> > the
> > internet? I seem to only have one person who is having this trouble. I
> > moved her to 2 different machines.
> >
> > With this setting (which implies unauthenticated users) no other users are
> > being affected...
> >
> > If the user's network connection were slow, and they were not authenticated
> > in a timely manner, could this affect this connection, in which the user is
> > using some type of cached profile to get up and running? But when attempting
> > to leave the workstation for the internet, the user is asked for
> > credentials?
> >
> > Also, what would cause the connection to just sit there after I were
> > to enter the Admin's credentials?
> >
> > I am looking for some ideas, beyond just opening the server up to allow
> > anyone out to the internet?
> >
> > J
> >
> > "ZVR" wrote:
> >
> >> OK, here's how you do it in ISA2000:
> >> -open ISA Management console
> >> -right click on the server name, choose "Properties"
> >> -go to the "Outgoing Web Requests" tab
> >> -under "Connections" uncheck "Ask unauthenticated users for
> >> identification"
> >>
> >> Now, I'm not sure if that'll help you or not, since you are using
> >> ISA2000.
> >> When I was using ISA2000 I didn't have to do this (as opposed to
> >> ISA2004)...
> >> but it's worth a try I guess.
> >>
> >> Virgil
> >>
> >>
> >>
> >>
> >> "Smurfman" <smurfman@xxxxxxxxxxxxxx> wrote in message
> >> news:9F040423-995B-417D-AE56-0985AB768AD8@xxxxxxxxxxxxxxxx
> >> > Actually the update was not a test...lol...but I was literally trying
> >> > to
> >> > get
> >> > out and get the updates for this new machine. (I say new machine, a
> >> > windows
> >> > 2000 machine upgraded to XP Pro SP1 , then SP2, now doing the updates,
> >> > all
> >> > 37
> >> > of them... :) )
> >> >
> >> > But in any case that was where I was prompted...just going to the home
> >> > page.
> >> >
> >> > When I tried another page, it worked just fine. And when I clicked
> >> > cancel
> >> > in the MS Update page where I was being prompted, I was able to
> >> > continue.
> >> >
> >> > In answer to the version, I am running ISA 2000, and have not had the
> >> > courage to go to 2004...yet.. :)
> >> >
> >> > J
> >> >
> >> > "Phillip Windell" wrote:
> >> >
> >> >> Don't use Microsoft Updates as the "test site". Microsoft Updates already
> >> >> has known issues with not working via CERN Compliant Web Proxies when
> >> >> authentication is required. Find a simple, uncomplicated, low-scripted,
> >> >> no-popup site to use as the test site.
> >> >>
> >> >>
> >> >> --
> >> >> Phillip Windell [MCP, MVP, CCNA]
> >> >> www.wandtv.com
> >> >> -----------------------------------------------------
> >> >> Understanding the ISA 2004 Access Rule Processing
> >> >> http://www.isaserver.org/articles/ISA2004_AccessRules.html
> >> >>
> >> >> Microsoft Internet Security & Acceleration Server: Guidance
> >> >> http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
> >> >> http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp
> >> >>
> >> >> Microsoft Internet Security & Acceleration Server: Partners
> >> >> http://www.microsoft.com/isaserver/partners/default.asp
> >> >> -----------------------------------------------------
> >> >>
> >> >>
> >> >>
> >> >> "Smurfman" <smurfman@xxxxxxxxxxxxxx> wrote in message
> >> >> news:ED071678-B103-4D3C-B9E3-D07A14F85938@xxxxxxxxxxxxxxxx
> >> >> > Thanks again... so I just was prompted as an Admin, going to
> >> >> > Microsoft
> >> >> > Updates sites, it seems that I am starting to see this more and
> >> >> > more.
> >> >> >
> >> >> > Could you give me better direction for the ISA setting that you
> >> >> > mentioned
> >> >> in
> >> >> > one of your previous posts...I went hunting but did not see it in
> >> >> > ISA
> >> >> > Management...
> >> >> >
> >> >> > Thanks
> >> >> > J
> >> >> >
> >> >> > "ZVR" wrote:
> >> >> >
> >> >> > > No. Not all of them will be affected. I can't tell you what's the
> >> >> criteria -
> >> >> > > there is no official article from MS yet explaining this behavior,
> >> >> however I
> >> >> > > suspect we will see a fix for it in a future Service Pack for ISA.
> >> >> > >
> >> >> > > I can only tell you that I've seen the same thing happening
> >> >> > > several
> >> >> times so
> >> >> > > far at various customers / sites and the solution was always the
> >> >> > > one
> >> >> > > I
> >> >> > > mentioned. I don't know if it applies to you or not, you might
> >> >> > > have a
> >> >> > > different issue after all, but it's worth a try if your
> >> >> > > configuration
> >> >> > > is
> >> >> the
> >> >> > > one described.
> >> >> > >
> >> >> > > Virgil
> >> >> > >
> >> >> > >
> >> >> > > "Smurfman" <smurfman@xxxxxxxxxxxxxx> wrote in message
> >> >> > > news:17C5153C-63FB-4A8D-81A1-9B4E4D5CFC02@xxxxxxxxxxxxxxxx
> >> >> > > > Thanks for the info...I have one question, why does this behavior only happen
> >> >> > > > to this one user? It would seem that if this were the case all of my web
> >> >> > > > users would be getting the same issue?
> >> >> > > >
> >> >> > > > J
> >> >> > > >
> >> >> > > > "ZVR" wrote:
> >> >> > > >
> >> >> > > >> In the configuration of the "Internal" network object, under
> >> >> > > >> the
> >> >> > > >> Web
> >> >> > > >> Proxy
> >> >> > > >> tab, in the "Authentication" window, do you have the "Require
> >> >> > > >> all
> >> >> users
> >> >> > > >> to
> >> >> > > >> authenticate" option checked?
> >> >> > > >>
> >> >> > > >> If you do, disable it and your problems will go away. In case
> >> >> > > >> you
> >> >> > > >> are
> >> >> > > >> concerned about users browsing anonymously through the web
> >> >> > > >> proxy
> >> >> service,
> >> >> > > >> just don't create any firewall rule allowing browsing to "All
> >> >> Users" -
> >> >> > > >> rather, specify a group, that can even be "Domain Users" or
> >> >> > > >> whatever,
> >> >> > > >> just
> >> >> > > >> don't leave rules with "All Users" as that will allow anonymous
> >> >> traffic.
> >> >> > > >>
> >> >> > > >> Virgil
> >> >> > > >>
> >> >> > > >>
> >> >> > > >>
> >> >> > > >> "Smurfman" <smurfman@xxxxxxxxxxxxxx> wrote in message
> >> >> > > >> news:9C4A09EC-2486-4B76-8DAD-20767F08A111@xxxxxxxxxxxxxxxx
> >> >> > > >> > Okay, forget the profile, because not it totally does not
> >> >> > > >> > work.
> >> >> > > >> > I
> >> >> > > >> > deleted
> >> >> > > >> > the user profile, had them sign into a different machine,
> >> >> > > >> > this
> >> >> > > >> > time
> >> >> a
> >> >> > > >> > windows
> >> >> > > >> > XP SP2 machine, and as soon as they attempt to connect to the
> >> >> internet
> >> >> > > >> > they
> >> >> > > >> > are prompted for authentication.
> >> >> > > >> >
> >> >> > > >> > If I enter the admin credentials, the browser just sits there, thinking
> >> >> > > >> > about going, and is reporting that it is detecting proxy setting in the
> >> >> > > >> > status bar.
> >> >> > > >> >
> >> >> > > >> > Any ideas? ISA is still prompting for authentication...
> >> >> > > >> >
> >> >> > > >> > Smurfman
> >> >> > > >> > ""Lee Li[MSFT]"" wrote:
> >> >> > > >> >
> >> >> > > >> >> Dear Smurfman,
> >> >> > > >> >>
> >> >> > > >> >> Thank you for posting.
> >> >> > > >> >>
> >> >> > > >> >> First I want to let you know that you cannot delete the user
> >> >> profile
> >> >> > > >> >> is
> >> >> > > >> >> because you have enabled "Grant the user exclusive rights to
> >> >> > > >> >> My
> >> >> > > >> >> Documents"
> >> >> > > >> >> in group policy.
> >> >> > > >> >> So you will have to take ownership of the folder to delete
> >> >> > > >> >> the
> >> >> > > >> >> profile:
> >> >> > > >> >> You can take a look at the following URL for more information:
> >> >> > > >> >> 288991 Enabling the administrator to have access to
> >> >> > > >> >> redirected
> >> >> folders
> >> >> > > >> >> http://support.microsoft.com/?id=288991
> >> >> > > >> >>
> >> >> > > >> >> Since the issue can be resolved by deleting the user
> >> >> > > >> >> profile,
> >> >> > > >> >> the
> >> >> > > >> >> issue
> >> >> > > >> >> is
> >> >> > > >> >> not related with the Proxy or ISA firewall.
> >> >> > > >> >> If the problem is caused by the ISA configuration, the
> >> >> > > >> >> problem
> >> >> will
> >> >> > > >> >> remain
> >> >> > > >> >> after you change the user profile on the local computer.
> >> >> > > >> >> Regarding this issue, I recommend you to post the issue in
> >> >> > > >> >> the
> >> >> > > >> >> Windows
> >> >> > > >> >> NT
> >> >> > > >> >> 4 newsgroup to check the issue further.
> >> >> > > >> >> We recommend posting appropriately so you will get the most
> >> >> qualified
> >> >> > > >> >> pool
> >> >> > > >> >> of respondents, and so other partners who regularly read the
> >> >> > > >> >> newsgroups
> >> >> > > >> >> can
> >> >> > > >> >> either share their knowledge or learn from your interaction
> >> >> > > >> >> with
> >> >> us.
> >> >> > > >> >>
> >> >> > > >> >> Have a nice day!