Re: Proxy Authentication
- From: "ZVR" <nospamever@xxxxxx>
- Date: Mon, 19 Sep 2005 11:47:58 -0400
"Smurfman" <smurfman@xxxxxxxxxxxxxx> wrote in message
news:CDDCA7CF-924A-4BE3-9F24-58B524DA5C64@xxxxxxxxxxxxxxxx
> Thanks Virgil...
>
> So to make sure I am understanding the setting correctly, and since I am
> still learning ISA and how to fully leverage it...the setting that you
> mentioned as located on the Outgoing Web Requests for UnAuthenticated users,
> is for the "per proxy listener"?
Yes.
> I do have a rule for internet access, whereby certain groups and users are
> assigned. I am understanding that this setting will protect the server from
> anyone just going out?
Yes, if you don't have any other rule that allows access to "All Users"
for those protocols (probably http/https/ftp)
> The caching of credentials was just another thought that entered my mind,
> that if the user was not getting logged in in a timely manner, that they
> were in fact not getting authenticated for internet activity...but I would
> have expected that when ISA asked for the user to enter their username and
> password, that it was in fact trying to give the user a new token.
Yes, except that it's not ISA providing the token, but still the domain
controller. Authentication is processed at the domain level, by your domain
controllers.
> (Here is where I was mentioning the "admin" thing. If I were to enter the
> admin or the user credentials, the web page never returns, IE just sits
> there thinking about going out to the internet. That was what I was making
> a poor attempt at mentioning.)
You most definitely have a problem with that machine then... either
something got corrupted or you have a conflict of some kind.
> So to update what I noticed on the machine, was that when the user logged
> in, there were certain programs that did not start as expected, Anti-Virus
> and Firewall Client, as well as another 3rd party software that runs a
> security token piece of software for a USB Token (specific for some other
> application on the web). Now, I noticed that this too was not coming up in
> the systray as well. I un-installed that software, the user logged in, and
> no more proxy authentication request.
Well, you never mentioned this security software until now... It is very
possible that it's screwing up somehow the workstation/user authentication
process to your domain. If after you uninstall that software everything
starts working normally again... then I'd say yes, you found your conflict.
> So as it seems, this other software may very well have been giving me all
> my problems. But I was interested in researching the setting you mentioned,
> and what dangers one way or the other there were in leaving it enabled, or
> disabling the setting?
Well, as I said the primary method for controlling user access should be
through your ISA rules. The proxy level setting is however not a bad idea...
if it works flawlessly for you then your best bet is to leave it checked,
with integrated authentication being the only choice (as you have it right
now). That will deter "smart" people on your network from using
HTTP-tunnelling applications to get around your protocol rules - suppose you
don't allow ICQ, but you do allow http. There are tunneling applications
that one can use to encapsulate, say, ICQ requests in an https stream going
through your proxy... but I have yet to see one that works with integrated
authentication at the proxy level.
Virgil
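As an added illustration of the two controls Virgil keeps separating (the
per-listener "ask unauthenticated users for identification" option versus
access rules scoped to "All Users" or to a named group), plus his points
that credentials bind to the proxy session rather than to each request and
that an integrated-only listener defeats tunnelling clients that only speak
Basic, here is a small model in Python. It is example code written for this
page, not code from the thread or from ISA Server; the class names, the
status codes and the choice to challenge (407) when an anonymous request
hits a rule that needs an identity are this example's own assumptions, and
the sample rules are constructed.

```python
from dataclasses import dataclass
from typing import Optional

ALL_USERS = "All Users"          # the user set that also admits anonymous traffic


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    protocols: frozenset         # e.g. frozenset({"http", "https"})
    users: str                   # ALL_USERS or a group name


@dataclass(frozen=True)
class Listener:
    require_auth: bool           # the per-listener setting from the thread
    schemes: tuple = ("Negotiate", "NTLM")   # integrated only, no Basic


@dataclass(frozen=True)
class Request:
    protocol: str
    user: Optional[str] = None   # None means anonymous (no token presented)
    groups: frozenset = frozenset()


@dataclass
class Decision:
    status: int                  # 200 allowed, 407 challenge, 403 denied
    rule: Optional[str] = None
    proxy_authenticate: tuple = ()


def evaluate(listener: Listener, rules: list, req: Request) -> Decision:
    """First-match rule evaluation behind an optional listener-level gate."""
    # Listener gate: challenges everybody without credentials, whatever the
    # rules say. This is the prompt the thread was chasing.
    if listener.require_auth and req.user is None:
        return Decision(407, None, listener.schemes)
    for rule in rules:
        if req.protocol not in rule.protocols:
            continue
        if rule.users == ALL_USERS:
            matched = True               # anonymous traffic matches too
        elif req.user is None:
            # Assumption: a rule that needs an identity makes the proxy
            # challenge rather than silently fall through to the next rule.
            return Decision(407, rule.name, listener.schemes)
        else:
            matched = rule.users in req.groups
        if matched:
            return Decision(200 if rule.action == "allow" else 403, rule.name)
    return Decision(403, None)           # implicit default deny


def anonymous_allow_rules(rules: list) -> list:
    """The audit Virgil recommends: allow rules that admit 'All Users'."""
    return [r.name for r in rules if r.action == "allow" and r.users == ALL_USERS]


def client_can_answer(offered: tuple, client_supports: tuple) -> bool:
    """A tunnelling tool that only speaks Basic cannot answer an
    integrated-only (Negotiate/NTLM) challenge."""
    return bool(set(offered) & set(client_supports))


class Session:
    """Credentials bind to the proxy session, not to each request, so the
    admin's credentials keep applying after they were entered once."""

    def __init__(self):
        self.user: Optional[str] = None
        self.groups: frozenset = frozenset()

    def authenticate(self, user: str, groups) -> None:
        self.user, self.groups = user, frozenset(groups)

    def request(self, listener: Listener, rules: list, protocol: str) -> Decision:
        return evaluate(listener, rules, Request(protocol, self.user, self.groups))


# Constructed sample policy: the "good" configuration from the thread.
WEB = frozenset({"http", "https", "ftp"})
GOOD_RULES = [Rule("Internet Access", "allow", WEB, "Internet Enabled Users")]
# The "bad" configuration: an All Users allow rule lets anonymous traffic out.
BAD_RULES = [Rule("Everyone Out", "allow", WEB, ALL_USERS)]
OPEN_LISTENER = Listener(require_auth=False)
STRICT_LISTENER = Listener(require_auth=True)

if __name__ == "__main__":
    anon = Request("http")
    alice = Request("http", "alice", frozenset({"Internet Enabled Users"}))
    print(evaluate(OPEN_LISTENER, GOOD_RULES, anon))    # status 407, challenged by the rule
    print(evaluate(OPEN_LISTENER, GOOD_RULES, alice))   # status 200
    print(evaluate(OPEN_LISTENER, BAD_RULES, anon))     # status 200: the anonymous hole
    print(anonymous_allow_rules(BAD_RULES))             # ['Everyone Out']
```

Run it as a script to see the four decisions. The point it makes is the one
in the thread: with the listener option off, anonymous traffic is still
challenged as long as no allow rule names "All Users", and turning the
listener option on only adds a second gate in front of the same rules.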
>
> Thanks
> J
>
> "ZVR" wrote:
>
>> First of all, by making the change you are NOT "opening the server up to
>> allow anyone out to the internet", IF you have a correctly configured ISA
>> installation. Since outbound access to the Internet is controlled through
>> ISA's access rules, if you don't want "anonymous" access to Internet you
>> should not allow "All Users" through your rules. Instead, use for your rules
>> a certain group, for example "Internet Enabled Users" or whatever, whose
>> membership YOU control, and as such you control who goes on the net and who
>> doesn't.
>>
>> I already mentioned this to you two or three posts ago but seems you are
>> confusing the "per proxy listener" authentication (the option I am talking
>> about) with "per rule" authentication which should be the preferred
>> mechanism in ISA.
>>
>> To respond to your question about cached credentials, since you are using
>> integrated-mode authentication on your ISA server, the authentication token
>> must come from the domain where the user is a member. If for some reason
>> the user doesn't get authenticated on the domain (say, a problem with the
>> workstation), of course the cached profile will kick in, but that profile
>> won't include the authentication token from your domain, so ISA ends up
>> asking for authentication. It is therefore possible that you have the
>> problem you described.
>>
>> Last but not least, I am not sure what you're asking about your "admin"
>> credentials. If you're asking why ISA continues to use your credentials well
>> after you have entered them from that user's workstation, the answer is
>> simple. ISA uses "per session", not "per request" authentication. Thus, as
>> long as the original ISA session is alive and being used, the same
>> credentials will apply (yours).
>>
>> Virgil
>>
>>
>>
>>
>> "Smurfman" <smurfman@xxxxxxxxxxxxxx> wrote in message
>> news:357A3536-252D-4373-A414-9696BA4F5511@xxxxxxxxxxxxxxxx
>> > So I found the setting you are talking about...but have not changed it.
>> >
>> > Do you know why it is that I have one user who is not allowed to go out to
>> > the internet? I seem to only have one person who is having this trouble. I
>> > moved her to 2 different machines.
>> >
>> > With this setting (which implies unauthenticated users) no other users are
>> > being affected...
>> >
>> > If the user's network connection were slow, and they were not
>> > authenticated in a timely manner, could this affect this connection, in
>> > which the user is using some type of cached profile to get up and running?
>> > But when attempting to leave the workstation for the internet, the user is
>> > asked for credentials?
>> >
>> > Also, what would cause the connection to just sit there after I were to
>> > enter the Admin's credentials?
>> >
>> > I am looking for some ideas, beyond just opening the server up to allow
>> > anyone out to the internet?
>> >
>> > J
>> >
>> > "ZVR" wrote:
>> >
>> >> OK, here's how you do it in ISA2000:
>> >> -open ISA Management console
>> >> -right click on the server name, choose "Properties"
>> >> -go to the "Outgoing Web Requests" tab
>> >> -under "Connections" uncheck "Ask unauthenticated users for identification"
>> >>
>> >> Now, I'm not sure if that'll help you or not, since you are using
>> >> ISA2000. When I was using ISA2000 I didn't have to do this (as opposed to
>> >> ISA2004)... but it's worth a try I guess.
>> >>
>> >> Virgil
>> >>
>> >>
>> >>
>> >>
>> >> "Smurfman" <smurfman@xxxxxxxxxxxxxx> wrote in message
>> >> news:9F040423-995B-417D-AE56-0985AB768AD8@xxxxxxxxxxxxxxxx
>> >> > Actually the update was not a test...lol...but I was literally trying
>> >> > to get out and get the updates for this new machine. (I say new
>> >> > machine, a windows 2000 machine upgraded to XP Pro SP1, then SP2, now
>> >> > doing the updates, all 37 of them... :) )
>> >> >
>> >> > But in any case that was where I was prompted...just going to the home
>> >> > page.
>> >> >
>> >> > When I tried another page, it worked just fine. And when I clicked
>> >> > cancel in the MS Update page where I was being prompted, I was able to
>> >> > continue.
>> >> >
>> >> > In answer to the version, I am running ISA 2000, and have not had the
>> >> > courage to go to 2004...yet.. :)
>> >> >
>> >> > J
>> >> >
>> >> > "Phillip Windell" wrote:
>> >> >
>> >> >> Don't use Microsoft Updates as the "test site". Microsoft Updates
>> >> >> already has known issues with not working via CERN Compliant Web
>> >> >> Proxies when authentication is required. Find a simple, uncomplicated,
>> >> >> low-scripted, no-popup site to use as the test site.
>> >> >>
>> >> >>
>> >> >> --
>> >> >> Phillip Windell [MCP, MVP, CCNA]
>> >> >> www.wandtv.com
>> >> >> -----------------------------------------------------
>> >> >> Understanding the ISA 2004 Access Rule Processing
>> >> >> http://www.isaserver.org/articles/ISA2004_AccessRules.html
>> >> >>
>> >> >> Microsoft Internet Security & Acceleration Server: Guidance
>> >> >> http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
>> >> >> http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp
>> >> >>
>> >> >> Microsoft Internet Security & Acceleration Server: Partners
>> >> >> http://www.microsoft.com/isaserver/partners/default.asp
>> >> >> -----------------------------------------------------
>> >> >>
>> >> >>
>> >> >>
>> >> >> "Smurfman" <smurfman@xxxxxxxxxxxxxx> wrote in message
>> >> >> news:ED071678-B103-4D3C-B9E3-D07A14F85938@xxxxxxxxxxxxxxxx
>> >> >> > Thanks again... so I just was prompted as an Admin, going to
>> >> >> > Microsoft Updates sites, it seems that I am starting to see this
>> >> >> > more and more.
>> >> >> >
>> >> >> > Could you give me better direction for the ISA setting that you
>> >> >> > mentioned in one of your previous posts...I went hunting but did not
>> >> >> > see it in ISA Management...
>> >> >> >
>> >> >> > Thanks
>> >> >> > J
>> >> >> >
>> >> >> > "ZVR" wrote:
>> >> >> >
>> >> >> > > No. Not all of them will be affected. I can't tell you what's the
>> >> >> > > criteria - there is no official article from MS yet explaining
>> >> >> > > this behavior, however I suspect we will see a fix for it in a
>> >> >> > > future Service Pack for ISA.
>> >> >> > >
>> >> >> > > I can only tell you that I've seen the same thing happening
>> >> >> > > several times so far at various customers / sites and the solution
>> >> >> > > was always the one I mentioned. I don't know if it applies to you
>> >> >> > > or not, you might have a different issue after all, but it's worth
>> >> >> > > a try if your configuration is the one described.
>> >> >> > >
>> >> >> > > Virgil
>> >> >> > >
>> >> >> > >
>> >> >> > > "Smurfman" <smurfman@xxxxxxxxxxxxxx> wrote in message
>> >> >> > > news:17C5153C-63FB-4A8D-81A1-9B4E4D5CFC02@xxxxxxxxxxxxxxxx
>> >> >> > > > Thanks for the info...I have one question, why does this
>> >> >> > > > behavior only happen to this one user? It would seem that if
>> >> >> > > > this were the case all of my web users would be getting the same
>> >> >> > > > issue?
>> >> >> > > >
>> >> >> > > > J
>> >> >> > > >
>> >> >> > > > "ZVR" wrote:
>> >> >> > > >
>> >> >> > > >> In the configuration of the "Internal" network object, under
>> >> >> > > >> the Web Proxy tab, in the "Authentication" window, do you have
>> >> >> > > >> the "Require all users to authenticate" option checked?
>> >> >> > > >>
>> >> >> > > >> If you do, disable it and your problems will go away. In case
>> >> >> > > >> you are concerned about users browsing anonymously through the
>> >> >> > > >> web proxy service, just don't create any firewall rule allowing
>> >> >> > > >> browsing to "All Users" - rather, specify a group, that can even
>> >> >> > > >> be "Domain Users" or whatever, just don't leave rules with "All
>> >> >> > > >> Users" as that will allow anonymous traffic.
>> >> >> > > >>
>> >> >> > > >> Virgil
>> >> >> > > >>
>> >> >> > > >>
>> >> >> > > >>
>> >> >> > > >> "Smurfman" <smurfman@xxxxxxxxxxxxxx> wrote in message
>> >> >> > > >> news:9C4A09EC-2486-4B76-8DAD-20767F08A111@xxxxxxxxxxxxxxxx
>> >> >> > > >> > Okay, forget the profile, because now it totally does not
>> >> >> > > >> > work. I deleted the user profile, had them sign into a
>> >> >> > > >> > different machine, this time a windows XP SP2 machine, and as
>> >> >> > > >> > soon as they attempt to connect to the internet they are
>> >> >> > > >> > prompted for authentication.
>> >> >> > > >> >
>> >> >> > > >> > If I enter the admin credentials, the browser just sits
>> >> >> > > >> > there, thinking about going, and is reporting that it is
>> >> >> > > >> > detecting proxy setting in the status bar.
>> >> >> > > >> >
>> >> >> > > >> > Any ideas? ISA is still prompting for authentication...
>> >> >> > > >> >
>> >> >> > > >> > Smurfman
>> >> >> > > >> > "Lee Li[MSFT]" wrote:
>> >> >> > > >> >
>> >> >> > > >> >> Dear Smurfman,
>> >> >> > > >> >>
>> >> >> > > >> >> Thank you for posting.
>> >> >> > > >> >>
>> >> >> > > >> >> First I want to let you know that the reason you cannot
>> >> >> > > >> >> delete the user profile is because you have enabled "Grant
>> >> >> > > >> >> the user exclusive rights to My Documents" in group policy.
>> >> >> > > >> >> So you will have to take ownership of the folder to delete
>> >> >> > > >> >> the profile. You can take a look at the following URL for
>> >> >> > > >> >> more information:
>> >> >> > > >> >> 288991 Enabling the administrator to have access to
>> >> >> > > >> >> redirected folders
>> >> >> > > >> >> http://support.microsoft.com/?id=288991
>> >> >> > > >> >>
>> >> >> > > >> >> Since the issue can be resolved by deleting the user
>> >> >> > > >> >> profile, the issue is not related with the Proxy or ISA
>> >> >> > > >> >> firewall. If the problem is caused by the ISA configuration,
>> >> >> > > >> >> the problem will remain after you change the user profile on
>> >> >> > > >> >> the local computer. Regarding this issue, I recommend you to
>> >> >> > > >> >> post the issue in the Windows NT 4 newsgroup to check the
>> >> >> > > >> >> issue further.
>> >> >> > > >> >> We recommend posting appropriately so you will get the most
>> >> >> > > >> >> qualified pool of respondents, and so other partners who
>> >> >> > > >> >> regularly read the newsgroups can either share their
>> >> >> > > >> >> knowledge or learn from your interaction with us.
>> >> >> > > >> >>
>> >> >> > > >> >> Have a nice day!