Re: Authentication Question
- From: "ZVR" <nospamever@xxxxxx>
- Date: Wed, 5 Oct 2005 00:47:27 -0400
Yes, you will get prompted for access to domain resources, file shares, etc.
if you use a local account. There's really no workaround to it. As for the
ISA authentication prompt, if integrated authentication is enabled on the
web proxy, they will get the authentication window with 3 fields - user,
pass, and domain. They don't have to use the <domain>\<user> format, but
they will need to fill in all three fields, I believe (you can test for
yourself but I think the domain has to be there as well).
Virgil
"Tom Jones" <TomJones@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9D6B5D0B-1D70-4AC7-BCED-8219F0E41182@xxxxxxxxxxxxxxxx
> Virgil-
>
> First off thank you very much for replying and thinking so hard on this
> question. I agree with what you are saying. The only issue I can think of
> that my boss will ask me about is that this "generic" user account that they
> log onto the laptop with may need access to network resources, and if I have
> them log on with a locally created account to the computer and not the domain,
> they are going to get prompted each time they try to access a network
> resource. These users wouldn't understand entering domain\username in the
> prompt.
>
> Also that brings me to this question. If they are logging into the computer
> with a local account to the PC and not the domain are the users still going
> to have to type in domain\username in the ISA authentication prompt?
>
> Thanks again for all your help on this.
>
> Tom
>
>
> "ZVR" wrote:
>
>> You can achieve your goal with a simple trick. It is not a matter of
>> integrated vs basic authentication which cannot be configured "per rule",
>> rather globally in the properties of the web proxy. However you can still
>> achieve the desired result without touching the configuration of your web
>> proxy and the authentication methods. Here's how:
>>
>> The key here is that your "generic" account on the special computer needs to
>> be from another namespace than ISA's own. So for example if ISA is a member of
>> your domain you will never be able to do this by using a generic user
>> account from the same domain. What you could do though, is use a generic
>> account defined locally on the special computer (a local account). Users
>> would log onto the special computer with the local account, then you will
>> see that the moment they try to go online they get prompted for
>> authentication by ISA (provided you have no rules allowing anonymous access
>> through ISA). That happens because ISA won't be able to match the local user
>> account against any of the "known" users or groups from ISA's own domain, so
>> it will prompt for authentication. When the prompt pops up the users will
>> get by inputting their own domain accounts (provided those are allowed
>> access through an ISA rule).
>>
>> I thought really hard about this and I don't think there's any other way to
>> do it except using an account from a disjoint namespace as described.
>>
>> Virgil
>>
>>
>>
>> "Tom Jones" <TomJones@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:935A04D3-4DA2-4327-8359-C7F55E6FB7C5@xxxxxxxxxxxxxxxx
>> > Here is my question/what we are trying to accomplish. We are using ISA 2004
>> > with Integrated Authentication set up for all of our users when accessing the
>> > Internet. We now have a particular group of users that need to access the
>> > Internet from one specific computer. They each log on to this computer with a
>> > general user account but when they access the Internet we want to turn back
>> > on Basic Authentication just for this group so they are required to enter
>> > their own credentials to get out to the Internet. This way we can log and
>> > monitor where the user is browsing on the Internet. We do not want them to
>> > use the general account for that access because then we cannot trace who
>> > went to what website etc.
>> >
>> > Is there a way I can enable the above scenario where I can require users to
>> > authenticate (Basic Authentication) from just one specific computer? Can I do
>> > this in a firewall rule? I know how to set up a rule allowing access to the
>> > Internet from one computer but isn't the authentication setting (Integrated
>> > or Basic) a Global Setting? You can only do one or the other? I want to find
>> > a way to do both if it is possible.
>> >
>> > Thanks for all your help.
>> > Tom
>> >
>>
>>
>>