ISA2004 - Password Prompts

Posted on 2006-06-01
Last Modified: 2010-04-08

We have a problem with a single user (out of approx 80) who keeps getting prompted to enter his password every time he tries to access a website through ISA2004. This problem does not happen to any other users.

We are only using ISA in web cache mode, and not using the firewall client.
The network setup is as follows:

LAN       | DMZ                                 | Internet
Client -> | CA eTrust SCM Filter -> ISA2004 ->  | external website

I have done a search on the forums, and made the following changes based on my findings:
unselected "Automatically Detect Proxy Settings" on the affected client's IE
unselected "Require all users to authenticate" under web proxy settings on the Internal Interface (Integrated auth is still selected)
modified the Web access rule to include authenticated users only.

This is working perfectly for all users on our domain except one who keeps getting prompted.

Any help on this issue would be much appreciated. Thanks!
Question by:shaunchristides
    Expert Comment

    by:Keith Alabaster
    1. Can you confirm that this user has the same problem visiting a web site through isa if they log on at different work stations?
    I am assuming you have set the IE proxy browser settings for this user to match all the others.

    2. If a different user logs on to the work station that is failing, do they get the same error when visiting a web site?

    3. Open the ISA GUI.
    Click on Monitoring - Logging.
    Click on Start Query.
    Try to connect to a web site for this user. What do you see in the log?

    4. Have you reset the IE explorer settings back to default?
    Open IE,
    select Tools - Internet Options - Security.
    Make sure Internet, Local intranet etc. are set to defaults.

    Select Tools - Internet Options - General.
    Clear the temporary internet files and any off-line content.

    5. Open IE - select Tools - Internet Options - Security.
    Select Internet.
    Select Custom.
    Scroll down to the bottom. What is User Authentication set to?

    Do the same for the Intranet zone. What is User Authentication set to?

    6. If you create a new test user account, does the test user have the same issue?

    7. How are your users authenticating to ISA server? Through Active Directory groups/user names?
    Is this user a member of the correct groups?
    Is this user in the allowed lists?
    Accepted Solution

    PS. You don't quite explain if the problem is for a user going to one specific web site (and all others are OK) OR it is this user going to any web site.
    Assisted Solution

    I'm assuming CA eTrust SCM Filter has an ISA add-in to apply web content filtering? If so, try disabling this add-in and seeing if the issue remains.

    If the issue is fixed with the CA eTrust SCM Filter add-in disabled, then CA eTrust SCM Filter is causing the issue; if not, it's ISA...


    Expert Comment

    by:Keith Alabaster
    Personally, I would think that the CA device would have affected all users or none of the users; not just affect one user differently but you never know...


    Author Comment

    I have started logging for this user, and will be having a closer look at their settings while they are on lunch today, so I will be able to provide more answers then.

    In answer to 7: the users are authenticated through AD - the group is just the All Authenticated Users group. There are no rules to allow different web access for different groups, there is just the one outbound rule for all authenticated users.
    The problem occurs for one user only, when accessing ALL websites.

    The SCM web filter is located on a separate server, not an ISA add-in. Clients connect to the SCM server, which is then using the ISA server as an upstream proxy.
