sjepsen

ISA 2004 domain user --- access failure

Using ISA 2004 as a web proxy only.  No firewall.

I installed ISA 2004 Standard Edition on a Windows 2003 member (not a DC) server running in a Windows 2000 network. I can log in from the console using my domain account without any problem. Initially I set up the ISA to allow anonymous access, and that worked fine. When I view the ISA monitor I see the IP addresses of the stations accessing the Internet.

Now the problem. When I set the ISA to require “all users must authenticate”, the users are then prompted for username and password when they try to open a connection to a web site. We are running IE 6. No matter what username or password they enter, the authentication fails. I tried username and domain\username. In reality they should never be prompted at all!

The event log on the ISA server indicates the ISA server cannot find a domain controller to use to check the username.
I do not have the exact error code at this time. ISA 2004 cannot find a DC to use, while the Windows OS seems to have no problem (when I log in using domain\user I am successfully granted access).

Remember I can log in on the console using my domain username and password.

The ISA server joined the domain without error.  The server seems to have registered correctly in ‘users and computers’.  I set the domain to trust "local system account" services on the ISA 2004 server.

One other note. This ISA server is replacing an ISA 2000 server running on an old PIII machine. I turned off the old server and removed its name from the domain users and computers AD tool. The ISA 2000 server was not a DC. I gave the new ISA 2004 server the same name and IP address as the old server. Un-authenticated access works fine. I can ping the server from other servers and the nslookup from another server correctly id’s the ISA 2004 address.

When I check all users must authenticate and access the Web from the ISA 2004 console it works fine. I see my local username in the ISA monitor. I also logged on from a client computer to a local account on the ISA 2004 machine (administrator). This also worked.
Example: domain/user fails; isa2004computername\user works.
The problem is definitely the fact that ISA cannot find a DC, while the netlogin service of Windows 2003 can.


Kumar_Jayant123

Hi,

As you said, ISA is in Web Proxy and not a firewall. Do you have a rule which allows the ISA 2004 to go to Internal Networking?
Where is the ISA server pointing to for the DNS?
Try to DISABLE the RPC Filter and restart the ISA server services from the Services Console and check.

Kumar
sjepsen

ASKER

After all that posting info, I was searching other solutions and found a comment indicating to make sure the server is already a domain member before installing ISA. So, I removed ISA 2004 and did a reinstall of Windows 2003 just to be 100% clean. Joined the W2000 domain, applied all the service packs and then ISA. Installed SP1 and SP2 for ISA (watch out for SP2, read the release notes and Microsoft articles). ISA seems to be working fine at this time.

ASKER CERTIFIED SOLUTION
CetusMOD