ISA 2004 domain user --- access failure
Posted on 2006-07-09
Using ISA 2004 as a web proxy only. No firewall.
I installed ISA 2004 Standard Edition on a Windows 2003 member (not a DC) server running in a Windows 2000 network. I can log in from the console using my domain account without any problem. Initially I set up the ISA to allow anonymous access, and that worked fine. When I view the ISA monitor I see the IP addresses of the stations accessing the Internet.
Now the problem. When I set the ISA to require “all users must authenticate”, the users are then prompted for username and password when they try to open a connection to a web site. We are running IE 6. No matter what username or password they enter, the authentication fails. I tried username and domain\username. In reality they should never be prompted at all!
The event log on the ISA server indicates the ISA server cannot find a domain controller to use to check the username.
I do not have the exact error code at this time. ISA 2004 cannot find a DC to use, while the Windows OS seems to have no problem (when I log in using domain\user, I am successfully granted access).
Remember I can login on the console using my domain username and password.
The ISA server joined the domain without error. The server seems to have registered correctly in ‘users and computers’. I set the domain to trust "local system account" services on the ISA 2004 server.
One other note. This ISA server is replacing an ISA 2000 server running on an old PIII machine. I turned off the old server and removed its name from the domain users and computers AD tool. The ISA 2000 server was not a DC. I gave the new ISA 2004 server the same name and IP address as the old server. Un-authenticated access works fine. I can ping the server from other servers and the nslookup from another server correctly IDs the ISA 2004 address.
When I check all users must authenticate and access the Web from the ISA 2004 console it works fine. I see my local username in the ISA monitor. I also logged on from a client computer to a Local account on the ISA 2004 machine (administrator). This also worked.
Example: domain/user fails; isa2004computername\user works.
The problem is definitely the fact that ISA cannot find a DC, while the netlogin service of Windows 2003 can.