Solved

ISA 2006 how not to ask for authentication

Posted on 2007-03-20
Last Modified: 2012-06-22
MS ISA2006
When an unauthenticated user sets his browser to my MS ISA 2006 proxy, the proxy server pops up a web page with a logon screen.

I need to disable this screen so that users not authenticated in AD (logged on to the computer) will not get the ability to authenticate in order to browse.
Question by:theruck
10 Comments
 
LVL 33

Expert Comment

by:Busbar
ID: 18757124
either remove the authentication or install the firewall clients on the PC machines
0
 
LVL 14

Author Comment

by:theruck
ID: 18757634
none of the above is possible either because of administrative effort or because of the required functionality for authenticated users
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18758620
No offence but it is certainly possible - whether it can be done given the asker's environment is another.

Is the ISA deployed as a firewall or just a proxy server?
How have you published the outbound rule in the first place?
Have you used the authenticated users or the All Users?
Have you ticked the all users must authenticate tick box?
If it's in firewall mode, are you also using the ISA2006 firewall client as well?

Keith
0
 
LVL 14

Author Comment

by:theruck
ID: 18762340
- isa is deployed as a proxy with a single network adapter
- i am sure the rules are ok, i got only 1 rule and the behaviour is the same
- i used my own group of users
- all user must authenticate is unchecked (but the logon popup still appears), i use integrated authentication


i think that this behaviour is by design and that i will have to use certificate authentication

to make it more clear here is the scenario:
a customer uses domain accounts for internet browsing and logon to computer for general work on pc and he needs the users not to be requested to give the password for isa because they would be able to browse the internet in the local pc account.
with the isa2000 it was ok - it did not popup the authentication dialog

i know this is completely crazy and has no security meaning because the users are always able to run Internet Explorer with the "runas" command, but i just came into this environment with 400 users and i am supposed to set up the isa2006 only, not changing the entire environment
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18769645
No sweat. I'll have to set this up and give it a try myself this evening.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18774105
Just setting up the environment now.

To confirm the requirement then.....

you are using ISA as a proxy only so we are only interested in web traffic.
You want authenticated users to gain Internet access but non-authenticated users to be denied access rather than be prompted for credentials.

0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18774851
Confirmed....

On the outbound rule, is this a manual group you have set up or is it an AD group?

I have added the standard outbound rules to a new 2006 install.
ie allow dns, smtp, ntp etc from the respective servers then a single outbound rule for

allow http, https, ftp from internal & local host to external - users = domain users & domain admins

I then connected my two standalone PCs to the network and set them to point to the proxy IP and port 8080. They get the standard ISA 'on your bike' message that the connection is denied.

Do you have any other outbound Internet rules applied? ISA applies the rules top-down in 2004 and 2006. Oh, and I added a rule to the firewall to only accept http, https and ftp from the ISA IP.
0
 
LVL 14

Author Comment

by:theruck
ID: 18779199
it is an AD group
i solved it for now for internet explorer anyway the alternative browsers still ask for authentication

i made these steps

- disabled all authentication types
- enabled integrated auth
- detach http application filter on http protocol
- set ReturnAuthRequiredIfAuthUserDenied to False

IE does not ask for credentials. if the user is from the enabled group, it allows him to pass. if not, error 502 is displayed (URL blocked/denied)
alternative browsers still ask for credentials

for the customer it is enough as a solution...
0
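One way to check the outcome of the steps above from a client, as an added example that is not part of the original thread: classify what the proxy returns to a request sent without credentials. A 407 with a `Proxy-Authenticate` header is the challenge that makes a browser show a logon dialog when it cannot answer silently with the logged-on user's credentials, while a 502 is the deny page the author reports. The sample responses, function names and result labels are constructed for illustration; port 8080 is the proxy port mentioned in the thread.

```python
import socket

# Schemes a domain-joined browser can answer without asking the user.
INTEGRATED = {"negotiate", "kerberos", "ntlm"}

def parse_response(raw: bytes):
    """Return (status_code, [offered proxy auth schemes]) from a raw HTTP reply."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    schemes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate" and value.strip():
            schemes.append(value.strip().split(" ", 1)[0].lower())
    return status, schemes

def classify(raw: bytes) -> str:
    """Label the proxy's behaviour towards an unauthenticated request."""
    status, schemes = parse_response(raw)
    if status == 407:
        if not schemes:
            return "challenge-malformed"
        if all(s in INTEGRATED for s in schemes):
            return "challenge-integrated-only"  # silent only with SSO support
        return "challenge-prompts"              # Basic/Digest always need input
    if status in (403, 502):
        return "denied"                         # block page, no logon dialog
    if 200 <= status < 400:
        return "allowed"                        # anonymous access is permitted
    return "other"

def fetch_unauthenticated(proxy_host: str, url: str, proxy_port: int = 8080) -> bytes:
    """Send one credential-free GET through the proxy and return the raw reply."""
    host = url.split("/")[2]
    req = f"GET {url} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((proxy_host, proxy_port), timeout=5) as s:
        s.sendall(req.encode("ascii"))
        return s.recv(65536)

# Constructed sample replies (not captured from a real ISA server).
SAMPLE_INTEGRATED = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                     b"Proxy-Authenticate: Negotiate\r\n"
                     b"Proxy-Authenticate: NTLM\r\nContent-Length: 0\r\n\r\n")
SAMPLE_BASIC = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                b"Proxy-Authenticate: NTLM\r\n"
                b'Proxy-Authenticate: Basic realm="proxy"\r\n\r\n')
SAMPLE_DENIED = b"HTTP/1.1 502 Proxy Error\r\nContent-Length: 0\r\n\r\n"
```

Running `classify(fetch_unauthenticated(...))` from a non-domain machine before and after a listener change shows whether unauthenticated clients are challenged or simply denied.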
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 18955914
PAQed with points refunded (500)

Computer101
EE Admin
0
