Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

ISA 2006 how not to ask for authentication

Posted on 2007-03-20
10
2,527 Views
Last Modified: 2012-06-22
MS ISA2006
when an unauthenticated user sets his browser to my ms isa 2006 proxy the proxy server popups a webpage with logon screen

i need to disable this screen so the not authenticated users in AD (logged on to computer) will not get the availability to authenticate to be able to browse
0
Comment
Question by:theruck
10 Comments
 
LVL 33

Expert Comment

by:Busbar
ID: 18757124
either remove the authentication or install the firewall clients on the PC machines
0
 
LVL 14

Author Comment

by:theruck
ID: 18757634
none of the above is possible either because of administratove effort or because the required functionality for authenticated users
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18758620
No offence but it is certainly possible - whether it can be done given the asker's environment is another.

Is the ISA deployed as a firewall or just a proxy server?
How have you published the outbound rule in the first place?
Have you used the authenticated users or the All Users?
Have you ticked the all users must authenticate tick box?
if its in firewall mode, are you also using the ISA2006 firewall client as well?

Keith
0
Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
LVL 14

Author Comment

by:theruck
ID: 18762340
- isa is deployed as a proxy with a single network adapter
- i am suer the rules are ok i got only 1 rule and the behaviour is the same
- i used my own group of users
- all user must authenticate is unchecked (but the logon popup still appears), i use integrated authentication


i think that this behaviour is by design and that i will have to use certificate authentication

to make it more clear here is the scenario:
a customer uses domain accounts for internet browsing and logon to computer for general work on pc and he needs the users not to be requested to give the password for isa because they would be able to browse the internet in the local pc account.
with the isa2000 it was ok - it did not popup the authentication dialog

i know this is completely crazy and has no security meaning because the users are allways able to run the Iexplorer with the "runas" command but i just came into this enviroment with 400 users and i am supposed to setup the isa2006 only not changing the entire enviroment
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18769645
No sweat. I'll have to set this up and give a try myself this evening.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18774105
Just setting up the environment now.

To confirm the requirement then.....

you are using ISA as a proxy only so we are only interested in web traffic.
You want authenticated users to gain Internet access but non-authenticated users to be denied access rather than be prompted for credentials.

0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18774851
Confirmed....

On the outbound rule, is this a manual group you have set up or is it an AD group?

I have added the standard outbound rules to a new 2006 install.
ie allow dns, smtp, ntp etc from the respective servers then a single outbound rule for

allow http, https, ftp from internal & local host to external - users = domain users & domain admins

I then connected my two standalone pc's to the network and set them to point to the prox ip and port 8080. They get the satndard ISA 'on your bike' message that the connection is denied.

Do you have any other outbound interne rules applied? ISA applies the rule top-down in 2004 and 2006. O, and I added a rule to the firewall to only accept http, https and ftp from the ISA ip.
0
 
LVL 14

Author Comment

by:theruck
ID: 18779199
it is an AD group
i solved it for now for internet explorer anyway the alternative browsers still ask for authentication

i made these steps

- disabled all authentification types
- enabled integrated auth
- detach http application filter on  http protocol
- set ReturnAuthRequiredIfAuthUserDenied to False

IE does not asks for credentials. if the user is form the enabled group, it allows him to pass. if not error 502 is displayed (URL blocked/denied)
alternativne browsers still ask for credentials

for the customer it is enough as a solution...
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 18955914
PAQed with points refunded (500)

Computer101
EE Admin
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
isa 2006 pptp & l2tp & pre-shared key 13 829
Lync 2013 Test Connectivity error 34 11,790
Unable to open website 1 102
Multiple IP Address Block through a switch 7 117
So the following errors occurs in 2 ways that I am aware of at this stage, and you receive one of the following error messages: ERROR 1. When trying to save a rule: No Web listener is specified for the Web publishing rule Autodiscovery Publishin…
There are several problems reported according slow link speeds or poor performance in TMG 2010, UAG 2010 or ISA 2006. I want to collect here some of the common issues together to give a brief overview what can be the reason. Nevertheless, not all of…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question