Solved

ISA 2006 how not to ask for authentication

Posted on 2007-03-20
10
2,534 Views
Last Modified: 2012-06-22
MS ISA2006
when an unauthenticated user sets his browser to my ms isa 2006 proxy the proxy server popups a webpage with logon screen

i need to disable this screen so the not authenticated users in AD (logged on to computer) will not get the availability to authenticate to be able to browse
0
Comment
Question by:theruck
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
10 Comments
 
LVL 33

Expert Comment

by:Busbar
ID: 18757124
either remove the authentication or install the firewall clients on the PC machines
0
 
LVL 14

Author Comment

by:theruck
ID: 18757634
none of the above is possible either because of administratove effort or because the required functionality for authenticated users
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18758620
No offence but it is certainly possible - whether it can be done given the asker's environment is another.

Is the ISA deployed as a firewall or just a proxy server?
How have you published the outbound rule in the first place?
Have you used the authenticated users or the All Users?
Have you ticked the all users must authenticate tick box?
if its in firewall mode, are you also using the ISA2006 firewall client as well?

Keith
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 14

Author Comment

by:theruck
ID: 18762340
- isa is deployed as a proxy with a single network adapter
- i am suer the rules are ok i got only 1 rule and the behaviour is the same
- i used my own group of users
- all user must authenticate is unchecked (but the logon popup still appears), i use integrated authentication


i think that this behaviour is by design and that i will have to use certificate authentication

to make it more clear here is the scenario:
a customer uses domain accounts for internet browsing and logon to computer for general work on pc and he needs the users not to be requested to give the password for isa because they would be able to browse the internet in the local pc account.
with the isa2000 it was ok - it did not popup the authentication dialog

i know this is completely crazy and has no security meaning because the users are allways able to run the Iexplorer with the "runas" command but i just came into this enviroment with 400 users and i am supposed to setup the isa2006 only not changing the entire enviroment
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18769645
No sweat. I'll have to set this up and give a try myself this evening.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18774105
Just setting up the environment now.

To confirm the requirement then.....

you are using ISA as a proxy only so we are only interested in web traffic.
You want authenticated users to gain Internet access but non-authenticated users to be denied access rather than be prompted for credentials.

0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18774851
Confirmed....

On the outbound rule, is this a manual group you have set up or is it an AD group?

I have added the standard outbound rules to a new 2006 install.
ie allow dns, smtp, ntp etc from the respective servers then a single outbound rule for

allow http, https, ftp from internal & local host to external - users = domain users & domain admins

I then connected my two standalone pc's to the network and set them to point to the prox ip and port 8080. They get the satndard ISA 'on your bike' message that the connection is denied.

Do you have any other outbound interne rules applied? ISA applies the rule top-down in 2004 and 2006. O, and I added a rule to the firewall to only accept http, https and ftp from the ISA ip.
0
 
LVL 14

Author Comment

by:theruck
ID: 18779199
it is an AD group
i solved it for now for internet explorer anyway the alternative browsers still ask for authentication

i made these steps

- disabled all authentification types
- enabled integrated auth
- detach http application filter on  http protocol
- set ReturnAuthRequiredIfAuthUserDenied to False

IE does not asks for credentials. if the user is form the enabled group, it allows him to pass. if not error 502 is displayed (URL blocked/denied)
alternativne browsers still ask for credentials

for the customer it is enough as a solution...
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 18955914
PAQed with points refunded (500)

Computer101
EE Admin
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
MS Direct Access 3 654
tmg evaluation 10 552
TMG Network Access Message: The page cannot be displayed 9 3,150
TMG Load Balanced Web Farm Issues 9 139
ISA Server detected routes through the network adapter LAN that do not correlate with the network to which this network adapter belongs What does this mean and how can one go about correcting it? In simple terms, this error message indicates t…
In Africa (and potentially where you live…), reliability of ISPs is questionable.  With the increased reliance on e-mail as one of the primary forms of communication, the costs to business are significant based on interuption of ISP Connectivity.  T…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
Suggested Courses

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question