ISA 2000 authentication and CRM/SharePoint sites problem

This is a bit confusing to explain so please bear with me...

We have an ISA 2000 server in our organization that filters internet access for our users. We only allow a certain domain security group to access the internet. When an authorized internet user opens their browser, the ISA authenticates the user through their local domain account. This has been the practice for many years and hasn't been a problem until now. Our users now need to access a CRM and SharePoint site from our corporate office (which requires us to use a separate domain account, since we are not on their domain). When they access the CRM or SharePoint site, they are challenged with Windows authentication (using our corporate domain account, not the local domain account). The browser prompts the user with multiple Windows logon boxes as they enter their corporate domain account. It slowly loads each section of the site after they enter their credentials to access the CRM/SharePoint site, but ultimately fails with unauthorized access.

I believe that the issue is the differing domain accounts they are using to authenticate between two different domains. One, they are authenticated in our domain to access the internet. Two, they are using a different domain account to access the CRM/SharePoint site. When the user opens the CRM/SharePoint site, I believe the two domains are conflicting with each other (one is trying to authenticate internet access in the local domain and the other is trying to authenticate CRM/SharePoint access in the corporate domain). To get it to work, I set up a protocol policy (HTTP) and applied it to "any request" instead of specifying certain user groups. This solved the issue and users are able to access the CRM/SharePoint site using their other domain credentials (not the domain credentials they use to log into the network). However, we can't allow this policy because we can't allow everyone access to the Internet.

Does anyone know more about ISA 2000, so we can configure it to allow only the authorized users to access the CRM/SharePoint site without opening the internet to everyone else? I've tried applying the policy to only the internet group and not to everyone else, but it still doesn't work. Any ideas or thoughts? Thank you for any help!
ROtsuji Asked:

pwindell Commented:
try to apply the policy from specific computers instead of user accounts
You can't.  All the involved machines would have to have manually, statically assigned IP specs,...and it still wouldn't solve the problem anyway.  The root of the problem is the CRM and SP and also the lack of domain structure.  The problem is not the ISA.
The only real solution I see is,...in these steps,...more or less in this order:
1. Stop using multiple accounts for the same user (one on that domain, one on this domain, one over here, one over there, one this way and one that way, yadda, yadda, yadda).  All users have one account,...period...end of story.
2. Set up a VPN or some kind of dependable private link between the two facilities.
3. Set up a trust between the two domains (via the private link).  Then add users from one domain into the groups of the other domain so that they can authenticate for resources on that other domain.
4. The traffic for the CRM and the SP would run over the private link between the sites,...ISA would not be involved at all and would not have anything to do with it.  Now you might use the ISA to create a site-to-site VPN,...but that would be the extent of its involvement, and with it being ISA 2000 it is really RRAS performing the VPN behind the scenes anyway, not really the ISA.
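The steps above end with a trust and cross-domain group membership. The following PowerShell is an added example written for this page, not code from the thread or from anyone posting in it. It assumes the ActiveDirectory module on an admin workstation, that the private link and trust from steps 2 and 3 already exist (a netdom command is shown in the error message as an assumed way to create one), and that every domain, host, group and user name in it is a placeholder to replace with real values. With one account and a trust in place, the proxy challenge from the ISA and the 401 challenge from the site are answered by the same logged-on credentials, which is what removes the repeated prompts.

```powershell
# Added example, not from the original thread. Placeholders: local.example,
# corp.example, dc01.corp.example, CRM-SP-Users, jdoe. Run as an account that
# can read local.example and create/modify groups in corp.example (or add
# -Credential to the corp.example calls).
Import-Module ActiveDirectory

$localDomain = 'local.example'       # placeholder: domain the users log into
$corpDomain  = 'corp.example'        # placeholder: domain hosting CRM/SharePoint
$corpDc      = 'dc01.corp.example'   # placeholder: a corp DC reachable over the link

# Step 3 prerequisite: the resource domain (corp) must trust the account
# domain (local). Check the trust object as seen from the local domain.
$trust = Get-ADTrust -Filter "Name -eq '$corpDomain'" -Server $localDomain
if (-not $trust) {
    # Assumed netdom syntax for a two-way external trust; adjust accounts.
    throw ("No trust with $corpDomain found. Create it first, e.g.:`n" +
           "  netdom trust $corpDomain /d:$localDomain /add /twoway " +
           "/UserD:$localDomain\Administrator /PasswordD:* " +
           "/UserO:$corpDomain\Administrator /PasswordO:*")
}
"Trust to $($trust.Name): direction = $($trust.Direction)"

# Resource-side group in corp. Domain Local scope is the scope that may
# contain accounts from a trusted external domain; the CRM/SharePoint site
# then grants access to this group rather than to individual accounts.
$groupName = 'CRM-SP-Users'          # placeholder
$group = Get-ADGroup -Filter "Name -eq '$groupName'" -Server $corpDc
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope DomainLocal `
                         -GroupCategory Security -Server $corpDc -PassThru
}

# Step 1 in practice: the user's single local account is added to the corp
# group. No second account is created in corp.
$localUser = Get-ADUser -Identity 'jdoe' -Server $localDomain   # placeholder
Add-ADGroupMember -Identity $group -Members $localUser -Server $corpDc

# Verify: the member appears as a foreign security principal carrying the
# local domain's SID, which is how corp resources authorize it after the
# trust-routed logon.
(Get-ADGroup -Identity $group -Properties member -Server $corpDc).member
```

If the trust is one-way, the direction shown must be the one in which corp trusts local; a trust in the other direction only lets corp accounts onto local resources and does nothing for the CRM/SharePoint logon.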
 
ROtsuji (Author) Commented:
Looking at the "incoming web requests" settings, "Ask unauthenticated users for identification" is checked. If unchecked, will this prevent the ISA from reauthenticating the user (since they are already on the internet) and the only authentication the user will receive is from the crm/sharepoint site?

pwindell Commented:
Are the users also prefixing their credentials with the correct domain name?

User:  domain\username
Password: *******


ROtsuji (Author) Commented:
pwindell,

Yes, they are using that login format.

anees10 Commented:
try to apply the policy from specific computers instead of user accounts

Ingeborg Hawighorst (Microsoft MVP / EE MVE) Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.