ISA 2000 authentication and CRM/Sharepoint sites problem

This is a bit confusing to explain so please bear with me...

We have an ISA 2000 server in our organization that filters internet access to our users. We only allow a certain domain security group to access the internet. When an authorized internet user opens up their browser, the ISA will authenticate the user through their local domain account. This has been a practice for many years and hasn't been a problem until now. Our users now need to access a CRM and SharePoint site from our corporate office (which requires us to use a separate domain account since we are not on their domain). When they access the CRM or SharePoint site, they are challenged with a Windows authentication (using our corporate domain account, not local domain account). The browser prompts the user with multiple Windows logon boxes as they enter their corporate domain account. It slowly loads each section of the site after entering their credentials to access the CRM/SharePoint site, but ultimately fails from unauthorized access.

I believe that the issue is the differing domain accounts they are using to authenticate between two different domains. One, they are authenticated in our domain to access the internet. Two, they are using a different domain account to access the CRM/SharePoint site. When the user opens up the CRM/SharePoint site, I believe the two domains are conflicting with each other (one is trying to authenticate internet access in the local domain and the other is trying to authenticate CRM/SharePoint access in the corporate domain). To get it to work, I set up a protocol policy (HTTP) and applied it to "any request" instead of specifying certain user groups. This solved the issue and users are able to access the CRM/SharePoint site using their other domain credentials (not the domain credentials they are using to log into the network). However, we can't allow this policy because we can't allow everyone access to the Internet.

Does anyone know more about ISA 2000 and how to configure it so we can allow only the authorized users to access the CRM/SharePoint site without opening the internet to everyone else? I've tried applying the policy to only the internet group and not to everyone else, but it still doesn't work. Any ideas or thoughts? Thank you for any help!
ROtsuji asked:
ROtsuji (Author) commented:
Looking at the "incoming web requests" settings, "Ask unauthenticated users for identification" is checked. If unchecked, will this prevent the ISA from re-authenticating the user (since they are already on the internet), so that the only authentication the user receives is from the CRM/SharePoint site?
pwindell commented:
Are the users also prefixing their credentials with the correct domain name?

User:  domain\username
Password: *******

ROtsuji (Author) commented:
pwindell,

Yes, they are using that login format.
anees10 commented:
Try to apply the policy from specific computers instead of user accounts.
pwindell commented:
"try to apply the policy from specific computers instead of user accounts"
You can't.  All the involved machines would have to have manually, statically assigned IP specs,...and it still wouldn't solve the problem anyway.  The root of the problem is the CRM and SP and also the lack of domain structure.  The problem is not the ISA.
The only real solution I see is,...in these steps,...more or less in this order:
1. Stop using multiple accounts for the same user (one on that domain, one on this domain, one over here, one over there, one this way and one that way, yadda, yadda, yadda).  All users have one account,...period...end of story.
2. Set up a VPN or some kind of dependable private link between the two facilities.
3. Set up a trust between the two domains (via the private link).  Then add users from one domain into the groups of the other domain so that they can authenticate for resources on that other domain.
4. The traffic for the CRM and the SP would run over the private link between the sites,...ISA would not be involved at all and would not have anything to do with it.  Now you might use the ISA to create a site-to-site VPN,...but that would be the extent of its involvement, and with it being ISA 2000 it is really RRAS performing the VPN behind the scenes anyway, not really the ISA.
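The trust-and-group part of steps 3 and 4 above, as an added example in PowerShell. This is not part of the thread or of any poster's text: it assumes the private link from step 2 is already up and that DNS resolves both domains across it, that both domains run a Windows Server version with the ActiveDirectory PowerShell module (far newer than the ISA 2000 era), and that every domain, group and user name below is a hypothetical placeholder.

```powershell
# Added example for the thread's steps 3 and 4; not from the original posts.
# Assumptions: the site-to-site link is up and DNS resolves both domains; the
# ActiveDirectory module is installed; all names below are hypothetical placeholders.
$LocalDomain  = 'branch.example.local'   # domain the users log on to (hypothetical)
$RemoteDomain = 'corp.example.local'     # domain hosting CRM and SharePoint (hypothetical)

# Step 3a: create a two-way trust between the local and corporate domains over the link.
# netdom prompts for the remote admin password when /PasswordD:* is given.
netdom trust $LocalDomain /d:$RemoteDomain /add /twoway /UserD:"$RemoteDomain\TrustAdmin" /PasswordD:*

# Confirm the trust is registered and that the secure channel to it actually works.
Get-ADTrust -Filter "Name -eq '$RemoteDomain'" | Select-Object Name, Direction, TrustType
nltest /sc_verify:$RemoteDomain

# Step 3b: put a local-domain user into the corporate group that guards CRM/SharePoint.
# A global group cannot hold principals from another domain, so the corporate group
# must be Domain Local or Universal; check that before attempting the add.
$User  = Get-ADUser  -Identity 'jdoe' -Server $LocalDomain
$Group = Get-ADGroup -Identity 'CRM-SharePoint-Users' -Server $RemoteDomain
if ($Group.GroupScope -eq 'Global') {
    throw "Group $($Group.Name) is Global; use a Domain Local or Universal group for cross-domain members."
}
Add-ADGroupMember -Identity $Group -Members $User -Server $RemoteDomain

# Step 4 check: list the group's members as the corporate domain sees them. The
# local-domain user appears as a foreign security principal, which is what lets the
# corporate site accept the user's own logon instead of prompting for a second account.
Get-ADGroupMember -Identity $Group -Server $RemoteDomain | Select-Object Name, ObjectClass
```

Run this as an administrator in both domains; the user's single account is then accepted by the corporate site over the private link, and the ISA rule only ever applies to plain internet traffic.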
Ingeborg Hawighorst (Microsoft MVP / EE MVE) commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.