Forefront TMG authentication fails, all users marked as anonymous

I'm in the process of setting up a Forefront TMG server on one of our customers' LANs.
The server is operating with only one NIC, and only as a content filtering proxy.

The problem I'm having is that the customer wants to be able to disable all internet access for a few select users.
I've created a user group containing the users, and a Web Access Policy denying traffic on all protocols.
I've set up Integrated Authentication and added all the customer's domain controllers and GC servers.

Even with the above setup, and the TMG server set as the proxy server, all internet traffic is blocked for all users.
When I look in the logs, I see that ALL users are anonymous. Not one of them authenticates properly, even though the client machines get the "Username / Password" prompt.
I've even installed the Forefront Client, without luck.

Has anyone come across this before?
johnnybrian (IT manager) asked:

Keith Alabaster (Enterprise Architect) commented:
What results do you get from the Best Practices Analyzer?
johnnybrian (IT manager, author) commented:
Hi Keith
I'm getting the following:
The secure channel to the domain controller cannot be verified.
1: Verify the connectivity to the domain controller.
2: Make sure that the domain controller is up.
3: Verify that the system policy rule, Allow access to directory services for authentication purposes, is enabled.

I've already edited the System Policy and added our domain controllers in the LDAP settings of Authentication Servers. The TMG server is able to ping all 3 of our DCs.
Keith Alabaster (Enterprise Architect) commented:
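The BPA finding above only says the secure channel "cannot be verified"; ping does not tell you which of the things TMG actually needs (Netlogon, Kerberos, LDAP, GC) is reachable. The script below is an added example, not code posted by anyone in this thread, to run on the TMG server itself. The DC host names are placeholders. On a single-NIC TMG, the host's own traffic to the DCs passes through the firewall service, so a port that shows as blocked here can be the system policy rule named in the BPA text rather than the network.

```powershell
# Added example (not from the original thread): checks on the TMG server for the
# BPA finding "The secure channel to the domain controller cannot be verified".
# Assumes the TMG host is domain-joined and runs PowerShell 2.0 or later;
# the DC host names are placeholders, replace them with the customer's DCs.
param(
    [string[]]$DomainControllers = @("dc1.corp.example", "dc2.corp.example", "dc3.corp.example")
)

# Ports TMG needs open to a DC for integrated (Kerberos/NTLM) authentication and
# the LDAP/GC lookups behind user-group based rules. ICMP alone proves nothing here.
$RequiredPorts = @{
    53   = "DNS"
    88   = "Kerberos"
    135  = "RPC endpoint mapper (Netlogon / secure channel)"
    389  = "LDAP"
    445  = "SMB (Netlogon)"
    3268 = "Global Catalog"
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Is this machine's own secure channel to its domain healthy?
$cs = Get-WmiObject Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning "This host is not domain-joined; integrated authentication cannot use domain accounts."
}
Write-Host "Domain: $($cs.Domain)"
Write-Host "Secure channel OK: $(Test-ComputerSecureChannel)"
# Which DC the secure channel is currently bound to:
nltest /sc_query:$($cs.Domain)

# 2. Per-DC reachability of the ports TMG depends on
foreach ($dc in $DomainControllers) {
    foreach ($port in ($RequiredPorts.Keys | Sort-Object)) {
        $state = if (Test-TcpPort -ComputerName $dc -Port $port) { "open" } else { "BLOCKED" }
        "{0,-28} {1,5}/tcp {2,-8} {3}" -f $dc, $port, $state, $RequiredPorts[$port]
    }
}
```

If `Test-ComputerSecureChannel` returns False while the ports are open, `Test-ComputerSecureChannel -Repair` (run as a domain account allowed to reset the computer account) re-establishes the channel without leaving and rejoining the domain. If the ports show as blocked only from the TMG host and not from another machine on the same subnet, look at the system policy rule the BPA names before touching the network.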
So TMG is not a member of the domain?
Have you added an allow rule FROM localhost and internal TO localhost & internal - all protocols, all users as a start testing point?


johnnybrian (IT manager, author) commented:
The Forefront server is a member server of the domain.
I've just tried adding the rule you said, and now TmgBPA goes through with completed on all points.
johnnybrian (IT manager, author) commented:
User authentication is still not working.
The logs state that the new rule grants access, but the username is still anonymous.

One thing I've noticed is that when I enable Integrated Authentication, I can only choose RADIUS servers, and not a domain. I've just tried switching to Digest as our domain has a 2003 functional level.
johnnybrian (IT manager, author) commented:
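The symptom in this thread (clients get a credential prompt, yet every request is logged as anonymous) is easier to pin down from the client side than from the TMG log. The script below is an added example, not code from anyone in the thread; it sends the same request through the proxy twice, once with no credentials and once with the logged-on user's Windows credentials, and reports the HTTP status and the `Proxy-Authenticate` schemes the proxy offers. The proxy address and test URL are placeholders.

```powershell
# Added example (not from the original thread): probe the TMG web proxy from a
# domain-joined client to see which authentication schemes it offers on the 407
# challenge and whether supplying Windows credentials changes the outcome.
# $Proxy and $Url are placeholders; PowerShell 2.0 or later is assumed.
param(
    [string]$Proxy = "http://tmg.corp.example:8080",
    [string]$Url   = "http://www.example.com/"
)

function Invoke-ProxyProbe {
    param([string]$Proxy, [string]$Url, [switch]$UseWindowsCredentials)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Timeout = 10000
    $webProxy = New-Object System.Net.WebProxy($Proxy)
    if ($UseWindowsCredentials) {
        # Answers a Negotiate/NTLM challenge with the logged-on user's token.
        $webProxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
    }
    $req.Proxy = $webProxy
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 407 challenges and policy-denial pages surface as exceptions; the
        # response object is still attached and carries the headers we want.
        $resp = $_.Exception.Response
        if ($resp -eq $null) { throw }
    }
    $schemes = @()
    if ($resp.Headers -ne $null -and $resp.Headers["Proxy-Authenticate"]) {
        $schemes = $resp.Headers.GetValues("Proxy-Authenticate")
    }
    $result = New-Object PSObject -Property @{
        Credentials       = $(if ($UseWindowsCredentials) { "Windows (default)" } else { "none" })
        Status            = [int]$resp.StatusCode
        ProxyAuthenticate = ($schemes -join "; ")
    }
    $resp.Close()
    return $result
}

# Anonymous request: a listener that requires authentication answers 407 and
# lists the schemes it accepts (for example Negotiate and/or NTLM). No
# Proxy-Authenticate header at all means the listener is not demanding
# authentication, and every user will be logged as anonymous whatever the rules say.
Invoke-ProxyProbe -Proxy $Proxy -Url $Url

# Same request with the domain user's credentials. A user in the blocked group
# should now be denied by name in the TMG log rather than appearing as anonymous;
# a repeated 407 here means TMG could not validate the credentials it was given.
Invoke-ProxyProbe -Proxy $Proxy -Url $Url -UseWindowsCredentials
```

Read the two results together: 407 with Negotiate/NTLM on the first call and a non-407 on the second means the proxy and client agree on integrated authentication, and any remaining "anonymous" entries are for requests that never carried credentials. A 407 on both calls means TMG is challenging but cannot validate the answer against the domain, which is what the secure-channel failure reported by the BPA earlier in this thread would produce. A first call with only "Basic" or "Digest" offered means the listener is not actually using integrated authentication, which matches the poster's observation that the Integrated option would only accept RADIUS servers.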
A colleague ended up figuring this out after a reinstallation; giving the points to Keith for his help.