sictuser
asked on
Force Authentication on ISA 2006
Hi
I am trying to force authentication on an ISA server. The server is running ISA 2006. I only need a particular group of users to use alternate credentials, all other users should use integrated authentication. At present I am having to use basic authentication on the internal network for everyone so that this particular group of users can get internet access. If I use integrated authentication then this group of users is simply denied access to the ISA whilst all other users get seamless internet access.
I have tried to force authentication via group policy and IE security settings but to no avail
Any help would be gratefully received
Thanks in advance
Adrian
What do you mean by alternate credentials? Other user name or RADIUS credentials?
What exactly are you trying to achieve?
ASKER
Thanks for the responses, sorry to take so long to reply, been away from office since I logged the query
I have replaced an ISA 2004 server with an ISA 2006 server for a customer. They have a group of users who have very strictly monitored internet access. They log in to AD to access local resources but when they were using the ISA 2004 these users were prompted when they tried to access any web page for alternative credentials. The username they used for internet access has a password that is changed every hour!! so these users cannot access the internet whilst unsupervised.
The user accounts used to access AD have no internet access through the ISA 2006 but the user that changes its password every hour does have internet access. What I am trying to achieve is what the customer tells me they had before whereby AD logged them on using one username and password but when they tried to access the internet they were prompted for credentials to access the ISA server.
Normal users should not get prompted, currently I have set the system so that all users use basic authentication so that they are all prompted for credentials
Hope this clarifies the situation
Usually if the computer the users are logging on to is joined to the domain and they are logging on using the username and password of the domain that has internet access, the ISA server should not prompt for any username and password; it will authenticate the users using their domain credentials, unless they are working on a computer that is not joined to the domain, in which case they will be prompted for credentials each time they request a website. That is the normal scenario. Could you clarify your request more so that we are able to help more?
Then you have to turn off Integrated Authentication and use Basic Authentication.
Networks-->Internal-->Properties--> Web Proxy Tab-->Authentication button.
This may not work for Firewall Client,...they probably always use Integrated and nothing else, and will not prompt,...but this is not something that I ever do or am ever willing to do,...so I am a bit unsure about that.
Their attempt at creating "security" by this manner is making it less secure,..not more secure,...because credentials get passed from the client to the ISA in clear text
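To illustrate the clear-text point in the reply above, here is an added example (not part of the original thread) that audits what a web proxy request exposes under Basic versus integrated (NTLM) authentication. The two requests, the account name and the password are constructed sample data.

```python
import base64

# Constructed sample requests, as they would appear on the internal network.
# The account name and password are made up for this example.
_BASIC_TOKEN = base64.b64encode(b"CORP\\webuser:Hourly-Pass1").decode()
BASIC_REQUEST = (
    "GET http://example.com/ HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Proxy-Authorization: Basic " + _BASIC_TOKEN + "\r\n\r\n"
)
NTLM_REQUEST = (
    "GET http://example.com/ HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB4IIAA==\r\n\r\n"
)


def audit_proxy_auth(raw_request):
    """Report what the Proxy-Authorization header reveals to anyone on the path."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "proxy-authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        scheme = scheme.lower()
        if scheme != "basic":
            # NTLM/Negotiate tokens carry a challenge-response exchange,
            # not the password itself.
            return {"scheme": scheme, "password_recoverable": False}
        try:
            # Basic is only base64 of "user:password"; no key is needed.
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return {"scheme": "basic", "password_recoverable": False}
        user, sep, password = decoded.partition(":")
        return {
            "scheme": "basic",
            "user": user,
            "password_recoverable": bool(sep),
            "password_length": len(password),    # never log the password itself
        }
    return {"scheme": None, "password_recoverable": False}


if __name__ == "__main__":
    for label, req in (("basic", BASIC_REQUEST), ("ntlm", NTLM_REQUEST)):
        print(label, audit_proxy_auth(req))
```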
ASKER
Hi Elawad
You are completely right in what you have said, that is how it should work and how it works for me with other customers, I'm not sure how this worked with their last ISA server (2004).
Hi Pwindell
Your solution is what I have set up for them currently but like you I would rather not use basic and prefer integrated authentication.
I primarily logged this question in case I had missed something obvious but it appears I have not
Thanks for everyone's responses
ASKER
I think I have found a solution for this, I will try it and report back
http://msdn.microsoft.com/en-us/library/ms826234.aspx
ASKER
Er it worked!
Wanting "alternate credentials" is the root of your problem. You have to stop wanting that, and find a better concept to follow.
At best you might try to use both Integrated and basic at the same time,...if it will let you,...I don't remember if it will or not,...and even if it does I don't know if you will get what you want.