Force Authentication on ISA 2006

sictuser
Hi

I am trying to force authentication on an ISA server. The server is running ISA 2006. I only need a particular group of users to use alternate credentials; all other users should use integrated authentication. At present I am having to use basic authentication on the internal network for everyone so that this particular group of users can get internet access. If I use integrated authentication then this group of users is simply denied access to the ISA whilst all other users get seamless internet access.
I have tried to force authentication via group policy and IE security settings but to no avail.

Any help would be gratefully received

Thanks in advance

Adrian

Commented:
The way you are doing it is the way you do it.
Wanting "alternate credentials" is the root of your problem.  You have to stop wanting that, and find a better concept to follow.
At best you might try to use both Integrated and basic at the same time,...if it will let you,...I don't remember if it will or not,...and even if it does I don't know if you will get what you want.

What do you mean by alternate credentials? Other user name or RADIUS credentials?

What exactly are you trying to achieve?

Author

Commented:
Thanks for the responses, sorry to take so long to reply, been away from the office since I logged the query.

I have replaced an ISA 2004 server with an ISA 2006 server for a customer. They have a group of users who have very strictly monitored internet access. They log in to AD to access local resources but when they were using the ISA 2004 these users were prompted when they tried to access any web page for alternative credentials. The username they used for internet access has a password that is changed every hour!! so these users cannot access the internet whilst unsupervised.

The user accounts used to access AD have no internet access through the ISA 2006 but the user that changes its password every hour does have internet access. What I am trying to achieve is what the customer tells me they had before whereby AD logged them on using one username and password but when they tried to access the internet they were prompted for credentials to access the ISA server.

Normal users should not get prompted. Currently I have set the system so that all users use basic authentication so that they are all prompted for credentials.

Hope this clarifies the situation.
Commented:
Usually, if the computer the users are logging on to is joined to the domain and they are logging on using a username and password of the domain that has internet access, the ISA server should not prompt for any username and password; it will authenticate the users using their domain credentials, unless they are working on a computer that is not joined to the domain, in which case they will be prompted for credentials each time they request a website. That is the normal scenario. Could you clarify your request further so that we can help more?

Commented:
Then you have to turn off Integrated Authentication and use Basic Authentication.

Networks-->Internal-->Properties-->Web Proxy Tab-->Authentication button.

This may not work for Firewall Client,...they probably always use Integrated and nothing else, and will not prompt,...but this is not something that I ever do or am ever willing to do,...so I am a bit unsure about that.

Their attempt at creating "security" by this manner is making it less secure,..not more secure,...because credentials get passed from the client to the ISA in clear text.
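
An added example, not part of the thread and not ISA Server code: a Python check over constructed request headers that shows what the comment above means by clear text, by comparing what an observer on the internal segment learns from a Basic `Proxy-Authorization` header with what it learns from an NTLM one. The account name, password and NTLM token are made-up sample values.

```python
import base64

# Constructed sample requests as seen on the wire between client and proxy.
# Account name, password and the NTLM token are made up for this example.
SAMPLE_REQUESTS = [
    "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
    "Proxy-Authorization: Basic "
    + base64.b64encode(b"CORP\\webuser:Hourly-Pw-01").decode() + "\r\n\r\n",
    "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
    "Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAA=\r\n\r\n",
    "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n",
]


def proxy_auth(raw_request):
    """Return (scheme, token) from Proxy-Authorization, or (None, None)."""
    for line in raw_request.split("\r\n")[1:]:      # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authorization":
            scheme, _, token = value.strip().partition(" ")
            return scheme, token.strip()
    return None, None


def audit(raw_request):
    """Report what an on-path observer learns from one proxy request."""
    scheme, token = proxy_auth(raw_request)
    if scheme is None:
        return {"scheme": None, "exposed": False}
    if scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
        except ValueError:                           # binascii.Error is a ValueError
            return {"scheme": "Basic", "exposed": False, "error": "malformed token"}
        user, sep, password = decoded.partition(":")
        # Record the account and the password length only, never the password.
        return {"scheme": "Basic", "exposed": bool(sep),
                "user": user, "password_len": len(password)}
    # NTLM/Negotiate tokens carry handshake data, not the password itself.
    return {"scheme": scheme, "exposed": False}


if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(audit(request))
```
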

Author

Commented:
Hi Elawad

You are completely right in what you have said, that is how it should work and how it works for me with other customers. I'm not sure how this worked with their last ISA server (2004).

Hi Pwindell

Your solution is what I have set up for them currently but like you I would rather not use basic and prefer integrated authentication.

I primarily logged this question in case I had missed something obvious but it appears I have not.

Thanks for everyone's responses.

Author

Commented:
I think I have found a solution for this, I will try it and report back

http://msdn.microsoft.com/en-us/library/ms826234.aspx
Commented:
This has solved the problem

I copied the text into a VB script and then ran it from a command prompt with either true or false after the command. True forces an authentication box to pop up and false turns it off.

Hope this helps others

Author

Commented:
Er it worked!
