Solved

Not work when using IP address on IE Proxy setting

Posted on 2011-11-01
368 Views
Last Modified: 2012-05-12
First, I am new in my current company. The network structure and ISA server were not configured by me. These days, I have been seeing the ISA 2004 server in my company. I found out a very strange problem which I can't understand. The topology is attached.

ISA01(computer name of the ISA server) is filled on all of our clients’ IE proxy settings. Port is 8080. With this setting, IE is able to access internet normally.
However, when I used the IP address (172.25.1.1) instead of ISA01 in the IE proxy settings, the problem appeared. Upon opening IE, I was always prompted to enter a user name and password, and it failed to authenticate my account even after I entered it many times. Then I switched back to ISA01 and everything went back to normal. I made the same test with different clients and different accounts; the same problem persisted.
I logged on to ISA01 to look at the settings and made some "nslookup" tests. It seems that the Domain Controller cannot be found because the server always uses the DNS from the ISP. I tried to change the DNS servers on "Adapter 1" from the ISP's to 172.25.1.11, 172.25.1.12.
After that:
DC can be resolved correctly;
No more authentication window prompted when using IP address on IE Proxy setting;
I can access internet normally.
I believe it was because ISA server was able to find DC to authenticate my account after I changed the DNS servers. But before I did the change, why could it authenticate user accounts by using ISA01 on the client IE proxy setting, while it did NOT work by using IP address (172.25.1.1). It is really strange. I checked the ISA Console settings and many real time logs, but I didn’t get any finding about this issue.

Computer name works, IP address does not work. What is the difference?

Does anyone have any idea about this issue?

Thanks
Capture.JPG
Question by:AaronZHU
17 Comments
 
LVL 8

Expert Comment

by:Aegil
ID: 37061587
I would guess that it can't resolve the IP to the hostname of the server using reverse DNS correctly, as it was trying to resolve the DNS via the ISP and failing over the internet-facing network. ISA01 is a hostname for the server and will have the domain name added automatically, so ISA01.domain/username; it will automatically try logging on as a domain user, so it will authenticate over the local network / via the domain controller.

If you have two domain controllers it's probably better to use the hostname for the proxy anyway; then you can just change the IP address of the ISA whenever needed.
0
 

Author Comment

by:AaronZHU
ID: 37061935
Thanks. But why does ISA01 need to resolve the IP to the hostname? When clients access the ISA proxy server, aren't using the hostname and using the IP address the same?

(I surely know that using the hostname is a good choice. But I want to clarify my confusion)
0
 
LVL 7

Expert Comment

by:elawad
ID: 37068224
On your ISA server, in the internal network properties -> web proxy authentication, what type of authentication did you select there?
0
 

Author Comment

by:AaronZHU
ID: 37068531
Hello elawad, Integrated is selected.
Untitled.jpg
0
 
LVL 7

Expert Comment

by:elawad
ID: 37068558
OK, try checking Basic authentication along with Integrated and see if this solves the issue, please.
0
 

Author Comment

by:AaronZHU
ID: 37074000
I checked Basic along with Integrated, but it still prompted a user and password window when using the IP. After I entered the user name and password, no success.
0
 
LVL 7

Expert Comment

by:elawad
ID: 37074837
Do you have the ISA Firewall Client on your client machines?
0
 

Author Comment

by:AaronZHU
ID: 37075576
No firewall client installed.
0
 
LVL 7

Expert Comment

by:elawad
ID: 37075653
Could you install it and turn on the automatic detect settings, then try again please?
0
 

Author Comment

by:AaronZHU
ID: 37076064
Yes, I just installed it. The Firewall Client can automatically detect the ISA server. Without a proxy setting in IE, IE can access the internet through the Firewall Client successfully. Other applications can access the internet as well without a proxy setting. But after I turned the proxy on in IE again (using the IP address), the user and password window appeared again; then I switched to the hostname and access succeeded.

Under the current configuration, my key confusions:
1/ Using hostname or Firewall Client - how does the ISA server find the DC? It should not be able to find it, but actually it finds the DC because it can authenticate users successfully.
2/ Using IP address - does not work, but that is normal.
0
 
LVL 7

Expert Comment

by:elawad
ID: 37076132
Yes, that's true. When using either the Firewall Client or the ISA name, the client uses NTLM authentication, which passes your Windows logon credentials to authenticate with the ISA server, while if you manually specify the ISA server proxy IP address your client PCs try to use Basic authentication with your DC; that is when you need to re-enter your credentials each time you request something from the internet.
0
 

Author Comment

by:AaronZHU
ID: 37076704
As you said, when using NTLM, the client passes the Windows logon credential to the ISA server. Without contacting the DC, how does the ISA server authenticate my credential?
0
 
LVL 7

Expert Comment

by:elawad
ID: 37077449
Not without contacting your DC. In both cases your ISA should contact your DC to authenticate users, but with NTLM it passes the Kerberos ticket given by your DC, whereas in Basic you should always provide your username and password, and that is what is happening when you put the ISA IP address, not the name.
0
 

Author Comment

by:AaronZHU
ID: 37080597
You mean, when using NTLM, the ISA server gets the DC's IP address from the Kerberos ticket that the client passes? The DC's IP address is contained in the Kerberos ticket? Then the ISA server is able to pass credentials to the DC to do authentication?
As far as I know, DC information is provided by DNS. In my case, when I ran nslookup on this ISA server, it always used the DNS servers (on Adapter 1) from the ISP, which cannot find our DC at all. That's why I asked many times how my ISA server found the DC's IP address.

And you said putting the ISA IP address means Basic authentication. But my window looks like Picture 1. A Basic authentication window should look like Picture 2.

Moreover, if I remove the DNS servers from the ISP (on Adapter 1), no more window is prompted. How do you explain that?

NTLM-auth.jpg
basic-authenticate.jpg
0
 
LVL 7

Expert Comment

by:elawad
ID: 37081269
No, let me explain more. When you put your ISA server IP address in the proxy settings of your client, it appears that your clients are trying to access the internet using Basic authentication. That means when you contact your ISA server you have to provide your credentials in order for the ISA server to know what privileges you have, and in Basic authentication you should provide them (your credentials) manually. Whereas in NTLM authentication, clients contact your DC and take the Kerberos tickets that have their information and credentials on them, and these tickets will be provided to your ISA server in order to know your privileges and what is allowed for you; this apparently is happening when you provide the ISA server name, not the IP address, in the proxy settings of your IE. So, briefly, this is the main difference between the Basic and NTLM authentication methods.

0
 

Accepted Solution

by:AaronZHU (earned 0 total points)
ID: 37126348
Hi elawad, first of all, thanks for your comments.
These days, I have been doing many tests. I read many articles on Kerberos and NTLM. And I checked many Security audits on the server. I finally figured out my problem.

The fact is that:
When accessing a server (web proxy service or file service) using the host name, Microsoft uses Kerberos authentication, which doesn't require the server to contact the DC.
(reference: http://technet.microsoft.com/en-us/library/cc780469)

When accessing a server using the IP address, Microsoft uses NTLM authentication, which requires the server to contact the DC every time, because the server needs to pass the credentials to the DC for authentication each time. That's why I was prompted for credentials: the server cannot find the DC under my network configuration.
(reference: http://msdn.microsoft.com/en-us/library/windows/desktop/aa378749(v=vs.85).aspx)

After I created correct DNS records in the "hosts" file, I solved my problem.

0
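The dependency the accepted solution describes can be checked mechanically: an IP literal in the proxy setting gives the client no hostname to build a Kerberos SPN from, so it falls back to NTLM, and NTLM pass-through only succeeds if the proxy server's own DNS servers can locate a DC. The Python below is an added illustration written for this page, not code from the thread or from ISA Server. The Active Directory domain name, the DC hostname and the two static DNS tables are constructed assumptions standing in for the internal DNS servers (172.25.1.11 / 172.25.1.12) and the ISP resolvers; the proxy values ISA01 and 172.25.1.1 are the ones from the question.

```python
"""Predict the Windows auth path for an IE proxy setting and whether the
proxy server (ISA) can locate a DC with the DNS servers it is given.

Constructed example: AD_DOMAIN, dc01 and the DNS tables are assumptions;
ISA01 and 172.25.1.1 come from the thread.
"""
import ipaddress
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], List[str]]

AD_DOMAIN = "corp.example"                          # assumption: not named in the thread
DC_SRV_NAME = f"_ldap._tcp.dc._msdcs.{AD_DOMAIN}"   # SRV name the DC locator queries

# Constructed DNS tables: the internal DCs know the domain, the ISP does not.
INTERNAL_DNS: Dict[str, List[str]] = {
    DC_SRV_NAME: ["dc01.corp.example"],
    "isa01.corp.example": ["172.25.1.1"],
}
ISP_DNS: Dict[str, List[str]] = {
    "www.example.com": ["192.0.2.10"],              # TEST-NET placeholder
}


def make_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Resolver over a static table; names it does not know return no answers."""
    return lambda name: list(table.get(name.lower(), []))


def parse_proxy_setting(setting: str) -> tuple:
    """Split 'host:port' (IPv6 literal allowed as '[addr]:port') into (host, port)."""
    s = setting.strip()
    if s.startswith("["):
        host, _, rest = s[1:].partition("]")
        port = rest.lstrip(":") or "80"
    else:
        host, _, port = s.rpartition(":")
        if not host:                                # no port was given
            host, port = port, "80"
    return host, int(port)


def is_ip_literal(host: str) -> bool:
    """True for an IPv4/IPv6 literal, False for a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def kerberos_spn(host: str, domain: str = AD_DOMAIN) -> Optional[str]:
    """SPN the client would ask the KDC for (HTTP/<fqdn>); None for an IP literal,
    which is exactly why an IP-addressed proxy ends up on NTLM."""
    if is_ip_literal(host):
        return None
    fqdn = host.lower() if "." in host else f"{host.lower()}.{domain}"
    return f"HTTP/{fqdn}"


def predict_auth(setting: str, server_resolver: Resolver) -> dict:
    """Mechanism the client will use and whether the user gets a credential prompt.
    server_resolver models the DNS servers configured on the ISA server itself."""
    host, port = parse_proxy_setting(setting)
    spn = kerberos_spn(host)
    if spn is not None:
        # Kerberos: the proxy validates the service ticket with its own key, so
        # its own DNS configuration does not matter for this request.
        return {"host": host, "port": port, "mechanism": "Kerberos", "spn": spn,
                "dc_resolvable": None, "credential_prompt": False}
    # NTLM: the proxy must hand the challenge/response to a DC, which it finds
    # through the SRV record using its own DNS servers.
    dc_ok = bool(server_resolver(DC_SRV_NAME))
    return {"host": host, "port": port, "mechanism": "NTLM", "spn": None,
            "dc_resolvable": dc_ok, "credential_prompt": not dc_ok}


if __name__ == "__main__":
    for dns_name, table in (("ISP DNS", ISP_DNS), ("internal DNS", INTERNAL_DNS)):
        for proxy in ("ISA01:8080", "172.25.1.1:8080"):
            print(f"{proxy:18s} with {dns_name:12s} -> {predict_auth(proxy, make_resolver(table))}")
```

Run as a script it reproduces the four situations in the thread: the hostname works with either DNS set, and the IP literal only works once the proxy server's own resolvers can answer the DC SRV query, which is the same effect the author got by pointing Adapter 1 at the internal DNS servers or adding hosts-file entries.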
 

Author Closing Comment

by:AaronZHU
ID: 37151724
I figured out the problem by myself.
0
