Proxy does not work when using the IP address in the IE proxy setting

First, I am new to my current company. The network structure and the ISA server were not configured by me. Recently I have been looking into the ISA 2004 server in my company. I found a very strange problem which I can't understand. The topology is attached.

ISA01 (the computer name of the ISA server) is filled in on all of our clients' IE proxy settings. The port is 8080. With this setting, IE is able to access the internet normally.
However, when I used the IP address (172.25.1.1) instead of ISA01 in the IE proxy settings, the problem appeared. Upon opening IE, I was always prompted to enter a user name and password, and it failed to authenticate my account even after I entered them many times. Then I switched back to ISA01 and everything went back to normal. I made the same test with different clients and different accounts; the same problem persisted.
I logged on to ISA01 to look at the settings and made some "nslookup" tests. It seems that the Domain Controller cannot be found because the server always uses the DNS from the ISP. I tried changing the DNS servers on "Adapter 1" from the ISP's to 172.25.1.11 and 172.25.1.12.
After that:
DC can be resolved correctly;
No more authentication window prompted when using IP address on IE Proxy setting;
I can access internet normally.
I believe it was because the ISA server was able to find the DC to authenticate my account after I changed the DNS servers. But before I made the change, why could it authenticate user accounts when ISA01 was used in the client IE proxy setting, while it did NOT work when the IP address (172.25.1.1) was used? It is really strange. I checked the ISA Console settings and many real-time logs, but I didn't find anything about this issue.

The computer name works, the IP address does not. What is the difference?

Does anyone have any idea about this issue?

Thanks
(attachment: Capture.JPG)
AaronZHU asked.

AaronZHU (Author) commented:
Hi elawad, first of all, thanks for your comments.
These days, I have been doing many tests. I read many articles on Kerberos and NTLM. And I checked many Security audits on the server. I finally figured out my problem.

The fact is that:
When accessing a server (web proxy service or file service) using the host name, Microsoft uses Kerberos authentication, which doesn't require the server to contact the DC.
(reference: http://technet.microsoft.com/en-us/library/cc780469)

When accessing a server using the IP address, Microsoft uses NTLM authentication, which requires the server to contact the DC every time, because the server needs to pass the credentials to the DC for authentication every time. That's why I was prompted for credentials: the server could not find the DC under my network configuration.
(reference: http://msdn.microsoft.com/en-us/library/windows/desktop/aa378749(v=vs.85).aspx)

After I created correct DNS records in the "hosts" file, I solved my problem.

Aegil commented:
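The two findings in this thread (the ISA server must be able to locate a DC through DNS, and a hostname lets the client take the Kerberos path while an IP literal forces NTLM) can both be checked from an administrator's workstation. The script below is an added example, not code from the thread or from Microsoft; it assumes a placeholder AD domain `corp.example`, a proxy FQDN `isa01.corp.example` built from the ISA01 name in the question, and the DC addresses 172.25.1.11 and 172.25.1.12 that the asker configured. `Resolve-DnsName` and `Get-DnsClientServerAddress` need the DnsClient module (Windows 8 / Server 2012 or later), so it is meant to run on a current machine rather than on the ISA 2004 host itself, where `nslookup` and `nltest /dsgetdc:` do the same job.

```powershell
# Added diagnostic example (not from the thread). Placeholders:
#   $Domain    - AD DNS domain ('corp.example' is assumed, not given in the thread)
#   $ProxyHost - proxy FQDN (built from the ISA01 name in the question)
param(
    [string]$Domain    = 'corp.example',
    [string]$ProxyHost = 'isa01.corp.example'
)

function Test-DcLocatorRecords {
    param([string]$Domain)
    # Windows locates domain controllers through the _ldap._tcp.dc._msdcs.<domain> SRV
    # record, so it is queried through every DNS server configured on every adapter.
    # A server pointed only at the ISP resolver (the asker's "Adapter 1") fails here,
    # which is exactly why the ISA server could not find a DC for NTLM pass-through.
    $srvName = "_ldap._tcp.dc._msdcs.$Domain"
    foreach ($iface in Get-DnsClientServerAddress -AddressFamily IPv4) {
        foreach ($server in $iface.ServerAddresses) {
            try {
                $rec = Resolve-DnsName -Name $srvName -Type SRV -Server $server -ErrorAction Stop
                $targets = ($rec | Where-Object { $_.Type -eq 'SRV' } |
                            ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
                [pscustomobject]@{ Interface = $iface.InterfaceAlias; DnsServer = $server
                                   Result = 'OK';   DomainControllers = $targets }
            } catch {
                [pscustomobject]@{ Interface = $iface.InterfaceAlias; DnsServer = $server
                                   Result = 'FAIL'; DomainControllers = $_.Exception.Message }
            }
        }
    }
}

function Test-ProxyKerberosSpn {
    param([string]$ProxyHost)
    # Negotiate can only choose Kerberos when the client can build a service principal
    # name from the target it was given. A hostname yields HTTP/<fqdn>; a bare IP literal
    # yields no SPN on classic Windows, so the client silently falls back to NTLM, which the
    # proxy must then pass through to a DC. setspn -Q reports whether the SPN is registered.
    $spn = "HTTP/$ProxyHost"
    $spnOut = & setspn.exe -Q $spn 2>&1 | Out-String
    $registered = $spnOut -match 'Existing SPN found'
    # klist get asks the KDC for a service ticket to that SPN; a ticket proves the Kerberos
    # path works end to end without the proxy ever needing to reach a DC for this client.
    $ticketOut = & klist.exe get $spn 2>&1 | Out-String
    [pscustomobject]@{
        Spn            = $spn
        SpnRegistered  = $registered
        TicketObtained = ($ticketOut -match [regex]::Escape($spn))
    }
}

Write-Host "== DC locator SRV records via each configured DNS server =="
Test-DcLocatorRecords -Domain $Domain | Format-Table -AutoSize

Write-Host "== Kerberos SPN and ticket check for the proxy hostname =="
Test-ProxyKerberosSpn -ProxyHost $ProxyHost | Format-List
```

Read the first table with the question's topology in mind: a FAIL row for the ISP's resolver combined with an OK row for 172.25.1.11 or 172.25.1.12 reproduces the asker's situation, and it explains why the IP-literal proxy setting (NTLM, DC contact required) broke while the hostname setting (Kerberos, ticket presented by the client) kept working. The second check is the defender's way to confirm the Kerberos path rather than relying on the prompt behaviour of IE: if `SpnRegistered` is false, clients will fall back to NTLM even when given the hostname.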
I would guess that it can't resolve the IP to the hostname of the server using reverse DNS correctly, as it was trying to resolve the DNS via the ISP and failing over the internet-facing network. ISA01 is a hostname for the server and will have the domain name added automatically, so ISA01.domain/username, so it will automatically try logging on as a domain user and so it will authenticate over the local network / via the domain controller.

If you have two domain controllers it's probably better to use the hostname for the proxy anyway; then you can just change the IP address of the ISA whenever needed.

AaronZHU (Author) commented:
Thanks. But why does ISA01 need to resolve the IP to the hostname? When clients access the ISA proxy server, aren't using the hostname and using the IP address the same?

(I surely know that using the hostname is a good choice. But I want to clarify my confusion)

elawad commented:
On your ISA server, in the internal network properties -> Web Proxy -> Authentication, what type of authentication have you selected there?

AaronZHU (Author) commented:
Hello elawad, Integrated is selected.
(attachment: Untitled.jpg)

elawad commented:
OK, try checking Basic authentication along with Integrated and see if this solves the issue, please.

AaronZHU (Author) commented:
I checked Basic along with Integrated, but it still prompted the user name and password window when using the IP. After I entered the user name and password, no success.

elawad commented:
Do you have the ISA Firewall Client on your client machines?

AaronZHU (Author) commented:
No firewall client installed.

elawad commented:
Could you install it and turn on automatic detection of settings, then try again please?

AaronZHU (Author) commented:
Yes, I just installed it. The Firewall Client can automatically detect the ISA server. Without a proxy setting in IE, IE can access the internet through the Firewall Client successfully. Other applications can access the internet as well without a proxy setting. But after I turned on the proxy in IE again (using the IP address), the user name and password window appeared again; then I switched to the hostname and access succeeded.

Under the current configuration, my key confusions are:
1/ Using the hostname or the Firewall Client: how does the ISA server find the DC? It should not be able to find it, but actually it does find the DC, because it can authenticate users successfully.
2/ Using the IP address: it does not work, but that is normal.

elawad commented:
Yes, that's true. When using either the Firewall Client or the ISA name, the client uses NTLM authentication, that is, passing your Windows logon credentials to authenticate with the ISA server. Whereas if you manually specify the ISA server proxy IP address, your client PCs are trying to use Basic authentication with your DC, and that is when you need to re-enter your credentials each time you request something from the internet.

AaronZHU (Author) commented:
As you said, when using NTLM, the client passes the Windows logon credentials to the ISA server. Without contacting the DC, how does the ISA server authenticate my credentials?

elawad commented:
Not without contacting your DC. In both cases your ISA should contact your DC to authenticate users, but with NTLM it passes the Kerberos ticket given by your DC, whereas in Basic you should always provide your username and password, and that is what is happening when you put the ISA IP address rather than the name.

AaronZHU (Author) commented:
You mean, when using NTLM, the ISA server gets the DC's IP address from the Kerberos ticket that the client passes? The DC's IP address is contained in the Kerberos ticket? Then the ISA server is able to pass the credentials to the DC to do the authentication?
As far as I know, DC information is provided by DNS. In my case, when I ran nslookup on this ISA server, it always used the DNS servers (on Adapter 1) from the ISP, which cannot possibly find our DC at all. That's why I asked many times how my ISA server found the DC's IP address.

And you said putting the ISA IP address means Basic authentication. But my window looks like Picture 1. A Basic authentication window should look like Picture 2.

Moreover, if I remove the DNS servers from the ISP (on Adapter 1), no more window is prompted. How can you explain that?

(attachments: NTLM-auth.jpg = Picture 1, basic-authenticate.jpg = Picture 2)

elawad commented:
No, let me explain more. When you put your ISA server IP address in the proxy settings of your client, it appears that your clients are trying to access the internet using Basic authentication. That means when you contact your ISA server you have to provide your credentials in order for the ISA server to know what privileges you have, and in Basic authentication you should provide them (your credentials) manually. Whereas in NTLM authentication, clients contact your DC and take the Kerberos tickets that have their information and credentials on them, and these tickets will be provided to your ISA server in order to know your privileges and what is allowed for you, and this apparently is happening when you provide the ISA server name, not the IP address, in the proxy settings of your IE. So, briefly, this is the main difference between the Basic and NTLM authentication methods.


AaronZHU (Author) commented:
I figured out the problem by myself.