Problem with IE8 authentication and ISA2006

    Question

  • Hi, I have a problem with IE8. I have a DC and an ISA2006 member of the domain, and clients with WinXP SP3. During the work session of a user who is added to the internet group, which can surf by an ISA rule, if the user is already logged on and opens IE8, the ISA message appears that access is denied, Proxy Error... If the user logs off and then logs on again, then it is all OK, he can surf. And then if this user is removed from the internet group, he can still use the internet; only if the user logs off and then logs on again can he not surf. With IE6 it all works fine, but since I installed IE8 this function doesn't work any more. On ISA2006 the authentication is set only to "Integrated". I don't understand what the problem is! Can you help me, please?
    Wednesday, July 14, 2010 7:50 AM

All replies

  • This is because of the way that IE8 works from the proxy authentication standpoint. IE7 and higher use Kerberos for proxy authentication while IE6 and lower use NTLM. ISA Server will negotiate the authentication with the browser and will authenticate according to the method that is supported on both sides. So, from the ISA perspective there is nothing really to be done in your scenario.

    The difference is here:

    With IE7
    1. Client sends the GET request to www.microsoft.com (for example). This request goes as anonymous.
    2. ISA will send the 407 asking for authentication.
    3. Client will contact the DC to get a Service Ticket to give to ISA.
    4. Client will send another GET Request now with the credentials and the ticket.
    5. ISA will verify the request and allow (or deny according to the rule).
    Note: in this case, since ISA doesn't go to the DC and relies on the user's token to access the resource, ISA will verify that the user doesn't belong to the group and will deny the request.

    With IE6
    1. Client sends the GET request to www.microsoft.com (for example). This request goes as anonymous.
    2. ISA will send the 407 asking for authentication.
    3. Client sends another GET request with the credentials (NTLM).
    4. ISA goes to the DC to authenticate the user.
    Note: since ISA goes to the DC it will get an updated version of the user's group information and will verify that the user now belongs to this group.
    5. ISA will allow the user to pass through.

    I was able to repro the same behavior here in my lab and it works as it should. BTW, for more info about the IE6 x IE7 authentication part see: http://technet.microsoft.com/en-us/library/bb984870.aspx

    Note that NTLM is session based, so for every request ISA will have to go to the DC; this adds more network traffic and more pressure on the DC. With IE7 and higher the pressure on the DC is much lower; unfortunately there is this side effect due to the nature of Kerberos authentication for this scenario.

    HTH,


    Yuri Diogenes [MSFT] - http://blogs.technet.com/yuridiogenes
    Saturday, July 17, 2010 1:06 AM
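As an added illustration (not part of this thread or of ISA's code), a small Python model of the two flows described in the reply above: with Kerberos the proxy authorizes from the group list frozen in the service ticket until it expires, while with NTLM the proxy asks the DC for current membership on every request. The group name, ticket lifetime and user name are constructed values.

```python
# Constructed toy model of the two proxy-authentication flows. Kerberos (IE7+)
# authorizes from the group list snapshotted into the service ticket when it
# is issued; NTLM (IE6) makes the proxy query the DC on every request.
# INTERNET_GROUP and TICKET_LIFETIME are assumed values, not ISA settings.
INTERNET_GROUP = "internet-group"
TICKET_LIFETIME = 600  # assumed service-ticket lifetime in seconds

class DomainController:
    def __init__(self, groups):
        self.groups = groups  # user -> set of group names ("live" directory)
    def current_groups(self, user):
        return set(self.groups.get(user, set()))
    def issue_service_ticket(self, user, now):
        # Group membership (the PAC) is copied here and never refreshed
        return {"groups": self.current_groups(user), "expires": now + TICKET_LIFETIME}

class Proxy:
    def __init__(self, dc):
        self.dc = dc
    def handle_get(self, auth=None):
        if auth is None:
            return 407  # step 2 in both flows: Proxy Authentication Required
        if auth["scheme"] == "kerberos":
            groups = auth["ticket"]["groups"]  # trusts the ticket, no DC round trip
        else:
            groups = self.dc.current_groups(auth["user"])  # NTLM: ask the DC now
        return 200 if INTERNET_GROUP in groups else 403

class Client:
    def __init__(self, dc, user, scheme):
        self.dc, self.user, self.scheme, self.ticket = dc, user, scheme, None
    def browse(self, proxy, now):
        assert proxy.handle_get() == 407  # anonymous GET is always challenged
        if self.scheme == "ntlm":
            return proxy.handle_get({"scheme": "ntlm", "user": self.user})
        if self.ticket is None or self.ticket["expires"] <= now:
            self.ticket = self.dc.issue_service_ticket(self.user, now)  # step 3
        return proxy.handle_get({"scheme": "kerberos", "ticket": self.ticket})

def group_change_timeline(scheme):
    """Results (before add, right after add, after ticket expiry, after removal)."""
    dc = DomainController({"alice": set()})
    proxy, client = Proxy(dc), Client(dc, "alice", scheme)
    r0 = client.browse(proxy, now=0)                     # not in the group yet
    dc.groups["alice"].add(INTERNET_GROUP)               # admin adds mid-session
    r1 = client.browse(proxy, now=1)
    r2 = client.browse(proxy, now=TICKET_LIFETIME + 1)   # old ticket has expired
    dc.groups["alice"].discard(INTERNET_GROUP)           # admin removes again
    r3 = client.browse(proxy, now=TICKET_LIFETIME + 2)
    return (r0, r1, r2, r3)
```

The Kerberos timeline shows the stale-group effect in both directions (denied after being added, still allowed after being removed) until the ticket is reissued, which is what a logoff/logon or the expiry described in the thread triggers.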
  • So is there no chance to make the authentication refresh faster during the session of a user? I observed that after a few hours the user (who was added to the internet group during his session) can surf. But I need this immediately; is there really no chance for this option? Can IE8 send the authentication and ticket request at every process?
    Saturday, July 17, 2010 6:26 AM
  • It can after some time because the ticket expires and it has to get a new one. An easy workaround will be to use the IP of the ISA Server as Proxy Server rather than the name. When you use the IP in the Proxy Settings for IE (Tools/Internet Options/Connections/LAN Settings/Proxy) the auth negotiation will always be NTLM, since Kerberos requires the FQDN/NetBIOS name of the server. This way IE8 will behave like IE6 for authentication; however, keep in mind that if you do that you are losing one great improvement from IE7, which is the capability to use Kerberos and therefore put less pressure on ISA and the DC, as described in the article that I pointed to in the previous reply.

    HTH,


    Yuri Diogenes [MSFT] - http://blogs.technet.com/yuridiogenes
    • Marked as answer by LucaDV-TecITA Monday, July 19, 2010 8:44 AM
    Saturday, July 17, 2010 1:21 PM
  • Thanks for your help!
    Monday, July 19, 2010 8:45 AM