ISA server 2006 disable Kerberos/Negotiation Web Proxy Authentication use only NTLM

  • Question


    Hey All

    Not too sure if this is the correct forum or not but here goes anyhow.

    I have been trying to disable the Kerberos/ negotiation authentication schemes within the web proxy portion of the ISA 2006 services.

     

    This was possible in ISA server 2004 and seems to be in ISA 2006 using a very basic VBS script to modify the FPC.Root object and add the 'UseOnlyNTLMForWindowsAuth' parameter to the VendorParameterSets within this object with a value of 1.

     

    According to this article this should work fine in ISA 2006:

    http://support.microsoft.com/kb/927265/en-us

     

    But it doesn't; it keeps authenticating users with all schemes. Has anyone else managed to get this working in ISA 2006 standard?

     

    There is a fix on the above link, a hotfix, but it states to only use this fix if you are experiencing the exact issue the KB article is reporting, as it could have other consequences and hasn't been fully tested as yet....

     

    If anyone could let me know if the hotfix will solve the issue or any other fix for the problem would be much appreciated.

     

    Best Regards

     

    Ben

    Monday, June 16, 2008 4:52 AM

Answers


    Hey Guys

    Just an update in case anybody else has this problem: I can let you know it does work, and here is how....

    I tried to apply the hotfix for 2006 but it wouldn't allow me, stating that the incorrect version was installed (incidentally it was for 2004se not 2006)... Then I installed the KB939455 supportability update which updated the version of the required files:

    Linktranslation.dll 5.0.5720.154 247,136 25-Oct-2006 09:24 x86
    Msfpc.dll 5.0.5720.154 549,216 25-Oct-2006 09:24 x86
    Msfpccom.dll 5.0.5720.154 6,409,568 25-Oct-2006 09:24 x86
    W3filter.dll 5.0.5720.154 890,208 25-Oct-2006 09:24 x86

    to higher versions than mentioned above. After doing this I have run the VBS script which changes the authentication scheme to UseOnlyNTLMforWindowsAuth and now my content keeper filtering system is stopping all Firefox users and therefore using NTLM not Kerberos....

    Hopefully if anyone else has this issue this could help them out.

    Regards

    Ben Langford.

    • Marked as answer by NimAjNeB Wednesday, June 18, 2008 3:16 AM
    Wednesday, June 18, 2008 3:16 AM
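
The kind of script the thread describes, as an added example that is not the poster's script or the one published in KB 927265: it opens FPC.Root, sets UseOnlyNTLMForWindowsAuth to 1 in a vendor parameters set, and reports what was stored before. The GUID is a placeholder (take the real one from the KB article), and the ISA administration COM object model (GetContainingArray, VendorParametersSets, Item/Add, Value, Save) is assumed to be available because the script runs on the ISA server itself.

```vbscript
Option Explicit

' Placeholder GUID: replace with the vendor parameters set GUID from KB 927265.
Const VPS_GUID  = "{00000000-0000-0000-0000-000000000000}"
Const VPS_NAME  = "UseOnlyNTLMForWindowsAuth"
Const VPS_VALUE = 1   ' value stated in the post

Dim root, isaArray, sets, vps, current, needsChange

Set root = CreateObject("FPC.Root")
Set isaArray = root.GetContainingArray()
Set sets = isaArray.VendorParametersSets

' Fetch the vendor parameters set, creating it if it does not exist yet.
On Error Resume Next
Set vps = sets.Item(VPS_GUID)
If Err.Number <> 0 Then
    Err.Clear
    Set vps = sets.Add(VPS_GUID)
End If
If Err.Number <> 0 Then
    WScript.Echo "Cannot open or create the set: " & Err.Description
    WScript.Quit 1
End If

' Read the current value; a missing parameter raises an error.
current = vps.Value(VPS_NAME)
If Err.Number <> 0 Then
    Err.Clear
    current = Empty
End If
On Error GoTo 0

' Only write and save when the stored value differs from the target.
needsChange = True
If Not IsEmpty(current) And Not IsNull(current) Then
    If CLng(current) = VPS_VALUE Then needsChange = False
End If

If needsChange Then
    vps.Value(VPS_NAME) = VPS_VALUE
    sets.Save
    WScript.Echo VPS_NAME & " set to " & VPS_VALUE
Else
    WScript.Echo VPS_NAME & " already set to " & current
End If
```

Run it with cscript so the messages go to the console. As the thread shows, a stored value had no effect until the ISA binaries were updated, so also confirm at the proxy which scheme clients are actually offered.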