ISA authentication...

[DerekK]

Hi all. I moved yesterday our ISA proxy (in cache mode) to another machine. We used to have an ISA 2000 SP1 in a Windows 2000 Server SP3 machine and now we have moved to a Windows 2003 Server with ISA 2000 SP2 (i'm waiting for the auth to acquire ISA2004) brand new machine. We use integrated authentication in the building but basic one with branch offices. The point is that in that places wher they're using basic authentication they used to write only the username and the password but now they are not able to connect if they don't use the "domain\username" form.

I found this: http://support.microsoft.com/default...b;en-us;319376 but is not working for me even I've SP2 for ISA installed.

Anyone who can helps me?

Thank you all guys.

[SirDice]

Also, if the user accounts exists in the domain where the ISA server itself is member, the "username" syntax is enough to authenticate the user.

Did anything change regarding the domain membership of the ISA server? I.e. moved to a different domain?

A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix.

Did you obtain this fix?

[DerekK]

Originally posted here by SirDice
Did anything change regarding the domain membership of the ISA server? I.e. moved to a different domain?

Actually the old ISA Server is one of the domain's DC and the new is not. We only have one domain.

Did you obtain this fix?

Is included in the Service Pack 2 for ISA Server 2000 which is installed in the new server.

Thank you.

[SirDice]

Actually the old ISA Server is one of the domain's DC and the new is not.

This is probably it. On the old server the accounts where "local".

[DerekK]

Originally posted here by SirDice
This is probably it. On the old server the accounts where "local".

Yes, I though the same but then in the microsoft paper they say this:

WORKAROUND
If the user specifies "domainname\username" instead of only "username" when the user is prompted for credentials in the browser, the user is immediately authenticated against the correct domain where the user account exists. Also, if the user accounts exists in the domain where the ISA server itself is member, the "username" syntax is enough to authenticate the user.

[SirDice]

Yeah. I read it too. But it won't be the first time a KB article claims one thing and in reallity something else happens.

But IIRC you can set the default domain where you define to use integrated/basic or digest authentication.

[DerekK]

Yes, where you define the use of basic authentication there is a text box to put the default domain on it, i filled it with "domain.com", "DOMAIN" (that is how is filled in the old server) and finally, and after read this microsfot paper , with a backslash "\", but the result is the same...

[SirDice]

This is the main reason why I stopped being an MS admin.......It should do this but it does that?!?!? I'm lost... It's probably something really silly..but what?!?

[DerekK]

Yes, I agree with you... one of the reasons I only changed the hard but not the soft (to ISA 2004) was that I've trouble enough for now and I didn't want to afford big changes with the clients... but now I've to told everyone (around 500 people) to change the authentication method even if I installed the same version of the software....