PRB: ISA Web Publishing Rule Using NTLM May Cause Random Authentication Prompts (327753)

SYMPTOMS

When you use a Web publishing rule that is restricted by NTLM authentication (that is, when Integrated is enabled under Incoming Web Requests), the client may receive random authentication prompts if the back-end IIS Web server that Internet Security and Acceleration Sever (ISA) publishes does not recognize the credentials that the client has used to authenticate to ISA.

This may occur even if the Web server permits anonymous access.

This issue may or may not be visible, depending on the Web page that is requested. The problem typically occurs with Web pages that reference many objects, such as inline images.

CAUSE

Under certain circumstances, Microsoft Internet Explorer sends extraneous initial NTLM Authorization HTTP headers on already authenticated connections. When this request to ISA is sent on an already authenticated connection between the client and ISA, the request (including the NTLM Authorization header) is forwarded to the back-end Web server.

By default, IIS has both Anonymous and Integrated authentication enabled and therefore recognizes the request as the start of a new NTLM handshake. Because of the NTLM Authorization HTTP header, IIS continues the NTLM handshake instead of serving the resource anonymously. When the client completes the NTLM handshake, if the IIS server does not recognize the credentials, IIS returns a "401 Unauthorized" response, and Internet Explorer displays an authentication prompt.

These symptoms only occur if the IIS server does not recognize the credentials that are used to authenticate against ISA.

RESOLUTION

To stop the Web server from responding to the NTLM handshake, click to clear the Integrated Authentication check box on the back-end IIS Web server. When you do this, the Web server serves the page anonymously, and this problem does not occur.