Kerberos authentication to remote Web servers fails for Web proxy clients (840613)
The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2004, Standard Edition

SYMPTOMS

You try to use the Microsoft Internet Security and Acceleration (ISA) Server 2004 Web proxy client to connect to an external or an internal domain Web site that requires authentication. The authentication data passes through ISA Server before it reaches its destination. ISA Server's duplicate (pass-through) authentication process does not recognize Kerberos version 5 protocol authentication data, so you are prompted to re-enter your credentials.

CAUSE

This behavior occurs because the ISA Server 2004 Web proxy client does not support Massachusetts Institute of Technology (MIT) Kerberos version 5 protocol pass-through authentication. If you use your domain account credentials to connect to an external or an internal domain Web site that requires authentication, the Internet Explorer program on the Web proxy client may try to authenticate to the destination server by using Kerberos protocol authentication data. When this occurs, the pass-through authentication process does not recognize the Kerberos protocol authentication data because ISA Server has removed the Kerberos protocol header.

For example, the pass-through authentication process does not recognize the Kerberos protocol authentication data in the following scenarios:
  • When ISA Server is acting as a forward proxy, the ISA Server Web proxy client uses ISA Server as its Web proxy for outbound Internet connections. In this scenario, ISA Server is behind a second ISA Server, which may act as the border firewall. When the client tries to authenticate by using Kerberos protocol authentication data, the second ISA Server does not pass the Kerberos protocol authentication data from the client to the upstream ISA Server that is acting as the firewall. Therefore, the authentication process stops responding.
  • When ISA Server is acting as a reverse proxy, the ISA Server Web proxy client that is on the Internet tries to authenticate to an internal server. The Kerberos protocol authentication data is passed to the ISA Server that is acting as the border firewall. In this scenario, that ISA Server removes the Kerberos protocol authentication header, and the authentication process stops responding.

STATUS

This behavior is by design.

MORE INFORMATION

If you use local credentials for an account that exists on the destination Web site server, the Internet Explorer program that is on the Web proxy client uses NTLM authentication. The authentication process succeeds.
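To confirm from captured traffic which case described above (Kerberos header removed, or NTLM passed through) a failing logon falls into, the following added diagnostic, which is not part of this article or of ISA Server, classifies the token in a client's Authorization header as Kerberos or NTLM and reports whether the proxied copy of the request still carries it. The sample requests, host name and tokens are constructed for the example; the OIDs and the NTLMSSP signature are the real values.

```python
import base64

# Real values: DER-encoded mechanism OIDs and the NTLM message signature.
KRB5_OID = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2 (Kerberos V5)
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2 (SPNEGO)
NTLMSSP = b"NTLMSSP\x00"


def classify_token(b64token):
    """Classify a base64 Negotiate token as 'ntlm', 'kerberos', or 'unknown'."""
    raw = base64.b64decode(b64token)
    if NTLMSSP in raw:                      # raw NTLM, or NTLM carried inside SPNEGO
        return "ntlm"
    if raw[:1] == b"\x60" and (KRB5_OID in raw or SPNEGO_OID in raw):
        return "kerberos"                   # GSS-API InitialContextToken (RFC 2743, 3.1)
    return "unknown"


def auth_header(request_text):
    """Return the value of the Authorization header, or None if it is absent."""
    for line in request_text.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            return value.strip()
    return None


def check_passthrough(client_request, proxied_request):
    """Describe what the proxy did with the client's Authorization header."""
    before, after = auth_header(client_request), auth_header(proxied_request)
    if before is None:
        return "no-auth"
    scheme, _, token = before.partition(" ")
    kind = classify_token(token) if scheme.lower() == "negotiate" else scheme.lower()
    if after is None:
        return kind + "-stripped"
    return kind + ("-forwarded" if after == before else "-modified")


# Constructed sample traffic (not real captures): a Kerberos AP-REQ wrapper and an NTLM type 1 message.
_krb_inner = b"\x06\x09" + KRB5_OID + b"\x01\x00" + b"\x00" * 8     # OID, AP-REQ tok_id, filler
KRB_TOKEN = base64.b64encode(b"\x60" + bytes([len(_krb_inner)]) + _krb_inner).decode()
NTLM_TOKEN = base64.b64encode(NTLMSSP + b"\x01\x00\x00\x00" + b"\x00" * 20).decode()
CLIENT_KRB = "GET / HTTP/1.1\r\nHost: web.example.test\r\nAuthorization: Negotiate " + KRB_TOKEN + "\r\n\r\n"
PROXIED_KRB = "GET / HTTP/1.1\r\nHost: web.example.test\r\nVia: 1.1 isa-proxy\r\n\r\n"   # header removed
CLIENT_NTLM = "GET / HTTP/1.1\r\nHost: web.example.test\r\nAuthorization: Negotiate " + NTLM_TOKEN + "\r\n\r\n"

if __name__ == "__main__":
    print(check_passthrough(CLIENT_KRB, PROXIED_KRB))    # kerberos-stripped
    print(check_passthrough(CLIENT_NTLM, CLIENT_NTLM))   # ntlm-forwarded
```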

Modification Type: Major
Last Reviewed: 12/2/2004
Keywords: kbprb KB840613 kbAudITPRO