Users are repeatedly prompted for their credentials when they try to access the Internet after you configure a firewall chain between ISA Server computers (883285)


The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2000
  • Microsoft Internet Security and Acceleration Server 2004, Standard Edition

SYMPTOMS

After you configure a firewall chain between two or more computers that are running Microsoft Internet Security and Acceleration Server (ISA) 2004 or Internet Security and Acceleration (ISA) Server 2000, users who try to access the Internet are repeatedly prompted for their credentials.

CAUSE

This issue may occur after you configure an upstream ISA Server computer and a downstream ISA Server computer to require authentication. Web browsers, such as Microsoft Internet Explorer, may not keep track of which proxy servers they have authenticated against. In this case, the browser authenticates the first ISA Server computer in the firewall chain. If the browser does not retain the proxy authentication information, the browser may have to authenticate with additional ISA Server computers in the firewall chain.

RESOLUTION

To resolve this issue, allow anonymous access on either the downstream ISA Server computers or the upstream ISA Server computers. Additionally, you can configure the last proxy server in the chain to use NTLM authentication, and then you can configure, in the relevant access rule, the downstream ISA Server computers in the chain to pass credentials to the upstream ISA Server computers. After you change this configuration, the upstream computers will see all requests as coming from the single user account that you configured in the access rule of the downstream computers. Only one computer that is running ISA Server 2004 in the firewall chain requires authentication.

STATUS

This behavior is by design.

REFERENCES

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

297080 Incomplete HTML pages and random authentication prompts if ISA Server is chained to upstream proxy

810561 RemoveAllProxyAuthorization not applied to SSL tunneling (CONNECT) requests

Modification Type:MajorLast Reviewed:9/7/2004
Keywords:kbenv kbFirewall kbtshoot kbprb KB883285 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.