Users are repeatedly prompted for their credentials when they try to access the Internet after you configure a firewall chain between ISA Server computers (883285)
The information in this article applies to:
- Microsoft Internet Security and Acceleration Server 2000
- Microsoft Internet Security and Acceleration Server 2004, Standard Edition
SYMPTOMSAfter you configure a firewall chain between two or more computers that are running Microsoft Internet Security and Acceleration Server (ISA) 2004 or Internet Security and Acceleration (ISA) Server 2000, users who try to access the Internet are repeatedly prompted for their credentials.CAUSEThis issue may occur after you configure an upstream ISA Server computer and a downstream ISA Server computer to require authentication. Web browsers, such as Microsoft Internet Explorer, may not keep track of which proxy servers they have authenticated against.
In this case, the browser authenticates the first ISA Server computer in the firewall chain. If the browser does not retain the proxy authentication information, the browser may have to authenticate with additional ISA Server computers in the firewall chain.RESOLUTIONTo resolve this issue, allow anonymous access on either the downstream ISA Server computers or the upstream ISA Server computers. Additionally, you can configure the last proxy server in the chain to use NTLM authentication, and then you can configure, in the relevant access rule, the downstream ISA Server computers in the chain to pass credentials to the upstream ISA Server computers. After you change this configuration, the upstream computers will see all requests as coming from the single user account that you configured in the access rule of the downstream computers. Only one computer that is running ISA Server 2004 in the firewall chain requires authentication.STATUS
This behavior is by design.REFERENCES
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
297080
Incomplete HTML pages and random authentication prompts if ISA Server is chained to upstream proxy
810561 RemoveAllProxyAuthorization not applied to SSL tunneling (CONNECT) requests
Modification Type: | Major | Last Reviewed: | 9/7/2004 |
---|
Keywords: | kbenv kbFirewall kbtshoot kbprb KB883285 kbAudITPRO |
---|
|