Can ISA Server authenticate machine accounts for access control?

Can ISA Server use machine accounts for access control? For example, to allow a user working from home full access from a corporate laptop, but limited access from a home computer.

The answer is: only in very specific circumstances.

ISA Server evaluates the authentication conditions for an access rule from the settings on the Users tab of the rule, and identifies the computer from which a request originates from the network objects on the From tab. A rule applies only if the conditions on every tab are met. Within a single tab, however, any one of the listed conditions is enough. For example, if the Users tab lists 3 groups, a user need belong to only one of them for the rule to apply.

On the Users tab, ISA Server allows you to specify users, groups, and other security principals for rule authentication. If you specify a computer account on the Users tab, only applications running under the Local System or Network Service account on that computer will be authenticated, and only when the computer authenticates to a domain controller using Kerberos. This occurs when the Web proxy listener on the ISA Server network is enabled for Windows Integrated authentication and the client supports Kerberos authentication (for example, Internet Explorer 7.0). Specifying such a computer account on the Users tab does not replace the value on the From tab: the From tab must still contain a source network object that includes the IP address of the computer.

So how does this work? You specify a computer account (DomainName\ComputerName$) on the Users tab. With this setting, any service (running under the Local System or Network Service account) that uses a Kerberos-enabled client will be authenticated, and access allowed or denied in accordance with the rule. Remember that the source network object on the From tab must include the computer's IP address.

If only a domain users group is specified on the Users tab, then authentication using the computer account is not applicable for the rule; the browser authenticates as the logged-on user, not as the machine. If a rule has both a domain user group and a computer account specified, then at least one of the Users tab conditions must be met: the request must successfully authenticate using either the user account or the computer account.

So what can you do if you want to differentiate user access by computer? For clients connecting remotely from home and corporate computers, one VPN solution is as follows:

  • Create an access rule from the VPN Quarantine Clients network to the destination network. Home computers, which do not pass the quarantine check, remain in this network. Specify a more limited access policy for this rule, and add user accounts if required.
  • Create an access rule from the VPN Clients network to the destination network. Corporate laptops, which pass the quarantine check, are moved to this network. Specify a more permissive access policy for this rule, and add user accounts if required.

For this solution to work you must have a Quarantine configuration (the quarantine client components) on each of the corporate computers, so that they can pass the check and leave the VPN Quarantine Clients network. A home computer without that configuration never leaves quarantine and only ever matches the more limited rule.
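To make the matching semantics above concrete (all tabs must match, any one condition within a tab is enough, and a computer account on the Users tab matches only for Local System or Network Service processes using Kerberos from an address on the From tab), here is a small Python model of rule evaluation. It is an added example written for this article, not ISA Server code or its administration object model. The network address ranges, account names (CORP\LAPTOP01$, CORP\alice, CORP\bob) and rule names are constructed for the example; ISA assigns VPN client addresses dynamically in a real deployment. The same model also walks through the two VPN rules from the list above.

```python
"""Constructed model of ISA Server access-rule matching (illustrative, not ISA code).

Rule semantics from the article: every tab of a rule must match (AND), and within
one tab any single listed condition is enough (OR). A computer account on the Users
tab matches only when the request comes from a process running as Local System or
Network Service that authenticated with Kerberos, and the From tab must still
contain the computer's IP address.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Tuple

# Assumed address ranges for the network objects used below (constructed for the
# example; real VPN address pools are assigned dynamically by ISA Server).
NETWORKS = {
    "Internal": ("10.0.0.0/8",),
    "VPN Clients": ("192.168.100.0/24",),
    "VPN Quarantine Clients": ("192.168.200.0/24",),
}


@dataclass(frozen=True)
class Request:
    src_ip: str
    user: Optional[str] = None               # authenticated user, e.g. "CORP\\alice"
    groups: Sequence[str] = ()               # groups that user belongs to
    computer_account: Optional[str] = None   # e.g. "CORP\\LAPTOP01$" (Kerberos machine auth)
    runs_as_system: bool = False             # process runs as Local System / Network Service
    kerberos: bool = False                   # Kerberos on a Windows Integrated listener


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "allow" or "deny"
    from_networks: Sequence[str]             # From tab: network objects (OR within the tab)
    users: Sequence[str] = ("All Users",)    # Users tab: users, groups, computer accounts (OR)


def _same_account(a: str, b: str) -> bool:
    # Windows account names compare case-insensitively.
    return a.casefold() == b.casefold()


def from_tab_matches(rule: Rule, req: Request) -> bool:
    ip = ip_address(req.src_ip)
    return any(ip in ip_network(cidr)
               for net in rule.from_networks for cidr in NETWORKS[net])


def principal_matches(principal: str, req: Request) -> bool:
    if principal == "All Users":
        return True
    if principal.endswith("$"):
        # Computer account: only Local System / Network Service via Kerberos.
        return (req.runs_as_system and req.kerberos
                and req.computer_account is not None
                and _same_account(req.computer_account, principal))
    if req.user is not None and _same_account(req.user, principal):
        return True
    return any(_same_account(g, principal) for g in req.groups)


def users_tab_matches(rule: Rule, req: Request) -> bool:
    return any(principal_matches(p, req) for p in rule.users)


def rule_applies(rule: Rule, req: Request) -> bool:
    # AND across tabs; each tab has already applied its own OR.
    return from_tab_matches(rule, req) and users_tab_matches(rule, req)


def evaluate(rules: Sequence[Rule], req: Request) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule; the default rule denies."""
    for rule in rules:
        if rule_applies(rule, req):
            return rule.action, rule.name
    return "deny", "Default rule"


# Policy mirroring the article: one computer-account rule plus the two VPN rules.
POLICY = [
    Rule("Allow LAPTOP01 machine traffic", "allow", ("Internal",), ("CORP\\LAPTOP01$",)),
    Rule("Limited access for quarantined VPN clients", "allow",
         ("VPN Quarantine Clients",), ("CORP\\Domain Users",)),
    Rule("Full access for VPN clients", "allow",
         ("VPN Clients",), ("CORP\\Domain Users",)),
]

DOMAIN_USERS = ("CORP\\Domain Users",)

if __name__ == "__main__":
    # A browser on LAPTOP01 authenticates as the user, so the machine rule does not apply.
    print(evaluate(POLICY, Request("10.1.2.3", user="CORP\\alice", groups=DOMAIN_USERS)))
    # A Local System service on LAPTOP01 using Kerberos matches the machine rule.
    print(evaluate(POLICY, Request("10.1.2.3", computer_account="CORP\\LAPTOP01$",
                                   runs_as_system=True, kerberos=True)))
    # The same service from an address outside the From tab does not match.
    print(evaluate(POLICY, Request("172.16.0.5", computer_account="CORP\\LAPTOP01$",
                                   runs_as_system=True, kerberos=True)))
    # Home PC stays in quarantine; a corporate laptop clears it into VPN Clients.
    print(evaluate(POLICY, Request("192.168.200.10", user="CORP\\bob", groups=DOMAIN_USERS)))
    print(evaluate(POLICY, Request("192.168.100.10", user="CORP\\bob", groups=DOMAIN_USERS)))
```

Note that the first request is denied even though it comes from LAPTOP01's address: the From tab matches, but the Users tab lists only the computer account, and a browser request is authenticated as the user. This is exactly why a computer account on the Users tab cannot by itself distinguish "user on a corporate laptop" from "user on a home PC"; the quarantine networks do that job in the VPN design.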

Rayne Wiselman (ISA Server User Experience Team)