New Authentication Features in ISA Server 2006

ISA Server 2006 provides the following new authentication features:

·      Single sign on (SSO), in which a user authenticates once with ISA Server and can access any number of servers that are behind ISA Server, without reauthenticating.

·      Two-factor authentication using forms-based authentication and a client certificate.

·      Forms-based authentication support for publishing any Web server.

·      Customizable forms for forms-based authentication and forms for mobile clients, and use of per-user-agent authentication schemes.

·      Fallback from forms-based authentication to Basic authentication, for non-browser clients.

·      Delegation of credentials by using NTLM or Kerberos authentication.

·      Kerberos constrained delegation.

·      Credentials caching.

·      Password management, in which ISA Server can check the status of the user's account and report it to the user. This feature can also be configured to enable users to change their passwords.

·      Secure Sockets Layer (SSL) client certificate constraints.

·      Ability to assign a different digital certificate to each IP address on a network adapter.

·      A new type of forms-based authentication: User name passcode/password, where the passcode is used for ISA Server authentication and the password is used for authentication delegation.

·      Support for Active Directory® directory service authentication using the Lightweight Directory Access Protocol (LDAP), allowing Active Directory authentication when ISA Server is in a workgroup, or in a forest other than the one that contains the accounts of the user. ISA Server also supports multi-forest configurations, in which the user can be authenticated on a different set of LDAP servers.

·      One-time password support for Remote Authentication Dial-In User Service (RADIUS). In ISA Server 2004, this support was provided for RSA SecurID only.

·      Default blocking of authentication delegation.


These features are described in more detail in Authentication in ISA Server 2006.


Nathan Bigman

ISA Server User Education


Comments (6)

  1. Anonymous says:


    I have a similar requirement as Tom earlier. I am trying to use a RADIUS Authentication that is 2-step i.e. uses the Challenge Response to get additional information from the client. But it does not seem to work.

    Is there an update to get this to work ? Is it in the road-map?

    I have tried with several VPNs and it seems to work without any issues.

  2. Anonymous says:

    This issue has been fixed in the next ISA Server 2004 Best Practices Analyzer version.

    You are welcome to download it from the Microsoft Download Center.

  3. wolf says:

    On an ISA 2006 Server that uses Client Certificate Authentication, is it possible to validate the user’s credentials against an LDAP or RADIUS instance.  My server is located in a workgroup that does not have direct access to the AD. Any thoughts on how we could overcome this lack of AD integration.

  4. Dennis says:

    Hi all, any ideas re Wolf’s question? We have a similar need to authenticate VPN and RDP connections using EAP/TLS/User certs, and there is absolutely no way we are going to add ISA servers to the domain. Based on, EAP with user certificate-based authentication requires domain membership. Am i stuck with using RSA for two-factor athentication or was there a workaround of some kind? Thanks!

  5. tom says:

    My company has an authentication solution that provides second-factor authentication through RADIUS (and web services).

    I tried getting the OTP (one time password) feature working with RADIUS forms based auth in ISA 2006 with no success.

    Our solution relies on the RADIUS client (ISA 2006) responding correctly to a RADIUS Access Challenge message (which requests additional authentication info from the client). ISA 2006 seems to respond the the access challenge message by ignoring it, and rejecting the authentication attempt.

    Does ISA 2006 respond to the RADIUS access challenge? I’m happy to engage with someone from Microsoft to provide more info about what we’re doing (protocol messages etc).

  6. Dennis says:

    Just a follow-up to my previous post, the answer is yes, ISA 2006 CAN be installed into a workgroup and be used as a VPN server for EAP / User Cert authentication via RADIUS. ISA 2006 also can validate user credentials for published web sites via RADIUS.

Skip to main content