Understanding By-Design Behavior of ISA Server 2006: Using Kerberos Authentication for Web Proxy Requests on ISA Server 2006 with NLB


Introduction


 


With companies working more and more to achieve scenarios of high availability, ISA Server 2006 Enterprise Edition Integrated NLB is becoming very popular. High availability is also complemented by the need to offer performance improvement with Kerberos Authentication while browsing using Internet Explorer 7.


 



Note: For more information on the benefits offered by Internet Explorer 7 with Kerberos authentication for Web Proxy request, reviews the article Improving Web Proxy Client Authentication Performance on ISA Server 2006 at Microsoft TechNet.


 


Some customers implement ISA Server 2006 Enterprise Edition with NLB and use a virtual name mapped to the virtual IP as proxy server on Internet Explorer. They notice that if they do that the HTTP request that the request sent to the ISA Server 2006 is authenticated using NTLM protocol. This post will explain why this is an expected behavior and how to allow Kerberos authentication while maintaining the NLB configuration.


 


Understanding the Authentication


 


The Internet Explorer 7 is the first version of Microsoft browser that supports Kerberos authentication for Web Proxy request. The only thing that you will need to do is configure the FQDN of the ISA Server 2006 computer in the Internet Explorer 7 Proxy settings. The problem is that some implementations use the following configuration:


 






















Server Name


ISA01.contoso.msft


ISA02.contoso.msft


Server IP


10.20.20.1


10.20.20.2


SPN


http/isa01.contoso.msft


http/isa02.contoso.msft


Virtual Name


Proxy.contoso.msft


Virtual IP


10.20.20.3


 


Using this configuration, what will happen is the client workstation will send the request for the virtual name, however there is no SPN for http/proxy.contoso.com, therefore it will not be possible to get the Kerberos ticket for this resource, the DC will answer with the error ERR_S_PRINCIPAL_UNKNOWN. The end result is that the client and the server negotiate to use NTLM as authentication method and this is an expected behavior.


 


You might be asking: what if I use SETSPN utility to register http/proxy.contoso.com, will it fix this problem? No it will not. As a matter of fact, you will receive KDC Event ID 11 error DS_SERVICE_PRINCIPAL_NAME saying that you have a duplicate SPN, which maps to the KB 321044.


 


Using Kerberos and NLB


 


On a scenario where you are using ISA Server 2006 with NLB and you also want to use Kerberos for Web Proxy authentication what you should do is use Automatic Script Configuration (WPAD). However we had a change from ISA Server 2000 to ISA Server 2004/2006 in the way that we build the server’s list for the configuration file. On ISA Server 2000 we return the fully-qualified names within the function MakeProxies().  In ISA 2004 and later, we use the server IP addresses appropriate to the network where the script was requested.  This change from fpcNameSystem_DNS to fpcNameSystem_IP for ISA 2004/2006 was made to eliminate the common name resolution problems seen in many ISA deployments.


 



Note: For best practices in DNS configuration on ISA Server follow the recommendations from article Configuring DNS Servers for ISA Server at Microsoft TechNet Library.


 


With the adoption of Internet Explorer 7 and the option to use Kerberos for Web Proxy authentication, the use of the IP causes Kerberos authentication to fail and the browser falls back to NTLM authentication. To change how the ISA Server 2004 and 2006 will build the script by using the fully-qualified name rather than the IP address, save and run the following script on the ISA Server:


 



Const fpcCarpNameSystem_DNS = 0


Const fpcCarpNameSystem_WINS = 1


Const fpcCarpNameSystem_IP = 2


 


Dim oISA: Set oISA = CreateObject( “FPC.Root” )


Dim oArray: Set oArray = oISA.GetContainingArray


Dim oWebProxy: Set oWebProxy = oArray.ArrayPolicy.WebProxy


 


If fpcCarpNameSystem_DNS = oWebProxy.CarpNameSystem Then


    WScript.Echo “ISA is already configured to provide DNS names in the WPAD script”


    WScript.Quit


End If


 


oWebProxy.CarpNameSystem = fpcCarpNameSystem_DNS


oWebProxy.Save true


 


WScript.Echo “ISA was configured to provide DNS names in the WPAD script…”


 


Important: shortly after runing this script,  the Firewall Service will restart. Therefore we recommend doing this change after business hours.


 


The End Result


 


Let’s see on the scenario below, what will be the final result after running this script and configure the client computer to use the virtual name of the array:


 


1. Client sends the DNS Query for proxy.contoso.msft (virtual name that is mapped to the virtual IP):



10.20.20.200      10.20.20.20 DNS   DNS:QueryId = 0x9413, QUERY (Standard query), Query  for proxy.contoso.msft of type Host Addr on class Internet


 


2. DNS Server answers with the virtual IP address of the NLB:



10.20.20.20 10.20.20.200      DNS   DNS:QueryId = 0x9413, QUERY (Standard query), Response – Success, 10.20.20.3


 


3. Client then performs the ARP resolution for this IP and receives the answer:



10.20.20.200      proxy.contoso.msft      ARP   ARP:Request, 10.20.20.200 asks for 10.20.20.3


 



proxy.contoso.msft      10.20.20.200      ARP   ARP:Response, 10.20.20.3 at 02-BF-0A-14-14-03


 


4. Client starts the TCP Handshake with the destination server:



10.20.20.200      proxy.contoso.msft      TCP   TCP:Flags=……S., SrcPort=1240, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=792829912, Ack=0, Win=65535 (scale factor 0) = 65535


 



proxy.contoso.msft      10.20.20.200      TCP   TCP:Flags=…A..S., SrcPort=HTTP Alternate(8080), DstPort=1240, PayloadLen=0, Seq=2467905888, Ack=792829913, Win=16384 (scale factor 0) = 16384


 



10.20.20.200      proxy.contoso.msft      TCP   TCP:Flags=…A…., SrcPort=1240, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=792829913, Ack=2467905889, Win=65535 (scale factor 0) = 65535


 


5. Since the client is configured to “use automatic configuration script” it sends the request for the array.dll. Notice that the HTTP header shows the virtual name:



10.20.20.200      proxy.contoso.msft      HTTP  HTTP:Request, GET /array.dll


– Http: Request, GET /array.dll


    Command: GET


  + URI: /array.dll?Get.Routing.Script


    ProtocolVersion: HTTP/1.1


    Accept:  */*


    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Win32)


    Host:  proxy.contoso.msft:8080


    HeaderEnd: CRLF


 


6. The ISA Server answers the request with the script file. Here it is the place that the script that you ran will make a difference, you will see the computer name rather than the IP address that it is there by default:



proxy.contoso.msft      10.20.20.200      HTTP  HTTP:Response, HTTP/1.1, Status Code = 200, URL: /array.dll


– Http: Response, HTTP/1.1, Status Code = 200, URL: /array.dll


    ProtocolVersion: HTTP/1.1


    StatusCode: 200, Ok


    Reason: OK


    Date:  Sun, 22 Jun 2008 17:45:50 GMT


    Connection:  close


    ContentType:  application/x-ns-proxy-autoconfig


    Cache-Control:  max-age=3000


    HeaderEnd: CRLF


  – payload: HttpContentType =  application/x-ns-proxy-autoconfig


     AutoConfig: //Copyright (c) 1997-2006 Microsoft Corporation


     AutoConfig: BackupRoute=”DIRECT”;


     AutoConfig: UseDirectForLocal=true;


     AutoConfig: function MakeIPs(){


     AutoConfig: }


     AutoConfig: DirectIPs=new MakeIPs();


     AutoConfig: cDirectIPs=0;


     AutoConfig: function MakeCARPExceptions(){


     AutoConfig: this[0]=”*.windowsupdate.com”;


     AutoConfig: this[1]=”windowsupdate.microsoft.com”;


     AutoConfig: this[2]=”*.windowsupdate.microsoft.com”;


     AutoConfig: this[3]=”*.update.microsoft.com”;


     AutoConfig: this[4]=”download.windowsupdate.com”;


     AutoConfig: this[5]=”download.microsoft.com”;


     AutoConfig: this[6]=”*.download.windowsupdate.com”;


     AutoConfig: this[7]=”wustat.windows.com”;


     AutoConfig: this[8]=”ntservicepack.microsoft.com”;


     AutoConfig: }


     AutoConfig: CARPExceptions=new MakeCARPExceptions();


     AutoConfig: cCARPExceptions=9;


     AutoConfig: function MakeNames(){


     AutoConfig: this[0]=”*.contoso.msft”;


     AutoConfig: this[1]=”*.contoso.msft”;


     AutoConfig: }


     AutoConfig: DirectNames=new MakeNames();


     AutoConfig: cDirectNames=2;


     AutoConfig: HttpPort=”8080″;


     AutoConfig: cNodes=2;


     AutoConfig: function MakeProxies(){


     AutoConfig: this[0]=new Node(“ISACONTN2.contoso.msft“,2531460408,1.000000);


     AutoConfig: this[1]=new Node(“ISACONTN1.contoso.msft“,3457248957,1.000000);


     AutoConfig: }


     AutoConfig: Proxies = new MakeProxies();


     AutoConfig: function Node(name, hash, load){


     AutoConfig:  this.name = name;


     AutoConfig:  this.hash = hash;


     AutoConfig:  this.load = load;


     AutoConfig:  this.score = 0;


     AutoConfig:  return this;


     AutoConfig: }


     AutoConfig: function FindProxyForURL(url, host){


     AutoConfig:  var hash=0, urllower, i, fIp=false, ip, nocarp=false, skiphost=false;


     AutoConfig:  var list=””, pl, j, score, ibest, bestscore;


     AutoConfig:  urllower = url.toLowerCase();


     AutoConfig:  if((urllower.substring(0,5)==”rtsp:”) ||


     AutoConfig:    (url


 


7. At this point, the client will use the script to calculate which ISA Server it will use and then send the request to it:



10.20.20.200      isacontn2.contoso.msft  HTTP  HTTP:Request, GET http://www.microsoft.com/isaserver


 


8. Since the rules that allows client to browse Internet requires authentication, the ISA Server will send the 407:



isacontn2.contoso.msft  10.20.20.200      HTTP  HTTP:Response, HTTP/1.1, Status Code = 407, URL: http://www.microsoft.com/isaserver


 


9. The client then goes to the DC and request a ticket (KRB_TGS_REQ) for the correct SPN as you can see below:



10.20.20.200      10.20.20.20 KerberosV5  KerberosV5:TGS Request Realm: CONTOSO.MSFT Sname: HTTP/isacontn2.contoso.msft


 


10. The DC replies with the ticket (KRB_TGS_REP):



10.20.20.20 10.20.20.200      KerberosV5  KerberosV5:TGS Response Cname: Administrator


 


11. The client workstation sends the request to the ISA Server using the Kerberos ticket built in:



10.20.20.200      isacontn2.contoso.msft  HTTP  HTTP:Request, GET http://www.microsoft.com/isaserver


  – ProxyAuthorization: Negotiate


   – Authorization:  Negotiate


    – NegotiateAuthorization:


       Scheme: Negotiate


     – GssapiKrb5: 0x1


        Kerberos:


 


 


Conclusion


 


As you can see it is possible to align the use of NLB and auto configuration scripts while using Kerberos for Web Proxy authentication.


 


Last but not least, the other point to remember is that the proxy server name will also be cached by Internet Explorer. If you want to change this behavior on the client side, apply the steps from KB 271361.


 


 


Authors:


 


Yuri Diogenes


Microsoft CSS Forefront (ISA/TMG) Team


 


Jim Harrison


Microsoft Forefront (ISA/TMG) Sustained Engineering Team


 


Technical Reviewer:


 


Doron Juster


Microsoft Forefront (ISA/TMG) Sustained Engineering Team


 

Comments (13)

  1. Anonymous says:

    Due lots of questions on this subject we just published a post on ISA Server Team Blog about this behavior.

  2. Anonymous says:

    Hi Yuri/Jim,

    So if we have a prefernce for using NLB without CARP (in order to have *proper* HA) is there a way to ensure Kerberos authentication can be used?

    From my understanding, we cannot assign the same SPN to both ISA server computer objects, yet we would need to use a generic alias of proxy.domain.com which maps to the NLB VIP.

    In an IIS world, we can get around this by assiging the SPN to a service account, but I don’t think we can do this with ISA…

    Any ideas?

    Thanks

    JJ

  3. Anonymous says:

    Introduction Since the release of Windows Server 2008 Streaming Media Services , many ISA admins have

  4. Anonymous says:

    Introduction Since the release of Windows Server 2008 Streaming Media Services , many ISA admins have

  5. Thanks Jason. It is always good to have a positive feedback from you.

  6. Anonymous says:

    Great article chaps…very useful!

  7. Anonymous says:

    Last two months for some reason were pretty busy of calls for ISA Server issues where customers were

  8. Goktug Yildirim says:

    Hello,

    As I read the comments I could not understand whether the final comment is the answer of Jason Jones answer.

    Is it possible to use Kerberos while suing  NLB with TMG?

  9. Drew Murray says:

    The traces are wrong – the traces show reference to 10.20.20.200 – this address is not in the table above and is neither the NLB nor the address of the 2 ISA's

    The traces should show that the inital get request once authenticated goes DIRECT to one of the returned ISA's and not the 10.20.20.200 address

    I just noticed that in my test rig.

  10. brice says:

    using isa 2006 script for improving web access rule

  11. Gordon Wright says:

    What if you are using ISA Server 2006 Enterprise Edition without NLB. We use a hardware load balancer instead of NLB. Can we still get kerberos authentication to work?

  12. Anonymous says:

    I recently worked on an interesting support case that I thought I would share. The customer was experiencing

  13. JSB_MCSE says:

    ORI Yosefi is developing a reputation for posting incorrect information.