Web requests from an ISA-local web application may receive unexpected authentication prompts.

Consider the following scenario:

1. You configured "Require all users to authenticate" on the Web Proxy properties page of the Internal network.

2. You configured an access rule that allows HTTP traffic from the Local Host network to the Internal network. The rule applies to all users (anonymous).

3. A SecureNAT client application on the ISA computer (such as Internet Explorer with no proxy settings and no auto-detect) sends an HTTP request to a web server on the Internal network.

With these conditions, the request fails with the error "12209 ISA Server denies the specified Uniform Resource Locator". This failure is unexpected because the access rule applies to all users, so ISA should not try to authenticate the request.

The problem with Web requests from the local host (the ISA computer) is that the firewall engine gets the listener/authentication requirements from the destination network. For instance, if the listener on the Internal network requires all users to authenticate then requests made from the local host to the Internal network will require authentication.

The firewall engine handles requests from other machines (not from the local host) according to the authentication requirements defined in the source network.

For example, let's say you have an ISA server with three NICs and three networks: "internal", "external" and "perpendicular".

When an HTTP request reaches ISA from a machine on the "perpendicular" network, the authentication requirements are taken from the properties of the "perpendicular" network's web proxy listener. In this context, the destination has no effect on the authentication requirements.

Conversely, for web requests originating from the ISA server itself, the requirements are taken from the network object which matches the destination of the request. This behavior is due to a side effect of the firewall engine design.
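To make the asymmetry concrete, here is a small Python model of the listener selection described above, written for this post as an added illustration; it is not ISA Server code and it simplifies the real engine. Network names, rule names and the `accepts_web_proxy_requests` flag are assumptions of the model; the one behavioural assumption beyond the text is that a web proxy client on the ISA computer talks to the Local Host listener, so the normal source-network rule applies to it.

```python
"""Model of which Web Proxy listener governs a request in ISA Server.

Hypothetical simulation written for this post; not ISA's own code.
"""
from dataclasses import dataclass
from typing import Dict, List

LOCAL_HOST = "Local Host"
SECURENAT, WEBPROXY = "SecureNAT", "WebProxy"
ERROR_12209 = "12209 ISA Server denies the specified Uniform Resource Locator"


@dataclass
class Network:
    name: str
    require_all_users_to_authenticate: bool = False  # Web Proxy listener setting
    accepts_web_proxy_requests: bool = True          # off by default on Local Host


@dataclass
class AccessRule:
    name: str
    from_networks: frozenset
    to_networks: frozenset
    requires_authenticated_users: bool = False       # False means "All Users"


@dataclass
class Request:
    source_network: str
    destination_network: str
    client_type: str                                 # SECURENAT or WEBPROXY


def governing_listener(networks: Dict[str, Network], req: Request) -> Network:
    """Return the network whose listener settings apply to this request.

    Requests from other machines use the listener of their *source* network.
    SecureNAT requests from the ISA computer itself are the exception from the
    post: the engine takes the settings from the *destination* network.
    A web proxy client on the ISA computer talks to the Local Host listener,
    so the source-network rule applies again (assumption of this model).
    """
    if req.source_network == LOCAL_HOST and req.client_type == SECURENAT:
        return networks[req.destination_network]
    return networks[req.source_network]


def evaluate(networks: Dict[str, Network], rules: List[AccessRule], req: Request) -> str:
    """Decide whether the request is allowed, and if not, why."""
    listener = governing_listener(networks, req)
    if req.client_type == WEBPROXY and not listener.accepts_web_proxy_requests:
        return "denied: listener does not accept web proxy requests"
    rule = next((r for r in rules
                 if req.source_network in r.from_networks
                 and req.destination_network in r.to_networks), None)
    if rule is None:
        return "denied: no matching access rule"
    # Authentication is demanded if either the listener or the rule asks for it.
    needs_auth = (listener.require_all_users_to_authenticate
                  or rule.requires_authenticated_users)
    # A SecureNAT client cannot answer a proxy authentication challenge.
    if needs_auth and req.client_type == SECURENAT:
        return "denied: " + ERROR_12209
    return "allowed by rule '%s'" % rule.name


def local_host_scenario(listener_requires_auth: bool, rule_requires_auth: bool,
                        client_type: str, local_proxy_listener_enabled: bool = False) -> str:
    """The post's scenario: HTTP from the ISA computer to the Internal network."""
    networks = {
        LOCAL_HOST: Network(LOCAL_HOST, accepts_web_proxy_requests=local_proxy_listener_enabled),
        "Internal": Network("Internal", require_all_users_to_authenticate=listener_requires_auth),
        "External": Network("External"),
    }
    rules = [AccessRule("Local host to Internal", frozenset({LOCAL_HOST}),
                        frozenset({"Internal"}), requires_authenticated_users=rule_requires_auth)]
    return evaluate(networks, rules, Request(LOCAL_HOST, "Internal", client_type))


if __name__ == "__main__":
    # The unexpected denial from the post: listener requires auth, rule is "All Users".
    print(local_host_scenario(True, False, SECURENAT))
    # Workaround 1: authentication moved off the listener and onto the rules that need it.
    print(local_host_scenario(False, False, SECURENAT))
    # Workaround 2: web proxy client, with the Local Host listener enabled for proxy requests.
    print(local_host_scenario(True, False, WEBPROXY, local_proxy_listener_enabled=True))
```

Running the module prints the denial for the original configuration and an allow for each workaround; the `evaluate` function can also be fed a request from a third network to confirm that, for remote sources, only the source network's listener matters.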

Workarounds:

1. Set authentication per rule, instead of per listener.

2. Configure the web application on the local host as a web proxy client instead of a SecureNAT client. By default, ISA does not allow CERN proxy requests to the Local Host listener, so you will have to enable it.


Thanks to Jim Harrison for helping with this blog.


Doron Juster

ISA Server Sustained Engineering group.