Another Case where Users are randomly prompted for Authentication while Browsing Internet through ISA Server 2006

1. Introduction
There are many reasons why users could be prompted for a password while browsing the Internet through ISA Server. One of the most common scenarios is when ISA Server loses connectivity with the Domain Controller and logs events 5783 and 5719. If this is the case, here are some articles that can assist you:

Improving Web Proxy Client Authentication Performance on ISA Server 2006

Troubleshooting Intermittent Pop-up Credentials in ISA Server
There are other scenarios where ISA Server has no performance problems and communication with the Domain Controller works just fine, but the infamous authentication prompt keeps showing up. What could be the reason? Well, the reason could be on the client workstation rather than on ISA Server. Tom Shinder wrote a very good article about this and shows how to resolve it in this blog post:

http://blogs.isaserver.org/shinder/2009/04/24/cached-client-credentials-may-cause-unexpected-user-prompts/
As you can see, there are many scenarios where the symptom is the same but the root cause is different, and that is the point of this article. The scenario covered here has the same symptom (users being randomly prompted for authentication) but yet another root cause.
Note: For the 5783 and 5719 Event IDs, I was actually able to reproduce the behavior in a lab, and you can see the demo here. This simulation was created using a virtual environment and a tool that emulates network conditions. The result in a real environment could vary. The values shown in the simulation don't guarantee that the issue will also happen in a real environment, and there is no guarantee that you will get the same result when trying to simulate the issue on your own.
2. Data Gathering
For issues of this nature, one of the most recommended ways to get data is to run ISA Data Packager in repro mode with the Web Proxy and Web Publishing template. For more information on how to use this tool, read the article here.
3. Reviewing Netmon Trace
One interesting thing while reading the Network Monitor trace was the HTTP response from ISA Server that lists the supported authentication methods: Kerberos, NTLM and Basic. Basic is not a default authentication method on ISA Server (Integrated only is the default), as shown in Figure 1:
Figure 1 – Authentication negotiation.

These methods were sent by ISA Server because the following authentication methods were selected on the Internal network:

Figure 2 – Authentication methods selected on the internal network.

Unchecking Basic authentication resolved the issue, since ISA Server no longer falls back to Basic and prompts for credentials when the application does not support Integrated authentication. But then other concerns arise:

· What about my non-IE browsers that don't support Integrated authentication?

· What about a third-party application that I have that doesn't support Basic authentication?
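To make the negotiation in the trace concrete, here is an added example (not code from the original article and not part of ISA Server) that walks a constructed proxy exchange the way you would read it in Network Monitor: it lists the schemes offered in each 407 response, flags Basic being offered, detects the NTLM-then-Basic fallback that produces the prompt, and shows that a Basic credential is only Base64-encoded by recovering the user name from it. The host names, realm, NTLM token and credential are all made-up sample values; Kerberos is carried inside the Negotiate scheme on the wire.

```python
import base64
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample exchange (not from the article): a 407 from the proxy
# advertising Negotiate (which carries Kerberos), NTLM and Basic; the client
# tries NTLM, is rejected with another 407, and falls back to Basic, which is
# the moment the user sees the credential prompt. Host, realm, token and
# credential are made-up values.
_BASIC_CRED = base64.b64encode(b"CONTOSO\\jdoe:Summer2009!").decode("ascii")
_CHALLENGE = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Via: 1.1 ISA01\r\n"
    "Proxy-Authenticate: Negotiate\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    'Proxy-Authenticate: Basic realm="isa01.contoso.example"\r\n'
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_EXCHANGE: List[Tuple[str, str]] = [
    ("response", _CHALLENGE),
    ("request",
     "GET http://www.example.com/ HTTP/1.1\r\n"
     "Host: www.example.com\r\n"
     "Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=\r\n\r\n"),
    ("response", _CHALLENGE),
    ("request",
     "GET http://www.example.com/ HTTP/1.1\r\n"
     "Host: www.example.com\r\n"
     f"Proxy-Authorization: Basic {_BASIC_CRED}\r\n\r\n"),
]


def parse_headers(message: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split an HTTP message head into its start line and (name, value) pairs."""
    head = message.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def offered_schemes(response: str) -> List[str]:
    """Schemes advertised by Proxy-Authenticate headers, in order of appearance."""
    _, headers = parse_headers(response)
    return [v.split(None, 1)[0] for n, v in headers if n == "proxy-authenticate"]


def used_scheme(request: str) -> Optional[str]:
    """Scheme the client actually used in Proxy-Authorization, if any."""
    _, headers = parse_headers(request)
    for n, v in headers:
        if n == "proxy-authorization":
            return v.split(None, 1)[0]
    return None


def basic_username(request: str) -> Optional[str]:
    """User name carried by a Basic Proxy-Authorization header.

    The whole credential is only Base64-encoded, so anyone who can read the
    trace can recover it; this helper deliberately returns just the user part.
    """
    _, headers = parse_headers(request)
    for n, v in headers:
        if n == "proxy-authorization" and v.startswith("Basic "):
            decoded = base64.b64decode(v[len("Basic "):]).decode("utf-8", "replace")
            return decoded.split(":", 1)[0]
    return None


@dataclass
class Finding:
    schemes: List[str]          # schemes offered in the last 407 seen
    basic_offered: bool         # proxy advertised Basic at least once
    fallback_to_basic: bool     # client used NTLM/Negotiate first, then Basic
    basic_user: Optional[str]   # user name exposed in clear text, if Basic was used


def analyze(exchange: List[Tuple[str, str]]) -> Finding:
    """Replay a request/response sequence and report the negotiation outcome."""
    schemes: List[str] = []
    basic_offered = False
    tried: List[str] = []
    basic_user = None
    for kind, msg in exchange:
        if kind == "response":
            offered = offered_schemes(msg)
            if offered:
                schemes = offered
                basic_offered = basic_offered or "Basic" in offered
        else:
            scheme = used_scheme(msg)
            if scheme:
                tried.append(scheme)
                if scheme == "Basic":
                    basic_user = basic_username(msg)
    fallback = "Basic" in tried and any(
        t in ("NTLM", "Negotiate") for t in tried[: tried.index("Basic")]
    )
    return Finding(schemes, basic_offered, fallback, basic_user)


if __name__ == "__main__":
    print(analyze(SAMPLE_EXCHANGE))
```

Run against a real capture, the same three checks tell you whether the proxy is offering Basic at all, whether a given client only reaches Basic after an Integrated attempt fails (the case this article describes), and whose credentials were exposed in the process. With Basic unchecked on the Internal network, the first check comes back negative and the fallback path does not exist.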

One thing that is important to remember is that with Basic authentication the user's credentials transit the network in clear text (Base64 encoding is not encryption), so it is strongly recommended that you understand the security threat this type of authentication introduces. Whatever decision you make based on your scenario, this point needs to be considered (unless you use IPsec on your internal network).

If you MUST use Basic authentication, then troubleshooting gets deeper and harder, because the prompt appears when NTLM (or Kerberos) fails during the negotiation and ISA Server then asks for the user's credentials using Basic. But why is NTLM failing? It could be many things. Since in this specific case ISA Server is just doing what it is supposed to do, it is time to start narrowing down which clients show this behavior, evaluate them case by case and also gather data from the client side to understand what is happening. Here are some good references for troubleshooting issues like that on the client side:

Internet Explorer May Prompt You for a Password

http://support.microsoft.com/kb/258063

Internet Explorer always prompts for authentication when browsing to Web sites already logged on to

http://support.microsoft.com/kb/820780

You may be continually prompted to authenticate in Internet Explorer 6 when you browse Web sites that you already logged on to in Windows Server 2003

http://support.microsoft.com/kb/885436

NTLM Authentication Does Not Work If Internet Explorer Is Configured to Use HTTP 1.1 Through Proxy Connections

http://support.microsoft.com/kb/322822

Author

Yuri Diogenes

Sr Security Support Escalation Engineer

Microsoft CSS Forefront Edge Team

Technical Reviewer

Thomas Detzner

Escalation Engineer

Microsoft Forefront Edge Team