Another Case where Users are randomly prompted for Authentication while Browsing Internet through ISA Server 2006


1. Introduction


 


There are many reasons that users could be prompt for password while browsing Internet through ISA Server. One of the most common scenarios is when ISA Server loses connectivity with Domain Controller and generates the events 5783 and 5719. If this is the case here some articles that can assist you on that:


Improving Web Proxy Client Authentication Performance on ISA Server 2006


Troubleshooting Intermittent Pop-up Credentials in ISA Server


 


There are other scenarios where ISA Server does not have performance problems, communication with the Domain Controller is working just fine but the infamous authentication prompt keeps showing up. What could be the reason? Well reason could be on the client workstation, not really on ISA Server. Tom Shinder wrote a very good article about this and shows how to resolve that in this blog post:


http://blogs.isaserver.org/shinder/2009/04/24/cached-client-credentials-may-cause-unexpected-user-prompts/


 


As you can see there are many scenarios where the symptom is the same however the root cause is different and this is the goal of this article. The scenario that this article will cover has the same symptom (users being randomly prompt for authentication) however the root cause is different.


 



Note: For the 5783 and 5719 Event ID’s, I was actually able to repro the behavior in a lab and you can see the demo here. This simulation was created using a virtual environment and a tool that emulates network conditions. The result on a real environment could vary. The values showed in the simulation don’t guarantee that on a real environment the issue also will happen. There is no guarantee that you will get the same result trying to simulate the issue on your own.


 


 


2. Data Gathering


 


For issues of this nature one of the most recommended action plan to get data is by using ISA Data Packager in repro mode with Web Proxy and Web Publishing Template. For more information on how to use this tool read the article here.


 


3. Reviewing Netmon Trace


 


One interesting thing while reading netmon trace was the HTTP response from ISA where it shows the supported authentication methods, has Kerberos, NTLM and Basic authentication (which is not a default authentication method on ISA, integrated only is the default) as shown in figure 1:


 


Figure 1 – Authentication negotiation.


 


These methods were sent by ISA because the following authentication methods were selected in the internal network:


 


 


Figure 2 – Authentication methods selected on the internal network.


 


By un-checking Basic authentication the issue got resolved since it will not fallback to Basic and prompt for authentication in scenarios where integrated was not supported by the application. But then other concerns arise:


 


·         What about my non IE browsers that doesn’t support integrated authentication?


·         What about a third party application that I have that don’t support basic authentication?


 


One thing that is important to remember is that by using basic authentication user’s credentials are transiting in clear text, so it is strongly recommended that you understand the security threat that this type of authentication introduces. Regardless of the decision that you will make it based on your scenario this important point needs to be considered (unless you use IPSec on your internal network).


 


If you MUST use basic authentication then the troubleshooting steps could be more deep and hard since the reason why the prompt appears is because NTLM (or Kerberos) failed during the negotiation and then ISA Server asked user’s credential using Basic. But why NTLM is failing? It could be because of many elements, since on this specific case ISA is just doing what is suppose to be done, it is time to start narrowing down which client is having this behavior, evaluate case by case and also get data from the client side to understand what is happening. Here are some good references in troubleshooting issues like that on the client side:


 


Internet Explorer May Prompt You for a Password


http://support.microsoft.com/kb/258063


 


Internet Explorer always prompts for authentication when browsing to Web sites already logged on to


http://support.microsoft.com/kb/820780


 


You may be continually prompted to authenticate in Internet Explorer 6 when you browse Web sites that you already logged on to in Windows Server 2003


http://support.microsoft.com/kb/885436


 


NTLM Authentication Does Not Work If Internet Explorer Is Configured to Use HTTP 1.1 Through Proxy Connections


http://support.microsoft.com/kb/322822


 


 


Author


Yuri Diogenes


Sr Security Support Escalation Engineer


Microsoft CSS Forefront Edge Team


 


Technical Reviewer


Thomas Detzner


Escalation Engineer


Microsoft Forefront Edge Team


Comments (1)

  1. Sandeep Dhonde says:

    This article is quiet good. The problem for auhentication in ISA 2006 in my case was resolved by removing ISP's DNS IPs from alternate dns tab on nic of ISA 2006 server.First, step should be dcdiag /s:DC from ISA 2006,netdiag /v and this will give you the correct picure of ur ISA server.

Skip to main content