Authentication with ISA server 2006

I will discuss authentication with ISA server 2006 in reverse proxy scenario(publishing services e.g. exchange services like OWA,Activesync,outlook anywhere, or website publishing). ISA server can be configured to authenticate users while trying to access above mentioned services published through ISA server. If ISA server is configured to authenticate a user it gets the user to authenticate from a authenticating server e.g. a domain controller. Authenticating servers can be domain controller as mentioned earlier,a radius server,RSA server,ldap server(a domain controller once again but ldap authentication is used in this case).

so its like shown below

Authenticating server(internal)-------ISA server<------(((((internet))))))----External User

Authentication methods

Different Authentication methods are available on ISA server 2006

  • Form based authentication
  • http(basic,integrated or digest)
  • SSL client certificate authentication method

And  authentication validation methods used are

  • windows active directory
  • Ldap
  • Radius
  • Radius OTP
  • RSA SecureID

To simplify the explanation of how this works together lets take one combination in consideration i.e. Form based authentication with authentication validation method as windows active directory(one of the simplest and quiet commonly used).

Windows active directory method can be used when ISA server is part of the domain of which user is a member.So lets take an example of OWA publishing discussed in my earlier post. A user who is member of the domain and wants to access OWA externally . He is on internet and opens browser on his machine and enters public domain name used to access OWA e.g https://mail.corpa.com/owa then the request comes to the ISA server. ISA server would see what is the authentication method selected and in this example we are using Form based authentication so ISA server would present user with Form based authentication page. Then user enters his domain credentials and submits them and this is sent to ISA server and ISA server after recieving them would send them to the domain controller of the domain as it knows that authentication validation method used is windows active directory. Then domain controller validates the user and provides validation information to the ISA server. Depending upon this validation input from the domain controller i.e. user is valid or not access is allowed to the user. After validation user is able to see his inbox.

I have not discussed a component called "Authentication Delegation" in above explanation as it requires separate dedicated explanation or post but for now lets remember that authentication delegation on the publishing rule is configured as per authentication method used on the published server in this case authentication method on OWA directory hosted on the CAS server and its basic authentication in our case. So we used basic authentication for authentication delegation.

How above information fits in our explantion for authentication for OWA access? It comes in picture after domain controller has validated the user, then user credentials are forwarded  by ISA server to CAS server in basic authentication format for authentication from the CAS server. CAS server then gets the user validated and from the domain controller and then after validation provides inbox to the user. Now this completes the picture after including the authentication delegation in our explanation. So what is happening here, we are validating user twice. At first ISA server does the authentication (gets the validation done from a authenticating server e.g. domain controller). Then CAS server does it(asks the domain controller to validate the user) i.e. "Two point authentication"

You can also by pass the ISA authentication and get the user to validate from the CAS server making it only one point authentication if you want to and if you have such requirement. I have seen many scenarios where administrators wanted that. I will explain how you can configure pass through authentication(i.e. by pass authentication on ISA) on the ISA server in a separate post.

All other combinations have above process in common although method of taking user credentials would change and validating method and server would change. But process would stay the same ie. ISA would get request for access and ISA server would look at the method used to ask for credentials from user and then method of validation and accordinly would send request to authenticating server.

Authenticating servers also demand an explanation so let me explain in brief that each authenticating server would have certain requirements so that it can validate the user.Windows active directory method demands that ISA server should be part of the domain similary other methods have there own requirements. Ldap method has its own requirements like creating ldap server set and using that to authenticate the user from domain controllers. Depending upon the existing resources and requirements administrators make choices of which authentication validation they would like to use. e.g. if ISA server is part of the domain you might like to use windows active diectory method.But in case ISA server is not part of the domain then you might like to go for Ldap authentication or Radius Authentication each has its own requirements. if you have RSA server on your network you might like to use RSA SecureId method and as i said each method has its own requirements. I would write dedicated posts for each one of them for more explanation. Thats how authentication on ISA server works.