MS ISA authentication in PI

Similar Messages

• ISA server- Bypass authentication

  Hi 
  My environment: External users access SharePoint intranet site by entering credentials in Microsoft ISA server login page(authenticate to ISA server then accessing all sharepoint sites).
  one client wants to access sharepoint intranet without ISA authentication.Is there any way to access SharePoint intranet site(https://domainname/sites/site1) from internet without ISA authentication.I mean bypass ISA proxy authentication for this particular
  SharePoint site(https://domainname/sites/site1)
  SharePoint site(https://domainname/site/site1) is enabled with anonymous authentication.
  Thanks for any help.

  Hi
  I see this is posted in the wrong forum. Yes you can add the url to the bypass proxy list in IE and it should work.
  Hope this helps. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• Bypass ISA Proxy authentication

  Hi 
  My environment: External users access SharePoint intranet site by entering credentials in Microsoft ISA server login page(authenticate to ISA server then accessing all sharepoint sites).
  one client wants to access sharepoint intranet without ISA authentication.Is there any way to access SharePoint intranet site(https://domainname/sites/site1) from internet without ISA authentication.I mean bypass ISA proxy authentication for this particular
  SharePoint site(https://domainname/sites/site1)
  SharePoint site(https://domainname/site/site1) is enabled with anonymous authentication.
  Thanks for any help.

  Your client can edit his hostfile.
  C:\Windows\System32\drivers\etc\hosts
  Here you specify the IP-Adress of your particular SP server and your URL.

• SQL Reporting services publishing through ISA

  Hello colleagues.
  I have SQL 2012 Reporting Services. Into internal network when I in internet explorer go to https://reports2.domain.ru/reports - all fine. I publishing reports2.domain.ru to External via ISA 2006. Sharepoint don't used.
  From Internet I go to https://reports2.domain.ru/reports, in ISA authentication window I input my login and password and
  see an error: "Error code: 500 Internal Server Error. The target principal name is incorrect."
  I see similar questions on technet, but I don't find solve of my problem.
  Please somebody help me!!

  Hi,
  make sure that the name of the internal reporting Server you entered in the TMG webserver publishing rule matches the CN (Common Name) or SAN (Subject Alternative Name) in the certificate installed on the internal Reporting server
  regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.galileocomputing.de/3276?GPP=MarcGrote

• SGD + Microsoft ISA 2006

  *-- Reposted as a Question -- (Didn't realise it helped get replys) :) --*
  Hi,
  I am hoping someone would be able to help me out here, we have recently purchased the SUN VDI and SGD which we have been looking at for sometime now, due to budgets this year it has taken some time but i have finally got there in the end and i am very happy with the VDI Service.
  I am trying to get the SGD working externally at the moment but it appears to be having problems when it launches the java engine, the java client shows the following in the console
  Java Plug-in 1.6.0_18
  Using JRE version 1.6.0_18-b07 Java HotSpot(TM) Client VM
  java.lang.ClassFormatError: Incompatible magic value 1008813135 in class file Tester
  at java.lang.ClassLoader.defineClass1(Native Method)
  at java.lang.ClassLoader.defineClassCond(Unknown Source)
  at java.lang.ClassLoader.defineClass(Unknown Source)
  at java.security.SecureClassLoader.defineClass(Unknown Source)
  at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
  at java.lang.ClassLoader.loadClass(Unknown Source)
  at java.lang.ClassLoader.loadClass(Unknown Source)
  at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
  at sun.plugin2.applet.Plugin2Manager.createApplet(Unknown Source)
  at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
  at java.lang.Thread.run(Unknown Source)
  Exception: java.lang.ClassFormatError: Incompatible magic value 1008813135 in class file Tester
  java.lang.ClassFormatError: Incompatible magic value 1008813135 in class file com/tarantella/tta/client/tcc/lwplugin/pluginG/TCCHelper
  at java.lang.ClassLoader.defineClass1(Native Method)
  at java.lang.ClassLoader.defineClassCond(Unknown Source)
  at java.lang.ClassLoader.defineClass(Unknown Source)
  at java.security.SecureClassLoader.defineClass(Unknown Source)
  at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
  at java.lang.ClassLoader.loadClass(Unknown Source)
  at java.lang.ClassLoader.loadClass(Unknown Source)
  at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
  at sun.plugin2.applet.Plugin2Manager.createApplet(Unknown Source)
  at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
  at java.lang.Thread.run(Unknown Source)
  Exception: java.lang.ClassFormatError: Incompatible magic value 1008813135 in class file com/tarantella/tta/client/tcc/lwplugin/pluginG/TCCHelperTo be quite honest none of that makes any kind of sense to me, but hopefully someone who is quite savey with Java will know what is going on ;)
  I did some logs on ISA using my External IP when access SGD and it did say connection denied to alot of .js paths so i am wondering weather it is the authentication of ISA that is stopping SGD bringing those files down from the server, the problem is i cannot allow it to not use the ISA Authentication as it needs to be over 443 and ISA obviously needs it to be secure using ISA Authentication for me to publish this.
  The procedure i have to use is browse to the SGD URL, Authenticate agaist ISA which then shows me the SGD Screen, I click on Login to Desktop which then gives me the SGD login, I then authenticate into SGD which then displays the JAVA Screen at that point is when it justs sits there doing nothing.
  Any help/advice will be appriciated
  Many Thanks,
  James.

  Well, I've not seen this before, but I've never seen anyone attempting to use ISA Server, either - I'd hope someone with more knowledge / experience with this product can offer some advice. Until then, guess you're stuck with me ...
  Anyway It would appear that the Tester.class applet is being prevented from being downloaded to your client, or is corrupted in some way. ISA Server is almost certainly causing this.
  I'd first just confirm you can connect from that client to an SGD host without going through an ISA server - connect to https://sgddemo.sun.com and login anonymously, make sure that works.
  You may want to first open up your Java Control Panel, and check your "Temporary Cache Files -> (View)" and then "Resources". you should see a few Java-related files, Tester.class, ttalwwin32G-jps.jar, and ttalwG-jps.jar - if present, make a note of their sizes. Delete these, and then connect to the above URL, they'll be re-loaded.
  Delete these again, then attempt to access via your ISA server again; are any of them reloaded? What's their size?
  As for connecting through ISA Server, I'm afraid I know little about its details, but I think it could be problematic. Are you running SGD in secure (https/aips) mode? Are you running firewall traversal mode? Once authenticated to ISA server, how is traffic directed to the SGD webserver? Is it proxied, or can you get a direct connection?
  Recall that SGD has two connections between the client and the SGD server - the first is the web browser - http or https - that handles logging you in, building a webtop, launching applications, etc. The second is the AIP connection - this is your display traffic, and can be encrypted or left unencrypted. This connection is initiated by a separate client component, and uses tcp port 3144 (for unencrypted connections), 5307 (for encrypted), and most commonly port 443, in "firewall traversal" or "firewall forwarding" mode. In this mode, both https and aip traffic are tunneled on port 443, and are "demultiplexed" on the SGD server.
  I'd thinking that firewall forwarding might have the best chance of succeeding in this environment, as ISA server won't be able to recognize the Java class libraries for what they are, since they're encrypted. But I'm still concerned about routing and such in an SSL environment - I'm not convinced you'll be able to route a client connection properly through the ISA server.
  Anyway, a quick way to setup security/firewall traversal is using the "tarantella security enable" command line - it'll create a self-signed cert, install it, and configure firewall traversal. Or, if you have a permanent cert, will install that as well.
  Here's where I'd recommend you use the Secure Gateway as an alternative entry point to your network ...

• Connecting through ISA firewall

  I am tring to connect Contribute 3.11 through our company ISA
  authentication (firewall). The network provider tells me that ports
  20 and 21 are open for FTP but about halfway through the connection
  process, I get prompted for authentication username and password. 3
  tries and I'm out
  . I have also tried full domainname\username with
  password and that bombs too. Has anybody else seen this or know how
  to get around it?
  I can connect just fine on my home PC so I know my
  destination settings and permissions are OK. Any help is greatly
  appreciated.

  1. You can specify proxy settings in Contribute by going to
  Edit > Preferences > FTP Proxy.
  2. try disabling any antivirus software or firewall running
  on your system.
  3. make sure you install the ISA Firewall Client in your
  System:
  http://www.isaserver.org/tutorials/Manually_installing_the_ISA_firewall_client.html
  4. to verify if FTP is indeed enabled, try to type this in
  IE: ftp://ftp.irs.gov
  see if you can access the folders; if not, your system admin
  is lying; ftp is not enabled
  5. go to control panel > internet options > advanced;
  make sure that user http 1.1 through proxy connections is checked

• Use of  HeaderVariableLogonModule with ISA (Proxy server)

  Hi,
  We are planning to use the ISA 2010 Server as as reverse proxy to acess the  SAP Portal 7.0 (EHP1). We are going to use the ISA authentication to access the SAP Portal. If we use ISA authentication, I don't want the Portal login page to appear. Once user is authenticated in the ISA server, it should come directly to portal without asking the Portal authentication again..
  Can I achieve this scenario with HeaderVariableLogonModule ?.
  Thanks

  Hi,
  You can prevent Header Spoofing this by writing your own login module on top of HeaderVariable login module or by having proper firewall rules in place which allows access of Portal only through the ISA server.
  Check the link below for further details:
  http://help.sap.com/saphelp_nw70ehp1/helpdata/en/d0/a3d940c2653126e10000000a1550b0/content.htm
  Regards,
  Vijith

• Reporting Services through ISA server for All Authenticated Users

  Hello colleagues.
  I have MS SQL 2012 server with Reporting Services and it work via link:
  https://reports2.domain.com/reports
  In LAN all work fine, but I want publish this resource via ISA for All Authenticated Users.
  When in publish rule I configure (in Condition) "All users" - all work fine, but when I configure "All Authenticated Users" - I have trouble on web form on
  https://reports2.domain.com/reports/Pages/Report.aspx?ItemPat...  - scripts not work, because it run how "anonymous" (I see on ISA logging) and ISA block scripts.
  I can't use "All Users", because it's not secure.
  Maybe somebody publish Reporting Services through ISA server for All Authenticated Users?
  OR maybe - how on Reporting Services configure Negotiate authenticated for scripts?

  Hi Alexander,
  All users or applications who request access to report server content or operations must be authenticated using the authentication type configured on the report server before access is allowed. The AuthenticationType named RSWindowsNegotiate is supported
  by Reporting Services. To configure Windows Authentication on the Report Server, please see:
  http://msdn.microsoft.com/en-us/library/cc281253(v=sql.110).aspx
  Besides, we can publish report server via ISA server. Please note that you should use a new web port number with a new listener which shouldn’t be used by other web site for report server. Reference:
  http://social.technet.microsoft.com/Forums/forefront/en-US/1cc68996-1ce6-4d88-a30d-2bfd13fba06e/how-to-publish-ssrs-2008-through-isa-2006?forum=Forefrontedgegeneral
  Hope this helps.
  Thanks,
  Katherine Xiong
  Katherine Xiong
  TechNet Community Support
  Katherine thanks for answer.
  Report Server service started as Domain account.
  I have in RSReportServer.config this:
  <Authentication>
  <AuthenticationTypes>
  <RSWindowsNegotiate />
  </AuthenticationTypes>
  <RSWindowsExtendedProtectionLevel>Allow</RSWindowsExtendedProtectionLevel>
  <RSWindowsExtendedProtectionScenario>Proxy</RSWindowsExtendedProtectionScenario>
  <EnableAuthPersistence>true</EnableAuthPersistence>
  </Authentication>
  In web.config I have this:
  <authentication mode="Windows" />
      <identity impersonate="true" />
  I can go (from Internet through ISA) to
  https://reports2.domain.com/reports  and LogOn Authentication is work, but scripts not work, because it run how "anonymous" (I see this on ISA logging) and ISA block scripts.
  Do you know where in Reporting Services configure run scripts with Negotiate authentication?

• Publish RD Gateway and Web Access with One-Time Password (OTP) / Two-factor Authentication WITHOUT ISA/TMG server

  Hi everybody,
  I've been struggeling with this problem for a few weeks now and can't find a way to solve it.
  We have an RD farm (Server 2012) which consists of two Remote Desktop Servers with Connection Broker and Web Access.
  I've recently published a new server, containing RD Gateway and Web Access in our perimeter network.
  Now we've got restrictions that OTP/2FA must be used for the external deployment and we've decided to go for a solution from Gemalto.
  The "program" is called IDConfim and the server is called SA Server (Strong Authentication).
  Also it's important that NO ISA/TMG server is supposed to be used, the OTP/2FA is supposed to work seamless with the Web Access/Gateway.
  After hours discuss we came to a point were their NPS agent setup would be the only way to accomplish our goals.
  The setup is supposed to be like this:
  LAN:
  1 DC (2008 R2)
  RD Farm (2012)
  1 SA Server (2012)
  DMZ:
  RD Gateway/Web Access (2012)
  Were Gateway and Web Access should forward the authentications with NPS to the NPS agent on the SA server.
  When you print your AD account to authenticate you add the 6 digits of OTP which you recieve from you mobile app.
  Initially this seems to work, the Gateway forwards the request to the remote NPS server, BUT only if you write the correct AD password
  (without the OTP extension).
  If you write the correct AD password the authentication is forwarded to out SA Servern and it's beeing rejeced because the password doesn't
  contain the correct OTP extension.
  The problem comes here.
  When you write you AD password along with the OTP extension you get a Windows Security error in the eventlog (On thw Gateway server) like this:
  An account failed to log on.
  Subject:
  Security ID: NULL SID
  Account Name: -
  Account Domain: -
  Logon ID: 0x0
  Logon Type: 3
  Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name: user
  Account Domain: domain
  Failure Information:
  Failure Reason: Unknown username or password.
  Status: 0xc000006d
  Sub Status: 0x0
  Process Information:
  Caller Process ID: 0x0
  Caller Process Name: -
  Network Information:
  Workstation Name: server
  Source Network Address: 192.168.x.x
  Source Port: 63003
  Detailed Authentication Information:
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0
  This event is generated when a logon request fails. It is generated on the computer where access was attempted.
  The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
  The Process Information fields indicate which account and process on the system requested the logon.
  The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  The authentication information fields provide detailed information about this specific logon request.
  - Transited services indicate which intermediate services have participated in this logon request.
  - Package name indicates which sub-protocol was used among the NTLM protocols.
  - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
  What i can see it's a NTLM error, but hey?! aren't we supposed to forward all authentication handeling to the remote NPS server?
  The problem is that no matter what i try the above problem stays there.
  Is it not possible to just forward ALL authentication handeling to a remote server?
  The only solution I've found to get it working someday in the future is this:
  "Remote Desktop Pluggable Authentication and Authorization", which is supposed to be introduced in 2012 R2.
  Also this link describes it:
  http://archive.msdn.microsoft.com/Release/ProjectReleases.aspx?ProjectName=rdsdev&ReleaseId=3745
  Please, bring me some answers before my head explodes! :)
  PS, long question = maybe some errors, ask me if something is unclear.

  Hi,
  Based on our experience, if the NTLM error occurs, please check the password.
  Regards,
  Mike
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• Perimeter authentication with ISA server and AD

  Hi,
  We have a Microsoft ISA server that does all authentication at the perimeter. I'm trying to set up a WLS 10 that can inspect and pass on the authenticated Subject to the (SQLServer) database when performing searches.
  I have configured the environment according to the steps in [url  http://e-docs.bea.com/wls/docs100/secmanage/sso.html], and I have set up my security realm with an Active Directory Authentication provider and a Negotiate Identity Assertion provider. But soemthing is obviously not working, since I see no signs of the authenitcated subject in the server log, and Security.getCurrentSubject() returns an empty Subject. What am I doing wrong?
  Thanks
  Edited by tdirrenb at 04/18/2008 6:33 AM
  Edited by tdirrenb at 04/18/2008 6:34 AM

  Hi Vinod,
  Looks like this is a AAA issue. Moving this to AAA domain for faster response.
  thanks,
  Vinay

• ISA Proxy Error Authentication

  Hi,
  I have problem when I try to use a service proxy hosted in my OSB, I get the error:
  *"Proxy Authentication Requiered (The ISA Server requieres authorization to fullfill the request. Access to the Web Proxy filter is denied)"*
  thanks for your attention
  Greetings

  Looks like the underlying service is looking for some credentials so that it will provide response message. There are various ways you can send credentials in your request.
  Find out what kind of credentails it requires ?
  Thanks,
  Vijay

• Safari crashes behind Microsoft ISA proxy \ Authenticating to MS services

  I recently updated to Leopard but I'm experiencing multiple issues with Safari. Whenever I'm at the office Safari crashes repetitively whenever I try to access a site requiring authentication (mainly Microsoft based). at the office .
  This issue started after upgrading (thus not a clean install) to Leopard. Only happens in Safari (firefox no problem).
  This only happens when I'm in the office where I connect via a Microsoft ISA server. On the same machine with 10.4 I never once had this issue.
  One note is that since the upgrade to Leopard, authentication with ISA server does not work in the traditional way of domain\username (as it did before and should also now), but requires that I omit the domain name, this may be a clue to the cause? My Laptop is not part of any Windows domain I use a different user locally than to access any online services.
  I cannot upload crash details via the crash reporter (might be blocked on the proxy server)
  I would like to hear any suggestions.
  Thanks
  DT

  I've had this problem logged as a bug on Radar since September (yes before Leopard shipped). The bug report was closed as a duplicate but I got it re-opened when 10.5.1 shipped and it was still present. It used to be just https access that caused Omniweb and Safari to crash when I authenticated to the ISA proxy in work.
  After applying the latest updates (Security Update 2007-009 and Quicktime Broadcaster 1.5.2) any app that uses the proxy crashes. So http web access as well as https access not cause a crash. The Omni update check app crashes and takes the app in question with it when you launch it. Software update crashes. So do others but I forget the details.
  This only happens at work. Fine on other networks. If I browse on the same machine using IE under Windows XP in a Parallels VM using Shared networking there are no problems. This is a Leopard problem . Didn't happen under Tiger.
  Not good.
  This is not good.

• ISA server authentication for Nokia N95

  Gents,
  I have just bought a N95 and I am facing problems on setting the proxy configuration for a ISA server.
  I could config the LAN settings but my proxy requires an authentication by username and password and until now I could not figure out how to make it.
  My actual settings are:
  Nokia N95 (N95-1 - Model: RM-159)
  WLAN security mode: 802.1X
  * WLAN Security settings:
  * WPA/WPA2: EAP
  * EAP plug-in settings:
  * EAP-TLS (Only this one is selected).
  * Personal ceritificate: from certificate (user people)
  * Authority certificate: Certificate of your ISA Server
  * User name in use: from certificate
  * User name: Your User Name (Can be eventualy: Your Domain\Your User Name
  * Realm in use: from certificate
  * Realm: Empty
  Could anyone help me out?
  Thanks...

  Hi
  I see this is posted in the wrong forum. Yes you can add the url to the bypass proxy list in IE and it should work.
  Hope this helps. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• Use of CE/WCCP with Microsoft ISA server acting as an authentication proxy.

  We have a design where all web users are authenticated against Active Directory by Microsofts ISA server proxy service prior to accessing web resources.
  Is it possible to implement a CE behind the ISA server, and still have the proxy authenticate users credentials?
  My concern is that WCCP will redirect traffic to the content engine first, if the content is not available, wil the content engine then forward to the proxy for authentication prior to the request going out to the web?
  Cheers,

  Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen
  If anyone else in the forum has some advice, please reply to this thread.
  Thank you for posting.

• Authenticating via Microsoft ISA Server using Integrated protocol

  *** Cross-posted in Advanced Language Topics forum ***
  Does anyone know how to configure a URLConnection object to authenticate via a Microsoft ISA Server using the Integrated protocol?
  Authenticating using the Basic protocol is easy:
  URLConnection conn = <whatever>;
  String username = <whatever>;
  String password = <whatever>;
  String auth = username + ":" + password;
  String encodedAuth = new BASE64Encoder().encode(auth.getBytes());
  conn.setRequestProperty("Proxy-Authorization", "Basic " + encodedAuth);Does anyone know what to change to authenticate with the Integrated protocol?
  Thanks,
  Shaun

  Just visiting...
  Shaun