A machine that is configured as a Firewall and Web proxy client (ISA Firewall best practice) should be able to transparently authenticate with the ISA Firewall when the client and the ISA Firewall are both members of the same or trusted domains. So, why would the Firewall and Web proxy clients be asked repeatedly for user credentials?
The problem is related to the dreaded "Ask unauthenticated users to authenticate" setting on the Web proxy listener.
Check this out:
Problem: Firewall clients with Web Proxy settings specified in their browsers are being prompted with a 401: Authentication Required message, even though they are domain members in the ISA Server domain.
Cause: This problem arises when Firewall clients have automatic discovery enabled, and Require all users to authenticate is enabled on the Web Proxy listener of the Internal network. The Winsock Proxy Autodetect (WSPAD) request must be authenticated because Require all users to authenticate is set. The Firewall Client program cannot respond to the 401 response and the request fails.
Solution: Install ISA Server 2004 Standard Edition Service Pack 1. For more information, see the Microsoft Knowledge Base article 885683: “You receive error messages if the Internet Security and Acceleration Server 2004 Firewall Client program is configured for auto-discovery or if you try to configure this program for auto-discovery.”