Another one of the stellar sessions we had at the MVP conference last week was given by Jim Harrison. If you don't know Jim, he's one of the technical PMs on the ISA Firewall team. Jim is a literal river of technical information when it comes to the ISA Firewall, so if you ever get a chance to hear Jim speak, do so!
Jim talked about the 2006 ISA Firewall's new authentication schemes. In case you're not aware, previous versions of the ISA Firewall supported authentication delegation, but only delegation of basic credentials. With the new ISA Firewall, you can delegate credentials other than basic, including NTLM and Kerberos (via Kerberos Constrained Delegation).
However, with new features come new troubleshooting problems. Jim brought up one of the most common ones being an authentication error that leads to the user seeing page that says "you are not authorized to see this page".
The problem comes when the ISA Firewall admin configures the Web publishing rule to use forms-based authentication, but then doesn't configure authentication delegation correctly. You'll see this problem when you configure the ISA Firewall to either delegate authentication using a method not supported on the Web server, or allowing authentication directly to the Web server but not enabling a method that can be used from the Internet.
Jim had dozens of cool examples, many to many to mention here. However, you will have the chance to hear the talk yourself if you attend TechEd this year. If you're going to TechEd, then put Jim's session on the top of your list!