The Web Proxy Service and Integrated Authentication: Correcting An Error.
There are times when you think you're on top of the world, and that you've actually mastered a subject. If you ever feel like that you better start worrying because if you're in the IT industry, grim reality will knock you down so fast it'll make your head spin! This is a business where not only can you not take for granted what experts say, you can't even trust things you see with your own eyes!
Case in point: Integrated Authentication and the Web Proxy Service
During the ISA Server beta test phase, there were quite a few newsgroup posts on the msnews server regarding problems with the Web Proxy service and passing Integrated Authentication credentials. A number of highly regarded posters stated that the Web Proxy Service did not support passing Integrated Authentication credentials to a server that had been published by a Web Publishing Rule.
Configuring ISA Server 2000 : Building Firewalls for Windows 2000
By Deb and Tom Shinder
Since I believe in testing as many things as possible before believing them, I decided to test this hypothesis. I published several different web sites using different ISA Servers. Each web site was configured to require Integrated Authentication, and all other types of authentication, including Anonymous, Digest and Basic Authentication were disabled. I restarted the w3svc on the machines and then published them.
I confirmed that the posters were right. I could not contact these sites. When I tried to connect to a site published through a Web Publishing Rule, I would always see what appears below:
This looks pretty straightforward, right? No logon dialog box appears, just a 401.2 error stating that the request was unauthorized.
You Can't Always Believe Your Eyes
Based on my repeated testing on multiple web sites and multiple web servers, I felt pretty secure in my belief that ISA Server could not pass Integrated Authentication information through the Web Proxy Service.
However, Rob Delany in a message thread here on isaserver.org http://www.isaserver.org/ubb/Forum5/HTML/000034.html was steadfast in his observation that Integrated Authentication does work on the internal web server, and that is was having no problems using Integrated Authentication on his published OWA web site.
At first I figured that Rob was mistaken, and that perhaps we was using cached information or there was a misconfiguration on his web server that was allowing anonymous or Basic Credentials to be sent. However, he was insistent that everything was set up correctly. He also mentioned as an aside that all clients were using Internet Explorer 5.5.
Integrated Authentication Mystery Resolved!
When Rob mentioned that he was using IE 5.5 on all his clients, a light bulb went off in my head. I have never used IE 5.5 because there are some stability issues with that version. Windows 2000 is uses IE 5.0 by default and I never found any reason to upgrade to IE 5.5.
Therefore, I created a Virtual Machine in VMWare and installed IE 5.5 in the Virtual Machine (I didn't want to put IE 5.5 on any production machines). Guess what I saw when trying to access a web site requiring Integrated Authentication from the IE 5.5 machine? I saw what appears below:
(note: the site name has been removed to protect the guilty)
Bob was right. And so was everyone else who questioned my assertion that Integrated credentials could not be passed to a server published by the Web Proxy Service. The problem appears to be related to a bug in IE 5.01 that prevented Integrated Authentication credentials from passing through the Web Proxy Service to the internal web server. It was not a problem with the Web Proxy Service or Web Publishing Rules after all!
I have also said that Digest Authentication credentials will not be passed by the Web Proxy Service. However, there was one poster on the www.isaserver.org web boards who said he believed that Digest Authentication at the internal web site would work.
Since I discovered the issue with Integrated Authentication, I decided to test out Digest Authentication using IE 5.5 on a Windows 2000 Professional machine. I did get a log on dialog box, but after entering my credentials in several different ways, I always came up with the same result, as seen below.
Therefore, I still believe that you cannot use Digest Authentication on the internal web server that you are publishing through the Web Publishing Wizard. However, if someone comes up with a way to make this work, I'll be glad to write a retraction regarding Digest Authentication too!
No matter how confident you are in this business, you better not get too comfortable because something is going to happen that will knock you down fast. Don't' believe everything you read without testing it first, and then don't believe your eyes after you've tested it!
It's important not only to test scenarios on different servers and sites, but also to test with different clients. This article pointed out a problem with the client side of a client/server interaction. I entirely neglected the client side, and therefore wasn't able to come to a correct conclusion. My thanks to Rob and all the other posters on the www.isaserver.org web boards for helping all of us come to the truth!
I hope you found this article interesting and/or useful. If you have any questions on what we discussed here, please feel free to post to the message boards at www.isaserver.org or write to me at [email protected]. I'll try to answer your question as soon as possible. Thanks! -Tom