Understanding ISA’s different Authentication types.

It is important to understand the types of authentication that ISA can use to validate with other servers and applications. This tutorial will outline the authentication methods, but will not focus on the configuration of each. Look out for other tutorials in my section on the configuration side of Authentication. Please note that all of the tests are performed using IE5.5 browsers and above, some browsers do not support other authentication types other than basic authentication.

There are four types of authentication methods supported by ISA server.

  1. Client certificates and server certificates

  2. Basic authentication

  3. Digest authentication

  4. Integrated authentication

Client certificates and server certificates
A server certificate is sent to the client when the server authenticates itself, the server requests identification from the client. The client then needs to send the appropriate client certificate to the server.
During the logon process the user’s web browser submits encrypted identification (or the certificate) for inspection by SSL server. Certificates are used to verify that the users of the server are who they claim to be. The certificate includes all of the credential information linked to that organization or client that is need.

Client certificate (in SSL bridging scenarios)

  1. This authentication method is used when ISA Server requests a client certificate from the client machine, before allowing the resource request to be processed.

  2. The client sends a request to the ISA server and the server sends a certificate to the client.

  3. The ISA server then performs the role of the SSL web server computer.

  4. When the client receives the certificate it is able to verify that the certificate indeed belongs to the ISA server.

  5. A resource request is then sent to the ISA server by the client

  6. The ISA server checks the certificate to verify it is identical to the one it sent to the client in the beginning of the process. (this protects the client making sure no one is spoofing)

  7. ISA server checks to see if the client is allowed access to the resource requested.

Please note: Client certificates should be installed in the web proxy service certificate store on the ISA server computer where the requests from the clients are sent to. In an array this can be one machine or multiple machines depending on the configuration for that organization. Certificates should also be mapped to user accounts.

Server certificates
The server is requested to authenticate itself, when SSL objects are request by a client from a server. Any disruption in communication would mean a re-authentication process

  1. Server certificates should be installed on the ISA server in the Local server’s certificate store.

  2. The certificate name must be identical to the name of the ISA server or of published Web servers

  3. When a client requests SSL objects from a server, it requests that the server authenticate itself.

  4. If ISA Server terminates an SSL connection, then the ISA Server will have to authenticate itself to the client.

Basic authentication
Basic Authentication is the same as the http process of authentication. All transactions are in clear text, but usernames and passwords are encoded. No encryption is used = low overhead on system.

  1. The user is prompted by the application they are using for a username and password

  2. The user fills these credentials in correctly remembering that the password is case sensitive.

  3. The application (this could be the web browser) encodes or prearranges the credentials and sends it to the server

  4. The server compares these credentials to its own list of accounts locally, in the domain or trusted domain, and then grants access to the resources that the client has been configured access for.

Digest authentication

Note: This method of Authentication will only function in windows 2000 domains.

This method of authentication is safer than basic authentication as the user credentials are hashed or encrypted; where as basic authentication sends the credentials over the wire in clear text.

  1. Authentication that is processed in the Digest manner involves the user credentials passing through a one-way process, also known as hashing.

  2. This hashing process results in a message digest (hash) and the original credentials can not be deciphered from the hash string sent to the ISA Server. Unique data is added to the credentials (normally the password) before the hashing process takes place so no other users can sniff the packets with a packet capturer and try to attempt to be an imposter (or spoof).

  3. Data is added to the hash string that identifies the originating computer, username and domain where the user account belongs. Time stamps are also added to the string to provide better password security.

Integrated authentication

Please Note: Using an IE browser later that 5.5 would be strongly recommended when dabbling with this type of authentication. Using other lower versions or browsers might result in no access to the resource.

This form of authentication is secure, no username or password is sent across the wire at any point. Integrated authentication makes use of Kerbros or the built in (NTLM) Challenge/response authentication protocol.

Pass-through authentication

Please note: Kerberos is not supported in pass through authentication.

Pass-through authentication is when ISA Server passes a client’s authentication information to the server where the resource requested resides. ISA Server supports this authentication method for both outgoing and incoming Web requests.

  1. A Get request is send by the client to the resource server (web server)

  2. The web server responds with a 401 error = authentication required and what authentication the web server supports.

  3. ISA Server presents the Authentication required response to the client, and the client sends the information requested by the ISA server, the ISA Server then passes the client authentication information to the Web server.

  4. The client then communicates directly with the server.

Summary: I have collated and summarized allot of authentication information and hope this will help you in your quest. It is difficult to troubleshoot a problem when you are not sure of how the browser or application is authenticating. Hopefully this information will help you in you quest.

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top