I always thought there was something fishy about Server-side CARP. t On 2/12/07 6:12 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all: > No. > You still haven¹t answered this question: ³Are these servers in a workgroup or > domain environment?² > If you send anything, send ISAInfo; not screen captures. > > There are three cases where this error might occur: > 1. Intra-array traffic, where each server queries the others for their > interpretation of the array membership (uses machine account by default) > > 2. Server-side CARP (uses machine account by default) > > 3. Web Chaining (uses the account specified in the rule) > > > Quit playing with hardware settings they have nothing to do with this. > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On > Behalf Of Bogdan Florin > Sent: Sunday, February 11, 2007 10:29 PM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: ISA Intra Array Authentification > > I have an idea: > The security setup on the D:\URLCACHE is the following: > > Administrators full > Network Service full > System full > > Does this have something to do with the Authentication error? > > > > Yours sincerely, > > > Bogdan Florin > > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On > Behalf Of Jim Harrison > Sent: Monday, February 12, 2007 2:39 AM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: ISA Intra Array Authentification > > Good that¹s been answered. > Are these servers in a workgroup or domain environment? > Are you chaining between ISA servers? > Have you configured any web chaining rules? > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On > Behalf Of Bogdan Florin > Sent: Sunday, February 11, 2007 2:28 PM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: ISA Intra Array Authentification > > I¹m sorry to see you upset. > > Array properties / IntraArray credentials ? is setup ³Authenticate using the > computer account of the Array member² > > > It is normal to be the same because this proporites are auotmaticaly > sincronized by the array himself as far as I know. > > > Do you have any other ideea ? > > > > > Yours sincerely, > > > Bogdan Florin > > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On > Behalf Of Jim Harrison > Sent: Sunday, February 11, 2007 11:38 PM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: ISA Intra Array Authentification > > Stop > Playing > With > Your > Network > Configuration > > Stop > Playing > With > NLB > Settings > > Check the intra-array authentication settings for each server in the array. > Make sure that they are *THE SAME* for each server. > > What; I donn tawk Engrish gud?!? > > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On > Behalf Of Bogdan Florin > Sent: Sunday, February 11, 2007 1:17 PM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: ISA Intra Array Authentification > > ISA1, original ip: xxx.xxx.xxx.187 > ISA2, original ip: xxx.xxx.xxx.189 > > I follow the documentation enabling NLB on Internal networks and I specify the > virtual ip as: xxx.xxx.xxx.190 (same subnet) > > The intra array authentification show problems ! > > Than I add a second interface on both servers (192.168.254.1 and > 192.168.254.2) and I specify that this new one should be for intra array, I > also disabled the firewall as described in documentation: > http://www.microsoft.com/technet/isa/2004/plan/network_load_balancing_ee.mspx > > result > same problems ! > > > I notice that in Networks I receive this message: You have changed the network > topology. The network diagram does not reflect these changes. All networks in > the network topology are listed in the networks tab. > And I change topology to Edge Firewall with FULL FULL acces > same result > > intra array problems ! > > I really have no ideea what can be done. > > And after every change ?.. I wait peacefully till a corect total and complete > sincronization. > > > Any ideea is very warm welcome. > > > > > Yours sincerely, > > > Bogdan Florin > > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On > Behalf Of Jim Harrison > Sent: Sunday, February 11, 2007 5:23 PM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: ISA Intra Array Authentification > > It¹s only a ³best practice² if you operate NLB on Windows prior to 2003 SP1. > There is no valid ³traffic² or ³functionality² requirement to have a separate > intra-array NIC if you¹re running non-NLB or Windows 2003 SP1 or later. > > The fact is; changing your network or NLB configuration will not affect the > authentication used to communicate between array members. > Check the authentication selection & IP address defined for each member in the > array they *MUST AGREE*. > > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On > Behalf Of Gerald G. Young > Sent: Sunday, February 11, 2007 7:05 AM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: ISA Intra Array Authentification > > Well, technically, not exactly, although it is a best practice. > > There are two ways to work around this. These are: > > 1. Run NLB in Multicast mode not something I consider a good idea > because you will most likely end up having to hard code a bunch of network > devices¹ ARP tables. > > 2. Use the UnicastInterHostCommSupport Registry key (assuming Windows 2003 > SP1). > > > The link for 2., above is http://support.microsoft.com/kb/898867. > > > Cordially yours, > Jerry G. Young II > Application Engineer, Platform Engineering and Architecture > NTT America, an NTT Communications Company > > 22451 Shaw Rd. > Sterling, VA 20166 > > Office: 571-434-1319 > Fax: 703-333-6749 > Email: g.young@xxxxxxxx > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On > Behalf Of Steve Moffat > Sent: Sunday, February 11, 2007 6:50 AM > To: ISA Mailing List > Subject: [isalist] Re: ISA Intra Array Authentification > > Intra-Array Communication > When you use ISA Server integrated NLB, each computer running ISA Server > services requires an additional network adapter, for intra-array > communication. We recommend that these network adapters be physically > connected to each other (for example, through a single switch), and not to > other network segments, to ensure that they receive only intra-array > communication. You should then configure intra-array communication to use the > IP address of the new adapter on each server. The configuration procedures are > described in the topic Configuring and Securing Intra-Array Communication in > this document. > > Therefore it needs at least 2 nics > > S > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On > Behalf Of Bogdan Florin > Sent: Sunday, February 11, 2007 3:00 AM > To: ISA Mailing List > Subject: [isalist] Re: ISA Intra Array Authentification > > I did this and I found interesting documentation. > > http://www.microsoft.com/technet/isa/2004/plan/network_load_balancing_ee.mspx > > please be kind and confirm if my understanding was right: > > - to have ISA with one Ethernet card only working in ARRAY there is also > required to configure Network Load Balancing. > > Or ? TWO Ethernet will be a MUST ? > > Thank you. > > > PS: on Isa 2000 it was simple creating the array, joust add second server, > same settings and work but in 2004 it seems they change something more. > > > > Yours sincerely, > > > Bogdan Florin > CEO > InterNetCon - Satellite Internet Services > www.internetcon.ro <http://www.internetcon.ro> www.powersat.ro > <http://www.powersat.ro> > Phone: +40-264-452383 > Cell: +40-740-074031 > Cell: +40-788-074031 > Fax: +40-264-452207 > > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On > Behalf Of Jim Harrison > Sent: Saturday, February 10, 2007 10:21 PM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: ISA Intra Array Authentification > > Search the help for ³intra-array account². > Make sure that it¹s set the same for al servers in the array. > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On > Behalf Of Bogdan Florin > Sent: Monday, February 05, 2007 11:30 PM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] ISA Intra Array Authentification > > Dear Colleagues, > > I come to you with a simple question and I trough that you can help me faster > than any other documentation. > > We have an ISA Server 2004 connected to our main domain, with only one > interface and used purely for caching. The settings are all ok, everything > works all right. In this enviroments we add another server with intentions to > have 2 servers in array. We would like to make a fail over at DNS level with > same record and two IP. > > After this array created successfully, there is one error on each ISA machine: > Description: ISA Server cannot connect to xxx.xxx.xxx.xxx proxy server because > the server requires authentication, either when chaining or for intra-array > communication. However authentication failed because the specified credentials > were incorrect. Check authentication credentials and try again. > > While XXX.XXX.XXX.XXX is the address of OTHER server. In this spirit I reach > the conclusion that there is a problem in INTRA ARRAY communication. > > The second server it have CARP Load factor to 1 and the old server have CARP > Load factor to 100. In this enviroments ?. When an end user connects to the > second server it got the following error: > > ? Error Code: 502 Proxy Error. Logon failure: unknown user name or bad > password. (1326) > ? IP Address: server isa old > ? Date: 2/6/2007 7:18:37 AM > ? Server: server isa new > ? Source: proxy > > I can only conclude that Intra-Array authentification is the problem. > > If you can provide me a fast advice I would appreciate very much. > > > > > Yours sincerely, > > > Bogdan Florin > CEO > InterNetCon - Satellite Internet Services > www.internetcon.ro <http://www.internetcon.ro> www.powersat.ro > <http://www.powersat.ro> > Phone: +40-264-452383 > Cell: +40-740-074031 > Cell: +40-788-074031 > Fax: +40-264-452207 > All mail to and from this domain is GFI-scanned. > All mail to and from this domain is GFI-scanned. > All mail to and from this domain is GFI-scanned. > All mail to and from this domain is GFI-scanned. > All mail to and from this domain is GFI-scanned. > All mail to and from this domain is GFI-scanned. >