[isalist] Re: ISA Intra Array Authentification

I always thought there was something fishy about Server-side CARP.

t


On 2/12/07 6:12 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:

> No.
> You still haven¹t answered this question: ³Are these servers in a workgroup or
> domain environment?²
> If you send anything, send ISAInfo; not screen captures.
>  
> There are three cases where this error might occur:
> 1.      Intra-array traffic, where each server queries the others for their
> interpretation of the array membership (uses machine account by default)
> 
> 2.      Server-side CARP (uses machine account by default)
> 
> 3.      Web Chaining (uses the account specified in the rule)
> 
>  
> Quit playing with hardware settings ­ they have nothing to do with this.
>  
> 
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
> Behalf Of Bogdan Florin
> Sent: Sunday, February 11, 2007 10:29 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: ISA Intra Array Authentification
>  
> I have an idea:
> The security setup on the D:\URLCACHE is the following:
>  
> Administrators ­ full
> Network Service ­ full
> System ­ full
>  
> Does this have something to do with the Authentication error?
>  
>  
> 
> Yours sincerely,
>  
> 
> Bogdan Florin
>  
> 
> 
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
> Behalf Of Jim Harrison
> Sent: Monday, February 12, 2007 2:39 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: ISA Intra Array Authentification
>  
> Good ­ that¹s been answered.
> Are these servers in a workgroup or domain environment?
> Are you chaining between ISA servers?
> Have you configured any web chaining rules?
>  
> 
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
> Behalf Of Bogdan Florin
> Sent: Sunday, February 11, 2007 2:28 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: ISA Intra Array Authentification
>  
> I¹m sorry to see you upset.
>  
> Array properties / IntraArray credentials ? is setup ³Authenticate using the
> computer account of the Array member²
>  
>  
> It is normal to be the same because this proporites are auotmaticaly
> sincronized by the array himself as far as I know.
>  
>  
> Do you have any other ideea ?
>  
>  
>  
> 
> Yours sincerely,
>  
> 
> Bogdan Florin
>  
> 
> 
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
> Behalf Of Jim Harrison
> Sent: Sunday, February 11, 2007 11:38 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: ISA Intra Array Authentification
>  
> Stop
> Playing
> With
> Your
> Network
> Configuration
>  
> Stop
> Playing
> With
> NLB
> Settings
>  
> Check the intra-array authentication settings for each server in the array.
> Make sure that they are *THE SAME* for each server.
>  
> What; I donn tawk Engrish gud?!?
>  
>  
> 
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
> Behalf Of Bogdan Florin
> Sent: Sunday, February 11, 2007 1:17 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: ISA Intra Array Authentification
>  
> ISA1, original ip: xxx.xxx.xxx.187
> ISA2, original ip: xxx.xxx.xxx.189
>  
> I follow the documentation enabling NLB on Internal networks and I specify the
> virtual ip as: xxx.xxx.xxx.190 (same subnet)
>  
> The intra array authentification show problems !
>  
> Than I add a second interface on both servers  (192.168.254.1 and
> 192.168.254.2) and I specify that this new one should be for intra array, I
> also disabled the firewall as described in documentation:
> http://www.microsoft.com/technet/isa/2004/plan/network_load_balancing_ee.mspx
>  
> result > same problems !
>  
>  
> I notice that in Networks I receive this message: You have changed the network
> topology. The network diagram does not reflect these changes. All networks in
> the network topology are listed in the networks tab.
>  And I change topology to Edge Firewall with FULL FULL acces > same result  >
> intra array problems !
>  
> I really have no ideea what can be done.
>  
> And after every change ?.. I wait peacefully till a corect total and complete
> sincronization.
>  
>  
> Any ideea is very warm welcome.
>  
>  
>  
> 
> Yours sincerely,
>  
> 
> Bogdan Florin
>  
> 
> 
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
> Behalf Of Jim Harrison
> Sent: Sunday, February 11, 2007 5:23 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: ISA Intra Array Authentification
>  
> It¹s only a ³best practice² if you operate NLB on Windows prior to 2003 SP1.
> There is no valid ³traffic² or ³functionality² requirement to have a separate
> intra-array NIC if you¹re running non-NLB or Windows 2003 SP1 or later.
>  
> The fact is; changing your network or NLB configuration will not affect the
> authentication used to communicate between array members.
> Check the authentication selection & IP address defined for each member in the
> array ­ they *MUST AGREE*.
>  
>  
> 
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
> Behalf Of Gerald G. Young
> Sent: Sunday, February 11, 2007 7:05 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: ISA Intra Array Authentification
>  
> Well, technically, not exactly, although it is a best practice.
>  
> There are two ways to work around this. These are:
>  
> 1.     Run NLB in Multicast mode ­ not something I consider a good idea
> because you will most likely end up having to hard code a bunch of network
> devices¹ ARP tables.
> 
> 2.     Use the UnicastInterHostCommSupport Registry key (assuming Windows 2003
> SP1).
> 
>  
> The link for 2., above is http://support.microsoft.com/kb/898867.
>  
> 
> Cordially yours,
> Jerry G. Young II
> Application Engineer, Platform Engineering and Architecture
> NTT America, an NTT Communications Company
>  
> 22451 Shaw Rd.
> Sterling, VA 20166
>  
> Office: 571-434-1319
> Fax: 703-333-6749
> Email: g.young@xxxxxxxx
>  
> 
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
> Behalf Of Steve Moffat
> Sent: Sunday, February 11, 2007 6:50 AM
> To: ISA Mailing List
> Subject: [isalist] Re: ISA Intra Array Authentification
>  
> Intra-Array Communication
> When you use ISA Server integrated NLB, each computer running ISA Server
> services requires an additional network adapter, for intra-array
> communication. We recommend that these network adapters be physically
> connected to each other (for example, through a single switch), and not to
> other network segments, to ensure that they receive only intra-array
> communication. You should then configure intra-array communication to use the
> IP address of the new adapter on each server. The configuration procedures are
> described in the topic Configuring and Securing Intra-Array Communication in
> this document.
>  
> Therefore it needs at least 2 nics
>  
> S
>  
> 
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
> Behalf Of Bogdan Florin
> Sent: Sunday, February 11, 2007 3:00 AM
> To: ISA Mailing List
> Subject: [isalist] Re: ISA Intra Array Authentification
>  
> I did this and I found interesting documentation.
>  
> http://www.microsoft.com/technet/isa/2004/plan/network_load_balancing_ee.mspx
>  
> please be kind and confirm if my understanding was right:
>  
> -       to have ISA with one Ethernet card only working in ARRAY there is also
> required to configure Network Load Balancing.
>  
> Or ? TWO Ethernet will be a MUST ?
>  
> Thank you.
>  
>  
> PS: on Isa 2000 it was simple creating the array, joust add second server,
> same settings and work but in 2004 it seems they change something more.
>  
>  
> 
> Yours sincerely,
>  
> 
> Bogdan Florin
> CEO
> InterNetCon - Satellite Internet Services
> www.internetcon.ro <http://www.internetcon.ro>  www.powersat.ro
> <http://www.powersat.ro>
> Phone: +40-264-452383
> Cell: +40-740-074031
> Cell: +40-788-074031
> Fax: +40-264-452207
>  
> 
> 
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
> Behalf Of Jim Harrison
> Sent: Saturday, February 10, 2007 10:21 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: ISA Intra Array Authentification
>  
> Search the help for ³intra-array account².
> Make sure that it¹s set the same for al servers in the array.
>  
> 
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
> Behalf Of Bogdan Florin
> Sent: Monday, February 05, 2007 11:30 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] ISA Intra Array Authentification
>  
> Dear Colleagues,
>  
> I come to you with a simple question and I trough that you can help me faster
> than any other documentation.
>  
> We have an ISA Server 2004 connected to our main domain, with only one
> interface and used purely for caching. The settings are all ok, everything
> works all right. In this enviroments we add another server with intentions to
> have 2 servers in array. We would like to make a fail over at DNS level with
> same record and two IP.
>  
> After this array created successfully, there is one error on each ISA machine:
> Description: ISA Server cannot connect to xxx.xxx.xxx.xxx proxy server because
> the server requires authentication, either when chaining or for intra-array
> communication. However authentication failed because the specified credentials
> were incorrect. Check authentication credentials and try again.
>  
> While XXX.XXX.XXX.XXX is the address of OTHER server. In this spirit I reach
> the conclusion that there is a problem in INTRA ARRAY communication.
>  
> The second server it have CARP Load factor to 1 and the old server have CARP
> Load factor to 100. In this enviroments ?. When an end user connects to the
> second server it got the following error:
>  
> ?        Error Code: 502 Proxy Error. Logon failure: unknown user name or bad
> password. (1326) 
> ?        IP Address: server isa old
> ?        Date: 2/6/2007 7:18:37 AM
> ?        Server: server isa new
> ?        Source: proxy
>  
> I can only conclude that Intra-Array authentification is the problem.
>  
> If you can provide me a fast advice I would appreciate very much.
>  
>  
>  
> 
> Yours sincerely,
>  
> 
> Bogdan Florin
> CEO
> InterNetCon - Satellite Internet Services
> www.internetcon.ro <http://www.internetcon.ro>  www.powersat.ro
> <http://www.powersat.ro>
> Phone: +40-264-452383
> Cell: +40-740-074031
> Cell: +40-788-074031
> Fax: +40-264-452207
> All mail to and from this domain is GFI-scanned.
> All mail to and from this domain is GFI-scanned.
> All mail to and from this domain is GFI-scanned.
> All mail to and from this domain is GFI-scanned.
> All mail to and from this domain is GFI-scanned.
> All mail to and from this domain is GFI-scanned.
> 


Other related posts: