[isalist] Re: ISA Intra Array Authentification

 

1.       Your network definitions are broken  - just plain broken.
You're operating with the Edge Template, have no addresses assigned to
the Internal network and the only hosts using the "Intra-array" net are
the ISA servers

2.       You have GFI WebMonitor installed, but ISAInfo doesn't know how
to read this configuration (yet; David?)  Have you tried to disable or
remove the filter?

 

GFI WebMonitor3 filter

Enabled

 Description

GFI WebMonitor3 filter for ISA server

 Filter Direction

Forward

 Priority

Medium

 Relative Path

WebMonPlg.dll

 Vendor

GFi Software Ltd.

 Version

3.1.421

 

I can't speak to the version displayed (David again?), but you should
check to ensure you have the latest bits.

 

In the intra-array capture, Proxy2 (192.168.254.2) is attempting to
authenticate with Proxy1 (192.168.254.1) via a "GET
http://ms_proxy_intra_array_auth_query/"; request and receives a "400"
response from Proxy1.

Under normal circumstances, this response should never happen.  The
destination ISA would respond with a "407" if authentication actually
failed.

Because this request is strictly for authentication to the upstream ,
ISA interprets any non-200 response as "failed authentication" and
reports it back down the chain as such.

 

Repeat the test with isabpapack +repro on both servers and respond with
a link to both packages.

One change - log on as a domain admin - the bizranet\florin account
failed to authenticate to MSDE and so we have no logs.

This way, we can see what both servers thought of the communication.

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Bogdan Florin
Sent: Tuesday, February 13, 2007 1:47 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA Intra Array Authentification

 

We'll try it one more time and I'll be as specific as possible:

1.      Log on to your problematic ISA Server using an account which has
local administrator privileges

2.      Breathe in; breathe out

3.      Start | Run | cmd

4.      Breathe in; breathe out

5.      Navigate to the ISABPA installation folder

6.      Breathe in; breathe out

7.      Type 'isabpapack +repro' (no quotes)

8.      Breathe in; breathe out

9.      When ISABPAPack prompts you, hit <space>

10.  Breathe in; breathe out

11.  Move to the test client machine

12.  Breathe in; breathe out

13.  Perform the action at a client machine which produces the "Error
Code: 502 Proxy Error. Logon failure: unknown user name or bad password.
(1326) " error.

14.  Breathe in; breathe out

15.  Return to the ISA Server

16.  Breathe in; breathe out

17.  In the cmd window where ISABPA is patiently waiting for your
return, hit <space>

18.  Breathe in; breathe out

19.  Observe the messaging in the command window

20.  Breathe in; breathe out (repeat while ISABPAPack finishes its
tasks)

21.  Observe the .cab file that appears on the desktop when the process
completes (ISABPAPack also tells you this)

22.  Breathe in; breathe out

23.  Copy that .cab file to your web site

24.  Breathe in; breathe out

25.  Respond with a link to the resulting data

26.  Breathe in; breathe out

 

Any further respiration is your own responsibility.

 

Everything completed exactly.

 

http://web.bizarnet.ro/IsaPackage.zip

 

Proxy2 have CARP load factor 1 while Proxy"1" have CARP load factor 100
wich conclude that all Web Requests heading to proxy2 it will be
retrived from Proxy1. this is the moment when IntraArray
authentification return the error. The client computer was manualy setup
to ask Proxy2.

 

I will read your comments with much interest. I will be back online over
8 hours.

 

 

Thank you for your support ! I'm patience to see the end of this intra
array mistery.

All mail to and from this domain is GFI-scanned.


All mail to and from this domain is GFI-scanned.

Other related posts: