"I thought he switched off 3rd party" - no - for this data set, I wanted to see what was going on "in situ" first. The intra_array_auth_query is being received in two chunks. From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of David Farinic Sent: Wednesday, February 14, 2007 12:56 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: ISA Intra Array Authentification 3.1.421 is old version of WebMonitor3. There was bug: If ms_proxy_intra_array_auth_query request is received in 2 chunks by filters, WM3 failed to send buffered data (only when WebMonitor's AntiVirus scanning was turned ON) (fixed on 12th October.2006) Logged, observed behavior was Authorization denied between array members. It was fixed from WM3 build 20061013. He should download WM3 from www.gfi.com. I thought he switched off 3rd party to eliminate & identify potential sources of problem as a first thing. With Kind Regards DavidF ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Wednesday, February 14, 2007 12:34 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: ISA Intra Array Authentification 1. Your network definitions are broken - just plain broken. You're operating with the Edge Template, have no addresses assigned to the Internal network and the only hosts using the "Intra-array" net are the ISA servers 2. You have GFI WebMonitor installed, but ISAInfo doesn't know how to read this configuration (yet; David?) Have you tried to disable or remove the filter? GFI WebMonitor3 filter Enabled Description GFI WebMonitor3 filter for ISA server Filter Direction Forward Priority Medium Relative Path WebMonPlg.dll Vendor GFi Software Ltd. Version 3.1.421 I can't speak to the version displayed (David again?), but you should check to ensure you have the latest bits. In the intra-array capture, Proxy2 (192.168.254.2) is attempting to authenticate with Proxy1 (192.168.254.1) via a "GET http://ms_proxy_intra_array_auth_query/"; request and receives a "400" response from Proxy1. Under normal circumstances, this response should never happen. The destination ISA would respond with a "407" if authentication actually failed. Because this request is strictly for authentication to the upstream , ISA interprets any non-200 response as "failed authentication" and reports it back down the chain as such. Repeat the test with isabpapack +repro on both servers and respond with a link to both packages. One change - log on as a domain admin - the bizranet\florin account failed to authenticate to MSDE and so we have no logs. This way, we can see what both servers thought of the communication. From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Bogdan Florin Sent: Tuesday, February 13, 2007 1:47 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: ISA Intra Array Authentification We'll try it one more time and I'll be as specific as possible: 1. Log on to your problematic ISA Server using an account which has local administrator privileges 2. Breathe in; breathe out 3. Start | Run | cmd 4. Breathe in; breathe out 5. Navigate to the ISABPA installation folder 6. Breathe in; breathe out 7. Type 'isabpapack +repro' (no quotes) 8. Breathe in; breathe out 9. When ISABPAPack prompts you, hit <space> 10. Breathe in; breathe out 11. Move to the test client machine 12. Breathe in; breathe out 13. Perform the action at a client machine which produces the "Error Code: 502 Proxy Error. Logon failure: unknown user name or bad password. (1326) " error. 14. Breathe in; breathe out 15. Return to the ISA Server 16. Breathe in; breathe out 17. In the cmd window where ISABPA is patiently waiting for your return, hit <space> 18. Breathe in; breathe out 19. Observe the messaging in the command window 20. Breathe in; breathe out (repeat while ISABPAPack finishes its tasks) 21. Observe the .cab file that appears on the desktop when the process completes (ISABPAPack also tells you this) 22. Breathe in; breathe out 23. Copy that .cab file to your web site 24. Breathe in; breathe out 25. Respond with a link to the resulting data 26. Breathe in; breathe out Any further respiration is your own responsibility. Everything completed exactly. http://web.bizarnet.ro/IsaPackage.zip Proxy2 have CARP load factor 1 while Proxy"1" have CARP load factor 100 wich conclude that all Web Requests heading to proxy2 it will be retrived from Proxy1. this is the moment when IntraArray authentification return the error. The client computer was manualy setup to ask Proxy2. I will read your comments with much interest. I will be back online over 8 hours. Thank you for your support ! I'm patience to see the end of this intra array mistery. All mail to and from this domain is GFI-scanned. All mail to and from this domain is GFI-scanned. DISCLAIMER The information contained in this electronic mail may be confidential or legally privileged. It is for the intended recipient(s) only. Should you receive this message in error, please notify the sender by replying to this mail. Unless expressly stated, opinions in this message are those of the individual sender and not of GFI. Unauthorized use of the contents is strictly prohibited. While all care has been taken, GFI is not responsible for the integrity of the contents of this electronic mail and any attachments included within. This mail was checked for viruses by GFI MailSecurity. GFI also develops anti-spam software (GFI MailEssentials), a fax server (GFI FAXmaker), and network security and management software (GFI LANguard) - www.gfi.com All mail to and from this domain is GFI-scanned.