[isalist] Re: ISA Intra Array Authentification
- From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
- To: <isalist@xxxxxxxxxxxxx>
- Date: Wed, 14 Feb 2007 05:52:25 -0800
"I thought he switched off 3rd party" - no - for this data set, I wanted
to see what was going on "in situ" first.
The intra_array_auth_query is being received in two chunks.
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of David Farinic
Sent: Wednesday, February 14, 2007 12:56 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA Intra Array Authentification
3.1.421 is old version of WebMonitor3.
There was bug: If ms_proxy_intra_array_auth_query request is received
in 2 chunks by filters, WM3 failed to send buffered data (only when
WebMonitor's AntiVirus scanning was turned ON) (fixed on 12th
October.2006)
Logged, observed behavior was Authorization denied between array
members.
It was fixed from WM3 build 20061013.
He should download WM3 from www.gfi.com.
I thought he switched off 3rd party to eliminate & identify potential
sources of problem as a first thing.
With Kind Regards DavidF
________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Wednesday, February 14, 2007 12:34 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA Intra Array Authentification
1. Your network definitions are broken - just plain broken.
You're operating with the Edge Template, have no addresses assigned to
the Internal network and the only hosts using the "Intra-array" net are
the ISA servers
2. You have GFI WebMonitor installed, but ISAInfo doesn't know how
to read this configuration (yet; David?) Have you tried to disable or
remove the filter?
GFI WebMonitor3 filter
Enabled
Description
GFI WebMonitor3 filter for ISA server
Filter Direction
Forward
Priority
Medium
Relative Path
WebMonPlg.dll
Vendor
GFi Software Ltd.
Version
3.1.421
I can't speak to the version displayed (David again?), but you should
check to ensure you have the latest bits.
In the intra-array capture, Proxy2 (192.168.254.2) is attempting to
authenticate with Proxy1 (192.168.254.1) via a "GET
http://ms_proxy_intra_array_auth_query/"; request and receives a "400"
response from Proxy1.
Under normal circumstances, this response should never happen. The
destination ISA would respond with a "407" if authentication actually
failed.
Because this request is strictly for authentication to the upstream ,
ISA interprets any non-200 response as "failed authentication" and
reports it back down the chain as such.
Repeat the test with isabpapack +repro on both servers and respond with
a link to both packages.
One change - log on as a domain admin - the bizranet\florin account
failed to authenticate to MSDE and so we have no logs.
This way, we can see what both servers thought of the communication.
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Bogdan Florin
Sent: Tuesday, February 13, 2007 1:47 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA Intra Array Authentification
We'll try it one more time and I'll be as specific as possible:
1. Log on to your problematic ISA Server using an account which has
local administrator privileges
2. Breathe in; breathe out
3. Start | Run | cmd
4. Breathe in; breathe out
5. Navigate to the ISABPA installation folder
6. Breathe in; breathe out
7. Type 'isabpapack +repro' (no quotes)
8. Breathe in; breathe out
9. When ISABPAPack prompts you, hit <space>
10. Breathe in; breathe out
11. Move to the test client machine
12. Breathe in; breathe out
13. Perform the action at a client machine which produces the "Error
Code: 502 Proxy Error. Logon failure: unknown user name or bad password.
(1326) " error.
14. Breathe in; breathe out
15. Return to the ISA Server
16. Breathe in; breathe out
17. In the cmd window where ISABPA is patiently waiting for your
return, hit <space>
18. Breathe in; breathe out
19. Observe the messaging in the command window
20. Breathe in; breathe out (repeat while ISABPAPack finishes its
tasks)
21. Observe the .cab file that appears on the desktop when the process
completes (ISABPAPack also tells you this)
22. Breathe in; breathe out
23. Copy that .cab file to your web site
24. Breathe in; breathe out
25. Respond with a link to the resulting data
26. Breathe in; breathe out
Any further respiration is your own responsibility.
Everything completed exactly.
http://web.bizarnet.ro/IsaPackage.zip
Proxy2 have CARP load factor 1 while Proxy"1" have CARP load factor 100
wich conclude that all Web Requests heading to proxy2 it will be
retrived from Proxy1. this is the moment when IntraArray
authentification return the error. The client computer was manualy setup
to ask Proxy2.
I will read your comments with much interest. I will be back online over
8 hours.
Thank you for your support ! I'm patience to see the end of this intra
array mistery.
All mail to and from this domain is GFI-scanned.
All mail to and from this domain is GFI-scanned.
DISCLAIMER
The information contained in this electronic mail may be confidential or
legally privileged. It is for the intended recipient(s) only. Should you
receive this message in error, please notify the sender by replying to
this mail. Unless expressly stated, opinions in this message are those
of the individual sender and not of GFI. Unauthorized use of the
contents is strictly prohibited. While all care has been taken, GFI is
not responsible for the integrity of the contents of this electronic
mail and any attachments included within.
This mail was checked for viruses by GFI MailSecurity. GFI also develops
anti-spam software (GFI MailEssentials), a fax server (GFI FAXmaker),
and network security and management software (GFI LANguard) -
www.gfi.com
All mail to and from this domain is GFI-scanned.
Other related posts:
