Riiiiiight.. ..and a cigar is just a cigar... :-P -------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! -------------------------------------------- -----Original Message----- From: MJ [mailto:mjtech@xxxxxxxxx] Sent: Monday, January 23, 2006 8:40 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: [islets] RE: ISA 2004 authentication issue http://www.ISAserver.org I mean welcoming me!! -----Original Message----- From: MJ [mailto:mjtech@xxxxxxxxx] Sent: Monday, January 23, 2006 11:22 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: [islets] RE: ISA 2004 authentication issue http://www.ISAserver.org Is this a tricky message, or you're really coming me? Thanks any way -----Original Message----- From: John T (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx] Sent: Monday, January 23, 2006 1:00 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: [islets] RE: ISA 2004 authentication issue http://www.ISAserver.org I tried and I tried and I tried but I can not hold back no more. MJ, welcome to the Andrew club! You are now an honorary member. John T eServices For You > -----Original Message----- > From: MJ [mailto:mjtech@xxxxxxxxx] > Sent: Saturday, January 21, 2006 4:49 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: [islets] RE: ISA 2004 authentication issue > > http://www.ISAserver.org > > how that disagreed with the description of the problem? > > I was trying use "Require All Users to Authenticate" with the prompt, this > KB Article did just that for me. > > > > -----Original Message----- > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > Sent: Saturday, January 21, 2006 7:35 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: [islets] RE: ISA 2004 authentication issue > > > http://www.ISAserver.org > > Interesting, since this disagreed with your description of the problem. > > -------------------------------------------- > Jim Harrison > MCP(NT4, W2K), A+, Network+, PCG > http://isaserver.org/Jim_Harrison/ > http://isatools.org > Read the help / books / articles! > -------------------------------------------- > > -----Original Message----- > From: MJ [mailto:mjtech@xxxxxxxxx] > Sent: Saturday, January 21, 2006 4:18 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: [islets] RE: ISA 2004 authentication issue > > http://www.ISAserver.org > > it's working now. > > the answer is in this KB Article 885683 > > Thanks all for trying to help me. > > -----Original Message----- > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > Sent: Saturday, January 21, 2006 5:18 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: [islets] RE: ISA 2004 authentication issue > > > http://www.ISAserver.org > > That's the category all right, although I don't' have any experience > with it causing such behavior. > Try to disable the filter and retry your tests. > > -------------------------------------------- > Jim Harrison > MCP(NT4, W2K), A+, Network+, PCG > http://isaserver.org/Jim_Harrison/ > http://isatools.org > Read the help / books / articles! > -------------------------------------------- > > -----Original Message----- > From: MJ [mailto:mjtech@xxxxxxxxx] > Sent: Saturday, January 21, 2006 2:09 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: [islets] RE: ISA 2004 authentication issue > > http://www.ISAserver.org > > Will this 3rd-party be GFI Web Monitor? > > -----Original Message----- > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > Sent: Saturday, January 21, 2006 4:58 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: [islets] RE: ISA 2004 authentication issue > > > http://www.ISAserver.org > > There are several circumstances where the user *will* see this prompt: > - The user can't type > - ISA can't resolve the user's credentials (typed or interactive) > - The selected ISA auth methods aren't known to the client app > - ISA has a 3rd-party filter installed that's mucking the whole process > > Since: > - ISA is a member server in the root domain > - auth failures are occurring in the child domain accounts > - by extension, auth failures are *not* occurring for root domain > accounts? > > ..it's time to start looking into your domain structure for errors. > > -------------------------------------------- > Jim Harrison > MCP(NT4, W2K), A+, Network+, PCG > http://isaserver.org/Jim_Harrison/ > http://isatools.org > Read the help / books / articles! > -------------------------------------------- > > -----Original Message----- > From: MJ [mailto:mjtech@xxxxxxxxx] > Sent: Saturday, January 21, 2006 1:40 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: [islets] RE: ISA 2004 authentication issue > > http://www.ISAserver.org > > which sounds right, and if asked it should use the credentials used to > logon > to the computer/domain, and the user shouldn't see this prompt. > > -----Original Message----- > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > Sent: Saturday, January 21, 2006 4:36 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: [islets] RE: ISA 2004 authentication issue > > > http://www.ISAserver.org > > You will *never* completely rid yourself of "anonymous" log entries and > you'll only drive yourself to bad girls (like Susan) if you try. > > *All* browsers and many other applications make their requests as > anonymous first and only provide authentication if they're asked. > > -------------------------------------------- > Jim Harrison > MCP(NT4, W2K), A+, Network+, PCG > http://isaserver.org/Jim_Harrison/ > http://isatools.org > Read the help / books / articles! > -------------------------------------------- > > -----Original Message----- > From: MJ [mailto:mjtech@xxxxxxxxx] > Sent: Saturday, January 21, 2006 1:34 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: [islets] RE: ISA 2004 authentication issue > > http://www.ISAserver.org > > did that, and started to prompt again. > > I don't know what else will I do to fix this problem, but I am going to > work > with MS Support later and hopefully they will figure out what's going > on. > > Thanks > > -----Original Message----- > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] > Sent: Saturday, January 21, 2006 4:26 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: [islets] RE: ISA 2004 authentication issue > > > http://www.ISAserver.org > > Yes- require authentication, and have the rule based on a group with > defined > users ;) > > t > > ----- > "I'll see your Llama and up you a Badger." > John T > > > > ----- Original Message ----- > From: "MJ" <mjtech@xxxxxxxxx> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> > Sent: Saturday, January 21, 2006 1:10 PM > Subject: [isalist] RE: [islets] RE: ISA 2004 authentication issue > > > > http://www.ISAserver.org > > > > that's how I exactly did few minutes ago, but I am still seeing > > "unauthenticated users" > > > > do you I need to enable the "Require All Users to Authenticate" again. > > Just > > asking :) > > > > -----Original Message----- > > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] > > Sent: Saturday, January 21, 2006 4:06 PM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: ISA 2004 authentication issue > > > > > > http://www.ISAserver.org > > > > Create a "local" ISA group, and add the domain's "Domain Users" group > to > > it. > > Then remove "All Users" from the rule and add only the new group you > > specified. > > > > Give that a shot and let us know... > > > > t > > > > ----- > > "I'll see your Llama and up you a Badger." > > John T > > > > > > > > ----- Original Message ----- > > From: "MJ" <mjtech@xxxxxxxxx> > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> > > Sent: Saturday, January 21, 2006 12:46 PM > > Subject: [isalist] RE: ISA 2004 authentication issue > > > > > >> http://www.ISAserver.org > >> > >> then what group should I selcet? > >> > >> -----Original Message----- > >> From: Steve Moffat [mailto:steve@xxxxxxxxxx] > >> Sent: Saturday, January 21, 2006 3:34 PM > >> To: [ISAserver.org Discussion List] > >> Subject: [isalist] RE: ISA 2004 authentication issue > >> > >> > >> http://www.ISAserver.org > >> > >> Exactly.............All Users is the anonymous group > >> > >> -----Original Message----- > >> From: MJ [mailto:mjtech@xxxxxxxxx] > >> Sent: Saturday, January 21, 2006 4:25 PM > >> To: ISA Mailing List > >> Subject: [isalist] RE: ISA 2004 authentication issue > >> > >> http://www.ISAserver.org > >> > >> I do have all users selected > >> > >> do you I need to select specific groups or what? > >> > >> Thanks > >> > >> -----Original Message----- > >> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] > >> Sent: Saturday, January 21, 2006 3:21 PM > >> To: [ISAserver.org Discussion List] > >> Subject: [isalist] RE: ISA 2004 authentication issue > >> > >> > >> http://www.ISAserver.org > >> > >> MJ- is your outbound access rule set to "All Users" or do you have it > >> set to a group containing your domain users? > >> > >> I too require user-based logs, and have "require authentication" > checked > >> (integrated only selected) and have set the "Users" to a group I > created > >> that contains "Domain Users" as the only group that has access. > While > >> this creates several "denied" entries for "anonymous," all users are > >> logged appropriately, and have seamless access. > >> > >> When you/PSS get it sorted out, please do tell us what the problem > >> was... > >> You've got something strange going on... > >> > >> t > >> > >> ----- > >> "I'll see your Llama and up you a Badger." > >> John T > >> > >> > >> > >> ----- Original Message ----- > >> From: "MJ" <mjtech@xxxxxxxxx> > >> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> > >> Sent: Saturday, January 21, 2006 12:08 PM > >> Subject: [isalist] RE: ISA 2004 authentication issue > >> > >> > >>> http://www.ISAserver.org > >>> > >>> sounds good. > >>> > >>> then please tell me how to fix it, if you say that I don't need then > I > >> > >>> promise you I will turn off that option. > >>> > >>> Thanks > >>> > >>> -----Original Message----- > >>> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] > >>> Sent: Saturday, January 21, 2006 3:04 PM > >>> To: [ISAserver.org Discussion List] > >>> Subject: [isalist] RE: ISA 2004 authentication issue > >>> > >>> > >>> http://www.ISAserver.org > >>> > >>> Yep, but there's a secret registry entry that will fix it ;-) > >>> > >>> Thomas W Shinder, M.D. > >>> Site: www.isaserver.org > >>> Blog: http://spaces.msn.com/members/drisa/ > >>> Book: http://tinyurl.com/3xqb7 > >>> MVP -- ISA Firewalls > >>> **Who is John Galt?** > >>> > >>> > >>> > >>>> -----Original Message----- > >>>> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > >>>> Sent: Saturday, January 21, 2006 1:48 PM > >>>> To: [ISAserver.org Discussion List] > >>>> Subject: [isalist] RE: ISA 2004 authentication issue > >>>> > >>>> http://www.ISAserver.org > >>>> > >>>> As I think about it more, I do remember putting a check mark in the > >>>> "Require all users to authenticate" once. Shortly afterwards, > after > >>>> a hundred phone calls about people getting login prompts, I had to > >>>> turn it back off. > >>>> > >>>> -----Original Message----- > >>>> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > >>>> Sent: Saturday, January 21, 2006 2:34 PM > >>>> To: [ISAserver.org Discussion List] > >>>> Subject: [isalist] RE: ISA 2004 authentication issue > >>>> > >>>> http://www.ISAserver.org > >>>> > >>>> Okay, NOW I remember that option... > >>>> > >>>> -----Original Message----- > >>>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] > >>>> Sent: Friday, January 20, 2006 11:59 PM > >>>> To: [ISAserver.org Discussion List] > >>>> Subject: [isalist] RE: ISA 2004 authentication issue > >>>> > >>>> http://www.ISAserver.org > >>>> > >>>> In 2004, you can still configure the the authentication method for > >>>> the web proxy listener. Go to the properties for the network, > select > >> > >>>> Web Proxy, and then click the "Authentication" button. > >>>> > >>>> This allows you to choose the auth methods supported for your > >> clients. > >>>> This > >>>> is where the OP had to select "require all users to authenticate." > >>>> Just > >>>> > >>>> making sure someone didn't put him in "basic auth" land... > >>>> > >>>> t > >>>> > >>>> > >>>> ----- > >>>> "I'll see your Llama and up you a Badger." > >>>> John T > >>>> > >>>> > >>>> > >>>> ----- Original Message ----- > >>>> From: "Ball, Dan" <DBall@xxxxxxxxxxx> > >>>> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> > >>>> Sent: Friday, January 20, 2006 8:32 PM > >>>> Subject: [isalist] RE: ISA 2004 authentication issue > >>>> > >>>> > >>>> http://www.ISAserver.org > >>>> > >>>> It's ISA2004, not 2000, it uses regular groups. Unless there is a > >>>> setting with that name that completely escapes my memory. > >>>> > >>>> -----Original Message----- > >>>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] > >>>> Sent: Friday, January 20, 2006 11:08 PM > >>>> To: [ISAserver.org Discussion List] > >>>> Subject: [isalist] RE: ISA 2004 authentication issue > >>>> > >>>> http://www.ISAserver.org > >>>> > >>>> The authentication method wasn't changed to "basic" by chance, was > >> it? > >>>> Still at "Integrated Authentication?" > >>>> > >>>> t > >>>> > >>>> ----- > >>>> "I'll see your Llama and up you a Badger." > >>>> John T > >>>> > >>>> > >>>> > >>>> ----- Original Message ----- > >>>> From: "MJ" <mjtech@xxxxxxxxx> > >>>> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> > >>>> Sent: Friday, January 20, 2006 7:31 PM > >>>> Subject: [isalist] RE: ISA 2004 authentication issue > >>>> > >>>> > >>>> > http://www.ISAserver.org > >>>> > > >>>> > I rebooted and didn't fix it. > >>>> > I believe that something was change by some body else while > >>>> > troubleshooting another problem about not being able to hit some > >>>> > web sites. > >>>> > Thanks > >>>> > > >>>> > -----Original Message----- > >>>> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > >>>> > Sent: Friday, January 20, 2006 10:21 PM > >>>> > To: [ISAserver.org Discussion List] > >>>> > Subject: [isalist] RE: ISA 2004 authentication issue > >>>> > > >>>> > > >>>> > http://www.ISAserver.org > >>>> > > >>>> > Had that happen a couple of times, a reboot usually cleared it. > >>>> > Anything changed? > >>>> > > >>>> > -----Original Message----- > >>>> > From: MJ [mailto:mjtech@xxxxxxxxx] > >>>> > Sent: Friday, January 20, 2006 9:14 PM > >>>> > To: [ISAserver.org Discussion List] > >>>> > Subject: [isalist] RE: ISA 2004 authentication issue > >>>> > > >>>> > http://www.ISAserver.org > >>>> > > >>>> > ISA is a member server of the root domain,and all users are in > the > >>>> child > >>>> > domain. > >>>> > the funny thing is that this been working for about 2 months with > >>>> > no problems. > >>>> > > >>>> > -----Original Message----- > >>>> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] > >>>> > Sent: Friday, January 20, 2006 8:59 PM > >>>> > To: [ISAserver.org Discussion List] > >>>> > Subject: [isalist] RE: ISA 2004 authentication issue > >>>> > > >>>> > > >>>> > http://www.ISAserver.org > >>>> > > >>>> > There can be a lot of different reasons for it, but it > "shouldn't" > >>>> > happen. Is your ISA server a member of said domain? > >>>> > > >>>> > -----Original Message----- > >>>> > From: MJ [mailto:mjtech@xxxxxxxxx] > >>>> > Sent: Friday, January 20, 2006 8:16 PM > >>>> > To: [ISAserver.org Discussion List] > >>>> > Subject: [isalist] ISA 2004 authentication issue > >>>> > > >>>> > http://www.ISAserver.org > >>>> > > >>>> > ISA Server 2004, with "Windows Authentication" and "Require > >>>> All Users > >>>> To > >>>> > Authenticate" > >>>> > > >>>> > Now with this ISA shouldn't prompt domain users for a user and a > >>>> > password. > >>>> > > >>>> > The one I have still prompting. Is there a reason for this? > >>>> How can I > >>>> > fix > >>>> > it? > >>>> > > >>>> > Thanks > >>>> > > > > All mail to and from this domain is GFI-scanned. > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > mjtech@xxxxxxxxx > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > jim@xxxxxxxxxxxx > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > All mail to and from this domain is GFI-scanned. > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > mjtech@xxxxxxxxx > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > jim@xxxxxxxxxxxx > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > All mail to and from this domain is GFI-scanned. > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > mjtech@xxxxxxxxx > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > johnlist@xxxxxxxxxxxxxxxxxxx > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: mjtech@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: mjtech@xxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned.