To put it in simpler terms: 1) If the web logs can determine who makes the request (with outgoing authentication), then there is no reason for a prompt, as the service knows whose session it is. 2) If a site is denied to ANY request, why have a prompt at all? Just return the 407 error. And for pop-ups, don't even return that. This isn't a terrible problem, as I am now redirecting to local page. Its more of a "why'd they do that" question. But thank you Mark. Greg ----- Original Message ----- From: "Mark" <marcoswelker@xxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Monday, October 21, 2002 3:26 PM Subject: [isalist] Re: Web Proxy Authentication Questions > http://www.ISAserver.org > > > >-Why do users get a logon prompt when a site is denied, but not when it > is > redirected? > > > That's exactly my question. If the site is denied, why is there a prompt? > > I see it in this way: since ISA server is redirecting you to another site > which is not denied, then it would be like if you were going to an allowed > site in first place. So no prompt. > > > Outgoing web requests are authenticated -usernames are recorded in the web logs - so the proxy service knows whose session it is. And if a site is > denied to everyone, then a prompt adds no value anyway. > > > ISA is sometimes stupid. It prompts you for authentication in a hope for a valid credential. > > >>-If the site&Content rules deny AnyRequest (including anonymous), then > why > do we get login prompts at all (there is no >>reason for the web proxy to > require authentication for denied sites)? > > >Q297324 rid the recurring logon prompts when opening any allowed site, > but > NOT when browsing denied sites. > > Q297324 > "When a destination set is configured, the client receives an HTTP 407 > error for each domain that is RESTRICTED". > > I mean, after you modified the registry, there were no changes? > > > >>-If I turn off Reject http requests from firewall and securenat clients, > are http requests from firewall clients subject to the >>deny rules in the > site & content rules, and if so, why no prompts? > > >Unfortunately, that doesn't use the web proxy service - not in the web > log > and no caching. > That´s correct. Only Firewall Service. > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Exchange Server Resource Site: http://www.msexchange.org/ > Windows Security Resource Site: http://www.windowsecurity.com/ > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: gregbrady@xxxxxxxxxx > To unsubscribe send a blank email to $subst('Email.Unsub')