It has more to do with the HTTP protocol specification. A client will first send a request without including any authentication. If authentication is required, the server, www/proxy/whatever, will send back an authentication required response (407, 12209, etc). It then depends on how the client application is written as to what happens next. Most clients will see that response, prompt for authentication from the user, and automatically retry the request, this time including the authentication header. MS servers and IE do this all in the background using Integrated authentication, which is why people using MS software don't see authentication prompts sometimes.

1) The "web log" can only determine who is making the request if the client actually sends the authentication with the request. All major browsers remember authentication at least until the browser is closed, which is why you don't see prompts for every request. They automatically send it with every request that is made to that particular server.

2) If a site is denied to any request, a 407 is sent; it's the browser that controls the prompting, not the server. The server just says that this action is not allowed without specifying credentials. The browser could be written to just return the error instead of prompting, but then you'd never get logged in without a manual login action.

Again, it's all in the HTTP specification.

-Shawn

-----
Shawn R. Quillman
Robert Bosch Corporation
RBNA/CIT7
38000 Hills Tech Drive
Farmington Hills, MI 48331
(248) 553-1164 (P)
(248) 848-2855 (F)
shawn.quillman@xxxxxxxxxxxx

-----Original Message-----
From: Greg [mailto:GregBrady@xxxxxxxxxx]
Sent: Monday, October 21, 2002 6:19 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Web Proxy Authentication Questions

To put it in simpler terms:

1) If the web logs can determine who makes the request (with outgoing authentication), then there is no reason for a prompt, as the service knows whose session it is.

2) If a site is denied to ANY request, why have a prompt at all? Just return the 407 error. And for pop-ups, don't even return that.

This isn't a terrible problem, as I am now redirecting to a local page. It's more of a "why'd they do that" question. But thank you Mark.

Greg

----- Original Message -----
From: "Mark" <marcoswelker@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, October 21, 2002 3:26 PM
Subject: [isalist] Re: Web Proxy Authentication Questions

> >-Why do users get a logon prompt when a site is denied, but not when it is redirected?
>
> That's exactly my question. If the site is denied, why is there a prompt?
>
> I see it in this way: since ISA server is redirecting you to another site which is not denied, then it would be like if you were going to an allowed site in the first place. So no prompt.
>
> Outgoing web requests are authenticated - usernames are recorded in the web logs - so the proxy service knows whose session it is. And if a site is denied to everyone, then a prompt adds no value anyway.
>
> ISA is sometimes stupid. It prompts you for authentication in a hope for a valid credential.
>
> >>-If the Site & Content rules deny AnyRequest (including anonymous), then why do we get login prompts at all (there is no reason for the web proxy to require authentication for denied sites)?
>
> >Q297324 rid the recurring logon prompts when opening any allowed site, but NOT when browsing denied sites.
>
> Q297324
> "When a destination set is configured, the client receives an HTTP 407 error for each domain that is RESTRICTED".
>
> I mean, after you modified the registry, there were no changes?
>
> >>-If I turn off Reject http requests from firewall and securenat clients, are http requests from firewall clients subject to the deny rules in the site & content rules, and if so, why no prompts?
>
> >Unfortunately, that doesn't use the web proxy service - not in the web log and no caching.
> That's correct. Only Firewall Service.
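
The 407 challenge-and-retry exchange discussed in this thread, as an added example that is not part of any poster's message and is not ISA Server code. It assumes the Basic scheme in place of Integrated authentication; the user, host names and function names are hypothetical.

```python
import base64
import hmac

# Constructed sample data (hypothetical, not ISA Server configuration).
USERS = {"alice": "s3cret"}
ALLOWED_HOSTS = {"intranet.example"}  # every other host is denied to any request

def parse_basic(value):
    """Return (user, password) from a 'Basic <base64>' header value, else None."""
    if not value or not value.lower().startswith("basic "):
        return None
    try:
        user, _, password = base64.b64decode(value[6:], validate=True).decode().partition(":")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    return user, password

def proxy_handle(host, headers, log):
    """Model of the proxy side: answer one request and append a web-log entry."""
    creds = parse_basic(headers.get("Proxy-Authorization"))
    user = None
    if creds and creds[0] in USERS and hmac.compare_digest(
            USERS[creds[0]].encode(), creds[1].encode()):
        user = creds[0]
    # The log can name a user only when the request carried valid credentials.
    if user is None or host not in ALLOWED_HOSTS:
        # 407 for missing credentials and, as described in the thread, for denied sites.
        log.append((user or "anonymous", host, 407))
        return 407, {"Proxy-Authenticate": 'Basic realm="proxy"'}
    log.append((user, host, 200))
    return 200, {}

def client_fetch(host, prompt, log, max_prompts=2):
    """Model of a browser: anonymous first, then prompt and retry on each 407."""
    headers, prompts = {}, 0
    while True:
        status, _ = proxy_handle(host, headers, log)
        if status != 407 or prompts == max_prompts:
            return status, prompts
        user, password = prompt()  # prompting is the client's decision
        prompts += 1
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        headers = {"Proxy-Authorization": "Basic " + token}
```

Fetching a denied host with valid credentials logs the user name on the retry yet still ends in 407, so the client prompts again until it gives up.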