This kind of thing happens when you have a 'mostly' anonymous web site, and it isn't quite setup correctly. Let me see if I can explain: You have a web site that has 10 directories under the root. Being a careful admin, you have setup the whole web site to use the IUSR account for anonymous access, the System and Administrators groups have full access, and have removed the Everyone group completely. Now when you surf the site anonymously, you should be able to get everywhere (using the IUSR account to get past the security). Next, you decide that you want a little extra security on one of the directories, so on that particular directory you remove the IUSR account and add a normal user and give that user read rights to the secure directory. When a user tries to access resources in the secure directory, Windows notices that the IUSR account is not allowed, and it asks the user to supply different credentials. The user does this, so now they will be surfing in this particular zone with a different username - not the IUSR account anymore. So, they can see the resources in the directory they are in just fine - except for one thing: The secure directory asks for things (like pictures in the images directory) outside of the secure directory. Since the user is now surfing with a set of credentials OTHER THAN the IUSR or an Administrator, they are not allowed to view the resources in the other directories that ARE viewable if they use the IUSR (anonymous) account. That all make sense? Anyway, I would look at your web server first, namely the permissions on the files and folders. I don't think it is ISA because ISA is allowing you to send packets to the web server. Also, another place to look is the web log files - turn logging all the way on and log everything, then look to see where the IUSR account is being used and where a specific user account is being used. Matt Walkowiak -----Original Message----- From: Alfonso Lopez de Ayala [mailto:alopezdeayala@xxxxxxxxxxxx] Sent: Wednesday, June 05, 2002 10:51 AM To: [ISAserver.org Discussion List] Subject: [isalist] multiple authentications boxes & OWA http://www.ISAserver.org I know similar issues have been discussed here recently... this is yet another manifestation of (perhaps) the same problem... has anyone found the definitive solution for this ISA bug? When a user tries to access an internal web server from the Internet (published thru ISA using Web Publishing Rules with its appropriate Destination Set), the user gets multiple authentication boxes... the web page contents (buttons, images, frames, etc.) appear little by little on the browers, as the user enters username/password/domain repeatedly... this causes the web application to be practically unusable. Note: I don't see that the specifics on the web server have anything to do with the problem, but in this case it is users accessing Exchange's OWA (Outlook Web Access) from the Internet. Exchange/OWA/IIS/ISA are all in the same box in this case. Also, the same users can access OWA with no problem from the internal LAN. ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: matt.walkowiak@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')