ISA 2006 Compatibility with NTLMv2
We have 2 ISA 2006 servers serving our 2003 domain. Recently we made a change domain wide to restrict authentication to NTLMv2. A few minutes after we did that we began getting calls from people indicating their accounts were locked out. The only people who seemed to be calling were those who were actively using the internet, so I'm wondering if there are any issues with NTLMv2 and ISA. I noticed issues with respect to VPN access but I wasn't sure if it was more widespread than that. By the way, both ISA servers are 2003 SP2 (same for our DCs).
December 11th, 2009 1:25am

Hi, from the description it seems the question is about ISA 2006. Here we mainly focus on Windows Server questions; for ISA-related questions it is recommended that you start a new thread in the corresponding community to get further support. The community members and support professionals there are more familiar with ISA 2006 and can help you in a more efficient way. Forefront Edge Security http://social.technet.microsoft.com/Forums/en-US/category/forefrontedgesecurity/ Hope the issue will be resolved soon. This posting is provided "AS IS" with no warranties, and confers no rights.
December 11th, 2009 6:16am

Probably this is a known issue. When you use MS-CHAP authentication protocols (any of them) you must enable NTLMv1 on the server. Natively, VPN with PEAP cannot use NTLMv2. Please check this document: http://support.microsoft.com/kb/893318 http://www.sysadmins.lv
December 11th, 2009 5:03pm

Thanks, I'll try posting there.
December 11th, 2009 6:23pm

Thanks for the link. I had come across that KB but since we're not using VPNs I thought it didn't apply.
December 11th, 2009 6:24pm

I would not think the patch could help. The problem is somewhere else. You probably require all the users to authenticate prior to going over the HTTP proxy, and this authentication attempt may not work, which would be your case. In that case it would have nothing in common with MS-CHAP. I would rather:
- check time synchronization between the client, ISA and DC and pay special attention to time zone settings. For NTLMv2 you need to fit into 30 minutes time skew
- how are the client computers configured? Do their browsers use the IP address as the address of the gateway? I would recommend testing and switching to the setting so that you specify the computer name of the ISA server. In that case, the client would use Kerberos and would not have problems related to NTLMv2 at all.
ondrej.
December 11th, 2009 7:46pm
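The checks ondrej lists above (clock skew against the DC, and whether the browser addresses the proxy by IP or by name), plus two a practitioner would add next to them (the client's own LmCompatibilityLevel, and the lockout and NTLM-validation events on the DC), as one client-side triage script. This is an added example, not code from the thread or from Microsoft; dc01.corp.example is an assumed DC name, and reading the DC's Security log remotely assumes you have rights to it.

```powershell
# Added example (not from the thread): client-side triage for the lockout symptom.
# Placeholder: dc01.corp.example is an assumed DC name. Needs PowerShell 2.0+ and
# rights to read the DC's Security log remotely.
param([string]$Dc = "dc01.corp.example")

function Get-ClockSkewSeconds {
    # "w32tm /stripchart /dataonly" prints one "hh:mm:ss, +00.0123456s" line per
    # sample; average the signed offsets. Returns $null if the DC did not answer.
    param([string]$Target)
    $lines = & w32tm /stripchart /computer:$Target /samples:3 /dataonly 2>&1
    $offsets = @()
    foreach ($line in $lines) {
        if ("$line" -match '([+-]\d+\.\d+)s\s*$') { $offsets += [double]$matches[1] }
    }
    if ($offsets.Count -eq 0) { return $null }
    return ($offsets | Measure-Object -Average).Average
}

function Get-LmCompatibilityLevel {
    # Levels 0-2 still send LM/NTLMv1 responses; 3-5 send NTLMv2 only.
    # Returns $null when the value is absent (the OS default then applies).
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                          -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($p -eq $null) { return $null }
    return [int]$p.LmCompatibilityLevel
}

function Get-ProxyHost {
    # IE stores the proxy as "host:port" or "http=host:port;https=host:port".
    $ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    if (-not $ie.ProxyEnable) { return $null }
    $entry = [string]$ie.ProxyServer
    if ($entry -match '(?:^|;)http=([^;:]+)') { return $matches[1] }
    return ($entry -split ':')[0]
}

function Test-IsIPAddress {
    param([string]$Text)
    $ip = $null
    return [System.Net.IPAddress]::TryParse($Text, [ref]$ip)
}

function Get-LockoutEvents {
    # 644 (Server 2003) / 4740 (2008+) = account locked out;
    # 680 (2003) / 4776 (2008+) = NTLM credential validation on the DC.
    # In the 680/4776 text, 0xC000006A is a bad password and 0xC0000234 an
    # already locked account. Kerberos logons do not produce these NTLM events,
    # so a client that really uses Kerberos to the proxy stops appearing here.
    param([string]$Target, [int]$Newest = 20)
    Get-EventLog -LogName Security -ComputerName $Target `
                 -InstanceId 644,4740,680,4776 -Newest $Newest |
        Select-Object TimeGenerated, EventID,
            @{ n = 'Detail'; e = { (($_.Message -split "`n") | Select-Object -First 4) -join ' ' } }
}

# --- run the checks ---------------------------------------------------------
$skew = Get-ClockSkewSeconds -Target $Dc
if ($skew -eq $null) {
    "Could not sample time from ${Dc}; check name resolution and the firewall"
} elseif ([math]::Abs($skew) -gt 300) {
    "Clock skew to ${Dc} is $skew s: past the 5-minute Kerberos default; check the time zone as well as the time"
} else {
    "Clock skew to ${Dc} is $skew s: within the 5-minute Kerberos window and the 30-minute NTLMv2 window quoted above"
}

$lvl = Get-LmCompatibilityLevel
if ($lvl -eq $null) {
    "LmCompatibilityLevel not set on this client (OS default applies)"
} elseif ($lvl -lt 3) {
    "LmCompatibilityLevel is ${lvl}: this client still offers LM/NTLMv1, which DCs configured to refuse NTLM will reject"
} else {
    "LmCompatibilityLevel is ${lvl}: client sends NTLMv2 only"
}

$proxy = Get-ProxyHost
if ($proxy -eq $null) {
    "No proxy configured in the IE settings for this user"
} elseif (Test-IsIPAddress $proxy) {
    "Proxy is set by IP address (${proxy}): the browser can only do NTLM to it; set the ISA computer name instead so Kerberos can be used"
} else {
    "Proxy is set by name (${proxy}): Kerberos to the proxy is possible"
}

Get-LockoutEvents -Target $Dc | Format-Table -AutoSize -Wrap
```

Run it as the affected user on an affected client, since the proxy setting is per user (HKCU). The 644/680 (or 4740/4776) rows only exist if the DC audits account management and logon events; a run of 680/4776 entries with 0xC000006A from the same client, ending in a 644, is the pattern the original poster's theory (failed proxy authentication retried until the lockout threshold) would produce.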

Yes, we do require all users to authenticate before getting out to the internet. We figure the authentication fails, which eventually triggers our lockout policy after the user keeps trying. I'll double check the time settings today, but all the computers in the domain should be getting their time from our DC, which is synced via NTP. All the clients are using the computer name of the ISA server.
December 14th, 2009 10:14pm

You said that you "require all the users to authenticate". Is this the checkbox that you have checked on the proxy settings authentication in the Internal network configuration? Then please uncheck the checkbox and go to the firewall rules. There, find the rule that enables the users' internet access (or create a new one purely for the HTTP/HTTPS protocols, from Internal to External). Then configure the rule to have "All Authenticated Users" instead of the "Users" group. This is the preferred best-practice method, not checking "Require all users to authenticate" at the proxy settings. How do you configure the clients anyway? Can you change their setting from the IP address to the proxy server name as it is registered in Active Directory?
ondrej.
December 14th, 2009 10:30pm
