TMG Forefront 2010 - Disabling/Enabling different authentication types

(Updating to include TMG 2010)

I'm currently using ISA 2004 in a lab that requires authentication for all users.

If I perform a network capture I see that, depending on the machine configuration, I will use Kerberos or NTLM.

So the request for www.google.com goes to the proxy server, and the proxy server comes back with a 407. In the header the following authentication types are listed in Proxy-Authenticate tags:

Negotiate, Kerberos, NTLM, Basic realm="fqdn.of.proxy.server"

For instance, in IE if I specify my proxy by IP it uses NTLM; if I specify it by its FQDN then it will use Kerberos.

Is it possible to configure these? I.e., can I modify something so NTLM or Basic or Kerberos will never be a choice? I.e., can I set it so the only suitable authentication mechanism is Basic or Kerberos?


  • Edited by illafam Tuesday, September 03, 2013 5:23 AM
September 2nd, 2013 10:02am
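The 407 exchange described above, as an added example that is not part of the original thread and not ISA/TMG or IE code: a small Python parser for the Proxy-Authenticate challenge list, plus a model of how a client with a local "allowed schemes" policy picks among the schemes the proxy offers. The preference order and the rule that Negotiate/Kerberos are skipped when the proxy is addressed by IP are assumptions of the model, chosen to reproduce the IP-vs-FQDN behaviour the poster observed; the sample challenge string is constructed from the header quoted in the post.

```python
import re

# Constructed sample: the challenge line the original poster reports seeing
# from ISA 2004 / TMG on a "407 Proxy Authentication Required" response.
SAMPLE_407_CHALLENGE = 'Negotiate, Kerberos, NTLM, Basic realm="fqdn.of.proxy.server"'

# Assumed client preference order (strongest first). This mirrors what the
# thread observes from IE; it is a modelling assumption, not a documented constant.
PREFERENCE = ["negotiate", "kerberos", "ntlm", "digest", "basic"]

_TOKEN68 = re.compile(r"^[A-Za-z0-9._~+/-]+=*$")
_PARAM = re.compile(r'^([^=\s]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^"\s,]*))$')


def _split_challenge_list(value):
    """Split on commas that are not inside a quoted-string."""
    parts, cur, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\" and quoted:
            cur.append(ch)
            escaped = True
        elif ch == '"':
            quoted = not quoted
            cur.append(ch)
        elif ch == "," and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def _parse_param(text):
    """Parse one 'name=value' auth-param; value may be a quoted-string."""
    m = _PARAM.match(text)
    if not m:
        raise ValueError("bad auth-param: %r" % text)
    name, quoted, bare = m.groups()
    value = quoted.replace('\\"', '"') if quoted is not None else bare
    return name.lower(), value


def parse_challenges(value):
    """Parse a Proxy-Authenticate (or WWW-Authenticate) header value.

    Returns [(scheme, params), ...] in the order offered. A comma-separated
    piece whose first word has no '=' starts a new challenge; 'name=value'
    pieces attach to the most recent challenge; a bare base64 blob after a
    scheme (a continued Negotiate/NTLM round) is stored under "token68".
    """
    challenges = []
    for piece in _split_challenge_list(value):
        head, _, rest = piece.partition(" ")
        rest = rest.strip()
        if "=" in head or rest.startswith("="):
            if not challenges:
                raise ValueError("auth-param before any scheme")
            name, val = _parse_param(piece)
            challenges[-1][1][name] = val
            continue
        params = {}
        if rest:
            if _TOKEN68.match(rest):
                params["token68"] = rest
            else:
                name, val = _parse_param(rest)
                params[name] = val
        challenges.append((head, params))
    return challenges


def choose_scheme(challenges, allowed, proxy_is_fqdn):
    """Pick the scheme a policy-constrained client would answer with.

    allowed: scheme names the local policy permits (case-insensitive).
    proxy_is_fqdn: Negotiate/Kerberos need a host name to build an SPN; when
    the proxy is configured by IP the client cannot obtain a ticket and
    Negotiate degrades to NTLM (the thread's observation), so this model
    treats both as unusable for an IP target. Returns the scheme name as
    offered, or None when nothing offered is both allowed and usable.
    """
    offered = {scheme.lower(): scheme for scheme, _ in challenges}
    allowed = {a.lower() for a in allowed}
    for scheme in PREFERENCE:
        if scheme not in offered or scheme not in allowed:
            continue
        if scheme in ("negotiate", "kerberos") and not proxy_is_fqdn:
            continue
        return offered[scheme]
    return None
```

The point the model makes explicit is that the choice is made on the client, from the intersection of what the proxy advertises and what the client is willing to use; with NTLM removed from the allowed set, a proxy reached by IP ends up on Basic, and if Basic is not allowed either there is no usable scheme at all. That empty intersection is the case to check for whenever either side is tightened.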

Hi,

I do not remember how it was with ISA 2004, but in TMG you go to Web Access Policies, select "proxy authentication", and then you can select Integrated (that is Kerberos, with NTLM as fallback) and Basic authentication. Other authentication types in TMG are Digest, SSL certificate (if I am not mistaken, that was not supported in 2004) and RADIUS.

Hope that helps,

Lutz

September 3rd, 2013 7:20am

Thanks, I installed TMG 2010 on another machine and the setting is right there in the GUI. You are right, though: there is only a check mark for Integrated. I tried configuring HTTP on the firewall rule and tried to modify the "Proxy-Authorization: NTLM" header, but I don't think I can simply strip NTLM and leave the other two... maybe it needs to strip all of them?
September 3rd, 2013 8:17am


Hi

As far as I know, NTLM, Kerberos and Negotiate are included in the Integrated authentication method; you can select the web proxy authentication method as Basic, Digest, WDigest or Integrated in ISA 2004. If you select Integrated authentication, IE will select a different method based on configuration, such as requesting an IP or an FQDN.

September 4th, 2013 5:07am

So if I set TMG to allow Basic and NTLM, my client will always use NTLM. To get around this I think I can define a network set with the requesting client's IP and set it to Basic.

My next question is about how often I should be required to authenticate. In this case let's say my proxy is in North America and my client is in Asia, so we have about 200-300 ms of latency. When authenticating via NTLM a three-way handshake occurs. When the client is in North America this is not an issue, as it happens fast. With the latency, though, it starts to impact the user experience.

Looking at a network capture, it appears this occurs on every URL I connect to. Let's say for instance I type domain.com into the browser, and domain.com redirects me to www.domain.com, which then may redirect me somewhere else. For each URL I hit I see the NTLM handshake occur. Another situation which makes this difficult is if the site has 7-8 URL tracker/cookie things going on; then the NTLM handshake appears to happen for each ad site as well.

Is it possible to make it so ISA does not need to request my credentials over and over?

September 9th, 2013 2:29am
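The per-URL handshake the poster sees in the capture, as an added example rather than anything from the thread: a Python classifier that tells NTLM Type 1/2/3 messages apart by the NTLMSSP signature and the message-type field at the start of the base64 blob, run over a constructed capture of proxy requests (stream numbers, URLs and headers are all made up to mirror the redirect chain and tracker hosts described above). It counts one handshake per Type 1 message per TCP stream and estimates the added delay under the assumption that each handshake costs two extra round trips (the initial 407 and the Type 2 challenge) at the RTT given.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"  # 8-byte signature that starts every NTLM message


def ntlm_message_type(header_value):
    """Return 1, 2 or 3 for an 'NTLM <base64>' (or raw-NTLM 'Negotiate')
    credential, else None. Bytes 8..11 of the blob hold the message type,
    little-endian, immediately after the NTLMSSP signature."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() not in ("ntlm", "negotiate") or not blob:
        return None
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or not raw.startswith(NTLMSSP):
        return None  # e.g. Negotiate carrying SPNEGO/Kerberos, not NTLM
    return struct.unpack_from("<I", raw, 8)[0]


def count_handshakes(records):
    """Count NTLM handshakes per TCP stream: one per Type 1 message sent."""
    per_stream = {}
    for r in records:
        if ntlm_message_type(r.get("proxy_authorization") or "") == 1:
            per_stream[r["stream"]] = per_stream.get(r["stream"], 0) + 1
    return per_stream


def extra_latency_ms(records, rtt_ms):
    """Estimated delay added by NTLM: two extra round trips per handshake
    (the plain 407, then the Type 2 challenge) before the Type 3 request is
    served. Assumes the client does not send Type 1 pre-emptively."""
    return 2 * rtt_ms * sum(count_handshakes(records).values())


def _ntlm_blob(msg_type):
    """Constructed minimal NTLM message (signature + type only), enough for
    classification; real messages carry more fields after byte 12."""
    return base64.b64encode(NTLMSSP + struct.pack("<I", msg_type)).decode()


# Constructed capture, one dict per request as the proxy saw it. A browser
# opens a fresh connection (stream) for each redirect target and tracker
# host, and NTLM authenticates per connection, so each stream re-handshakes.
SAMPLE_CAPTURE = [
    {"stream": 1, "url": "http://domain.com/", "proxy_authorization": None, "status": 407},
    {"stream": 1, "url": "http://domain.com/", "proxy_authorization": "NTLM " + _ntlm_blob(1), "status": 407},
    {"stream": 1, "url": "http://domain.com/", "proxy_authorization": "NTLM " + _ntlm_blob(3), "status": 301},
    {"stream": 2, "url": "http://www.domain.com/", "proxy_authorization": None, "status": 407},
    {"stream": 2, "url": "http://www.domain.com/", "proxy_authorization": "NTLM " + _ntlm_blob(1), "status": 407},
    {"stream": 2, "url": "http://www.domain.com/", "proxy_authorization": "NTLM " + _ntlm_blob(3), "status": 200},
    {"stream": 2, "url": "http://www.domain.com/app.js", "proxy_authorization": None, "status": 200},
    {"stream": 3, "url": "http://tracker.example/px.gif", "proxy_authorization": None, "status": 407},
    {"stream": 3, "url": "http://tracker.example/px.gif", "proxy_authorization": "NTLM " + _ntlm_blob(1), "status": 407},
    {"stream": 3, "url": "http://tracker.example/px.gif", "proxy_authorization": "NTLM " + _ntlm_blob(3), "status": 200},
    # A client that reached the proxy by FQDN and sent a Kerberos/SPNEGO
    # token: not an NTLM handshake, so it must not be counted.
    {"stream": 4, "url": "http://www.domain.com/", "proxy_authorization": "Negotiate " + base64.b64encode(b"\x60\x06\x06\x04spnego").decode(), "status": 200},
]

if __name__ == "__main__":
    print(count_handshakes(SAMPLE_CAPTURE))        # handshakes per stream
    print(extra_latency_ms(SAMPLE_CAPTURE, 250))   # ms added at a 250 ms RTT
```

Run against a real capture, the interesting number is how many distinct streams carry a Type 1 message: that is the number of connections the browser opened, and with NTLM every one of them pays the full challenge-response before the first byte of the response arrives. The fourth stream shows the check that keeps Kerberos traffic out of the count, since a Negotiate header can carry either SPNEGO or raw NTLM.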

