spacer
spacer search

After Hours Information Technology - ahit.com.au
The small IT business for your small business.

Search
spacer
header
Main Menu
Home
News
Links
Web Hosting
Domain Lookup
Speed Test
Search
Contact Us
Privacy Policy
News Feeds
Microsoft ISA Server
Administrator
 
Home

The case of the unusual credential popup PDF Print E-mail
Frequently Asked Questions - Microsoft ISA Server

I recently replied to a post by someone on the www.ISAserver.org forums where he was having a problem with a particular site and defined destination set not working.

(See http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=2;t=014532 for original posting)

Basically he had a destination to that contained the site in question, lets say secure.sitename.com and then he had a S&C (Site & Content) rule allowing access to that destination set all the time for all users (anonymous access.)
Like a good administrator he normally required user authentication for Internet usage but had set this up as a "can go anywhere" site.

The problem was, when someone who wasn't specifically allowed internet access tried to access that site, they were prompted to enter user credentials... despite his rule allowing it.

Fortunately, we've encountered this type of thing before when trying to set up other "freebie" sites for users, such as whitepages.com.au & yellowpages.com.au (Australia phone listings). In those cases the original website tries to load images from other another site. From memory it was something like sensismedia.com.au/blahblah/imagename.jpg.

Now these images could have been "static" pictures on the page or often as part of add banner rotations.

The killer of course is we've defined a rule that says we allow secure.sitename.com, not images.sitename.com and so that's why the user is prompted for credentials.
Normally it's really easy to see what's actually causing this credential popup. 2 methods come to mind:

1) Simply go to the page, cancel the popup request for credentials... over and over if need be and when the page finally finishes loading, click "View" "Source" from your browser toolbar and then do a text search for "http". This will find either a "a href" link to another site or an "img src" for images. If the later, and the URL is different from the site you're visiting, then there's your culprit

2) The second method is a little more long winded. When prompted for credentials, enter some that have "full" internet access and browse around the site, then about 10 minutes after you've finished, go to the (default location) c:\program files\microsoft isa server\ISAlogs and search for the IP address of the client machine you were using in the days logfiles. eg: find "10.10.10.5" webdyyyymmdd.log > where.txt
Now you can look at "where.txt" and it will show everywhere that machine has browsed to. Do a quick text search for the username you entered above and you can see exactly what is forcing the credential popup. More often than not it's an image or a flash file. In the case of the problem mentioned from www.ISASERVER.org, this was a secure site so the browser won't let your view source!

In the case of the problem mentioned from www.ISASERVER.org, this was a secure site so the browser won't let your view source!

One caveat with the logging of access for secure sites is that it lists basically ONLY the base URL eg: secure.sitename.com and not the "full" URL of secure.sitename.com/app/blahblah.html as ISA maintains the users "privacy". In actual fact, ISA is rally just passing the results of the browsers request direct to the client as it can't see "inside" the encrypted SSL (Secure Sockets Layer) data stream.

Fortunately for Jim an educated guess managed to identify the culprit. It was a "secure site" logo/image that was coming from the external site.
Sometimes you can get lucky with secure site by doing the 2nd method above and it'll show the external site.
Oh, and remember, when defining the sites in a destination set that will be accessed via HTTPS (secure), NEVER EVER put in a subdirectory, only ever put the base URL name. As above , ISA cant see inside the secure data stream and because it cant decipher what's coming in to check if it's allowed based on matching the subdir in the destination list, it'll deny the whole thing regardless!

 

 

< Prev   Next >
spacer
Who's Online
We have 36 guests online
Locations of visitors to this page
Polls
I plan on installing Microsoft Vista:
  
Popular
Syndicate

 

Copyright 2004 2005 After Hours Information Technology http://www.ahit.com.au
spacer