Important This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect your system.
Symptoms
If users visit a Web site that requires authentication, they may be repeatedly prompted to provide their credentials. This symptom occurs even after the users type valid credentials.
Cause
This issue occurs if either of the following conditions are true:
-
The published Web server requires Kerberos authentication.
-
The published Web server and the Microsoft Internet Security and Acceleration (ISA) Server-based computer or the Microsoft Forefront Threat Management Gateway, Medium Business Edition-based computer both have Windows integrated authentication enabled, and both require authentication.
This condition may occur in a reverse scenario where ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition uses the same HTTP headers for authentication that are used by the Web server. When a user accesses ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition, they are prompted for credentials. After ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition accepts the credentials, ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition forwards the request without the credentials to the published Web site. This causes the Web site to also prompt the user for authentication. These multiple authentication requests cause the Web browser to interpret that the credentials are incorrect. Therefore, the user is prompted again for credentials. Users may be prompted to type credentials many times if the Web browser opens several connections.
Resolution
To resolve this issue, use one of the following methods.
Method 1
Enable NTLM authentication only or enable both Kerberos and NTLM authentication on the published Web site and then publish the Web server in ISA Server or in Microsoft Forefront Threat Management Gateway, Medium Business Edition.
For more information about how to do this, click the following article numbers to view the articles in the Microsoft Knowledge Base:
324274 How to configure IIS Web site authentication in Windows Server 2003
215383 How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication
For additional information about how to publish Web servers in ISA Server, visit the following Microsoft Web site:
Method 2
Enable only Basic authentication on both the published Web site and on the corresponding Web listener on the ISA Server computer. To do this, follow these steps:
Warning This workaround may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.Note Because user credentials are sent by plain text in basic authentication, we recommend that you create a secure Web publishing rule in ISA Server to help make traffic more secure. You can also use SSL along with this workaround so that the authentication is not in clear text. For more information, see the "Secure Web Publishing rules" topic in the ISA Server Help documentation.
-
Enable only Basic authentication on the published Web site.
-
Enable only Basic authentication on the corresponding Web listener in ISA Server or in Microsoft Forefront Threat Management Gateway, Medium Business Edition. To do this, follow these steps:
-
Start the ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition Management tool.
-
Expand the ISA Server-based or Microsoft Forefront Threat Management Gateway, Medium Business Edition-based computer node, and then click Firewall Policy.
-
In the Details pane, click the corresponding Web publishing rule.
-
On the Tasks tab, click Edit Selected Rule.
-
On the Listener tab, click the Web listener, and then click Properties.
-
On the Preferences tab, click Authentication, click to select the Basic check box, and then click OK three times.
Notes-
For ISA Server 2006 or for Microsoft Forefront Threat Management Gateway, Medium Business Edition, click the Authentication tab, click HTTP Authentication in the Method clients use to authenticate to ISA Server list, and then click the Basic check box.
-
Click Yes if you receive a message that states that passwords will be sent without data encryption.
-
-
-
Enable Basic Delegation on the corresponding Web publishing rule on the ISA Server computer. To do this, follow these steps (on ISA Server 2004):
-
Start the ISA Server Management tool if it is not already started.
-
Expand the ISA Server-based computer node, and then click Firewall Policy.
-
In the Details pane, click the corresponding Web publishing rule.
-
On the Tasks tab, click Edit Selected Rule.
-
On the Users tab, click to select the Forward Basic authentication credentials (Basic delegation) check box, and then click OK.
Note For ISA Server 2006 or for Microsoft Forefront Threat Management Gateway, Medium Business Edition, click the Authentication Delegation tab, select Basic authentication in the Method used by ISA Server to authenticate to the published Web Server list , and then click OK. The Basic Authentication option is available only if you have selected HTTP Authentication or HTML Form Authentication in the Listener tab -
