Microsoft KB Archive/327753

= PRB: ISA Web Publishing Rule Using NTLM May Cause Random Authentication Prompts =

Article ID: 327753

Article Last Modified on 5/18/2004


APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2000 Standard Edition
 * Microsoft Internet Security and Acceleration Server 2000 Service Pack 1




This article was previously published under Q327753



SYMPTOMS
When you use a Web publishing rule that is restricted by NTLM authentication (that is, when Integrated is enabled under Incoming Web Requests), the client may receive random authentication prompts if the back-end IIS Web server that Internet Security and Acceleration Server (ISA) publishes does not recognize the credentials that the client has used to authenticate to ISA.

This may occur even if the Web server permits anonymous access.

This issue may or may not be visible, depending on the Web page that is requested. The problem typically occurs with Web pages that reference many objects, such as inline images.



CAUSE
Under certain circumstances, Microsoft Internet Explorer sends extraneous initial NTLM Authorization HTTP headers on already authenticated connections. When this request to ISA is sent on an already authenticated connection between the client and ISA, the request (including the NTLM Authorization header) is forwarded to the back-end Web server.

By default, IIS has both Anonymous and Integrated authentication enabled and therefore recognizes the request as the start of a new NTLM handshake. Because of the NTLM Authorization HTTP header, IIS continues the NTLM handshake instead of serving the resource anonymously. When the client completes the NTLM handshake, if the IIS server does not recognize the credentials, IIS returns a "401 Unauthorized" response, and Internet Explorer displays an authentication prompt.

These symptoms only occur if the IIS server does not recognize the credentials that are used to authenticate against ISA.
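To confirm this cause in a request trace, the sketch below decodes each NTLM Authorization header and flags an initial (Type 1, Negotiate) message that arrives on a connection which has already completed a handshake. It is an added example, not part of the original Microsoft article; the tuple layout, the connection identifiers and the sample tokens are constructed assumptions, and a Type 3 message answered with anything other than 401 is assumed to have authenticated the connection.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3

def ntlm_message_type(authorization):
    """Return the NTLM message type in an Authorization value, or None."""
    scheme, _, token = (authorization or "").strip().partition(" ")
    if scheme.upper() != "NTLM":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or not raw.startswith(NTLM_SIGNATURE):
        return None
    # The message type is a little-endian 32-bit integer after the signature.
    return struct.unpack_from("<I", raw, 8)[0]

def find_extraneous_negotiates(requests):
    """requests: ordered (conn_id, url, authorization, status) tuples.
    Returns (conn_id, url) for each Type 1 on an already authenticated connection."""
    authenticated, flagged = set(), []
    for conn_id, url, authorization, status in requests:
        msg_type = ntlm_message_type(authorization)
        if msg_type == NEGOTIATE and conn_id in authenticated:
            flagged.append((conn_id, url))
        elif msg_type == AUTHENTICATE and status != 401:
            authenticated.add(conn_id)
    return flagged

def sample_token(msg_type):
    # Constructed minimal NTLM message: signature, type, four zero bytes.
    raw = NTLM_SIGNATURE + struct.pack("<I", msg_type) + b"\x00" * 4
    return "NTLM " + base64.b64encode(raw).decode("ascii")

# Constructed trace: c1 authenticates, then sends a fresh Type 1 for an image.
SAMPLE = [
    ("c1", "/default.htm", None, 401),
    ("c1", "/default.htm", sample_token(NEGOTIATE), 401),
    ("c1", "/default.htm", sample_token(AUTHENTICATE), 200),
    ("c1", "/img/logo.gif", None, 200),
    ("c1", "/img/banner.gif", sample_token(NEGOTIATE), 401),
    ("c2", "/img/nav.gif", sample_token(NEGOTIATE), 401),
]

if __name__ == "__main__":
    for conn_id, url in find_extraneous_negotiates(SAMPLE):
        print(f"{conn_id}: extraneous NTLM Negotiate for {url}")
```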



RESOLUTION
To stop the Web server from responding to the NTLM handshake, click to clear the Integrated Authentication check box on the back-end IIS Web server. When you do this, the Web server serves the page anonymously, and this problem does not occur.

Keywords: kbprb kbisa2004yes KB327753


© Microsoft Corporation. All rights reserved.