Microsoft KB Archive/840613

= Kerberos authentication to remote Web servers fails for Web proxy clients =

Article ID: 840613

Article Last Modified on 12/2/2004

-

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2004 Standard Edition

-





SYMPTOMS
You try to use the Microsoft Internet Security and Acceleration (ISA) Server 2004 Web proxy client to connect to an external or an internal domain Web site that requires authentication. The authentication data must be passed to ISA Server before the authentication data reaches its destination. The duplicate (pass-through) authentication process does not recognize the Kerberos version 5 protocol authentication data. You are prompted to re-enter your credentials.



CAUSE
This behavior occurs because ISA Server 2004 Web proxy client does not support Massachusetts Institute of Technology (MIT) Kerberos version 5 protocol pass-through authentication. If you use your domain account credentials to connect to an external or an internal domain Web site that requires authentication, the Internet Explorer program on the Web proxy client may try to perform the authentication process by using the Kerberos protocol authentication data on the destination server. When this behavior occurs, the pass-through authentication process does not recognize the Kerberos protocol authentication data because ISA Server has removed the Kerberos protocol header.

For example, the pass-through authentication process does not recognize the Kerberos protocol authentication data in the following scenarios:
 * When ISA Server is acting as a forward proxy, the ISA Server Web Proxy client uses ISA Server as a Web proxy agent for outbound Internet connections. In this scenario, ISA Server is behind a second ISA Server and may act as the border firewall. When the client tries to perform the authentication process by using the Kerberos protocol authentication data, the second ISA Server does not pass the Kerberos protocol authentication data from the client to the upstream ISA Server that is acting as the firewall. Therefore, the authentication process stops responding.
 * When ISA Server is acting as a reverse proxy, the ISA Server Web proxy client that is on the Internet tries to perform the authentication process by using an internal server. The Kerberos protocol authentication data is passed to the ISA Server that is acting as the border firewall. In this scenario, the ISA Server that is acting as the border firewall removes the Kerberos protocol authentication header. The authentication process stops responding.



STATUS
This behavior is by design.



MORE INFORMATION
If you use local credentials for an account that exists on the destination Web site server, the Internet Explorer program that is on the Web proxy client uses NTLM authentication. The authentication process succeeds.

Keywords: kbprb KB840613

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.