Microsoft KB Archive/883285

= Users are repeatedly prompted for their credentials when they try to access the Internet after you configure a firewall chain between ISA Server computers =

Article ID: 883285

Article Last Modified on 9/7/2004

-

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2000 Standard Edition
 * Microsoft Internet Security and Acceleration Server 2004 Standard Edition

-





SYMPTOMS
After you configure a firewall chain between two or more computers that are running Microsoft Internet Security and Acceleration Server (ISA) 2004 or Internet Security and Acceleration (ISA) Server 2000, users who try to access the Internet are repeatedly prompted for their credentials.



CAUSE
This issue may occur after you configure an upstream ISA Server computer and a downstream ISA Server computer to require authentication. Web browsers, such as Microsoft Internet Explorer, may not keep track of which proxy servers they have authenticated against. In this case, the browser authenticates the first ISA Server computer in the firewall chain. If the browser does not retain the proxy authentication information, the browser may have to authenticate with additional ISA Server computers in the firewall chain.



RESOLUTION
To resolve this issue, allow anonymous access on either the downstream ISA Server computers or the upstream ISA Server computers. Additionally, you can configure the last proxy server in the chain to use NTLM authentication, and then you can configure, in the relevant access rule, the downstream ISA Server computers in the chain to pass credentials to the upstream ISA Server computers. After you change this configuration, the upstream computers will see all requests as coming from the single user account that you configured in the access rule of the downstream computers. Only one computer that is running ISA Server 2004 in the firewall chain requires authentication.



STATUS
This behavior is by design.

