ISA: Authentication

UNDERSTANDING ISA AUTHENTICATION

Authentication Process
– 3 components:
  o Receipt of client credentials
  o Validation of client credentials against an authentication provider (e.g., AD, RADIUS)
  o Delegation of authentication to web servers behind ISA

HTTP Authentication
– Types
  o Basic
    ▪ Authentication process
      • User prompted to enter Windows credentials
      • ISA Server receives the HTTP request with the credentials and, if required by the rule, validates the credentials through the specified authentication provider
      • In passing the HTTP request to the Web server, ISA uses the credentials to authenticate to the Web server according to the configured delegation method
      • Web server must be configured to use an authentication scheme that matches the delegation method used by ISA Server
      • When ISA verifies the credentials as valid, the connection is established
  o Digest & WDigest
    ▪ Authentication credentials are hashed into a message digest
    ▪ Hash is obfuscated, plus values to identify user/computer/domain
      • With WDigest, user/domain are case sensitive
    ▪ Time stamp is added
    ▪ Notes
      • Relies on HTTP 1.1
      • Can only be used in Windows domains
    ▪ Authentication process
      • Client makes request
      • ISA denies the request & asks the client for information
      • Upon receipt, the information is then used for authentication
      • If the client is authenticated, ISA policies are applied
  o Integrated Windows
    ▪ Authentication process
      • Depending upon the browser, authentication may not initially prompt for credentials (i.e., the current Windows user's info is used for authentication)
      • If the authentication exchange initially fails, the browser prompts for credentials
  o Client certificate
    ▪ Client provides a certificate, which is the basis for authentication
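The notes above describe Basic and Digest at the level of who prompts whom. The following is an added worked example, not code from the post or from ISA Server, showing what each scheme actually puts on the wire and how a server-side check of a Digest response works: Basic credentials are only base64-encoded and are trivially recoverable (which is why Basic is only acceptable over TLS), while Digest sends MD5(HA1:nonce:HA2) and lets the verifier work from a stored HA1 rather than the plaintext password. The `lookup_ha1` callback is a hypothetical stand-in for the credential store; the Basic and Digest test values used below are the published examples from RFC 2617.

```python
# Added worked example (not ISA Server code): Basic and Digest HTTP
# authentication on the wire, plus the server-side Digest check.
import base64
import hashlib
import hmac


def build_basic_header(username, password):
    """Client side of HTTP Basic: 'Basic ' + base64(user:password)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_header(header):
    """Server side of HTTP Basic. Base64 is an encoding, not encryption,
    so anyone who sees the header recovers the credentials; Basic is only
    acceptable when the transport is protected by TLS."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5_hex(data):
    # MD5 is what RFC 2617 Digest specifies; it is used here only to
    # match that protocol, not as a recommendation for new designs.
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_ha1(username, realm, password):
    """HA1 = MD5(username:realm:password). The username is hashed exactly
    as given, so 'Mufasa' and 'mufasa' yield different HA1 values."""
    return _md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc=None, cnonce=None, qop=None):
    """RFC 2617 response digest. With qop=auth the client nonce and the
    request counter are mixed in; without qop it is the older RFC 2069 form."""
    ha2 = _md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")


def build_digest_header(username, realm, uri, nonce, nc, cnonce, response):
    """Assemble the client's Authorization: Digest header (qop=auth)."""
    return (
        f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
        f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"'
    )


def parse_digest_header(header):
    """Split a Digest header into its key=value parameters. A simple
    comma split is enough for the values used here (quoted values
    containing commas would need a real tokenizer)."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    params = {}
    for part in rest.split(","):
        key, _, value = part.strip().partition("=")
        params[key.strip()] = value.strip().strip('"')
    return params


def verify_digest(header, method, lookup_ha1):
    """Server side of Digest. Only HA1 is needed for the user, so the
    verifier never sees or stores the plaintext password. lookup_ha1 is a
    hypothetical callback into the credential store: (user, realm) -> HA1
    or None when the user is unknown."""
    p = parse_digest_header(header)
    ha1 = lookup_ha1(p.get("username", ""), p.get("realm", ""))
    if ha1 is None:
        return False
    expected = digest_response(
        ha1, method, p.get("uri", ""), p.get("nonce", ""),
        p.get("nc"), p.get("cnonce"), p.get("qop"),
    )
    # Constant-time comparison so a mismatch does not leak how many
    # leading hex digits of the response were correct.
    return hmac.compare_digest(expected, p.get("response", ""))
```

Two things worth noticing when running it: the HTTP method is part of HA2, so a response captured for a GET does not verify for a POST to the same URI, and changing the case of the username changes HA1, which is the mechanism behind the note above that WDigest user/domain values are case sensitive.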

Authentication providers
– AD & AD over LDAP
  o Credentials include username in form
    ▪ SAM account name
    ▪ User principal name
    ▪ Distinguished name

Client Types
– Web proxy
  o A client or application that sends requests to ISA on port 80, or outgoing web requests on port 8080
– Firewall
  o Intercepts all Winsock calls & directs them to the underlying base service
– SecureNAT
  o Can’t send credentials to the ISA server, so access is based on IP addressing

References:
– Authentication in ISA Server 2006
  o http://technet.microsoft.com/library/bb794722.aspx
– Internal client concepts in ISA Server 2006
  o http://technet.microsoft.com/en-us/library/bb794762

Posted March 1, 2013 by terop
