
PRB: ISA Web Publishing Rule Using NTLM May Cause Random Authentication Prompts



This article was previously published under Q327753



Symptoms

When you use a Web publishing rule that is restricted by NTLM authentication (that is, when Integrated is enabled under Incoming Web Requests), the client may receive random authentication prompts if the back-end IIS Web server that Internet Security and Acceleration Server (ISA) publishes does not recognize the credentials that the client has used to authenticate to ISA.

This may occur even if the Web server permits anonymous access.

This issue may or may not be visible, depending on the Web page that is requested. The problem typically occurs with Web pages that reference many objects, such as inline images.



Cause

Under certain circumstances, Microsoft Internet Explorer sends extraneous initial NTLM Authorization HTTP headers on already authenticated connections. When such a request is sent to ISA on an already authenticated connection between the client and ISA, the request (including the NTLM Authorization header) is forwarded to the back-end Web server.

By default, IIS has both Anonymous and Integrated authentication enabled and therefore recognizes the request as the start of a new NTLM handshake. Because of the NTLM Authorization HTTP header, IIS continues the NTLM handshake instead of serving the resource anonymously. When the client completes the NTLM handshake, if the IIS server does not recognize the credentials, IIS returns a "401 Unauthorized" response, and Internet Explorer displays an authentication prompt.

These symptoms only occur if the IIS server does not recognize the credentials that are used to authenticate against ISA.
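
The trace check below is an added example, not part of the original article and not Microsoft code. It decodes the NTLM message type from Authorization header values and flags an initial (Type 1) message sent on a connection that has already completed a handshake, which is the condition described above. The record layout (connection id, Authorization header, response status), the function names and the sample trace are constructed for illustration.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def ntlm_message_type(header_value):
    """Return the NTLM message type (1, 2 or 3) carried in an Authorization
    header value, or None if the header is absent or is not a valid NTLM token."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    if len(raw) < 12 or raw[:8] != NTLM_SIGNATURE:
        return None
    (msg_type,) = struct.unpack_from("<I", raw, 8)  # little-endian uint32
    return msg_type if msg_type in TYPES else None

def find_extraneous_negotiates(requests):
    """requests: iterable of (connection_id, authorization_header, status).
    Returns the indexes of requests that start a new handshake (Type 1) on a
    connection that already completed one (Type 3 answered with a non-401)."""
    authenticated = set()
    flagged = []
    for i, (conn, header, status) in enumerate(requests):
        msg_type = ntlm_message_type(header)
        if msg_type == 1 and conn in authenticated:
            flagged.append(i)
        elif msg_type == 3 and status != 401:
            authenticated.add(conn)
    return flagged

def _token(msg_type):
    # Constructed minimal token (signature + type + zero padding), not a capture.
    body = NTLM_SIGNATURE + struct.pack("<I", msg_type) + b"\x00" * 20
    return "NTLM " + base64.b64encode(body).decode()

# Constructed trace of client requests as seen on the client-to-ISA side.
SAMPLE = [
    ("c1", _token(1), 401),  # handshake starts, server answers with a challenge
    ("c1", _token(3), 200),  # handshake completes, connection is authenticated
    ("c1", None, 200),       # ordinary request on the authenticated connection
    ("c1", _token(1), 401),  # extraneous Type 1, e.g. for an inline image
    ("c2", _token(1), 401),  # new connection: a legitimate Type 1
]

if __name__ == "__main__":
    print(find_extraneous_negotiates(SAMPLE))
```

Requests flagged by this check are the ones that reach the back-end Web server carrying an NTLM Authorization header and can trigger the second handshake.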



Resolution

To stop the Web server from responding to the NTLM handshake, click to clear the Integrated Authentication check box on the back-end IIS Web server. When you do this, the Web server serves the page anonymously, and this problem does not occur.



Keywords: KB327753, kbisa2004yes, kbprb


Article Info
Article ID : 327753
Revision : 2
Created on : 5/18/2004
Published on : 5/18/2004