Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

Kerberos authentication to remote Web servers fails for Web proxy clients


Symptoms

You try to use the Microsoft Internet Security and Acceleration (ISA) Server 2004, 2006, Forefront Threat Management Gateway Medium Business Edition, or Threat Management Gateway Windows Essential Business Server Web proxy client to connect to an external or an internal domain Web site that requires authentication. The authentication data must be passed to ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition WEBS before it reaches its destination. The duplicate (pass-through) authentication process does not recognize the Kerberos version 5 protocol authentication data, and you are prompted to re-enter your credentials.


Cause

This behavior occurs because the ISA Server 2004 Web proxy client or the Microsoft Forefront Threat Management Gateway, Medium Business Edition WEBS Web proxy client does not support Massachusetts Institute of Technology (MIT) Kerberos version 5 protocol pass-through authentication. If you use your domain account credentials to connect to an external or an internal domain Web site that requires authentication, the Internet Explorer program on the Web proxy client may try to perform the authentication process by using the Kerberos protocol authentication data on the destination server. When this behavior occurs, the pass-through authentication process does not recognize the Kerberos protocol authentication data because ISA Server or the Microsoft Forefront Threat Management Gateway, Medium Business Edition WEBS Web proxy server has removed the Kerberos protocol header.

For example, the pass-through authentication process does not recognize the Kerberos protocol authentication data in the following scenarios:
  • When ISA Server or the Microsoft Forefront Threat Management Gateway, Medium Business Edition WEBS web proxy server is acting as a forward proxy, the ISA Server Web Proxy client uses ISA Server as a Web proxy agent for outbound Internet connections. In this scenario, ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition server is behind a second ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition Server and may act as the border firewall. When the client tries to perform the authentication process by using the Kerberos protocol authentication data, the second ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition Server does not pass the Kerberos protocol authentication data from the client to the upstream ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition Server that is acting as the firewall. Therefore, the authentication process stops responding.
  • When ISA Server is acting as a reverse proxy, the ISA Server Web proxy client or the Microsoft Forefront Threat Management Gateway, Medium Business Edition WEBS web proxy client that is on the Internet tries to perform the authentication process by using an internal server. The Kerberos protocol authentication data is passed to the ISA Server or the Microsoft Forefront Threat Management Gateway, Medium Business Edition server that is acting as the border firewall. In this scenario, the ISA Server or the Microsoft Forefront Threat Management Gateway, Medium Business Edition server that is acting as the border firewall removes the Kerberos protocol authentication header. The authentication process stops responding.


Status

This behavior is by design.


More information

If you use local credentials for an account that exists on the destination Web site server, the Internet Explorer program that is on the Web proxy client uses NTLM authentication. The authentication process succeeds.
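
To tell which of the two cases a deployment is in, the same request can be captured on both sides of the proxy and its Authorization header classified as Kerberos or NTLM. The Python below is an added example, not part of the original Microsoft article; the function names, the OID-search heuristic and the sample tokens (dummy payloads, not real tickets) are constructed for illustration.

```python
import base64

# DER-encoded mechanism OIDs as they appear inside GSS-API / SPNEGO tokens.
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2 (Kerberos V5)
    bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2 (Microsoft Kerberos OID)
)
NTLM_OID = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
NTLMSSP = b"NTLMSSP\x00"                              # raw NTLM message signature

def classify_authorization(value):
    """Return 'kerberos', 'ntlm', 'other' or 'none' for an Authorization header value."""
    if not value:
        return "none"
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "other"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return "other"
    if token.startswith(NTLMSSP):
        return "ntlm"
    # Heuristic (assumption): the first mechanism OID in the token is the one being attempted.
    found = [(token.find(oid), "kerberos") for oid in KRB5_OIDS]
    found.append((token.find(NTLM_OID), "ntlm"))
    found = [hit for hit in found if hit[0] >= 0]
    return min(found)[1] if found else "other"

def compare_hops(client_side, upstream_side):
    """Compare one request's headers as captured before and after the proxy."""
    def auth(headers):
        for name, value in headers.items():
            if name.lower() == "authorization":
                return value
        return None
    sent = classify_authorization(auth(client_side))
    forwarded = classify_authorization(auth(upstream_side))
    # The condition this article describes: Kerberos data sent, absent after the proxy.
    return sent, forwarded, sent == "kerberos" and forwarded != "kerberos"

# Constructed sample tokens: correct leading bytes and OIDs, dummy payloads.
def b64(raw):
    return base64.b64encode(raw).decode()
KRB_TOKEN = b64(b"\x60\x30" + SPNEGO_OID + KRB5_OIDS[1] + KRB5_OIDS[0] + NTLM_OID + b"\x00" * 8)
NTLM_TOKEN = b64(NTLMSSP + b"\x01\x00\x00\x00" + b"\x00" * 8)

if __name__ == "__main__":
    print(compare_hops({"Authorization": "Negotiate " + KRB_TOKEN}, {"Host": "web.example"}))
```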


Keywords: KB840613, kbprb

Article Info
Article ID : 840613
Revision : 3
Created on : 11/17/2008
Published on : 11/17/2008
Exists online : False