ISA and WPAD causes authentication issue

By peter.berger@genexsrvcs
Issue: Turning on auto-detect in IE and setting up WPAD causes authentication issues.

When we manually configure IE to use the IP:8080 for Internet usage, ISA will use our Active Directory credentials and allow us access to the Internet w/o a username and/or password.

However, in IE when we turn on "auto detect" and add wpad.dat advertising to the ISA proxy (2000 SP1) it asks us to authenticate with our Active Directory UN/PW before it will let us browse the Inet. I've added WPAD to both DNS and DHCP and it seems to work fine in that aspect.

I'd like to get rid of this UN/PW authentication box and have IE auto-use the logged-in AD credentials to get to the Inet.
I followed Microsoft's instructions on how to set up WPAD.

Any 411/help would be great. Thanks.

-- Peter

by CG IT In reply to ISA and WPAD causes authe ...

If you're using Internet Security & Acceleration Server 2000 [ISA 2000] as your proxy server/perimeter firewall, AND you are running Windows 2000/2003 server with Active Directory, you need to install and use the ISA server firewall client program. This configures Internet Explorer on client computers.

To configure ISA server to allow internet access for domain users [or a specific group of users], first create a security group in Active Directory. Name it something like Internet users. Then add user groups like domain users to that security group.

Next, open up the ISA server management console. Expand Servers & Arrays, expand <your server>, expand Access policy. If there is only one rule listed, e.g. allow rule, click on Site and content rules. In the task bar click view and choose taskpad. Select Create a Site and Content Rule Wizard. This will create a new rule. Name it something like Domain Internet Users.

Once the rule is made and is shown in the right pane, double click it and the Internet access Site and Content Rule properties page will open. Click the applies to tab. Choose the radio button Users and groups specified below. Click the add tab to the right. Scroll and find the internet users security group you created in Active Directory. Select that group so it appears under the applies to requests coming from: pane. Click ok. Close the ISA management console.

Users who are members of the security group you created in Active Directory for internet access will now have access without having to input a user name and password.

by CG IT In reply to

Note: ISA server Service Pack 2 is available and I would suggest you download and install it along with the feature packs. Further, if you want real time monitoring of inbound/outbound connections through ISA server, download the free ISA server monitoring tool from GFI. Really great real time tool for ISA server.

by CG IT In reply to

Bottom line to my epistle above is: Don't use a Web proxy for IE. Use the ISA server firewall client program OR use Active Directory Group Policy IE configuration policy for computer configurations. Preferred when using ISA server is the firewall client program.

If you're concerned about the WPAD vulnerability in IE, note MS Bulletin MS99-054, Patch for WPAD Spoofing Vulnerability.

IE 5.01 eliminates this vulnerability, as does any IE update beyond 5.01.

by CG IT In reply to

One final note on ISA server: if you run IIS services, you have to use a port other than port 80 for HTTP outbound traffic on ISA server. IIS services use port 80 and will conflict with ISA server.

by peter.berger@genexsrvcs In reply to

IT ADUDE IT: Thanks for the tips. I followed your directions to a tee and am getting the same authentication box with or without using the ISA proxy client. I have made sure that the DHCP/DNS servers' WPAD entries are correct. Once I do authenticate I can surf w/ no problem.

I created an AD group called "Extended Internet Access" and put myself into this group. I followed the Content Rule Wizard and made sure this group had rights to surf 24x7. I then made sure that the ISA server is still advertising WPAD on 8080 and that the incoming/outgoing requests do not require authentication, yet I'm still being presented with a box. Stumped. Is there anything else I can do/check? THANKS!!!

Found out the problem. Internal DNS didn't know about the ISA server. Ping ISASERVER resulted in nothing. I fixed it and now WPAD/autodetect from DHCP works fine. Thanks for the tips. :)

This question was closed by the author
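
A check for the failure found in the last post, as an added example that is not part of the original thread: it extracts the proxy host from a wpad.dat body and tests whether the client's resolver knows that name. The PAC text is a constructed sample (only ISASERVER and port 8080 come from the thread), and all function names are made up here.

```python
import re
import socket

# Constructed sample of a wpad.dat body. ISASERVER and 8080 come from the
# thread; the rest of the script is invented for illustration.
SAMPLE_WPAD = '''
function FindProxyForURL(url, host) {
    if (isPlainHostName(host)) return "DIRECT";
    return "PROXY ISASERVER:8080; DIRECT";
}
'''

# PAC return strings use upper-case PROXY/SOCKS followed by host[:port].
PROXY_RE = re.compile(r'\b(?:PROXY|SOCKS)\s+([^\s;:"\']+)(?::(\d+))?')


def proxy_targets(pac_text):
    """Return the unique (host, port) pairs named in PROXY/SOCKS directives."""
    seen = []
    for host, port in PROXY_RE.findall(pac_text):
        target = (host, int(port) if port else None)
        if target not in seen:
            seen.append(target)
    return seen


def system_resolve(name):
    """Resolve a name with the client's configured resolver; None on failure."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def check_wpad(pac_text, resolve=system_resolve):
    """Map each proxy target to its address, or None if the name is unknown."""
    result = {}
    for host, port in proxy_targets(pac_text):
        label = f"{host}:{port}" if port else host
        result[label] = resolve(host)
    return result


def unresolved(pac_text, resolve=system_resolve):
    """List the proxy targets whose host name does not resolve."""
    return sorted(t for t, a in check_wpad(pac_text, resolve).items() if a is None)


if __name__ == "__main__":
    for target, addr in check_wpad(SAMPLE_WPAD).items():
        print(f"{target:25} {'-> ' + addr if addr else 'DOES NOT RESOLVE'}")
```

Run it on a client machine against the wpad.dat that is actually being served, so the lookup goes through the same internal DNS the browser uses.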
