ISA Server Authentication Options
You can configure which authentication method ISA Server will use to authenticate users that connect using Web Proxy clients. ISA Server supports the following authentication methods:
- Basic authentication: Basic authentication sends and receives user information as plaintext and does not use encryption. Basic authentication is the least secure authentication method that ISA Server supports. However, because Basic authentication is part of the HTTP specification, most browsers support it.
- Digest authentication: Digest authentication passes authentication credentials through a process called hashing. Hashing creates a string of characters based on the password but does not send the actual password across the network, so no one can capture a network packet containing the password and impersonate the user. Digest authentication currently works only in a domain in which all the domain controllers are running Microsoft Windows 2000 or Windows Server 2003 and client computers are running Internet Explorer 5 or later. Digest authentication also works only if the domain controller has a reversibly encrypted copy of the requesting user's password stored in Active Directory. This is not the default configuration, so you must enable it. Storing a password with reversible encryption is significantly less secure than the Active Directory default, in which the password is stored as a one-way hash.
- Integrated Windows authentication: Uses either the Kerberos version 5 authentication protocol or the NTLM protocol, neither of which sends the user name and password across the network. Integrated Windows authentication works with Internet Explorer 2.0 or later. Use Integrated Windows authentication when all the client computers use Internet Explorer. Integrated Windows authentication is the default authentication method used by members of the Windows 2000 Server and Windows Server 2003 families.
- Digital certificates authentication: Requests a client certificate from the client before allowing the request to be processed. Users obtain client certificates from a certification authority that can be internal to your organization or a trusted external organization. Client certificates usually contain identifying information about the user and about the organization that issued the certificate. Client certificates are more commonly used to authenticate Internet users than internal users trying to access the Internet. Web Proxy clients do not support client certificate authentication.
- Remote Authentication Dial-In User Service (RADIUS): RADIUS is an industry-standard authentication protocol. A RADIUS client (typically a dial-up server, VPN server, or wireless access point) sends user credentials and connection parameter information in the form of a RADIUS message to a RADIUS server. The RADIUS server authenticates the RADIUS client request and sends back a RADIUS message response. RADIUS authentication is more frequently used to provide authentication for accessing resources on the internal network from the Internet.
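The following added example (not code from the page or from ISA Server) makes the difference between the Basic and Digest methods above concrete. It builds both kinds of Proxy-Authorization header for a constructed user, shows that a captured Basic header yields the plaintext credentials because base64 is encoding rather than encryption, and implements the RFC 2617 Digest computation (MD5, qop=auth) on both the client and server side. The server-side verifier needs HA1, which can only be derived from the user's plaintext password; that is the reason the text gives for requiring a reversibly encrypted password in Active Directory. The realm, URI, credential store and nonces are constructed assumptions.

```python
"""Basic vs. Digest proxy authentication (constructed example, not ISA Server code)."""
import base64
import hashlib
import hmac
import re
import secrets

REALM = "isa.example.local"         # constructed realm (assumption)
URI = "http://www.example.com/"     # constructed request URI (assumption)
USERS = {"alice": "S3cret!"}        # constructed credential store (assumption)


def basic_header(username, password):
    """Build a Proxy-Authorization: Basic header. The token is base64, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_credentials_from_header(header):
    """Anyone holding a captured Basic header recovers the plaintext credentials."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic header")
    username, _, password = base64.b64decode(token).decode().partition(":")
    return username, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(username, realm, password):
    """HA1 is the only point where the password enters the Digest computation."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response value for qop=auth; the password itself never appears."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_header(username, password, method, uri, nonce, nc="00000001", cnonce=None):
    """Client side: build the Proxy-Authorization: Digest header."""
    cnonce = cnonce or secrets.token_hex(8)
    response = digest_response(digest_ha1(username, REALM, password),
                               method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,]*))')


def parse_digest_params(header):
    """Parse 'key="quoted"' and 'key=unquoted' pairs from a Digest header."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {key: quoted or unquoted for key, quoted, unquoted in _PARAM.findall(rest)}


def lookup_ha1(username, realm):
    """Server side: HA1 can only be produced from the plaintext password (or a
    stored HA1), never from a one-way password hash such as the AD default."""
    password = USERS.get(username)
    return None if password is None else digest_ha1(username, realm, password)


def verify_digest(header, method, ha1_lookup, issued_nonces):
    """Server side: recompute the response and compare in constant time."""
    p = parse_digest_params(header)
    if p.get("nonce") not in issued_nonces:
        return False                                   # forged or stale nonce
    ha1 = ha1_lookup(p.get("username"), p.get("realm"))
    if ha1 is None:
        return False                                   # unknown user
    expected = digest_response(ha1, method, p["uri"], p["nonce"],
                               p["nc"], p["cnonce"], p.get("qop", "auth"))
    return hmac.compare_digest(expected, p.get("response", ""))


def demo():
    """Run both schemes once and report what a captured header reveals."""
    nonce = secrets.token_hex(16)
    basic = basic_header("alice", "S3cret!")
    digest = digest_header("alice", "S3cret!", "GET", URI, nonce)
    return {
        "basic_recovered": basic_credentials_from_header(basic),
        "digest_contains_password": "S3cret!" in digest,
        "digest_verifies": verify_digest(digest, "GET", lookup_ha1, {nonce}),
        "wrong_password_verifies": verify_digest(
            digest_header("alice", "wrong", "GET", URI, nonce), "GET", lookup_ha1, {nonce}),
        "stale_nonce_verifies": verify_digest(digest, "GET", lookup_ha1, set()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The nonce check is what stops a captured Digest header from being replayed after the server retires the nonce; the Basic header, by contrast, is valid for as long as the password is, which is why the text ranks it as the least secure option.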
ISA Server Clients and Authentication
The ISA Server authentication that you choose depends on the type of ISA Server client you have deployed in your organization.
SecureNAT Clients: For SecureNAT clients, there is no user-based authentication. You can restrict access to the Internet based only on network rules and other access rules. If an access rule requires authentication, SecureNAT clients will be blocked from accessing the resources defined by the rule.
Firewall Clients: When ISA Server authenticates a Firewall client, it uses the credentials of the user making the request on the computer running the Firewall client. Because ISA Server requests credentials when a session is established, no client configuration is required to enable authentication of users who gain access to ISA Server by using a Firewall client. When the Firewall client requests an object, ISA Server does not ask the client to authenticate, because the session already has an identity.
Web Proxy Clients: Web Proxy clients do not automatically send authentication information to the ISA Server computer. By default, ISA Server requests credentials from a Web Proxy client only when processing a rule that restricts access based on a user set element. You can configure which method the client and ISA Server use for authentication.
You can also configure ISA Server to require authentication for all Web requests. When a Web Proxy client requests HTTP content and all users are required to authenticate, ISA Server will always ask for user credentials before checking the firewall policy. Otherwise, ISA Server will try to determine if the first rule (of the ordered firewall policy) matches the client request. If the rule seems to match, but ISA Server requires client authentication to validate the match, ISA Server will request that the client authenticate.
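To make the client-type behaviour in this section testable, here is an added model of the decision logic it describes (example code, not ISA Server's implementation): an ordered policy of access rules, each with a destination set and a user set; SecureNAT requests that hit a rule requiring an identity are blocked; Firewall client requests carry the session identity; Web Proxy requests are challenged for credentials either before the policy is consulted (when all users must authenticate) or only when the first matching rule needs an identity to validate the match. The rule names, destinations and user sets are constructed, and "challenge" stands for the proxy's request for credentials.

```python
"""Model of ISA Server access-rule evaluation per client type (constructed example)."""
from dataclasses import dataclass
from typing import Optional, Set

ALL_USERS = "All Users"                        # needs no identity
ALL_AUTHENTICATED = "All Authenticated Users"  # any known identity
USER_SETS = {"Managers": {"alice"}}            # constructed user set (assumption)


@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    destinations: Set[str]      # constructed destination names the rule matches
    user_set: str = ALL_USERS   # anything other than ALL_USERS needs an identity


@dataclass
class Request:
    client_type: str            # "securenat", "firewall" or "webproxy"
    destination: str
    user: Optional[str] = None  # session identity (Firewall client) or supplied credentials


def rule_needs_identity(rule):
    return rule.user_set != ALL_USERS


def user_in_set(user, user_set):
    if user_set == ALL_USERS:
        return True
    if user is None:
        return False
    if user_set == ALL_AUTHENTICATED:
        return True
    return user in USER_SETS.get(user_set, set())


def evaluate(req, policy, require_all_webproxy_auth=False):
    """Return "allow", "deny" or "challenge" for one request against an ordered policy."""
    # Option from the text: all Web requests must authenticate, so credentials are
    # requested before the firewall policy is checked at all.
    if req.client_type == "webproxy" and require_all_webproxy_auth and req.user is None:
        return "challenge"
    for rule in policy:                       # ordered firewall policy, first match wins
        if req.destination not in rule.destinations:
            continue
        if rule_needs_identity(rule) and req.user is None:
            if req.client_type == "securenat":
                return "deny"                 # no user-based authentication is possible
            if req.client_type == "webproxy":
                return "challenge"            # identity needed to validate the match
        if user_in_set(req.user, rule.user_set):
            return rule.action
        # identity known but not in the rule's user set: the rule does not match
    return "deny"                             # default rule denies everything else


POLICY = [  # constructed policy (assumption)
    Rule("Managers to Internet", "allow", {"www.example.com"}, "Managers"),
    Rule("Everyone to intranet", "allow", {"intranet.local"}),
]


def scenarios():
    """Walk the cases described in the text and return the decision for each."""
    return {
        "securenat_intranet": evaluate(Request("securenat", "intranet.local"), POLICY),
        "securenat_internet": evaluate(Request("securenat", "www.example.com"), POLICY),
        "firewall_client_alice": evaluate(Request("firewall", "www.example.com", "alice"), POLICY),
        "webproxy_anonymous": evaluate(Request("webproxy", "www.example.com"), POLICY),
        "webproxy_alice": evaluate(Request("webproxy", "www.example.com", "alice"), POLICY),
        "webproxy_bob": evaluate(Request("webproxy", "www.example.com", "bob"), POLICY),
        "webproxy_intranet_require_all": evaluate(
            Request("webproxy", "intranet.local"), POLICY, require_all_webproxy_auth=True),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name}: {decision}")
```

Note the "webproxy_bob" case: once the identity is known and the rule's user set does not contain it, the rule simply fails to match and evaluation continues, so a user who authenticated successfully can still be denied by the default rule.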