To configure authentication methods for Web
In the console tree of ISA Server Management, click
In the details pane, click the Networks tab, and then
select the applicable network.
On the Tasks tab, click Edit Selected
On the Web Proxy tab, click Authentication.
Select the authentication method that may be used to
authenticate clients connecting to the selected network.
Select Require all users to authenticate, to force
clients from this network to authenticate using one of the selected
If you select RADIUS, Digest, or Basic authentication, click
Select Domain and type the name of the domain to use when
If you select RADIUS authentication, you must enable the system
policy's RADIUS configuration group (in the Authentication
If you select RADIUS authentication, click RADIUS
Servers to configure the servers to use for RADIUS
To open ISA Server Management, click Start, point to
All Programs, point to Microsoft ISA Server, and then
click ISA Server Management.
For ISA Server 2006 Enterprise Edition, expand
Microsoft Internet Security and Acceleration
Server 2006, expand Arrays, expand
Array_Name, expand Configuration, and then
For ISA Server 2006 Standard Edition, expand Microsoft
Internet Security and Acceleration Server 2006, expand
Server_Name, expand Configuration, and then
Requiring all users to authenticate may block traffic to sites,
such as Windows Update, that do not support user authentication. To
ensure that you do not unintentionally block traffic to such sites,
we recommend enforcing user authentication on firewall policy
access rules and publishing rules, instead of selecting Require
all users to authenticate.
Users who log on to the network with the Basic authentication
methods must belong to a specific domain. Usually, the Windows
domain that is used for Basic authentication is the local domain in
which the Web server is active. A different domain can be
specified, if required.
When no domain is explicitly specified, ISA Server uses its own
If you select RADIUS authentication, you cannot select any
other authentication method.
If you do not select an authentication method and if the
firewall policy includes rules that require users to authenticate,
authentication will fail and the request will be denied.
Kerberos authentication depends upon User Datagram Protocol
(UDP) packets that are commonly fragmented. If your ISA Server
computer or array is in a domain, and you enable the blocking of IP
fragments, Kerberos authentication will fail. For example, if the
computer uses Kerberos for authentication during user logon, logon
will fail. We recommend that you do not enable the blocking of
packets containing IP fragments in scenarios where Kerberos
authentication is used.