There are four types of authentication methods supported by ISA server.
- Client certificates and server certificates
- Basic authentication
- Digest authentication
- Integrated authentication
Client certificates and server certificates
A server certificate is sent to the client when the server authenticates itself, the server requests identification from the client. The client then needs to send the appropriate client certificate to the server. During the logon process the user’s web browser submits encrypted identification (or the certificate) for inspection by SSL server. Certificates are used to verify that the users of the server are who they claim to be. The certificate includes all of the credential information linked to that organization or client that is need.Client certificate (in SSL bridging scenarios)
This authentication method is used when ISA Server requests a client certificate from the client machine, before allowing the resource request to be processed.
The client sends a request to the ISA server and the server sends a certificate to the client.
The ISA server then performs the role of the SSL web server computer.
When the client receives the certificate it is able to verify that the certificate indeed belongs to the ISA server.
A resource request is then sent to the ISA server by the client
The ISA server checks the certificate to verify it is identical to the one it sent to the client in the beginning of the process. (this protects the client making sure no one is spoofing)
ISA server checks to see if the client is allowed access to the resource requested.
Basic Authentication is the same as the http process of authentication. All transactions are in clear text, but usernames and passwords are encoded. No encryption is used = low overhead on system.
The user is prompted by the application they are using for a username and password
The user fills these credentials in correctly remembering that the password is case sensitive.
The application (this could be the web browser) encodes or prearranges the credentials and sends it to the server
The server compares these credentials to its own list of accounts locally, in the domain or trusted domain, and then grants access to the resources that the client has been configured access for.
This method of Authentication will only function in windows 2000 domains.This method of authentication is safer than basic authentication as the user credentials are hashed or encrypted; where as basic authentication sends the credentials over the wire in clear text.
Authentication that is processed in the Digest manner involves the user credentials passing through a one-way process, also known as hashing.
This hashing process results in a message digest (hash) and the original credentials can not be deciphered from the hash string sent to the ISA Server. Unique data is added to the credentials (normally the password) before the hashing process takes place so no other users can sniff the packets with a packet capturer and try to attempt to be an imposter (or spoof).
Data is added to the hash string that identifies the originating computer, username and domain where the user account belongs. Time stamps are also added to the string to provide better password security.
Using an IE browser later that 5.5 would be strongly recommended when dabbling with this type of authentication. Using other lower versions or browsers might result in no access to the resource.This form of authentication is secure, no username or password is sent across the wire at any point. Integrated authentication makes use of Kerbros or the built in (NTLM) Challenge/response authentication protocol.
Pass-through authentication is when ISA Server passes a client's authentication information to the server where the resource requested resides. ISA Server supports this authentication method for both outgoing and incoming Web requests