09-06-2012 02:12 AM - edited 03-11-2019 04:50 PM
Hello,
I have configured an ASA5510 for clientless access by using the ASA http bookmark. The web server requires authentication by sending a web server logon screen. If I enter the user credentials in the IE7 or IE9 browser on the web server logon screen, the authentication fails and the web server logon screen appears again and again without any error message. If I use the Firefox browser instead of the IE browser, the web server authentication works without any problems. This problem appears only when using the ASA device; local LAN access with IE7 and IE9 and web server authentication works without any problems. Is it possible to configure the ASA http bookmark with the domain credentials? Does anybody have an idea how to solve this problem?
Thank You.
Michael
09-09-2012 05:37 AM
Hi Michael,
Please get the following:
- Captures on the ASA that will show us what is happening between the server and the ASA:
access-list capin permit tcp ASA_IP SERVER_IP eq 80
access-list capin permit tcp SERVER_IP eq 80 ASA_IP
Do the test and then collect the captures:
copy /pcap capture:capin tftp:
- Captures when the authentication is working fine (either locally or via Firefox through the portal).
Also, do you have any idea what authentication is requested by the server (BASIC, NTLM, ...)?
HTH .
Mohammad.
09-13-2012 09:00 AM
Hello,
I have captured the traffic with IE7/8/9.
IE7 and IE9 use NTLM for authentication by sending a POST packet to the server.
SRV -> Client
Microsoft-IIS/7.5
http.www_authenticate:Negotiate
http.www_authenticate: NTLM
Client -> SRV
CSCO_WRAPPED=1&proxy=0&handler=2&req_method=GET&realm=&ucte_headers=R0VUIC9TY2…
Client -> SRV
POST
type=NTLM&ucte_body=&auth_attempt=1&username=xxxxxxxx&password=xxxxxxx&Continue=Continue
After that the client sends a FIN packet, answered with FIN/ACK by the server.
IE8 uses NTLM (NTLMSSP) for authentication by sending a GET packet to the server.
Client -> SRV
GET ..Frontoffice.aspx NTLMSSP_AUTH User:xxxxxx
After that the server sends the next Silverlight web site.
best regards,
Michael
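Added example, not part of any post in this thread: a Python sketch for reading captures like the ones above, listing the schemes a 401 offers and telling a request that carries an NTLMSSP token in an `Authorization` header (the IE8 case) from one that carries credentials as form fields (the IE7/IE9 POST). The sample headers, the request paths and the all-zero NTLM payload are constructed for illustration.

```python
import base64
import struct
from urllib.parse import parse_qs

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def ntlm_message_type(token_b64):
    """Name the NTLMSSP message inside a base64 token, or None if it is not NTLMSSP."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    (msg_type,) = struct.unpack_from("<I", raw, 8)  # little-endian uint32 after the signature
    return NTLM_TYPES.get(msg_type, "UNKNOWN(%d)" % msg_type)

def offered_schemes(header_lines):
    """List the schemes a 401 response offers, in the order the server sent them."""
    schemes = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            parts = value.split()
            schemes.append(parts[0] if parts else "")
    return schemes

def classify_request(header_lines, body=""):
    """Say how a request carries credentials: header token, form fields, or not at all."""
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            kind = ntlm_message_type(token.strip())
            return "header:%s:%s" % (scheme, kind or "opaque")
    fields = parse_qs(body, keep_blank_values=True)
    if "username" in fields and "password" in fields:
        return "form:%s" % fields.get("type", ["?"])[0]
    return "none"

# Constructed samples modelled on the thread's captures (no real credentials).
TYPE3 = base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", 3) + b"\x00" * 52).decode()
RESPONSE_401 = ["Server: Microsoft-IIS/7.5", "WWW-Authenticate: Negotiate", "WWW-Authenticate: NTLM"]
IE8_GET = ["GET /Frontoffice.aspx HTTP/1.1", "Authorization: NTLM " + TYPE3]
IE9_POST_BODY = "type=NTLM&ucte_body=&auth_attempt=1&username=x&password=x&Continue=Continue"

if __name__ == "__main__":
    print(offered_schemes(RESPONSE_401))
    print(classify_request(IE8_GET))
    print(classify_request(["POST /placeholder HTTP/1.1"], IE9_POST_BODY))
```

Feeding it the header lines and body exported from the working and failing captures shows at a glance whether the browser itself ever sent an NTLMSSP token.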
04-01-2013 07:33 AM
I am also experiencing a very similar issue. Were you ever able to get this resolved?
04-01-2013 12:41 PM
After a few weeks working with Cisco TAC on this issue, they have come back and told me it is my IE settings, though they cannot tell me what settings could cause this or what I should do to get IE to work. I really feel like Cisco is just washing their hands of the problem and leaving me on my own.
We tried smart tunneling to get to the particular web page, but that comes back with "Page cannot be displayed". If we don't use smart tunneling for this particular page, it just asks for logon information over and over.
We can use the web portal to get to other internal web pages with no problems. We only experience this issue with two particular internal websites. We can use Safari and Firefox and we are able to get to these sites. This only fails when using IE.
For better or worse, our company has standardized on IE as the browser we will use and support across all of our platforms, so I really need to get this working.
Any suggestions from anyone would be appreciated.