ISA 2006: GPO blocking user authentication?!
OK, we've had real problems getting our ISA 2006 up and running. Currently it's not operational, which is obviously a huge problem, so any ideas would be greatly appreciated.
Client PCs, when logged in as domain admins, are able to get internet access fine. However, if a non-admin account tries to access, we receive a 403 Forbidden error.
We traced this and found that the clients weren't passing authentication credentials to the ISA server; they're just anonymous requests, so the ISA fails due to it only accepting authenticated users.
As a test, we put a computer object in an unmanaged OU without any group policies, gpupdated the machine and tried the internet. Works fine. Passed authentication and all rules applied perfectly to the 'all authenticated users' group. We tested this with a student/teacher account, worked fine.
So we started disabling GPOs inherited by the original OU until we found that one of our GPOs (Curriculum User Settings) seemed to be causing the problem.
We did the following:
Disable the GPO (Fixes authentication problems, proxy and all rules work but obviously user settings destroyed!)
Deleted all settings within the GPO manually :bored: (Authentication remained broken)
Our only conclusion is that somehow that GPO has decided to arbitrarily break authentication with ISA 2006 and its clients. It's totally beyond me.
Now the REALLY weird part...
If we allow access to ALL users, we can get to Google as students, but if we try Wikipedia or other sites we get a 400 error.
Can anyone please shed any light on this really odd problem? I've found a thread that's kind of similar but I can't be sure if it really helps:
Any ideas? Cos I'm totally out.
At the moment my manager is VPNing into the network, rewriting the GPO from scratch, in the hope that will sort it. Not good!