• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

RE: Proxy authentication problem

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Cache] >> Web Proxy client >> RE: Proxy authentication problem Page: <<   < prev  1 [2] 3   next >   >>
Login
Message << Older Topic   Newer Topic >>
RE: Proxy authentication problem - 13.Feb.2007 9:21:36 PM   
JeffVandervoort

 

Posts: 142
Joined: 20.Nov.2004
Status: offline
Wow...at this writing, there are more hits on this thread than any other in this section by a factor of 2. Guess there are a lot of lurkers bumping up against this!

And lurkers and posters alike may now have a solution...

I've only tested this on one problem machine, so my sample size is admittedly tiny. But after installing all the relevant updates released to WSUS today (13 Feb 2007)--and my bet is that it's KB928090, "MSO7-016: Cumulative security update for Internet Explorer"--IE7 was able to authenticate against the ISA server with "Enable Windows Integrated Authentication" turned on! It was a machine that, moments before the patch install, was unable to authenticate. If I have time, I'm going to check again tomorrow after WSUS has pushed this update to more computers. Cross your fingers, folks. 
I also don't know if the problem is solved by making Kerberos work reliably, or "solved" by dropping back to NTLM. Will take a look at some IE headers too if I have a chance. But I note with great interest that http://support.microsoft.com/default.aspx?scid=kb;EN-US;321728 was revised on 8 February, and it now says that IE7 DOES authenticate to proxies with Kerberos. This gives me hope that it now also RELIABLY authenticates with Kerberos. Would be interested in reading if anyone else sees what I'm seeing.

(in reply to micm)
Post #: 21
RE: Proxy authentication problem - 14.Feb.2007 3:38:41 AM   
micm

 

Posts: 12
Joined: 15.Jan.2007
Status: offline
Interesting!

I've not yet approved this update, but once I have and it's made its way to a few of the machines that were causing issues previously, I'll turn Integrated Auth back on in GP and see if it remains solved!

Thanks for the heads up!

(in reply to JeffVandervoort)
Post #: 22
RE: Proxy authentication problem - 27.Feb.2007 9:27:14 AM   
zachdgreen

 

Posts: 1
Joined: 27.Feb.2007
Status: offline
I have a similar problem, but the IE7 security update did not fix my problem. We recently setup a new ISA 2004 proxy server to replace the old one, and using GPO we pushed the server name change to almost all computers. A few computers have an issue receiving the new GP, so to make sure they are going to the correct server, we changed the dns record of the old ISA server to the address of the new one. Now all computers, regardless of which proxy server address they have, go to the new server. However, now on the computers with IE7 that are using the old ISA server address, the users are prompted for authentication. Like others, removing the "Enable Integrated Windows Authentication" fixed the prompting for authentication problem. But do any of you guys know what would cause the authentication error only on IE7 that is being redirected using DNS? If IE7 has the address of the new server, it works fine. Any ideas?

Thanks.

(in reply to micm)
Post #: 23
RE: Proxy authentication problem - 14.Mar.2007 1:52:19 AM   
veydajar

 

Posts: 3
Joined: 15.Sep.2006
Status: offline
Interesting. A similar problem has arisen recently in my environment. Except that I haven't rolled out IE7 into production environment just yet (we have a custom LOB web-app that's not compatible yet).

Some (about 5 out of 250) domain member computers are experiencing difficulties logging onto proxy (a basic authentication window pops up), and that problem is of come-and-go type - appears and disappears for no apparent reason.

Also, clients can't authenticate to proxy using basic authentication - even if such domain account exists and the credentials are input correctly (tested on non-domain computers only, tho). According to ISA webproxy logs, the client computer doesn't even try to authenticate, all it does is bang the server with unsuccessful anonymous attempts.

What's even more curious - on one of the computers the integrated authentication works when it's assigned its IP address by DHCP, and it doesn't work when the same address is given out statically.

There is only one (deny) rule in the ISA list that requires authentication, and both integrated and basic authentication are enabled for Internal, the 'require all users to authenticate' is off.

(in reply to zachdgreen)
Post #: 24
RE: Proxy authentication problem - 23.Mar.2007 7:34:16 AM   
AdamG

 

Posts: 1
Joined: 23.Mar.2007
Status: offline
Hi I was wondering if there was anyway to set NTLM as the primary authentication method and have Kerberos as secondery

(in reply to veydajar)
Post #: 25
RE: Proxy authentication problem - 11.Apr.2007 6:25:07 AM   
veydajar

 

Posts: 3
Joined: 15.Sep.2006
Status: offline
Well I've solved MY problem.

The "Network security: LAN Manager authentication level" was set to "Send NTLMv2 response only\refuse LM&NTLM" at the Default Domain Policy level.

DOH!
So I lowered it to "Send NTLMv2 response only\refuse LM" and everything runs smoothly now.

(in reply to AdamG)
Post #: 26
RE: Proxy authentication problem - 3.May2007 8:38:48 PM   
kwhelan

 

Posts: 43
Joined: 30.Aug.2004
Status: offline
this has driven some of our users insane here.Can someone please help with how to group policy the change,I can't find anyway to send it to all our workstations in AD,is there a script or something I anm Missing to apply this globaly to our Domain please

(in reply to veydajar)
Post #: 27
RE: Proxy authentication problem - 3.May2007 9:38:38 PM   
JeffVandervoort

 

Posts: 142
Joined: 20.Nov.2004
Status: offline
This setting is not settable through Group Policy as furnished by Microsoft. One of my earlier posts in this thread shows the registry setting that is required. 3 relatively easy choices:
  1. Create your own ADM file to set the setting.
  2. Create a .reg script that you run during the logon script.
  3. Install DesktopStandard Registry Extension (free download, and now a Microsoft product) on all your clients (installable via GPO), and use that to set the setting so I could back it out easily when/if Microsoft decides to fix the problem.

Since I already had Registry Extension available to me, I used option 3. That will also allow me to easily reverse the change when/if Microsoft decides to fix this mess.

Wonder if anyone knows if ISA 2004 SP3 fixes it? I notice the KB says there are proxy authentication fixes...not clear on whether it applies to us.

(in reply to kwhelan)
Post #: 28
RE: Proxy authentication problem - 3.May2007 9:53:41 PM   
kwhelan

 

Posts: 43
Joined: 30.Aug.2004
Status: offline
thanks am looking into option 3 now. I installed sp3 this morning and have had one user complain since then so I guess its not fixed yet,unless it was somehow saved in his old user profile on that client,
i have found that enablenegotiate reg key under HKLM/Software,,,,as well as HKCU ,,,and again after loading the default user profile hive from the workstation.I was concerned that I would have to massage that default profile which is a right pain for 200 + machines.

(in reply to JeffVandervoort)
Post #: 29
RE: Proxy authentication problem - 4.May2007 8:14:58 AM   
JeffVandervoort

 

Posts: 142
Joined: 20.Nov.2004
Status: offline
> am looking into option 3 now.

Ironically, IE7 causes problems with Registry Extensions, too. If you use IE7 on the computers where you run GPMC, it will crash when you select a Registry node. Here's the workaround--

http://www.desktopstandard.com/kb/article.aspx?id=10569

> unless it was somehow saved in his old user profile on that client

If it was fixed, the user could use Windows Integrated Authentication. So if the problem is still occurring, it definitely isn't fixed, independent of user profile. (And it may be an IE7 issue, not an ISA issue...at that's what I'm inferring from MS PSS's somewhat cryptic comments on the subject). Thanks for the info.

(in reply to kwhelan)
Post #: 30
RE: Proxy authentication problem - 16.May2007 1:07:37 AM   
kwhelan

 

Posts: 43
Joined: 30.Aug.2004
Status: offline
After disabling the Integrated Auth reg key globaly for the domain it has fixed all clients authentication problems we were having except it has introduced a new one.
Some news sites (not all)that have video footage etc loaded in flash players wont load the movie clip.Youtube etc still work perfectly but our local country version of Yahoo doesn't.All videos just don't play and the isalogs show failed due to being unathenticated,
I am using webproxy and firewall client but its not passing auth through.turning the integrated back on I get  a popup authentication box for realm.isaserver.blah blah
this then enables the video to play.
I don't understand why these sites are using kerberos but turning integrated off isn't the complete answer.Msoft need to sort this mess ASAP please

(in reply to JeffVandervoort)
Post #: 31
RE: Proxy authentication problem - 30.Aug.2007 5:11:55 AM   
dolfic

 

Posts: 1
Joined: 30.Aug.2007
Status: offline
the problem still exist with many ie7 update
no news about the problem ? , i have the same problem , many pc with ie7 and an isa server 2006 and prompt some times but after a restart or with integrated auth turn off works well

have you good news about this problem ?

(in reply to kwhelan)
Post #: 32
RE: Proxy authentication problem - 30.Aug.2007 6:48:14 PM   
JeffVandervoort

 

Posts: 142
Joined: 20.Nov.2004
Status: offline
Speaking for myself, I haven't tried it in a while with my XP notebook. I probably should take it in and give it a try.

I did try it with my new Vista notebook. It doesn't have the problem...same user account, same ISA server, same domain. It's the only Vista machine in use on the domain, though, so I don't have enough data to know if it always works with Vista, or just happens to work with this particular Vista computer.

(in reply to dolfic)
Post #: 33
RE: Proxy authentication problem - 13.Mar.2008 5:21:23 PM   
tboggs13

 

Posts: 12
Joined: 2.Jan.2006
Status: offline
I have been having this problem sporadically for 6 months. It started with one user, and after trying many different things, it finally cleared up. I assumed it was one of the changes I made to the Network Settings on ISA or the IE settings I tweaked in GP. Then I found out that around the time I fixed the problem for that user another user started having the problem. I did some more tweaking and his problem went away. Then another cropped up and finally another.

It seems to impact users and not desktops. The same user will have the problem even if we blow out their profile and re-image their desktop. Yet, we can give them a new user object and it doesn't happen or we can login and it doesn't happen.

Any chance that ISA is caching credentials on it's end?

I will say that disabling Integrated authentication has resolved the issue for the two users that were experiencing the problem today.

(in reply to JeffVandervoort)
Post #: 34
RE: Proxy authentication problem - 13.Mar.2008 5:42:59 PM   
Rotorblade

 

Posts: 1348
Joined: 27.Feb.2007
Status: offline
As far as disabling Integrated Authentication, thatís the only way I have found to get around the issue. IE 7 does cache the password when you are prompted for authentication and saved by placing a check mark in the remember my password box. The credentials are stored in the users local profile under Documents and Settings\Application Data\Microsoft\Credentials\<SID>\Credentials. You should be careful what credentials you use because the cached credentials will be what is authenticated to the ISA; not the users logon credentials.

RB

_____________________________

David Melvin
Ohio
MCSE: Security 2003, MCSA:Security 2003

(in reply to tboggs13)
Post #: 35
RE: Proxy authentication problem - 7.May2009 5:07:26 PM   
JeffVandervoort

 

Posts: 142
Joined: 20.Nov.2004
Status: offline
Over a year since the last post to this thread...my IE7 clients are still running with "Enable Windows Integrated Authentication" turned off, but I'm curious if that's still necessary.

Anyone know if the problem's been solved by a subsequent patch? Is it still a problem with IE8?

(in reply to JeffVandervoort)
Post #: 36
RE: Proxy authentication problem - 30.Aug.2009 2:11:07 AM   
me3@neuralfibre.com

 

Posts: 1
Joined: 30.Aug.2009
Status: offline
We are having this problem on one of our sites currently.

The details I have so far are

a) 10% approx machines affected - more 3rd party visitors, but not always.

b) ISA 2K4, Server 2003, 2003 Domain Native, IE7, XP client. (unclear on Vista)

c) "Disable integrated auth" fixes it

d) Autoproxy using FQDN fails
e) Manual proxy using FQDN fails
f) Manual proxy using IP Address succeeds

This looks like a Security Zone behaviour to me. At a guess, it's putting tghe proxy into a certain zone based on the URL.

Anyone have further thoughts? Still having the issue?

Thanx
Paul

(in reply to JeffVandervoort)
Post #: 37
RE: Proxy authentication problem - 30.Aug.2009 11:55:15 AM   
JeffVandervoort

 

Posts: 142
Joined: 20.Nov.2004
Status: offline
Don't think it could be a zone problem here...we push ZoneMaps via GPP and include the DNS domain name. We specify the proxy server by FQDN in WPAD so it should be trusted.

Honestly, haven't removed the "Disable Integrated Auth" setting since we first set it so I don't know if we're having the problem. We're on IE8 now at this site, so it would be worth trying again.

Hate to experiment, though, when the risk is that a chunk of users can't use the web!

(in reply to me3@neuralfibre.com)
Post #: 38
RE: Proxy authentication problem - 31.Aug.2009 4:53:16 PM   
ISAadmin11

 

Posts: 3
Joined: 31.Aug.2009
Status: offline
I have multiple clients with IE7 that occasionally, randomly, receive this error. In addition, I have at least one client with IE8 that also receives the error.

Has anyone performed a packet capture from a client? When looking at the communication between the client and the domain controllers, I've seen a couple different results:

From XP clients: error_code: KRB5KRB_ERR_RESPONSE_TOO_BIG (52)
From Vista clients:  error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25)

Are you receiving similar errors? Any thoughts?

(in reply to JeffVandervoort)
Post #: 39
RE: Proxy authentication problem - 29.Sep.2009 9:27:11 AM   
ISAadmin11

 

Posts: 3
Joined: 31.Aug.2009
Status: offline
FYI - I'm able to reproduce this issue with ISA 2004 and ISA 2006 in our environment.

(in reply to ISAadmin11)
Post #: 40

Page:   <<   < prev  1 [2] 3   next >   >> << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Cache] >> Web Proxy client >> RE: Proxy authentication problem Page: <<   < prev  1 [2] 3   next >   >>
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts