JeffVandervoort -> Proxy authentication problem (8.Dec.2006 3:10:45 PM)
I'm a computer consultant; my notebook computer is a member of my company's domain, not my clients' domains. One client company has an ISA 2004 SP2 firewall, to which my notebook is a web proxy client. I have a Domain Admin account on their network. ISA computer is a WS2003SP1 domain member.
This worked fine until about a week ago, when I kept getting prompted for credentials by ISA when I'd try to browse a web page. It would not accept my credentials on the company's domain.
Here's where it gets really weird: If I use Control Panel/User Accounts to cache my credentials for this server, IE prompts me for credentials, and when I finally give up, I get this ISA error page "Error Code: 407 Proxy Authentication Required. The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. (12209)".
The Security log on the ISA 2004 computer shows this event:
Reason: Unknown user name or bad password
User Name: `‚|+ ‚p0‚l $0" *†H‚÷ *†H†÷
Logon Type: 3
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: SERVER4A
Caller User Name: NETWORK SERVICE
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E4)
Caller Process ID: 3668
Transited Services: -
Source Network Address: -
Source Port: -
The user name, obviously, is not being passed correctly. Password is probably messed up, too, though there's no way to tell that. Account Lockout Tool does not show any bad passwords, but that would likely be because the username being furnished is gibberish so there's no account in AD to check the password against.
If I delete the credentials for that server from the Windows cache, IE7 doesn't even prompt me for credentials, and just times out. The Security log on the ISA computer show no logon/logoff events in this scenario.
I'm not aware of any changes to the ISA computer or my notebook coincident with the behavior change. I can connect to other network resources with the same credentials without problems. In fact, there's an ISA 2000 firewall on the same system that will soon be retired. It, too, requires authentication. If I make myself a Web Proxy client to the ISA 2000 firewall, I can browse the web.
I also find I can browse the ISA server via Explorer from other computers, but not from mine. When I try, I'm again prompted for credentials that are not accepted.
When I repeat these scenarios with another user account, I have the same result, so that at least rules out a problem with my user account.
So...we have a failure that can be reproduced on only ONE client computer and against only ONE server. Any idea where I look for the problem?