• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

media player authentication box

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Web Proxy] >> Web Proxy Client >> media player authentication box Page: [1]
Login
Message << Older Topic   Newer Topic >>
media player authentication box - 27.Jun.2008 5:21:40 AM   
richardnreid

 

Posts: 10
Joined: 17.Dec.2007
Status: offline
Hi guys

I am running ISA 2006 on 2003.  It is configured with intergrated authentication on the local host and internal network objects.  We use it purely as a web proxy so allow alll through the firewall.  One thing we do implement in the only firewall rule is a user group based on a AD group for internet users

The problem is when, for example, browsing bbc and opening a media player link.  I get a proxy authentication box appear.  Why would this be? I thought by using integrated authentication this should not happen?  It needs to be transparent to users!

Can anyone help?!

Many thanks

Richard
Post #: 1
RE: media player authentication box - 27.Jun.2008 9:25:19 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Richard,

when you put your user name and password, the traffic is allowed? I mean, can you open this link?

Regards,
Paulo Oliveira.

(in reply to richardnreid)
Post #: 2
RE: media player authentication box - 27.Jun.2008 10:29:39 AM   
richardnreid

 

Posts: 10
Joined: 17.Dec.2007
Status: offline
Hi Paulo, thanks for the reply

Yes it does allow access when you enter a username/ password

Which shows the user is correctly authenticated.  However, as intergrated authentication is set it should be completely transparent to the end user??

Many thanks

Richard

(in reply to paulo.oliveira)
Post #: 3
RE: media player authentication box - 27.Jun.2008 11:21:18 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Because of limitations and "in-capabilities" with Windows Media Player it will not be possible for it to be transparent to users if proxy authentication is required.

Earlier version of WMP didn't seem to have the problem, but I think when they hit version 9 they screwed up the part of it that interacts and authenticates with a CERN Compliant Web Proxy when authentication is required.  There was supposed to be a patch that fixed it but when I tried it the problem still persisted.  The problem continued with later versions of WMP but I do not know if it is still an issue with the latest WMP if fully patched.

The solution is to:
1. go into the Options of the Media Player
2. go to the Network Tab
3. Go down to the lower section "Streaming Proxy Settings"
4. If any of them are set to "browser" change them to "none".

This will cause:
1. With a single-nic web proxy the WMP will simply ignore the proxy and and follow the LAN's Routing path to the Internet which is going to be your NAT Firewall.  This means the NAT Firewall will have to allow outbound access for those protocols which include HTTP.  This means users can remove the proxy settings from their browsers and bypass the proxy.  This is why single-nic caching servers are a waste of time an money and should be wiped from the face of the earth (in my opinion).

2. With a normal full featured properly installed and properly functioning multi-nic ISA this will cause the WMP to stop using the Web Proxy Service and will fall back to being a Firewall Client or SecureNAT Client.  If the Firewall Client is not installed it will have to be a SecureNAT Client which means the access has to be anonymous for HTTP.   This downside is a good example of why all ISA installations should be done so that ISA is used with all its features the way it was intended to be used and all the workstations,..at least those that run Windows, should have the Firewall Client installed.

Here's the WMP article that did not work for me, but explains the issue:

816089 - FIX: Windows Media Player 9 Series Prompts User for Credentials with NTLM
http://support.microsoft.com/default.aspx?scid=kb;en-us;816089

By the way,...you will likely have the same problem with Java Applets that use the JRE and run in the Browser.  The Java JRE has the same issues with it that the WMP has had. You will have to go into the JRE (Java Icon in Control Panel) and tell it to not use a proxy.  You will have the same resulting effects as with the WMP.

_____________________________

Phillip Windell

(in reply to richardnreid)
Post #: 4
RE: media player authentication box - 27.Jun.2008 12:21:13 PM   
richardnreid

 

Posts: 10
Joined: 17.Dec.2007
Status: offline
Philip, thank you for the detailed reply!

Nice to know in a way that it is a bug in WMP.  Can stop tearing my hair out now.

That gives me somethings to go on - such as defaulting users through real player which most machines have installed

Thanks again

Richard





(in reply to pwindell)
Post #: 5
RE: media player authentication box - 27.Jun.2008 12:33:14 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
...can't say for sure it won't happen with RP.  Most products out there seem to have similar problemes authenticating with a CERN Compliant Web Proxy when authentication is required.  It seems to linger around the order or sequence that things are presented and requested during the process.   Tom Shinder could probably elaborate on that,..it is kind of beyond me.  Remember that with most CERN Compliant Web Proxys out there, there is no authentication or even if capable doesn't seem to be commonly used.  ISA Server is probably the most prevelant one out there in use and most developers are not very sharp when it comes to properly interacting with ISA server for some reason. I have no idea why there is such a blind spot there for them, but it seems to be common, appearantly even among some of MS's developers in the case of WMP.

Spyware and AV products trying to update their definitions are another big example of this.  Adaware is one such example and has only gotten worse in more recent versions,..at least the older ones you could disable the proxy settings in it and it would work with the Firewall Client,..but now it doesn't seem to even do that correctly.

_____________________________

Phillip Windell

(in reply to richardnreid)
Post #: 6
RE: media player authentication box - 27.Jun.2008 2:36:44 PM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
This has been discussed in Toms blog.

You can either as said by pwindell to disable the proxy setting inside each of your clients WMP, or as seens in Toms blog, this can be done also by using Registry or even Group Policy for easier management.

Check it all here : http://blogs.isaserver.org/shinder/2007/11/22/fixing-windows-media-player-authentication-prompts/

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to richardnreid)
Post #: 7
RE: media player authentication box - 27.Jun.2008 3:19:25 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Ah! Yes. I should have mentioned GPO. That's what I have done here in fact.  I guess I forgot,...I'm getting old,..or I'm tired,...or it's raining outside,..or something.


_____________________________

Phillip Windell

(in reply to elmajdal)
Post #: 8
RE: media player authentication box - 29.Jun.2008 4:59:16 AM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Wish it was raining here

The temp here is 130 F !! and my head is on fire

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to pwindell)
Post #: 9

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 Web Proxy] >> Web Proxy Client >> media player authentication box Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts