tsternbach -> Web Proxy authentication errors on W2K clients (8.Feb.2005 11:16:00 PM)

I just installed an ISA2004 firewall to replace one running ISA2000. I use an Active Directory group to restrict which users have web access, and this was working fine on my old firewall. With my ISA2004 server, all web access initiated from Windows 2000 Pro computers is generating an "Enter Network Password" request, followed by a Proxy Authentication error (the browser isn't passing the authentication credentials properly, and it fails even if a valid username/password is entered at the prompt). I'm having no such trouble with XP Pro web proxy clients.

The workstations are running W2K SP4 with IE6 SP1 and all worked properly with ISA2000. It doesn't matter whether I choose integrated or basic authentication in my Internal network properties.

The ISA2004 logs show an http protocol denied connection, referencing my Internet access rule, followed by a couple of "Unidentified IP Traffic" entries on port 8080.

I applied a security template to the ISA2004 server, as suggested in one of the MS documents on hardening the Windows Infrastructure on the ISA2004 computer, but I haven't found any obvious settings that might have broken the authentication from the Windows 2000 clients.

Does anyone have any ideas why the W2K machines aren't working properly with the Web Proxy?



leonhughes -> RE: Web Proxy authentication errors on W2K clients (9.Feb.2005 2:13:00 AM)

Hi Todd,

So you have an internet access rule that allows the group that your users are members of? Also, I presume your clients are configured as web proxy clients through the browser and not just secure NAT clients?

It is quite normal to see denied events in the logs when using web proxy clients that require authentication, as the client will try to connect without authenticating first. When the client makes the request it will match the rule that allows access, but because it requires authentication the rule denies the request even though you want to allow it. The client should then try again, but this time passing the credentials (in the case of integrated authentication). What happens if you don't require authentication? Does it work? W2K clients should have no problems authenticating. I assume these machines are part of the domain?


[ February 09, 2005, 02:19 AM: Message edited by: leonhughes ]

tsternbach -> RE: Web Proxy authentication errors on W2K clients (9.Feb.2005 5:06:00 AM)

Hi Leon,

All clients are configured as web proxy clients, and the machines all belong to my Windows 2000 domain. Yes, I have an internet access rule that limits web access only to users who are members of a designated group. This is the same setup I've been using on ISA2000 for the last couple of years.

I understand that it's normal to see the denied connection events in the log - I had thought the "Unidentified IP Traffic" might have been noteworthy, but after looking more closely, I realize that I see those even from my XP clients that authenticate successfully.

I have the problem whether I explicitly require authentication or not, but if I modify my access rule to specify all users instead of my allowed internet users group, the W2K clients can connect OK (since they don't need to authenticate in that case). I'm at a loss to come up with an explanation why the W2K clients aren't able to authenticate properly. I figure it's got to be something in my ISA2004 or Windows Server 2003 setup.

I captured some packets in Network Monitor to try and compare the chatter between the clients and ISA server from a successful and unsuccessful authentication. At first glance I wasn't able to identify any useful differences, but I guess I'll have to examine it more closely.


slohcine -> RE: Web Proxy authentication errors on W2K clients (19.Mar.2005 2:30:00 AM)

Hi Todd,

I was wondering if you resolved this problem. I have the exact same symptoms as you note. In my case, I've stripped out any firewall rules (since we only use the proxy feature) and allow all traffic from/to any network. I do want to require clients to authenticate, and when I enable the setting, my Win2K clients occasionally get prompts to log in to the upstream proxy. So far, no XP clients have this issue.

I have found that, almost without exception, the item being retrieved is some kind of image file, i.e. .gif, .png, .jpg, etc. When the page finishes rendering (after many prompts), I can usually right-click on the missing item and select Show Picture and have the image appear. Ironically, ISAServer.org gives me lots of problems with this due to all the images used in the message board piece.

I've seen many other posts in this section that are asking about this same issue, although no concrete answers yet. I was going to run a sniffer as well to compare XP and Win2K client sessions. Just curious if you found anything further. This sounds like a Win2K client-specific issue when negotiating authentication.


slohcine -> RE: Web Proxy authentication errors on W2K clients (20.Mar.2005 9:47:00 PM)

I found the following MS knowledgebase article that describes the problem we're discussing:


This is specific to ISA 2000 and any client OS. I couldn't find a similar article for ISA 2004 but the symptoms exactly match the problem I have that I figure it's got to be related.

I've not had a chance to try the registry fix yet. Hope this helps.


slohcine -> RE: Web Proxy authentication errors on W2K clients (25.Mar.2005 12:03:00 AM)

Refer to the following KB article. I had the same issue as Todd and the Internet Explorer registry change recommended in the article resolved the issue.



adam_nerell -> RE: Web Proxy authentication errors on W2K clients (4.Apr.2005 6:22:00 PM)

I've experienced some of the problems you describe.

Try unchecking the "Use http 1.1 over proxy" setting in advanced settings in IE.

This KB article describes a part of the problem regarding NTLM, however, not the bug itself.


Good luck!

thejun -> RE: Web Proxy authentication errors on W2K clients (18.Apr.2005 4:28:00 AM)

I have the same problem I responded to in another post. The W2K clients prompt for user and pass, and come up anonymous in ISA, therefore denied.
I just migrated 500 desktops from ISA 2000 to 2004, and everything went fine except for the 100 Windows 2K Pro and servers. The HTTP proxy and registry fix doesn't do anything. I'm only using it for web clients, so no SecureNAT or firewall clients, and my WPAD is a DNS entry.
I'm going to need this fixed fast.

thejun -> RE: Web Proxy authentication errors on W2K clients (18.Apr.2005 4:49:00 AM)

My workaround is to uncheck the box to require authentication. I'm not quite sure how the rules work with this, as they come in as anonymous. Maybe Shinder can shine some light. The versions of Internet Explorer are the same in 2K and XP, so maybe a difference in how the auth. in AD..

philcoo -> RE: Web Proxy authentication errors on W2K clients (20.Sep.2005 6:02:00 AM)

I too am experiencing problems getting W2K machines to use pass-through authentication with web proxy.
I'm using ISA 2004 - we've never used ISA 2000, so this isn't an upgrade. All XP machines seem to work fine, but all W2K machines are prompted for authentication when accessing the web. It doesn't matter what credentials you use; the prompt just reoccurs. Having done some investigating, this only occurs once IE is upgraded to V6 - a bare W2K build comes with IE5 and this works fine. Can anyone help?? This is pretty urgent now. We haven't tried any other IE versions, but it must be related to something that the IE6 install changes.
Just to clarify, the internet access rule is using a Domain Security Group for access and all PCs are members of the domain.

Thanks in advance,

philcoo -> RE: Web Proxy authentication errors on W2K clients (14.Oct.2005 7:14:00 AM)

Well, I've had an answer from Microsoft and it's to do with the AD policy applied to my ISA box.
Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options. Change the key, Network Security: LAN Manager authentication level, to Send NTLM response only. Also remove the Require NTLMv2 session security tick box from Minimum Session Security for NTLM SSP... two options very similar, apply the setting to both.
Hope this makes sense and helps some people.
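
The two policies named in the post above are stored as registry values (`LmCompatibilityLevel`, `NtlmMinClientSec`, `NtlmMinServerSec`) on the ISA computer. As an added example that is not part of the thread, this Python script decodes `reg query` output for those values and lists which ones differ from the settings the post describes; the sample output is constructed, and the function names are this example's own.

```python
import re

# Policy option text for LmCompatibilityLevel (wording varies slightly by Windows version).
LM_LEVELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only. Refuse LM",
    5: "Send NTLMv2 response only. Refuse LM & NTLM",
}
# Bit flags in NtlmMinClientSec / NtlmMinServerSec (the two "Minimum session security" options).
MIN_SEC_FLAGS = {
    0x00000010: "Require message integrity",
    0x00000020: "Require message confidentiality",
    0x00080000: "Require NTLMv2 session security",
    0x20000000: "Require 128-bit encryption",
}
DWORD = re.compile(r"^\s*(\w+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$", re.M)

def parse_reg_query(text):
    """Return {value_name: int} for every REG_DWORD line in `reg query` output."""
    return {name: int(raw, 16) for name, raw in DWORD.findall(text)}

def audit(text):
    """Decode the settings and list those that differ from what the post describes."""
    vals = parse_reg_query(text)
    level = vals.get("LmCompatibilityLevel")
    report = {"lm_level": LM_LEVELS.get(level, "not set"), "differs": []}
    if level != 2:
        report["differs"].append("LmCompatibilityLevel")
    for name in ("NtlmMinClientSec", "NtlmMinServerSec"):
        flags = [d for bit, d in MIN_SEC_FLAGS.items() if vals.get(name, 0) & bit]
        report[name] = flags
        if "Require NTLMv2 session security" in flags:
            report["differs"].append(name)
    return report

# Constructed sample: output as it might look on a server after a hardening template.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    LmCompatibilityLevel    REG_DWORD    0x5

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
    NtlmMinClientSec    REG_DWORD    0x20080030
    NtlmMinServerSec    REG_DWORD    0x20080030
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

Running the same check on a working XP client and a failing W2K client, as well as on the ISA computer, shows whether a security template changed these values on one side only.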


