I ran into an issue today where I was trying to figure out why firewall clients were not working. The logs showed all packets being blocked as coming from a non-authenticated source. I finally figured out though that if I disabled the "Automatically detect ISA server" setting on the client everything worked fine. Logs then showed traffic going through with authentication taking place. Do I possibly have a misconfiguration somewhere that might cause the FW client not to work when it is set to automatically detect the ISA server? I can't seem to puzzle out why that might make a difference and keep the FW from authenticating. Thanks in advance.
The most likely cause is a DNS problem. Its easy to figure out. Just run your packet sniffer on the client and look for the domain suffix the client is appending to the wpad. host name. 9 out of 10 times you'll find the problem right there.
If you don't have the DNS alias setup correctly try the name of the server, if you suspect a name resolution issue, try the IP address of the proxy server instead of the name.
In my case wpad was fine, but wspad gave authorization requied and I guess this is why the firewall client couldn't configure itself.
Looking at the server properties, the Outgoing Web Requests had 'ask un-authenticated users for authentication' checked. Unchecking this allowed me to view the wspad.dat file in notepad and the firewall client to be automaticaly configured.
Its interesting that you bring up that article. I was driving myself nuts because I thought that SP1 would fix the random authentication prompts problem when I enable the "ask unauthenticated users for authentication" option. But it did not. I also used the Registry fix that's supposed to fix the multiple authentication prompts problem as well. But that made no difference either.
What fixed the problem? I can't domain policy so that all machines use autodicovery *only* to configure the browsers. Why should that work when manually configuring the autoconfiguration script doesn't work? Beats me. I've done packet traces up and ying-yang and studies them, and no hints are appearent.