Welcome to ISAserver.org

media player authentication box

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA 2006 Web Proxy] >> Web Proxy Client >> media player authentication box

Page: [1]

Message

<< Older Topic Newer Topic >>

media player authentication box - 27.Jun.2008 5:21:40 AM

richardnreid

Posts: 10
Joined: 17.Dec.2007
Status: offline

Hi guys

I am running ISA 2006 on 2003. It is configured with intergrated authentication on the local host and internal network objects. We use it purely as a web proxy so allow alll through the firewall. One thing we do implement in the only firewall rule is a user group based on a AD group for internet users

The problem is when, for example, browsing bbc and opening a media player link. I get a proxy authentication box appear. Why would this be? I thought by using integrated authentication this should not happen? It needs to be transparent to users!

Can anyone help?!

Many thanks

Richard

Post #: 1

Featured Links*

RE: media player authentication box - 27.Jun.2008 9:25:19 AM

paulo.oliveira

Posts: 792
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline

Hi Richard,

when you put your user name and password, the traffic is allowed? I mean, can you open this link?

Regards,
Paulo Oliveira.

(in reply to richardnreid)

Post #: 2

RE: media player authentication box - 27.Jun.2008 10:29:39 AM

richardnreid

Posts: 10
Joined: 17.Dec.2007
Status: offline

Hi Paulo, thanks for the reply

Yes it does allow access when you enter a username/ password

Which shows the user is correctly authenticated. However, as intergrated authentication is set it should be completely transparent to the end user??

Many thanks

Richard

(in reply to paulo.oliveira)

Post #: 3

RE: media player authentication box - 27.Jun.2008 11:21:18 AM

pwindell

Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline

Because of limitations and "in-capabilities" with Windows Media Player it will not be possible for it to be transparent to users if proxy authentication is required.

Earlier version of WMP didn't seem to have the problem, but I think when they hit version 9 they screwed up the part of it that interacts and authenticates with a CERN Compliant Web Proxy when authentication is required. There was supposed to be a patch that fixed it but when I tried it the problem still persisted. The problem continued with later versions of WMP but I do not know if it is still an issue with the latest WMP if fully patched.

The solution is to:
1. go into the Options of the Media Player
2. go to the Network Tab
3. Go down to the lower section "Streaming Proxy Settings"
4. If any of them are set to "browser" change them to "none".

This will cause:
1. With a single-nic web proxy the WMP will simply ignore the proxy and and follow the LAN's Routing path to the Internet which is going to be your NAT Firewall. This means the NAT Firewall will have to allow outbound access for those protocols which include HTTP. This means users can remove the proxy settings from their browsers and bypass the proxy. This is why single-nic caching servers are a waste of time an money and should be wiped from the face of the earth (in my opinion).

2. With a normal full featured properly installed and properly functioning multi-nic ISA this will cause the WMP to stop using the Web Proxy Service and will fall back to being a Firewall Client or SecureNAT Client. If the Firewall Client is not installed it will have to be a SecureNAT Client which means the access has to be anonymous for HTTP. This downside is a good example of why all ISA installations should be done so that ISA is used with all its features the way it was intended to be used and all the workstations,..at least those that run Windows, should have the Firewall Client installed.

Here's the WMP article that did not work for me, but explains the issue:

816089 - FIX: Windows Media Player 9 Series Prompts User for Credentials with NTLM
http://support.microsoft.com/default.aspx?scid=kb;en-us;816089

By the way,...you will likely have the same problem with Java Applets that use the JRE and run in the Browser. The Java JRE has the same issues with it that the WMP has had. You will have to go into the JRE (Java Icon in Control Panel) and tell it to not use a proxy. You will have the same resulting effects as with the WMP.

_____________________________

Phillip Windell
www.wandtv.com

(in reply to richardnreid)

Post #: 4

RE: media player authentication box - 27.Jun.2008 12:21:13 PM

richardnreid

Posts: 10
Joined: 17.Dec.2007
Status: offline

Philip, thank you for the detailed reply!

Nice to know in a way that it is a bug in WMP. Can stop tearing my hair out now.

That gives me somethings to go on - such as defaulting users through real player which most machines have installed

Thanks again

Richard

(in reply to pwindell)

Post #: 5

RE: media player authentication box - 27.Jun.2008 12:33:14 PM

pwindell

Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline

...can't say for sure it won't happen with RP. Most products out there seem to have similar problemes authenticating with a CERN Compliant Web Proxy when authentication is required. It seems to linger around the order or sequence that things are presented and requested during the process. Tom Shinder could probably elaborate on that,..it is kind of beyond me. Remember that with most CERN Compliant Web Proxys out there, there is no authentication or even if capable doesn't seem to be commonly used. ISA Server is probably the most prevelant one out there in use and most developers are not very sharp when it comes to properly interacting with ISA server for some reason. I have no idea why there is such a blind spot there for them, but it seems to be common, appearantly even among some of MS's developers in the case of WMP.

Spyware and AV products trying to update their definitions are another big example of this. Adaware is one such example and has only gotten worse in more recent versions,..at least the older ones you could disable the proxy settings in it and it would work with the Firewall Client,..but now it doesn't seem to even do that correctly.

_____________________________

Phillip Windell
www.wandtv.com

(in reply to richardnreid)

Post #: 6

RE: media player authentication box - 27.Jun.2008 2:36:44 PM

elmajdal

Posts: 5061
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline

This has been discussed in Toms blog.

You can either as said by pwindell to disable the proxy setting inside each of your clients WMP, or as seens in Toms blog, this can be done also by using Registry or even Group Policy for easier management.

Check it all here : http://blogs.isaserver.org/shinder/2007/11/22/fixing-windows-media-player-authentication-prompts/

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to richardnreid)

Post #: 7

RE: media player authentication box - 27.Jun.2008 3:19:25 PM

pwindell

Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline

Ah! Yes. I should have mentioned GPO. That's what I have done here in fact. I guess I forgot,...I'm getting old,..or I'm tired,...or it's raining outside,..or something.

_____________________________

Phillip Windell
www.wandtv.com

(in reply to elmajdal)

Post #: 8

RE: media player authentication box - 29.Jun.2008 4:59:16 AM

elmajdal

Posts: 5061
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline

Wish it was raining here

The temp here is 130 F !! and my head is on fire

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to pwindell)

Post #: 9