Microsoft KB Archive/170666

= Multiple Password Prompts, Access Denied Using Web Proxy and SSL =

Article ID: 170666

Article Last Modified on 9/22/2005

-

APPLIES TO


 * Microsoft Proxy Server 1.0 Standard Edition
 * Microsoft Proxy Server 2.0 Standard Edition

-



This article was previously published under Q170666



SYMPTOMS
If you try to connect to a secure SSL site through Web Proxy (using https://), you may be prompted for a password three times and receive an Access Denied error message.

NOTE: This should only occur when you use Microsoft Internet Explorer version 2.x and later in conjunction with Microsoft Windows NT Challenge/Response authentication on the Proxy Server.



RESOLUTION
To resolve this problem, upgrade to Internet Explorer version 4.0. If you are unable to do so, use the information in the WORKAROUND section.



WORKAROUND
Use any of the following methods to avoid the problem.

NOTE: You should try them in the order listed. The fourth method may disable some or all authentication.

Upgrade Clients to Version 3.01 or Later
Make sure all clients are using Internet Explorer version 3.01 or later. Install Windows NT 4.0 Service Pack 3 or later on the Proxy Server computer. Install the Winsock Proxy client program on the client computers. In the Internet Explorer Proxy settings (View, Options, Connection), type the name of the Proxy Server computer for all protocols except {Secure}. This will force the browser to use the Winsock Proxy service instead of the Web Proxy service when the user attempts to connect to an SSL (secure) page. All other browser requests will use the Web Proxy service and still take advantage of caching. This scenario will allow use of Windows NT Challenge for all protocols because the Winsock Proxy has its own Windows NT Challenge authentication built-in.

Enable Basic Authentication
Disable Windows NT Challenge/Response and enable Basic Authentication instead. These settings can be found in the WWW service properties.

Install Winsock Proxy Client
Install the Winsock Proxy Client and disable the Proxy connection settings on the Internet Explorer Clients. All clients will use the Winsock Proxy service only.

Important: The following method will disable some or all of the authentication on the Proxy Server computer.

Disable Access Control
Disable Access Control for the Web proxy service. Doing this will allow all users anonymous access to the web proxy service. They will no longer be prompted for authentication when using the Web proxy service. The Web proxy log file will no longer show usernames; they will be replaced with anonymous.



STATUS
Microsoft has confirmed this to be a problem in Internet Explorer versions 2.0, 2.01, 2.1, 3.0, 3.01, and 3.02. This problem is fixed in Microsoft Internet Explorer version 4.0. A supported fix is available only for version 3.02.

A supported fix is now available, but has not been fully regression- tested and should be applied only to systems experiencing this specific problem. Unless you are severely impacted by this specific problem, Microsoft recommends that you wait for the next Service Pack that contains this fix. Contact Microsoft Technical Support for more information.

Additional query words: https ntlm nt challenge response secure

Keywords: kbfix kbqfe kbother kbprb kbhotfixserver KB170666

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.