Microsoft KB Archive/816959

= Web Proxy Clients Cannot View External Sites When You Enable Digest Authentication for Outgoing Web Requests =

Article ID: 816959

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Internet Security and Acceleration Server 2000 Standard Edition
 * Microsoft Windows Small Business Server 2003 Premium Edition

-



SYMPTOMS
When you configure Microsoft Internet Security and Acceleration (ISA) Server 2000 to require Digest authentication for outgoing Web requests, Web proxy clients are no longer permitted to view external Web sites.

The Web proxy client is prompted for its credentials three times, and then the following Web page is displayed:

The page cannot be displayed

There is a problem with the page you are trying to reach and it

cannot be displayed

Please try the following:
 * Click the Refresh button, or try again later.
 * Open the  home page, and then look for links to the information you want.
 * If you typed the page address in the Address bar, make sure that it is spelled correctly.
 * Verify that the Internet access policy on your network allows you to view this page.
 * If you believe you should be able to view this directory or page, please contact the Web site administrator by using the e-mail address or phone number listed on the  home page.

HTTP 407 Proxy Authentication Required - ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. (12209)

Internet Security and Acceleration Server.



CAUSE
This issue occurs if all of the following conditions are true:
 * You install ISA Server 2000 on a Windows Server 2003-based computer.

-and-
 * You configure the outgoing Web requests listener to use only Digest authentication.

-and
 * You click to select the Ask unauthenticated users for identification check box on the Outgoing Web Requests tab of the ISA server properties dialog box.

The issue occurs because the Iissuba.dll subauthentication component is not registered on the Windows Server 2003 domain controller. Because of additional security introduced with Windows Server 2003, this file is not registered by default.



RESOLUTION
To resolve this issue, register the Iissuba.dll subauthentication component on the Windows Server 2003 domain controller. To do this, follow these steps:  Log on to the Windows Server 2003 domain controller. Click Start, click Run, type cmd in the Open box, and then click OK. Type the following command, and then press ENTER:

rundll32 %windir%\system32\iissuba.dll,RegisterIISSUBA

Note The &quot;RegisterIISSUBA&quot; portion of this command is case-sensitive. Make sure that you type it as shown here.

You are not notified that the command has completed successfully. Close the command prompt.



WORKAROUND
To work around this issue, use another form of client authentication in addition to, or other than Digest authentication. For example, use Integrated authentication in addition to Digest authentication on the ISA server.

Keywords: kberrmsg kbprb KB816959

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.