Microsoft KB Archive/925881

= An ISA server requests credentials when client computers in the same domain use Internet Explorer to access Web sites that contain Java programs =

Article ID: 925881

Article Last Modified on 12/4/2007

-

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2000 Standard Edition
 * Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition
 * Microsoft Internet Security and Acceleration Server 2004 Standard Edition
 * Microsoft Internet Security and Acceleration Server 2006 Standard Edition
 * Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition

-



SYMPTOMS
Consider the following scenario:
 * You have a client computer that uses a Microsoft Internet Security and Acceleration (ISA) Server as a proxy server.
 * You configure Windows Internet Explorer on the client computer to use a proxy server.
 * You have a Java Virtual Machine (JVM) that is running on the client computer.

In this scenario, when the client computer uses Internet Explorer to access a Web site that contains Java programs, the ISA Server may request that the client computer provides credentials. This issue occurs even if the client computer is located in the same domain as the ISA server.



CAUSE
This issue occurs if the following conditions are true:
 * The ISA server is using either basic authentication or integrated authentication or is using both basic authentication and integrated authentication.
 * The Require all users to authenticate check box is selected for these authentication methods, or an HTTP outgoing access rule is configured to apply to requests from a domain user or from a domain user group.

The ISA proxy client computer is requested for credentials because the JVM cannot authenticate itself to the proxy server.



WORKAROUND
To work around this issue, use one of the following methods, as appropriate for your situation.

Method 1
Clear the Require all users to authenticate check box, and then create an anonymous access rule for all outgoing traffic. Additionally, add the site that contains Java programs to the Access Rules destinations. To do this, follow these steps.

For ISA Server 2004 and ISA Server 2006
 Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management. Expand Microsoft Internet Security and Acceleration Server 2006, expand, and then click Firewall Policy.

Notes  For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand, and then click Firewall Policy. For ISA Server 2006 Enterprise Edition and ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server , expand Arrays, expand , and then expand Configuration.

. Click Networks, right-click Internal on the Networks tab, and then click Properties. Click the Web Proxy tab, and then click Authentication.</li> Make sure that the Require all users to authenticate check box is cleared, and then click OK.</li> Click OK to close the Internal Properties window.</li> Right-click Firewall Policy, click New, and then click Access Rule.</li> In the Access rule name box, type a name for the rule, and then click Next.</li> Click Allow, and then click Next.</li> Click All outbound traffic in the In this rule applies to list, and then click Next.</li> On the Access Rule Sources page, click Add.</li> In the Add Network Entities dialog box, expand Networks, click Internal, click Add, and then click Close.</li> Click Next.</li> On the Access Rule Destinations page, click Add.</li> In the Add Network Entities dialog box, click New, and then click URL Set.</li> In the New URL Set Rule Element dialog box, type an appropriate name.</li> Click New, type the URL of the sites that contain Java programs, and then press ENTER.

Note If you want to enter more than one URL in the URL set, repeat step 17.</li> Click OK.</li> In the Add Network Entities dialog box, expand URL Sets, click the URL set that you created in step 17, click Add, and then click Close.</li> <li>Click Next.</li> <li>Make sure that the This rule applies to requests from the following user sets: list contains the All Users entry, click Next, and then click Finish.</li> <li>Click Apply to save the changes and to update the firewall policy.</li> <li>Click OK.</li></ol>

For ISA Server 2000
<ol> <li>Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.</li> <li>Right-click the  or the , and then click Properties.</li> <li>Click the Outgoing Web Requests tab, and then make sure that the Ask unauthenticated users for identification check box is not selected.</li> <li>Click Apply.</li> <li>Click Save the changes and restart the service(s), and then click OK two times.</li> <li>Create a site and a content rule for the site that contains the Java programs, and then configure the rule to apply to any request. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> <li>In ISA Server Management MMC snap-in, expand Enterprise, expand Policies, and then expand Enterprise Policy.

Note For the array policy, expand Servers and Arrays, expand, and then expand Access Policy.</li> <li>Right-click Site and Content Rules, and then click New.</li> <li>Type a name for the new rule in the Site and content rule name box, and then click Next.</li> <li>Click Allow, and then click Next.</li> <li>Click Allow access based on destination, and then click Next.</li> <li>Click Specified destination set in the Apply this to list, and then click Add.</li> <li>Click the site name that contains Java programs in the Name list, and then click Next.

Note If the destination set that you want to specify is not listed, click New to create it, and then select it in the list.</li> <li>To configure the rule to apply to any request, double-click the rule, and then click the Applies to tab.</li> <li>Under This rule applies to, make sure that the Any request option is selected, and then click OK.</li> <li>Right-click Protocol Rules, point to New, and then click Rule.</li> <li>Type a name in the Site and content rule name box.</li> <li>Click Allow, and then click Next.</li> <li>In the Apply this rule to list, click Selected protocols.</li> <li>Under Protocols, select the HTTP check box, and then click Next.</li> <li>Make sure that Always is selected in the Use this schedule list, and then click Next.</li> <li>Click Any request, click Next, and then click Finish.</li></ol> </li></ol>

Method 2
Change the default Use browser settings configuration in the JVM. To do this, follow these steps:
 * 1) Click Start, point to Settings, click Control Panel, and then double-click Java.
 * 2) Click the General tab, and then click Network Settings.
 * 3) Click Direct connection, and then click OK two times.

Keywords: kbtshoot kbprb KB925881

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.