Microsoft KB Archive/297080

= Incomplete HTML Pages and Random Authentication Prompts If ISA Server Is Chained to Upstream Proxy =

Article ID: 297080

Article Last Modified on 10/26/2007

-

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2000 Standard Edition

-



This article was previously published under Q297080



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SYMPTOMS
If Internet Security and Acceleration (ISA) Server 2000 is chained to an upstream Web proxy server, you may receive incomplete HTML pages and random authentication prompts in the Web browser.

These symptoms may occur if the downstream ISA Server computer is configured to require integrated authentication and if the upstream Web proxy server is also configured to require proxy authentication. In addition, the Routing rule on the downstream ISA Server computer is configured to provide Basic Authentication credentials to the upstream Web proxy server.

This behavior does not occur if the downstream ISA Server computer is not configured to provide any credentials or if it is configured to provide Integrated Authentication credentials to the upstream Web proxy server.



CAUSE
Under certain circumstances, Web browsers may try to authenticate a connection with the downstream ISA Server computer that has already been authenticated by using integrated authentication. This may cause the downstream ISA Server computer to pass those credentials to the upstream Web proxy server. Because the credentials are for the downstream ISA Server computer and not for the upstream Web proxy server, the server returns a &quot;407 Proxy authentication required&quot; HTTP response. The downstream ISA Server computer then passes this HTTP response back to the Web browser, causing the authentication prompt on the client computer. Because the client is unable to authenticate this request, it may cause incomplete HTML pages on the Web browser client.



RESOLUTION
A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hotfix.

To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:

http://go.microsoft.com/?linkid=6294451

Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

The English version of this fix should have the following file attributes or later:   Date      Time     Version      Size     File name 5/6/2001 02:03PM  3.0.1200.64  373,520  W3proxy.exe



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.



MORE INFORMATION
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To implement the functionality in this fix, create the following registry value:  Stop the Web Proxy service. Start Registry Editor. Locate and click the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters

 Create a new DWORD value named RemoveRedundantProxyAuthorization. Give this new value a data value of 1.</li> Start the Web Proxy service.</li></ol>

To revert to the original configuration, either remove the RemoveRedundantProxyAuthorization registry value, or change its data value to 0 (zero). After making either change, restart the Web Proxy service.

If you see the same symptoms when the upstream Web Proxy Server is running without any Access Control (it is using Anonymous access), then instead of installing this fix, implement the fix described in the following Microsoft Knowledge Base article:

317822 FIX: Problems with Web Browser if ISA Server 2000 Is Chained to an Upstream Web Proxy Server

Additional query words: credential NTLM challenge response HF 64 HF64 ISAHF64.exe

Keywords: kbproductlink kbqfe kbhotfixserver kbenv kbprb KB297080

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.