Users are repeatedly prompted for their credentials when they try to access the Internet after a firewall chain is configured between ISA Server, Microsoft Forefront Threat Management Gateway, Medium Business Edition, or Windows Essential Business Server

Article translations Article translations
Article ID: 883285 - View products that this article applies to.
Expand all | Collapse all

SYMPTOMS

After you configure a firewall chain between two or more computers that are running Microsoft Internet Security and Acceleration (ISA) Server 2000, ISA Server 2004, Microsoft Forefront Threat Management Gateway, Medium Business Edition, or Windows Essential Business Server 2008, users who try to access the Internet are repeatedly prompted for their credentials.

CAUSE

This issue may occur after you configure an upstream ISA Server, Microsoft Forefront Threat Management Gateway, Medium Business Edition, or Windows Essential Business Server computer and a downstream ISA Server, Microsoft Forefront Threat Management Gateway, Medium Business Edition, or Windows Essential Business Server computer to require authentication. Web browsers, such as Microsoft Internet Explorer, may not keep track of which proxy servers they have authenticated against. In this case, the browser authenticates the first ISA Server, Microsoft Forefront Threat Management Gateway, Medium Business Edition, or Windows Essential Business Server computer in the firewall chain. If the browser does not retain the proxy authentication information, the browser may have to authenticate with additional ISA Server, Microsoft Forefront Threat Management Gateway, Medium Business Edition, or Windows Essential Business Server computers in the firewall chain.

RESOLUTION

To resolve this issue, allow anonymous access on either the downstream ISA Server, Microsoft Forefront Threat Management Gateway, Medium Business Edition, or Windows Essential Business Server computers or the upstream ISA Server, Microsoft Forefront Threat Management Gateway, Medium Business Edition, or Windows Essential Business Server computers. Additionally, you can configure the last proxy server in the chain to use NTLM authentication, and then you can configure, in the relevant access rule, the downstream ISA Server, Microsoft Forefront Threat Management Gateway, Medium Business Edition, or Windows Essential Business Server computers in the chain to pass credentials to the upstream ISA Server, Microsoft Forefront Threat Management Gateway, Medium Business Edition, or Windows Essential Business Server computers. After you change this configuration, the upstream computers will see all requests as coming from the single user account that you configured in the access rule of the downstream computers. Only one computer that is running ISA Server, Microsoft Forefront Threat Management Gateway, Medium Business Edition, or Windows Essential Business Server in the firewall chain requires authentication.

STATUS

This behavior is by design.

REFERENCES

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
297080 Incomplete HTML pages and random authentication prompts if ISA Server is chained to upstream proxy
810561 RemoveAllProxyAuthorization not applied to SSL tunneling (CONNECT) requests

Properties

Article ID: 883285 - Last Review: September 7, 2004 - Revision: 1.2
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2000 Standard Edition
  • Microsoft Internet Security and Acceleration Server 2004 Standard Edition
  • Microsoft Forefront Threat Management Gateway, Medium Business Edition
  • Windows Essential Business Server 2008 Standard
Keywords: 
kbenv kbfirewall kbtshoot kbprb KB883285

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com