Incomplete HTML Pages and Random Authentication Messages Occur When ISA Server Is Chained to an Anonymous Upstream Web Proxy Server

Article translations Article translations
Article ID: 307457 - View products that this article applies to.
This article was previously published under Q307457
This article has been archived. It is offered "as is" and will no longer be updated.
Expand all | Collapse all

SYMPTOMS

Incomplete Hypertext Markup Language (HTML) pages and random authentication messages may be displayed in the Web browser when you chain Internet Security and Acceleration (ISA) Server 2000 to an anonymous upstream Proxy 2.0 Web proxy server.

CAUSE

This problem can occur if you configure the downstream ISA Server computer to use the Integrated Windows authentication method, and if the upstream Proxy 2.0 Web proxy server does not require any access control (it allows Anonymous access).

Under certain circumstances, a Web browser may try to authenticate a connection with the downstream ISA Server computer that has already been authenticated by using the Integrated Windows authentication method. As a result, the downstream ISA Server computer passes those credentials to the upstream Proxy 2.0 Web proxy server. Because the credentials are for the downstream ISA Server computer and not for the upstream Proxy 2.0 Web proxy server, the Proxy 2.0 Web proxy server may return a "407 Proxy authentication required" Hypertext Transfer Protocol (HTTP) response. The downstream ISA Server computer passes this HTTP response back to the Web browser, and an authentication message is displayed on the client computer.

RESOLUTION

To resolve this issue implement the fix described in the following Microsoft Knowledge Base article:
317822 FIX: Problems with Web Browser If ISA Server 2000 Is Chained to an Upstream Web Proxy Server

WORKAROUND

To work around this problem, disable either Windows NT Challenge/Response (if you are running Internet Information Server [IIS] 4.0) or Integrated Windows authentication (if you are running Internet Information Services [IIS] 5.0) on the default Web site on the upstream anonymous Proxy 2.0 Web proxy server. To do so:
  1. Click the Directory Security tab in the default Web site properties
  2. Click to clear either the Windows NT Challenge/Response check box (in IIS 4.0) or the Integrated Windows authentication check-box (in IIS 5.0).
After you complete this procedure, the upstream Proxy 2.0 Web proxy server consumes the redundant Proxy-Authorization HTTP header that is sent by the browser. As a result, the server does not reply with a "407 Proxy authentication required" HTTP response.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
297080 Incomplete HTML Pages and Random Authentication Prompts If ISA Server Is Chained to Upstream Proxy

Properties

Article ID: 307457 - Last Review: October 24, 2013 - Revision: 1.1
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2000 Standard Edition
Keywords: 
kbnosurvey kbarchive kbenv kbprb KB307457

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com