An ISA server or Forefront Threat Management Gateway server requests credentials when client computers in the same domain use Internet Explorer to access Web sites that contain Java programs

Article translations Article translations
Article ID: 925881 - View products that this article applies to.
Expand all | Collapse all

On This Page

SYMPTOMS

Consider the following scenario:
  • You have a client computer that uses a Microsoft Internet Security and Acceleration (ISA) Server server or a Microsoft Forefront Threat Management Gateway, Medium Business Edition server as a proxy server.
  • You configure Windows Internet Explorer on the client computer to use a proxy server.
  • You have a Java Virtual Machine (JVM) that is running on the client computer.
In this scenario, when the client computer uses Internet Explorer to access a Web site that contains Java programs, the ISA Server or the Microsoft Forefront Threat Management Gateway, Medium Business Edition server may request that the client computer provides credentials. This issue occurs even if the client computer is located in the same domain as the ISA server or the Microsoft Forefront Threat Management Gateway, Medium Business Edition server.

CAUSE

This issue occurs if the following conditions are true:
  • The ISA server or the Microsoft Forefront Threat Management Gateway, Medium Business Edition server is using either basic authentication or integrated authentication or is using both basic authentication and integrated authentication.
  • The Require all users to authenticate check box is selected for these authentication methods, or an HTTP outgoing access rule is configured to apply to requests from a domain user or from a domain user group.
The ISA or the Microsoft Forefront Threat Management Gateway, Medium Business Edition proxy client computer is requested for credentials because the JVM cannot authenticate itself to the proxy server.

WORKAROUND

To work around this issue, use one of the following methods, as appropriate for your situation.

Method 1

Clear the Require all users to authenticate check box, and then create an anonymous access rule for all outgoing traffic. Additionally, add the site that contains Java programs to the Access Rules destinations. To do this, follow these steps.

For Microsoft Forefront Threat Management Gateway, Medium Business Edition

  1. Click Start, point to All Programs, point to Microsoft Forefront TMG, and then click Forefront TMG Management.
  2. Expand Server_Name, where Server_Name is the server that is running Microsoft Forefront Threat Management Gateway, Medium Business Edition, and then click Firewall Policy.
  3. Click Networking, right-click Internal network on the Networks tab, and then click Properties.
  4. Click the Web Proxy tab, and then click Authentication.
  5. Make sure that the Require all users to authenticate check box is cleared, and then click OK two times.
  6. Right-click Firewall Policy, click New, and then click Access Rule.
  7. In the Access rule name box, type a name for the rule, and then click Next.
  8. On the Rule Action page, click Allow, and then click Next.
  9. On the Protocols page, click Selected Protocols in the In this rule applies to list. Click Add, add HTTP protocol and HTTPS protocol, and then click Next.
  10. On the Malware inspection page, choose the appropriate radio button, depending on whether you want to enable malware inspection.
  11. On the Access Rule Sources page, click Add.
  12. In the Add Network Entities dialog box, expand Networks, click Internal, click Add, and then click Close. Click Next.
  13. On the Access Rule Destinations page, click Add.
  14. In the Add Network Entities dialog box, click New, and then click URL Sets/Domain Name sets.

    Note URL sets are for HTTP traffic whereas Domain Name Sets are for HTTPS traffic.
  15. In the New URL Set Rule Element/New Domain Name Set Policy Element dialog box, type an appropriate name.
  16. Click Add, type the URL or the domain of the sites that contain Java programs, and then press ENTER.

    Note If you want to enter more than one URL in the URL set or in the Domain Name set, repeat step 16.
  17. Click OK.
  18. In the Add Network Entities dialog box, expand URL Sets/Domain Name Set, click the URL set that you created in steps 16 to 17, click Add, and then click Close. Click Next.
  19. Make sure that the This rule applies to requests from the following user sets list contains the All Users entry, click Next, and then click Finish.
  20. Click Apply to save the changes and to update the firewall policy.
  21. Click OK.

For ISA Server 2004 and ISA Server 2006

  1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.
  2. Expand Microsoft Internet Security and Acceleration Server 2006, expand Server Name, and then click Firewall Policy.

    Notes
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server Name, and then click Firewall Policy.
    • For ISA Server 2006 Enterprise Edition and ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server VersionNumber, expand Arrays, expand Array Name, and then expand Configuration.
    .
  3. Click Networks, right-click Internal on the Networks tab, and then click Properties.
  4. Click the Web Proxy tab, and then click Authentication.
  5. Make sure that the Require all users to authenticate check box is cleared, and then click OK.
  6. Click OK to close the Internal Properties window.
  7. Right-click Firewall Policy, click New, and then click Access Rule.
  8. In the Access rule name box, type a name for the rule, and then click Next.
  9. Click Allow, and then click Next.
  10. Click All outbound traffic in the In this rule applies to list, and then click Next.
  11. On the Access Rule Sources page, click Add.
  12. In the Add Network Entities dialog box, expand Networks, click Internal, click Add, and then click Close.
  13. Click Next.
  14. On the Access Rule Destinations page, click Add.
  15. In the Add Network Entities dialog box, click New, and then click URL Set.
  16. In the New URL Set Rule Element dialog box, type an appropriate name.
  17. Click New, type the URL of the sites that contain Java programs, and then press ENTER.

    Note If you want to enter more than one URL in the URL set, repeat step 17.
  18. Click OK.
  19. In the Add Network Entities dialog box, expand URL Sets, click the URL set that you created in step 17, click Add, and then click Close.
  20. Click Next.
  21. Make sure that the This rule applies to requests from the following user sets: list contains the All Users entry, click Next, and then click Finish.
  22. Click Apply to save the changes and to update the firewall policy.
  23. Click OK.

For ISA Server 2000

  1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.
  2. Right-click the server or the Array Name, and then click Properties.
  3. Click the Outgoing Web Requests tab, and then make sure that the Ask unauthenticated users for identification check box is not selected.
  4. Click Apply.
  5. Click Save the changes and restart the service(s), and then click OK two times.
  6. Create a site and a content rule for the site that contains the Java programs, and then configure the rule to apply to any request. To do this, follow these steps:
    1. In ISA Server Management MMC snap-in, expand Enterprise, expand Policies, and then expand Enterprise Policy.

      Note For the array policy, expand Servers and Arrays, expand ServerName, and then expand Access Policy.
    2. Right-click Site and Content Rules, and then click New.
    3. Type a name for the new rule in the Site and content rule name box, and then click Next.
    4. Click Allow, and then click Next.
    5. Click Allow access based on destination, and then click Next.
    6. Click Specified destination set in the Apply this to list, and then click Add.
    7. Click the site name that contains Java programs in the Name list, and then click Next.

      Note If the destination set that you want to specify is not listed, click New to create it, and then select it in the list.
    8. To configure the rule to apply to any request, double-click the rule, and then click the Applies to tab.
    9. Under This rule applies to, make sure that the Any request option is selected, and then click OK.
    10. Right-click Protocol Rules, point to New, and then click Rule.
    11. Type a name in the Site and content rule name box.
    12. Click Allow, and then click Next.
    13. In the Apply this rule to list, click Selected protocols.
    14. Under Protocols, select the HTTP check box, and then click Next.
    15. Make sure that Always is selected in the Use this schedule list, and then click Next.
    16. Click Any request, click Next, and then click Finish.

Method 2

Change the default Use browser settings configuration in the JVM. To do this, follow these steps:
  1. Click Start, point to Settings, click Control Panel, and then double-click Java.
  2. Click the General tab, and then click Network Settings.
  3. Click Direct connection, and then click OK two times.

Properties

Article ID: 925881 - Last Review: December 4, 2007 - Revision: 1.3
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2000 Standard Edition
  • Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition
  • Microsoft Internet Security and Acceleration Server 2004 Standard Edition
  • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
  • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
  • Microsoft Forefront Threat Management Gateway, Medium Business Edition
  • Windows Essential Business Server 2008 Standard
Keywords: 
kbtshoot kbprb KB925881

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com