Article ID: 938465 - View products that this article applies to.
Consider the following scenario:
Error Code: 502 Proxy Error. Logon Failure: Unknown user name or bad password. (1326)
This problem occurs because proxy-to-proxy authentication fails. The downstream server expects the upstream server to return "Negotiate" as a supported authentication scheme for Windows Integrated authentication. However, after you enable hotfix 927265, the upstream server is configured to return only "NTLM" as an authentication scheme for Windows Integrated authentication. Therefore, the downstream server and the upstream server cannot authenticate one another.
A hotfix package is available to resolve this problem. For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/938466/ )Description of the Internet Security and Acceleration Server 2004 hotfix package: June 5, 2007
(http://support.microsoft.com/kb/954258/ )How to obtain the latest Internet Security and Acceleration (ISA) Server 2006 service pack
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
The authentication process between the downstream server and the upstream server uses a special URL request. After you apply hotfix 938466, the upstream ISA Server computer will return "Kerberos" and "Negotiate" as supported authentication schemes if there is a special ISA-to-ISA authentication URL request.
Article ID: 938465 - Last Review: October 24, 2008 - Revision: 2.1