You receive error messages if the Internet Security and Acceleration Server 2004 Firewall Client program is configured for auto-discovery or if you try to configure this program for auto-discovery

Symptoms

If the Microsoft Internet Security and Acceleration (ISA) Server 2004 Firewall Client program is configured for auto-discovery, you may experience the following symptoms:

If Microsoft Internet Explorer is not configured to use a proxy or to detect a proxy, you cannot access a Web pages when you use Internet Explorer. Additionally, you receive the following error message:

Cannot find server or DNS Error
A red "X" appears over the Firewall Client icon. You can find the Firewall Client icon in the notification area at the far right of the taskbar. If you pause the mouse pointer on the Firewall Client icon, you receive the following error message:

Disabled: Cannot authenticate to ISA Server server_name

If you try to configure the ISA Server 2004 Firewall Client program for auto-discovery, you may experience the following symptoms:

If you try to configure the Firewall Client program to use auto-discovery by clicking Detect Now under Automatically detect ISA Server on the General tab, you receive the following error message:

Failed to detect ISA Server
A red "X" appears over the Firewall Client icon. You can find the Firewall Client icon in the notification area at the far right of the taskbar. If you pause the mouse pointer on the Firewall Client icon, you receive the following error message:

Disabled: ISA Server could not be detected

Cause

This issue occurs if the IFPCEEWebProxy.SkipAuthenticationForRoutingInformation property is set to FALSE in ISA Server 2004. This problem occurs when the following conditions are true:

The Firewall Client program is configured to use auto-discovery.
The Require all users to authenticate Web Proxy setting is configured for the internal network object on the ISA Server 2004 computer.

Note The Require all users to authenticate setting is available when you click Authentication on the Web Proxy tab when you view the properties of the internal network object.

These conditions cause this problem because the Firewall Client program cannot perform HTTP authentication. When the Require all users to authenticate setting is enabled for the internal network object, the request to the Winsock Proxy Autodetect (WSPAD) port must be authenticated also. However, the Firewall Client program does not handle the "401 Authentication Required" response. Therefore, when the Firewall Client program tries to retrieve the Wspad.dat file from the Web Proxy Automatic Discovery (WPAD) server during the auto-discovery process, the auto-discovery process fails.

Resolution

To resolve this issue, set the IFPCEEWebProxy.SkipAuthenticationForRoutingInformation property to TRUE. To do this, follow the instructions in this section.

ISA Server 2004, Standard Edition

Service pack information

To resolve this problem, obtain the latest service pack for ISA Server 2004. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

891024 How to obtain the latest ISA Server 2004 service pack

Installation information

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

You must have ISA Server 2004 Service Pack 1 or a later ISA Server 2004 service pack installed to resolve this issue. After you install the latest ISA Server 2004 service pack, set the value of the SkipAuthenticationForRoutingInformation registry entry to a value of 1 or to a higher value to skip authentication for routing information. Set this value even if the Internal network object is configured to require all users to authenticate. To configure this registry entry, follow these steps.

Click Start, click Run, type regedit, and then click OK.
Locate the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentContolSet\Services\W3Proxy\Parameters
If the Parameters key does not exist, follow these steps:
1. Right-click W3Proxy, point to New, and then click Key.
2. Type Parameters as the key name, and then press ENTER.
If the Parameters key does exist, right-click Parameters, point to New, and then click DWORD Value.
Type SkipAuthenticationForRoutingInformation as the entry name, and then press ENTER.
Right-click SkipAuthenticationForRoutingInformation, and then click Modify.

In the Value data box, type a value of 1 to enable the registry setting, and then click OK.

Note To enable or to disable the registry setting, use the following guidelines.

Value set to 0, or the registry entry does not exist	Require authentication for routing information if the internal network object is configured to require all users to authenticate.
Value set to 1 or to a higher value	Skip authentication for routing information, even if the internal network object is configured to require all users to authenticate.

Exit Registry Editor.
Restart the Microsoft Firewall service. To do this, follow these steps:
1. Click Start, click Run, type services.msc, and then click OK.
2. Right-click Microsoft Firewall, and then click Restart.

ISA Server 2004, Enterprise Edition

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

Copy the following Microsoft Visual Basic Scripting Edition (VBScript) code to a text editor such as Notepad.exe, and then use a .vbs extension to save the file.
set ar = WScript.CreateObject( "FPC.Root" ).GetContainingArray set wp = ar.ArrayPolicy.WebProxy wp.SkipAuthenticationForRoutingInformation = True wp.Save
Double-click the .vbs file to run the script.
Restart the Microsoft Firewall service. To do this:
1. Click Start, click Run, type services.msc, and then click OK.
2. Right-click Microsoft Firewall, and then click Restart.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in ISA Server 2004 Service Pack 1.

More Information

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

889035 Users are prompted for authentication credentials when Internet Explorer is configured for automatic discovery in ISA Server 2004