Incomplete HTML Pages and Random Authentication Messages Occur When ISA Server Is Chained to an Anonymous Upstream Web Proxy Server (307457)


The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2000
This article was previously published under Q307457

SYMPTOMS

Incomplete Hypertext Markup Language (HTML) pages and random authentication messages may be displayed in the Web browser when you chain Internet Security and Acceleration (ISA) Server 2000 to an anonymous upstream Proxy 2.0 Web proxy server.

CAUSE

This problem can occur if you configure the downstream ISA Server computer to use the Integrated Windows authentication method, and if the upstream Proxy 2.0 Web proxy server does not require any access control (it allows Anonymous access).

Under certain circumstances, a Web browser may try to authenticate a connection with the downstream ISA Server computer that has already been authenticated by using the Integrated Windows authentication method. As a result, the downstream ISA Server computer passes those credentials to the upstream Proxy 2.0 Web proxy server. Because the credentials are for the downstream ISA Server computer and not for the upstream Proxy 2.0 Web proxy server, the Proxy 2.0 Web proxy server may return a "407 Proxy authentication required" Hypertext Transfer Protocol (HTTP) response. The downstream ISA Server computer passes this HTTP response back to the Web browser, and an authentication message is displayed on the client computer.

RESOLUTION

To resolve this issue implement the fix described in the following Microsoft Knowledge Base article:

317822 FIX: Problems with Web Browser If ISA Server 2000 Is Chained to an Upstream Web Proxy Server

WORKAROUND

To work around this problem, disable either Windows NT Challenge/Response (if you are running Internet Information Server [IIS] 4.0) or Integrated Windows authentication (if you are running Internet Information Services [IIS] 5.0) on the default Web site on the upstream anonymous Proxy 2.0 Web proxy server. To do so:
  1. Click the Directory Security tab in the default Web site properties
  2. Click to clear either the Windows NT Challenge/Response check box (in IIS 4.0) or the Integrated Windows authentication check-box (in IIS 5.0).
After you complete this procedure, the upstream Proxy 2.0 Web proxy server consumes the redundant Proxy-Authorization HTTP header that is sent by the browser. As a result, the server does not reply with a "407 Proxy authentication required" HTTP response.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

297080 Incomplete HTML Pages and Random Authentication Prompts If ISA Server Is Chained to Upstream Proxy

Modification Type:MajorLast Reviewed:3/28/2002
Keywords:kbenv kbprb KB307457
©2002 Microsoft Corporation. All rights reserved.