Re: Error: HTTP/1.1 407 Proxy Authentication Required

We are using a monitoring tool from indicative software (www.indicative.com)
called Service director. It has some built in http tests that supports NTLM
for monitoring URL's. Some of their monitoring tests can monitor http status
code, availability of web server, response time etc. When you configure the
http tests you can specify the the following NTLM properties for
authentication purposes i.e

NTLM user
NTLM user domain
NTLM host
NTLM host domain.

I am trying to run the http tests for internal as well as external URL
monitoring. For internal URL's which uses integrated Windows authentication,
I am not using any proxy but specify the NTLM parameters. When i do that I
get this error message-

Aug 28 18:47:28 msas-nyk27p.global.gam.com TestNow: [Debug]
(Tests:Http_4-0:p__113b0ab8627:176889) Start NTLM Authentication at
1188341248015
Aug 28 18:47:28 msas-nyk27p.global.gam.com TestNow: [Debug]
(Tests:Http_4-0:p__113b0ab8627:176889) NTLM handshake 1 server response null
Aug 28 18:47:28 msas-nyk27p.global.gam.com TestNow: [Debug]
(Tests:Http_4-0:p__113b0ab8627:176889) INITIAL RESPONSE :
HTTP/1.1 401 Unauthorized
Content-Length: 1656

I also notice that the domain user account I am using for NTLM
authentication gets locked each time I run the test.

For the external URL's like www.google.com I keep getting a different error
message-

HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires
authorization to fulfill the request. Access to the Web Proxy service is
denied. )

Now I know Indicative does not support NTLM V2 for http tests. I checked the
NTLM compatability level is set to 4 in the registry on the web server as
well as on te proxy. I tried changing that to value 2 but still got the same
error message.

Any ideas?

Thanks

Ripul

"Jim Harrison (ISA SE)" wrote:

Sorry, Phil; that's incorrect.
The authentication method is not changed by modifying the user credentials.

Exactly what monitoring tool is this?
As Phil correctly stated, it's entirely possible that your tool doesn't
support NTLM (or Integrated) proxy authentication.
You can add Basic auth to the network object Web proxy authentication
options and see if it understands that.

--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html



"Phillip Windell" <philwindell@xxxxxxxxxxx> wrote in message
news:OSklywZ6HHA.5980@xxxxxxxxxxxxxxxxxxxxxxx
If your Tool isn't capable of comprehending NTLM authentication (such as
only using Basic Auth) you will have to prefix the credentials prompt with
the domain name:

User: domain\user
Pass: *******

If you ran the Firewall Client and made sure the Tool is set to not use a
proxy (if it has such settings) then you would never have the prompt to
start with.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------


"Ripul" <Ripul@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8D4E4C57-C64D-40AC-92ED-464CB9DF9235@xxxxxxxxxxxxxxxx
I am trying to run an http test from a monitoring tool to check the http
status code of external URL like www.google.com. And I am getting this
error
message-

HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires
authorization to fulfill the request. Access to the Web Proxy service is
denied. )

The ISA server requires NTLM authentication. I have tried putting the NTLM
credentials but no luck so far. I keep getting this error message. Any
help
would be highly appreciated.

Thanks



.

Relevant Pages

  • RE: ADS Password Storage Protection
    ... In Windows it is LM or NT (sometimes called NTLM) hashes. ... NTLMv2 refers to the authenication protocol that exchanges the hash ... between the client and server authentication database. ...
    (Security-Basics)
  • Re: Integrated Windows Authentication Timeout?
    ... Is it possible that a different host name is being used for one of the subsequent requests that would break Kerberos auth? ... If you have "Negotiate" authentication set in the metabase, then this can still negotiate down to NTLM if for some reason the protocol thinks that Kerberos is unavailable. ... server. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • RE: HttpWebRequest over Https Via Proxy Fails using NTLM
    ... The proxy authentication header returns Basic, NTLM, and Negotiate. ... A network trace shows that the https request handshake is as follows: ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Event log shows NTLM not Kerberos
    ... it needs those SIDs, which is what authentication gives. ... Authentication Package: NTLM ... Authentication Package NTLM not Kerberos? ...
    (microsoft.public.security)
  • Re: Outlook 2000 issue with EXCH 2003
    ... It is related to DNS, the GC utilize DNS to find NTLM ... we have tested outlook 2k3 with NTLM only ... the LAN MAN authentication set to ...
    (microsoft.public.exchange.admin)
Loading