Clients That Use an Automatic Configuration Script May Not Work Because of Proxy Authentication

Browser clients that are configured to use the default "Automatic Configuration Script" in ISA Server or "Automatically Detect Settings", may be unable to obtain access to Web sites through the Web Proxy service in ISA Server if it is configured to require proxy authentication.

The clients do not work only if proxy authentication is enforced on the ISA Server by selecting Ask unauthenticated users for identification under the Outgoing Web Requests tab. Also, the client must be requesting the automatic configuration script or the Wpad.dat file (from Automatically Detect Settings) from the TCP port that is specified on the Outgoing Web Requests tab.

If proxy authentication is instead enforced by site and content rules or protocol rules, the clients can obtain access to Web sites without any issues. Similarly, if the browser clients request the automatic configuration script or the Wpad.dat file from the auto discovery TCP port instead of the TCP port that is specified on the Outgoing Web Requests tab, access to Web Sites works correctly.

This problem can occur because when the browser client requests the default automatic configuration script or the Wpad.dat file on the TCP port that is specified on the Outgoing Web Requests tab, ISA Server incorrectly prompts the client for proxy authentication instead of the correct WWW authentication. Because an automatic configuration script or a Wpad.dat request is not a Web proxy request, but is instead a request for a local resource that is located on the ISA Server computer, the browser client fails when prompted for proxy authentication.

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language. Before you apply this hotfix, the browser will stop responding. After you apply this hotfix, the browser may prompt you for authentication information. To resolve this issue, click to clear the Ask Unauthenticated Users for Identification check box, and then create Access Policy rules that only allow User groups to get access to all sites. This might be the Everyone group if you do not want to restrict outbound access.

Microsoft has confirmed that this is a problem in Internet Security and Acceleration Server 2000. This problem was first corrected in Internet Security and Acceleration Server 2000 Service Pack 1.

The request does not work only if the browser client is configured to use the default automatic configuration script. If the browser client instead is configured to use a custom automatic configuration script that is located on a different server than the ISA Server computer, there is no need to install this hotfix.