Users are repeatedly prompted for their credentials when they try to access the Internet after a firewall chain is configured between ISA Server, Microsoft Forefront Threat Management Gateway, Medium Business Edition, or Windows Essential Business Server

After you configure a firewall chain between two or more computers that are running Microsoft Internet Security and Acceleration (ISA) Server 2000, ISA Server 2004, Microsoft Forefront Threat Management Gateway, Medium Business Edition, or Windows Essential Business Server 2008, users who try to access the Internet are repeatedly prompted for their credentials.

This issue may occur after you configure an upstream ISA Server, Microsoft Forefront Threat Management Gateway, Medium Business Edition, or Windows Essential Business Server computer and a downstream ISA Server, Microsoft Forefront Threat Management Gateway, Medium Business Edition, or Windows Essential Business Server computer to require authentication. Web browsers, such as Microsoft Internet Explorer, may not keep track of which proxy servers they have authenticated against. In this case, the browser authenticates the first ISA Server, Microsoft Forefront Threat Management Gateway, Medium Business Edition, or Windows Essential Business Server computer in the firewall chain. If the browser does not retain the proxy authentication information, the browser may have to authenticate with additional ISA Server, Microsoft Forefront Threat Management Gateway, Medium Business Edition, or Windows Essential Business Server computers in the firewall chain.

To resolve this issue, allow anonymous access on either the downstream ISA Server, Microsoft Forefront Threat Management Gateway, Medium Business Edition, or Windows Essential Business Server computers or the upstream ISA Server, Microsoft Forefront Threat Management Gateway, Medium Business Edition, or Windows Essential Business Server computers. Additionally, you can configure the last proxy server in the chain to use NTLM authentication, and then you can configure, in the relevant access rule, the downstream ISA Server, Microsoft Forefront Threat Management Gateway, Medium Business Edition, or Windows Essential Business Server computers in the chain to pass credentials to the upstream ISA Server, Microsoft Forefront Threat Management Gateway, Medium Business Edition, or Windows Essential Business Server computers. After you change this configuration, the upstream computers will see all requests as coming from the single user account that you configured in the access rule of the downstream computers. Only one computer that is running ISA Server, Microsoft Forefront Threat Management Gateway, Medium Business Edition, or Windows Essential Business Server in the firewall chain requires authentication.

This behavior is by design.

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base: