Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. Error message when you try to access Web sites through a downstream server after you enable hotfix 927265 on an upstream server that is running ISA Server 2004 or ISA Server 2006: "502 Proxy Error"

Error message when you try to access Web sites through a downstream server after you enable hotfix 927265 on an upstream server that is running ISA Server 2004 or ISA Server 2006: "502 Proxy Error"

View products that this article applies to.

Symptoms

Consider the following scenario:
  • A downstream server is chained to an upstream server that is running Microsoft Internet Security and Acceleration (ISA) Server 2004 or Microsoft Internet Security and Acceleration (ISA) Server 2006.
  • A client computer is configured to use the downstream server as the proxy server.
  • On the upstream server, you have enabled the hotfix that is described in the following Microsoft Knowledge Base article:
    927265 Authentication fails when client computers use Internet Explorer 7 to authenticate with an upstream ISA Server computer through a downstream ISA Server computer that does not require authentication
However, when a user on the client computer tries to access Web sites through the downstream server, the user receives the following error message:
Error Code: 502 Proxy Error. Logon Failure: Unknown user name or bad password. (1326)

↑ Back to the top

Cause

This problem occurs because proxy-to-proxy authentication fails. The downstream server expects the upstream server to return "Negotiate" as a supported authentication scheme for Windows Integrated authentication. However, after you enable hotfix 927265, the upstream server is configured to return only "NTLM" as an authentication scheme for Windows Integrated authentication. Therefore, the downstream server and the upstream server cannot authenticate one another.

↑ Back to the top

Resolution

A hotfix package is available to resolve this problem. For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
938466 Description of the Internet Security and Acceleration Server 2004 hotfix package: June 5, 2007
954258 How to obtain the latest Internet Security and Acceleration (ISA) Server 2006 service pack

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

More information

The authentication process between the downstream server and the upstream server uses a special URL request. After you apply hotfix 938466, the upstream ISA Server computer will return "Kerberos" and "Negotiate" as supported authentication schemes if there is a special ISA-to-ISA authentication URL request.

↑ Back to the top

Keywords: KB938465, kbprb, kbexpertiseinter, kbtshoot, kberrmsg

↑ Back to the top

Article Info
Article ID : 938465
Revision : 3
Created on : 10/24/2008
Published on : 10/24/2008
Exists online : False
Views : 361