Help me with this message "12209 Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied"

Hi,

I have Forefront TMG on Windows Server 2008 R2 and domain users have full access to the web via the web proxy.

I have a big problem. Sometimes (yes, sometimes) my authenticated clients cannot access the web and the username & password window appears.

When I looked at the TMG log query, the above message and a 407 HTTP error were shown.

I changed my proxy port to 80 instead of 8080 but the problem is still there.

Please help me with my problem.

Thanks

December 13th, 2010 7:25am

Hi,

You should check your authentication settings and whether the connection from Forefront TMG to the Domain Controller used for authentication is reliable. Is your TMG server a member of the domain, or are you using RADIUS for outgoing authentication? The following article might help: http://technet.microsoft.com/en-us/library/cc302664.aspx

December 13th, 2010 7:34am

How many users do you have? This problem is usually related to secure channel performance problems with NTLM authentication passing through the proxy to its single DC (domain controller).

You may need to enable it to use the Kerberos protocol for the client authentication. This requires certain conditions to be met and also some configuration steps to be done:

a) only IE 7 and newer can use Kerberos for proxy authentication
b) in IE, you need to have the Enable Windows Authentication setting turned ON (it appears on the Advanced settings tab)
c) how do you configure the client computers? Are they configured statically or by GPO to use a specific proxy name? Or are you using the autoconfiguration script or autoconfiguration with WPAD?
    If you are configuring the clients with a certain proxy name, then ensure you type the TMG's domain computer name only (not an IP address, not any alias). This means that if the proxy computer account is TMGSRV, then you should configure clients with either TMGSRV or TMGSRV.yourdomain.suffix.
    If you use autoproxy, then I can direct you further.

ondrej.


  • Marked as answer by Hosein QUest Tuesday, December 14, 2010 7:13 AM
December 13th, 2010 2:18pm


Yes, that's right.

 If you are configuring the clients with a certain proxy name, then ensure you type the TMG's domain computer name only (not an IP address, not any alias). This means that if the proxy computer account is TMGSRV, then you should configure clients with either TMGSRV or TMGSRV.yourdomain.suffix.

But another problem: my client cannot download via download managers like IDM or Orbit. I know how to set the proxy in IDM but it doesn't work and the above error appears.

Thanks


December 14th, 2010 7:17am

Do you specify a user name and password for the proxy in the download managers? The common case is that these third-party tools do not use the built-in single-sign-on functionality and require you to specify the user/password for the proxy.

Anyway, if you still have problems, you would need to install Network Monitor on the client computer (or on TMG) and capture a network trace to better understand the traffic internals. Without a trace you usually cannot say anything better than that it just does not work.

ondrej.

December 14th, 2010 7:29am


These are the Network Monitor logs for this request:

585 11:17:06 AM 12/14/2010 123.9414461 192.168.168.13 tmg.internets.local HTTP HTTP:Request, GET http://dl.softgozar.com/Files/Update/NOD32_Smart_Security_Offline_Update_5694_(2010-12-11)_for_v3.x_ {HTTP:102, TCP:101, IPv4:51}
586 11:17:06 AM 12/14/2010 123.9433717 tmg.internets.local 192.168.168.13 HTTP HTTP:Response, HTTP/1.1, Status: Proxy authentication required, URL: http://dl.softgozar.com/Files/Update/NOD32_Smart_Security_Offline_Update_5694_(2010-12-11)_for_v3.x_Using Multiple Authetication Methods, see frame details {HTTP:102, TCP:101, IPv4:51}
587 11:17:06 AM 12/14/2010 123.9435070 tmg.internets.local 192.168.168.13 TCP TCP:[Continuation to #586]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=49958, PayloadLen=1460, Seq=3512133460 - 3512134920, Ack=3684939999, Win=256 (scale factor 0x8) = 65536 {TCP:101, IPv4:51}
588 11:17:06 AM 12/14/2010 123.9441176 192.168.168.13 tmg.internets.local TCP TCP:Flags=...A...., SrcPort=49958, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=3684939999, Ack=3512134920, Win=16425 (scale factor 0x2) = 65700 {TCP:101, IPv4:51}
589 11:17:06 AM 12/14/2010 123.9445791 tmg.internets.local 192.168.168.13 TCP TCP:[Continuation to #586]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=49958, PayloadLen=1460, Seq=3512134920 - 3512136380, Ack=3684939999, Win=256 (scale factor 0x8) = 65536 {TCP:101, IPv4:51}
590 11:17:06 AM 12/14/2010 123.9445791 tmg.internets.local 192.168.168.13 TCP TCP:[Continuation to #586]Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=49958, PayloadLen=147, Seq=3512136380 - 3512136527, Ack=3684939999, Win=256 (scale factor 0x8) = 65536 {TCP:101, IPv4:51}
591 11:17:06 AM 12/14/2010 123.9446690 192.168.168.13 tmg.internets.local TCP TCP:Flags=...A...., SrcPort=49958, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=3684939999, Ack=3512136527, Win=16425 (scale factor 0x2) = 65700 {TCP:101, IPv4:51}
592 11:17:06 AM 12/14/2010 123.9482665 192.168.168.13 tmg.internets.local TCP TCP:Flags=...A.R.., SrcPort=49958, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=3684939999, Ack=3512136527, Win=0 (scale factor 0x2) = 0 {TCP:101, IPv4:51}
593 11:17:06 AM 12/14/2010 123.9487204 192.168.168.13 tmg.internets.local TCP TCP:Flags=......S., SrcPort=49959, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=3684554957, Ack=0, Win=8192 ( Negotiating scale factor 0x2 ) = 8192 {TCP:103, IPv4:51}
594 11:17:06 AM 12/14/2010 123.9488595 tmg.internets.local 192.168.168.13 TCP TCP:Flags=...A..S., SrcPort=HTTP Alternate(8080), DstPort=49959, PayloadLen=0, Seq=350266938, Ack=3684554958, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152 {TCP:103, IPv4:51}
595 11:17:06 AM 12/14/2010 123.9489563 192.168.168.13 tmg.internets.local TCP TCP:Flags=...A...., SrcPort=49959, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=3684554958, Ack=350266939, Win=16425 (scale factor 0x2) = 65700 {TCP:103, IPv4:51}
596 11:17:06 AM 12/14/2010 123.9494662 192.168.168.13 tmg.internets.local HTTP HTTP:Request, GET http://dl.softgozar.com/Files/Update/NOD32_Smart_Security_Offline_Update_5694_(2010-12-11)_for_v3.x_, Using NTLM Authorization {HTTP:104, TCP:103, IPv4:51}
597 11:17:06 AM 12/14/2010 123.9515094 tmg.internets.local 192.168.168.13 HTTP HTTP:Response, HTTP/1.1, Status: Proxy authentication required, URL: http://dl.softgozar.com/Files/Update/NOD32_Smart_Security_Offline_Update_5694_(2010-12-11)_for_v3.x_ {HTTP:104, TCP:103, IPv4:51}
598 11:17:06 AM 12/14/2010 123.9543453 192.168.168.13 tmg.internets.local HTTP HTTP:Request, GET http://dl.softgozar.com/Files/Update/NOD32_Smart_Security_Offline_Update_5694_(2010-12-11)_for_v3.x_, Using NTLM Authorization {HTTP:104, TCP:103, IPv4:51}
599 11:17:06 AM 12/14/2010 123.9647060 tmg.internets.local 192.168.168.13 HTTP HTTP:Response, HTTP/1.1, Status: Proxy authentication required, URL: http://dl.softgozar.com/Files/Update/NOD32_Smart_Security_Offline_Update_5694_(2010-12-11)_for_v3.x_Using Multiple Authetication Methods, see frame details {HTTP:104, TCP:103, IPv4:51}
600 11:17:06 AM 12/14/2010 123.9648066 tmg.internets.local 192.168.168.13 TCP TCP:[Continuation to #599]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=49959, PayloadLen=1460, Seq=350268967 - 350270427, Ack=3684557102, Win=251 (scale factor 0x8) = 64256 {TCP:103, IPv4:51}
601 11:17:06 AM 12/14/2010 123.9649454 192.168.168.13 tmg.internets.local TCP TCP:Flags=...A...., SrcPort=49959, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=3684557102, Ack=350270427, Win=16425 (scale factor 0x2) = 65700 {TCP:103, IPv4:51}
602 11:17:06 AM 12/14/2010 123.9653573 tmg.internets.local 192.168.168.13 TCP TCP:[Continuation to #599]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=49959, PayloadLen=1460, Seq=350270427 - 350271887, Ack=3684557102, Win=251 (scale factor 0x8) = 64256 {TCP:103, IPv4:51}
603 11:17:06 AM 12/14/2010 123.9653573 tmg.internets.local 192.168.168.13 TCP TCP:[Continuation to #599]Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=49959, PayloadLen=137, Seq=350271887 - 350272024, Ack=3684557102, Win=251 (scale factor 0x8) = 64256 {TCP:103, IPv4:51}
604 11:17:06 AM 12/14/2010 123.9655444 192.168.168.13 tmg.internets.local TCP TCP:Flags=...A...., SrcPort=49959, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=3684557102, Ack=350272024, Win=16425 (scale factor 0x2) = 65700 {TCP:103, IPv4:51}
605 11:17:06 AM 12/14/2010 123.9656893 tmg.internets.local 192.168.168.13 TCP TCP:Flags=...A...F, SrcPort=HTTP Alternate(8080), DstPort=49959, PayloadLen=0, Seq=350272024, Ack=3684557102, Win=251 (scale factor 0x8) = 64256 {TCP:103, IPv4:51}
606 11:17:06 AM 12/14/2010 123.9661888 192.168.168.13 tmg.internets.local TCP TCP:Flags=...A...., SrcPort=49959, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=3684557102, Ack=350272025, Win=16425 (scale factor 0x2) = 65700 {TCP:103, IPv4:51}
December 14th, 2010 7:51am

So you can see there is "Proxy Authentication Required"; this shows that the client IS actually using the proxy (OK), and the proxy is asking for authentication. This is correct. Then the client sends a TCP RESET (the R flag set) packet to the proxy; the client is probably not willing to proceed with the authentication.

If you looked into the "Proxy Authentication Required" packet, there would be a WWW-Authenticate header telling you which authentication protocols the proxy is offering to the client for authentication. There would be something like Negotiate (that means Kerberos and NTLM), NTLM and maybe Basic. If there is no method that the client would be able to use, the client cannot authenticate.

In your case, I suspect your client can use only BASIC authentication, while your proxy is not offering it at all. So just go into the proxy settings and enable Basic authentication as well. This setting will not disrupt your normal Windows clients because they prefer Negotiate if it is available, so your SSO will not be broken.

ondrej.

December 14th, 2010 8:00am
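As an added illustration of the check described above (example code, not from the thread or from TMG), the Python below parses the Proxy-Authenticate headers a 407 carries (the proxy-side counterpart of the WWW-Authenticate header), picks the scheme a client would use in Negotiate, NTLM, Basic preference order, and scans Network Monitor style summary lines for a 407 answered by a client RST. The HTTP response and the trace lines are constructed samples, not captures from this thread.

```python
"""Two checks for the proxy-authentication failure discussed in the thread:
which scheme a client can pick from a 407, and whether the client gave up."""

# SSPI-aware Windows clients prefer Negotiate (Kerberos/NTLM), then NTLM, then Basic.
PREFERENCE = ("Negotiate", "NTLM", "Basic")


def offered_schemes(response):
    """Schemes a proxy advertises in its 407 via Proxy-Authenticate headers."""
    schemes = []
    for line in response.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "proxy-authenticate":
            schemes.append(value.strip().split()[0])   # scheme token before any params
    return schemes


def choose_scheme(offered, client_supports):
    """Scheme the client would use, or None when proxy and client share no scheme."""
    for scheme in PREFERENCE:
        if scheme in offered and scheme in client_supports:
            return scheme
    return None


def abandoned_after_407(summary_lines):
    """True if a 'Proxy authentication required' response was followed by a TCP RST
    from the client to the proxy port, i.e. the client did not continue the handshake."""
    saw_407 = False
    for line in summary_lines:
        if "Status: Proxy authentication required" in line:
            saw_407 = True
        elif saw_407 and "Flags=...A.R.." in line and "DstPort=HTTP Alternate(8080)" in line:
            return True
    return False


# Constructed sample 407 (not a capture from the thread): Negotiate and NTLM only, no Basic.
SAMPLE_407 = ("HTTP/1.1 407 Proxy Authentication Required\r\n"
              "Proxy-Authenticate: Negotiate\r\n"
              "Proxy-Authenticate: NTLM\r\n"
              "Content-Length: 0\r\n\r\n")

# Constructed summary lines in the style of the Network Monitor output posted above.
SAMPLE_TRACE = [
    "1 client proxy HTTP HTTP:Request, GET http://example.invalid/file, Using NTLM Authorization",
    "2 proxy client HTTP HTTP:Response, HTTP/1.1, Status: Proxy authentication required, URL: http://example.invalid/file",
    "3 client proxy TCP TCP:Flags=...A.R.., SrcPort=49958, DstPort=HTTP Alternate(8080), PayloadLen=0",
]

if __name__ == "__main__":
    offered = offered_schemes(SAMPLE_407)
    print("proxy offers:", offered)
    print("IE picks:", choose_scheme(offered, {"Negotiate", "NTLM", "Basic"}))
    print("Basic-only tool picks:", choose_scheme(offered, {"Basic"}))
    print("client reset after 407:", abandoned_after_407(SAMPLE_TRACE))
```

A download manager that only knows Basic gets None from the sample 407, which is the mismatch the reply above suspects; adding "Proxy-Authenticate: Basic" to the offer makes it pick Basic while an IE client still picks Negotiate.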


Hi,
I enabled the Basic mode but the problem is still not solved.

These are the new logs:

276 12:40:03 PM 12/14/2010 20.3663172 192.168.168.13 DC   DNS DNS:QueryId = 0x895, QUERY (Standard query), Query  for tmg.internets.local of type Host Addr on class Internet {DNS:25, UDP:24, IPv4:54}

279 12:40:03 PM 12/14/2010 20.3676844 DC   192.168.168.13 DNS DNS:QueryId = 0x895, QUERY (Standard query), Response - Success, 192.168.168.2 {DNS:25, UDP:24, IPv4:54}

282 12:40:03 PM 12/14/2010 20.3692664 192.168.168.13 TMG TCP TCP:Flags=......S., SrcPort=50055, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=2755958144, Ack=0, Win=8192 ( Negotiating scale factor 0x2 ) = 8192 {TCP:26, IPv4:51}

285 12:40:03 PM 12/14/2010 20.3703524 TMG 192.168.168.13 TCP TCP:Flags=...A..S., SrcPort=HTTP Alternate(8080), DstPort=50055, PayloadLen=0, Seq=3376093137, Ack=2755958145, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152 {TCP:26, IPv4:51}

286 12:40:03 PM 12/14/2010 20.3710560 192.168.168.13 TMG TCP TCP:Flags=...A...., SrcPort=50055, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=2755958145, Ack=3376093138, Win=16425 (scale factor 0x2) = 65700 {TCP:26, IPv4:51}

287 12:40:03 PM 12/14/2010 20.3726077 192.168.168.13 TMG HTTP HTTP:Request, GET http://dl.softgozar.com/Files/Software/USB_Disk_Security_5.4.0.12_Softgozar.com.exe , Using NTLM Authorization {HTTP:27, TCP:26, IPv4:51}

288 12:40:03 PM 12/14/2010 20.3747042 TMG 192.168.168.13 HTTP HTTP:Response, HTTP/1.1, Status: Proxy authentication required, URL: http://dl.softgozar.com/Files/Software/USB_Disk_Security_5.4.0.12_Softgozar.com.exe {HTTP:27, TCP:26, IPv4:51}

289 12:40:03 PM 12/14/2010 20.3772573 192.168.168.13 TMG HTTP HTTP:Request, GET http://dl.softgozar.com/Files/Software/USB_Disk_Security_5.4.0.12_Softgozar.com.exe , Using NTLM Authorization {HTTP:27, TCP:26, IPv4:51}

290 12:40:03 PM 12/14/2010 20.5793391 TMG 192.168.168.13 TCP TCP:Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=50055, PayloadLen=0, Seq=3376093706, Ack=2755960129, Win=251 (scale factor 0x8) = 64256 {TCP:26, IPv4:51}

373 12:40:18 PM 12/14/2010 35.3781629 TMG 192.168.168.13 HTTP HTTP:Response, HTTP/1.1, Status: Proxy authentication required, URL: http://dl.softgozar.com/Files/Software/USB_Disk_Security_5.4.0.12_Softgozar.com.exe Using Multiple Authetication Methods, see frame details {HTTP:27, TCP:26, IPv4:51}

374 12:40:18 PM 12/14/2010 35.3782336 TMG 192.168.168.13 TCP TCP:[Continuation to #373]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=50055, PayloadLen=1460, Seq=3376095166 - 3376096626, Ack=2755960129, Win=251 (scale factor 0x8) = 64256 {TCP:26, IPv4:51}

375 12:40:18 PM 12/14/2010 35.3784149 192.168.168.13 TMG TCP TCP:Flags=...A...., SrcPort=50055, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=2755960129, Ack=3376096626, Win=16425 (scale factor 0x2) = 65700 {TCP:26, IPv4:51}

376 12:40:18 PM 12/14/2010 35.3789414 TMG 192.168.168.13 TCP TCP:[Continuation to #373]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=50055, PayloadLen=1460, Seq=3376096626 - 3376098086, Ack=2755960129, Win=251 (scale factor 0x8) = 64256 {TCP:26, IPv4:51}

377 12:40:18 PM 12/14/2010 35.3789414 TMG 192.168.168.13 TCP TCP:[Continuation to #373]Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=50055, PayloadLen=137, Seq=3376098086 - 3376098223, Ack=2755960129, Win=251 (scale factor 0x8) = 64256 {TCP:26, IPv4:51}

378 12:40:18 PM 12/14/2010 35.3800827 192.168.168.13 TMG TCP TCP:Flags=...A...., SrcPort=50055, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=2755960129, Ack=3376098223, Win=16425 (scale factor 0x2) = 65700 {TCP:26, IPv4:51}

379 12:40:18 PM 12/14/2010 35.3838662 192.168.168.13 TMG TCP TCP:Flags=...A.R.., SrcPort=50055, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=2755960129, Ack=3376098223, Win=0 (scale factor 0x2) = 0 {TCP:26, IPv4:51}

380 12:40:18 PM 12/14/2010 35.4229856 TMG 192.168.168.13 TCP TCP:Flags=...A...F, SrcPort=HTTP Alternate(8080), DstPort=50055, PayloadLen=0, Seq=3376098223, Ack=2755960129, Win=251 {TCP:28, IPv4:51}


December 14th, 2010 9:11am

Check the packet internals; I cannot say from this brief overview only. Sorry.

ondrej.

December 14th, 2010 10:43am

Hi,

I always used aliases, but suddenly it began asking for credentials. Is this due to a patch that was applied? What could it have been?

I'm testing with a CNAME and it works.

Thanks

March 24th, 2015 2:49pm
