Web Proxy Clients Cannot View External Sites When You Enable Digest Authentication for Outgoing Web Requests (816959)


The information in this article applies to:

  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Internet Security and Acceleration Server 2000
  • Microsoft Windows Small Business Server 2003, Premium Edition

SYMPTOMS

When you configure Microsoft Internet Security and Acceleration (ISA) Server 2000 to require Digest authentication for outgoing Web requests, Web proxy clients are no longer permitted to view external Web sites.

The Web proxy client is prompted for its credentials three times, and then the following Web page is displayed: The page cannot be displayed

There is a problem with the page you are trying to reach and it
cannot be displayed

Please try the following:
  • Click the Refresh button, or try again later.
  • Open the www.websitename.com home page, and then look for links to the information you want.
  • If you typed the page address in the Address bar, make sure that it is spelled correctly.
  • Verify that the Internet access policy on your network allows you to view this page.
  • If you believe you should be able to view this directory or page, please contact the Web site administrator by using the e-mail address or phone number listed on the www.websitename.com home page.
HTTP 407 Proxy Authentication Required - ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. (12209)
Internet Security and Acceleration Server.

CAUSE

This issue occurs if all of the following conditions are true:
  • You install ISA Server 2000 on a Windows Server 2003-based computer.

    -and-
  • You configure the outgoing Web requests listener to use only Digest authentication.

    -and
  • You click to select the Ask unauthenticated users for identification check box on the Outgoing Web Requests tab of the ISA server properties dialog box.
The issue occurs because the Iissuba.dll subauthentication component is not registered on the Windows Server 2003 domain controller. Because of additional security introduced with Windows Server 2003, this file is not registered by default.

RESOLUTION

To resolve this issue, register the Iissuba.dll subauthentication component on the Windows Server 2003 domain controller. To do this, follow these steps:
  1. Log on to the Windows Server 2003 domain controller.
  2. Click Start, click Run, type cmd in the Open box, and then click OK.
  3. Type the following command, and then press ENTER:

    rundll32 %windir%\system32\iissuba.dll,RegisterIISSUBA

    Note The "RegisterIISSUBA" portion of this command is case-sensitive. Make sure that you type it as shown here.

    You are not notified that the command has completed successfully.
  4. Close the command prompt.

WORKAROUND

To work around this issue, use another form of client authentication in addition to, or other than Digest authentication. For example, use Integrated authentication in addition to Digest authentication on the ISA server.
Modification Type:MajorLast Reviewed:10/9/2003
Keywords:kberrmsg kbprb KB816959 kbAudITPRO
©2003 Microsoft Corporation. All rights reserved.