Multiple Password Prompts, Access Denied Using Web Proxy and SSL

ID: Q170666

The information in this article applies to:

Microsoft Proxy Server versions 1.0, 2.0
Microsoft Internet Explorer versions 2.0, 2.01, 2.1, 3.0, 3.01, 3.02

SYMPTOMS

If you try to connect to a secure SSL site through Web Proxy (using https://), you may be prompted for a password three times and receive an Access Denied error message.

NOTE: This should only occur when you use Microsoft Internet Explorer version 2.x and later in conjunction with Microsoft Windows NT Challenge/Response authentication on the Proxy Server.

RESOLUTION

To resolve this problem, upgrade to Internet Explorer version 4.0. If you are unable to do so, use the information in the WORKAROUND section.

WORKAROUND

Use any of the following methods to avoid the problem.

NOTE: You should try them in the order listed. The fourth method may disable some or all authentication.

Upgrade Clients to Version 3.01 or Later

Make sure all clients are using Internet Explorer version 3.01 or later. Install Windows NT 4.0 Service Pack 3 or later on the Proxy Server computer. Install the Winsock Proxy client program on the client computers. In the Internet Explorer Proxy settings (View, Options, Connection), type the name of the Proxy Server computer for all protocols except {Secure}. This will force the browser to use the Winsock Proxy service instead of the Web Proxy service when the user attempts to connect to an SSL (secure) page. All other browser requests will use the Web Proxy service and still take advantage of caching. This scenario will allow use of Windows NT Challenge for all protocols because the Winsock Proxy has its own Windows NT Challenge authentication built-in.

Enable Basic Authentication

Disable Windows NT Challenge/Response and enable Basic Authentication instead. These settings can be found in the WWW service properties.

Install Winsock Proxy Client

Install the Winsock Proxy Client and disable the Proxy connection settings on the Internet Explorer Clients. All clients will use the Winsock Proxy service only.

Important: The following method will disable some or all of the authentication on the Proxy Server computer.

Disable Access Control

Disable Access Control for the Web proxy service. Doing this will allow all users anonymous access to the web proxy service. They will no longer be prompted for authentication when using the Web proxy service. The Web proxy log file will no longer show usernames; they will be replaced with anonymous.

STATUS

Microsoft has confirmed this to be a problem in Internet Explorer versions 2.0, 2.01, 2.1, 3.0, 3.01, and 3.02. This problem is fixed in Microsoft Internet Explorer version 4.0. A supported fix is available only for version 3.02.

A supported fix is now available, but has not been fully regression- tested and should be applied only to systems experiencing this specific problem. Unless you are severely impacted by this specific problem, Microsoft recommends that you wait for the next Service Pack that contains this fix. Contact Microsoft Technical Support for more information.

Additional query words: https ntlm nt challenge response secure


Keywords          : kbother pxsperm 
Version           : winnt:1.0,2.0
Platform          : winnt 
Issue type        : kbprb

Last Reviewed: August 9, 1999