ISA 2004 Proxy Integrated Authentication fails

Posted on 2009-07-10
Last Modified: 2012-05-07
I have an ISA 2004 Standard Server (on Win2k3 SP2) used as proxy in a Windows 2003 Active Directory. Client is Win XP SP2, IE7

Today I suddenly had a problem with one single user, and it just started during the day. I am not aware of any changes on his machine or the proxy server. The user's password was reset by the helpdesk this morning. The user is in a remote site.

When he tries to open a web page thru the proxy, he gets a popup box asking for his credentials. In the proxy log I can see that it's not authenticating correctly, we only get "anonymous" as username. I confirmed that his password is correct. His client was rebooted. He has current Kerberos tickets (krbtgt, Service Tickets for the proxy server). Entering the correct username does not help.

Now when he tries to logon or enters his password, I get a 529 Logon Failure Audit in the event log in the proxy, however it looks like that (see code window). So instead of his using user name I get this strange string.

When we enter a different username and password in the popup box, it authenticates just fine, and we get to the Internet. This made me think it's only a problem when using Kerberos, so I disabled "Integrated Windows Authentication" in his Internet Explorer, restarted it, and now it works just fine.

Anybody seen this before?

Logon Failure:

 	Reason:		Unknown user name or bad password

 	User Name:	`	F+ 	


 	Logon Type:	3

 	Logon Process:	Advapi  

 	Authentication Package:	Negotiate

 	Workstation Name:	MYPROXYSERVER

 	Caller User Name:	NETWORK SERVICE

 	Caller Domain:	NT AUTHORITY

 	Caller Logon ID:	(0x0,0x3E4)

 	Caller Process ID:	320

 	Transited Services:	-

 	Source Network Address:	-

 	Source Port:	-

Open in new window

Question by:Wonko_the_Sane
  • 5
  • 4
LVL 20

Expert Comment

ID: 24830627
My guess is with " The user's password was reset by the helpdesk"   That the workstation the user is logging into still has the old password.    Is the workstation in a Workgroup or part of the domain.    When the user attempt to hit ISA it passing the old password.    The password is not synced
LVL 14

Author Comment

ID: 24831106
That's what I thought, too. But the user is in the domain, we rebooted his machine and logged in with his new password. I guess I will just try again next week to see if it was somehow related to old cached credentials or something, but it doesn't make a lot of sense.
LVL 20

Expert Comment

ID: 24831201
I would check to ensure no saved password are on the XP box for this user:

Then reset the password again one last time...still a no go are they using the ISA 2004 proxy client?

If so I would uninstall and reinstall.
LVL 14

Author Comment

ID: 24841613
There were no local user names or passwords stored. He does use the proxy client, however we disabled it for the test and had the same problem.

We had some other major issues this morning so I couldn't look back into this yet. Thanks for your input so far.
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

LVL 20

Expert Comment

ID: 24841680
Odd...I would still uninstall and reinstall the client.
LVL 14

Author Comment

ID: 24862511
We uninstalled and reinstalled the proxy client - no difference :(

I had one the administrators on site login with her account on this machine. It works fine for her. So it's something related to his account/profile. As of now I just left integrated authentication disabled since I am not aware of any application he uses that actually needs this, however this is really strange.
LVL 20

Accepted Solution

EndureKona earned 500 total points
ID: 24865500
And if that failed was going to be my next suggestion to rebuild the profile.
LVL 14

Author Comment

ID: 24868590
Yes, that's our plan in case he ever needs this. As of now we are not rebuilding it, since he has a lot of custom stuff and it's always a pain to redo those profiles. Anyway, thanks for your input.
LVL 14

Author Comment

ID: 25191422
We never really resolved this, but I think the steps above were all valid troubleshooting steps so I gave the points here.

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Losing network connectivity 8 70
Terminal Server Temp Profile issue ? 12 53
Power shell script 6 58
Identify disabled AD users with PowerShell 6 34
Companies that have implemented Microsoft’s Active Directory need to ensure that the Active Directory is configured and operating properly. If there are issues found and not resolved, it eventually leads the components to fail or stop working and fi…
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

919 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now