ISA 2004 Proxy Integrated Authentication fails

I have an ISA 2004 Standard Server (on Win2k3 SP2) used as proxy in a Windows 2003 Active Directory. Client is Win XP SP2, IE7

Today I suddenly had a problem with one single user, and it just started during the day. I am not aware of any changes on his machine or the proxy server. The user's password was reset by the helpdesk this morning. The user is in a remote site.

When he tries to open a web page thru the proxy, he gets a popup box asking for his credentials. In the proxy log I can see that it's not authenticating correctly, we only get "anonymous" as username. I confirmed that his password is correct. His client was rebooted. He has current Kerberos tickets (krbtgt, Service Tickets for the proxy server). Entering the correct username does not help.

Now when he tries to logon or enters his password, I get a 529 Logon Failure Audit in the event log in the proxy, however it looks like that (see code window). So instead of his using user name I get this strange string.

When we enter a different username and password in the popup box, it authenticates just fine, and we get to the Internet. This made me think it's only a problem when using Kerberos, so I disabled "Integrated Windows Authentication" in his Internet Explorer, restarted it, and now it works just fine.

Anybody seen this before?

Logon Failure:
 	Reason:		Unknown user name or bad password
 	User Name:	`	F+ 	
 	Logon Type:	3
 	Logon Process:	Advapi  
 	Authentication Package:	Negotiate
 	Workstation Name:	MYPROXYSERVER
 	Caller User Name:	NETWORK SERVICE
 	Caller Domain:	NT AUTHORITY
 	Caller Logon ID:	(0x0,0x3E4)
 	Caller Process ID:	320
 	Transited Services:	-
 	Source Network Address:	-
 	Source Port:	-

Open in new window

LVL 14
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Rick FeeMessaging Engineer - Disaster Recovery EngineerCommented:
My guess is with " The user's password was reset by the helpdesk"   That the workstation the user is logging into still has the old password.    Is the workstation in a Workgroup or part of the domain.    When the user attempt to hit ISA it passing the old password.    The password is not synced
Wonko_the_SaneAuthor Commented:
That's what I thought, too. But the user is in the domain, we rebooted his machine and logged in with his new password. I guess I will just try again next week to see if it was somehow related to old cached credentials or something, but it doesn't make a lot of sense.
Rick FeeMessaging Engineer - Disaster Recovery EngineerCommented:
I would check to ensure no saved password are on the XP box for this user:

Then reset the password again one last time...still a no go are they using the ISA 2004 proxy client?

If so I would uninstall and reinstall.
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Wonko_the_SaneAuthor Commented:
There were no local user names or passwords stored. He does use the proxy client, however we disabled it for the test and had the same problem.

We had some other major issues this morning so I couldn't look back into this yet. Thanks for your input so far.
Rick FeeMessaging Engineer - Disaster Recovery EngineerCommented:
Odd...I would still uninstall and reinstall the client.
Wonko_the_SaneAuthor Commented:
We uninstalled and reinstalled the proxy client - no difference :(

I had one the administrators on site login with her account on this machine. It works fine for her. So it's something related to his account/profile. As of now I just left integrated authentication disabled since I am not aware of any application he uses that actually needs this, however this is really strange.
Rick FeeMessaging Engineer - Disaster Recovery EngineerCommented:
And if that failed was going to be my next suggestion to rebuild the profile.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Wonko_the_SaneAuthor Commented:
Yes, that's our plan in case he ever needs this. As of now we are not rebuilding it, since he has a lot of custom stuff and it's always a pain to redo those profiles. Anyway, thanks for your input.
Wonko_the_SaneAuthor Commented:
We never really resolved this, but I think the steps above were all valid troubleshooting steps so I gave the points here.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Forefront ISA Server

From novice to tech pro — start learning today.