authentication to webproxy fails using wpad and autodetection, but works fine if proxy is set in the browser

Hello,

Some of the clients have trouble with internet access over the TMG. IE is configured to use WPAD, which is set up as a DHCP option. In the logs I can see that the clients are not authenticated. If I enter the proxy parameters in the browser settings, everything works fine.

Has anybody an idea, what may be wrong?

Regards
Andreas

July 11th, 2013 8:33am

Hi,

Does the client get any pop-up asking for credentials?

July 11th, 2013 2:24pm

Hello Vasily,

thanks for your response. There is no pop-up at the client, only an access denied page.

Regards
Andreas

July 12th, 2013 3:20am

Hello Andreas,

Could you post wpad here? The only thing that comes to my mind is the difference between wpad and setting the proxy explicitly. WPAD could have some route exceptions for bypassing traffic... But it shouldn't be an issue...

What authentication method is selected on TMG?

July 16th, 2013 1:20pm

Hi,

Thank you for the post.

You may also refer to this guide to check the settings: http://technet.microsoft.com/en-us/library/cc302643.aspx

Regards,

July 16th, 2013 11:39pm

Hello,

I already read the information on http://technet.microsoft.com/en-us/library/cc302643.aspx but no success.

Authentication on the TMG is integrated. I've configured a DNS host entry proxy.internalfqd.de which points to one of the internal IPs. (I often had trouble with DNS aliases, because they also pointed to the IP on which I published OWA for internal use.) Here is my wpad.dat:

//Copyright (c) 1997-2006 Microsoft Corporation
// Route appended after the proxy entries in the list ImplementFindProxyForURL returns.
// NOTE(review): with "DIRECT" as the last entry, a client that cannot use the listed proxy
// may connect straight to the destination, without the proxy's authentication or filtering.
// Confirm this fail-open behaviour is intended and that direct egress is blocked at the perimeter.
BackupRoute="DIRECT";
// When true, plain host names (isPlainHostName) are marked for the direct-route checks.
UseDirectForLocal=true;
// When true, ExpMatch lower-cases its input before pattern matching.
ConvertUrlToLowerCase=false;
// Constructor for the table of destination subnets that are reached without the proxy.
// Fills numeric slots 0..3 with IpSubnet entries built from (ip, mask, CIDR prefix).
// Slots 2 and 3 hold the same subnet in this listing.
function MakeIPs(){
 var subnets = [
  ["127.0.0.0", "255.0.0.0", "127.0.0.0/8"],
  ["10.184.6.86", "255.255.255.255", "10.184.6.86/32"],
  ["192.168.60.0", "255.255.255.0", "192.168.60.0/24"],
  ["192.168.60.0", "255.255.255.0", "192.168.60.0/24"]
 ];
 for(var slot = 0; slot < subnets.length; slot++){
  var entry = subnets[slot];
  this[slot] = new IpSubnet(entry[0], entry[1], entry[2]);
 }
}
// Subnet table consulted by ImplementFindProxyForURL before any proxy is chosen.
DirectIPs=new MakeIPs();
// Number of DirectIPs slots the lookup loop walks; it iterates by this count, not by a length property.
cDirectIPs=4;
// Constructor for the list of host patterns treated as CARP exceptions.
// Fills numeric slots 0..9 with shell-expression patterns; ImplementFindProxyForURL
// tests both the host and the full URL against each of them.
function MakeCARPExceptions(){
 var patterns = [
  "*.windowsupdate.com",
  "windowsupdate.microsoft.com",
  "*.windowsupdate.microsoft.com",
  "*.update.microsoft.com",
  "download.windowsupdate.com",
  "download.microsoft.com",
  "*.download.windowsupdate.com",
  "wustat.windows.com",
  "ntservicepack.microsoft.com",
  "forefrontdl.microsoft.com"
 ];
 for(var slot = 0; slot < patterns.length; slot++){
  this[slot] = patterns[slot];
 }
}
// Patterns for which the node hash is seeded from the client's own address (see ImplementFindProxyForURL).
CARPExceptions=new MakeCARPExceptions();
// Number of CARPExceptions slots the matching loop walks.
cCARPExceptions=10;
// Constructor for the list of host patterns handled by the direct-route checks.
// Fills numeric slots 0..4; slots 0 and 4 hold the same pattern in this listing.
function MakeNames(){
 var patterns = [
  "*.internalfqdn.de",
  "*.special.co.jp",
  "*.cpm.local",
  "owa.special.de",
  "*.internalfqdn.de"
 ];
 for(var slot = 0; slot < patterns.length; slot++){
  this[slot] = patterns[slot];
 }
}
// Host-name patterns used by the direct-route checks in ImplementFindProxyForURL.
DirectNames=new MakeNames();
// Number of DirectNames slots the matching loop walks.
cDirectNames=5;
// Port appended to each proxy node name in the returned "PROXY name:port" entries.
HttpPort="8080";
// Number of Proxies entries that are scored and listed.
cNodes=1;
// Constructor for the proxy node table; this listing publishes a single node.
// Node arguments are (name, hash, load): the name is what clients connect to,
// hash and load feed the scoring in ImplementFindProxyForURL.
// NOTE(review): the node is published as an IP literal. With integrated authentication,
// Kerberos needs a host name to look up a service principal, so a client following this
// script is presumably limited to NTLM against the proxy. Compare with the name that is
// entered when the proxy is configured manually in the browser.
function MakeProxies(){
 var onlyNode = new Node("192.168.60.1", 283689650, 1.000000);
 this[0] = onlyNode;
}
// Proxy node table scored and listed by ImplementFindProxyForURL.
Proxies = new MakeProxies();
// Constructor for one proxy node.
// name  - address clients connect to (emitted as "PROXY name:port")
// hash  - per-node value XOR-ed with the request hash before scoring
// load  - multiplier applied to the scrambled hash
// score starts at 0 and is overwritten on every lookup.
function Node(name, hash, load){
 var node = this;
 node.name = name;
 node.hash = hash;
 node.load = load;
 node.score = 0;
 return node;
}
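// Constructor for one direct-route subnet.
// ip     - network address
// mask   - dotted netmask, used by IsInNet
// prefix - CIDR form of the same subnet, used by IsInNetEx
// isIpv6 is set to true for every ip that is not a dotted-quad IPv4 string.
function IpSubnet(ip, mask, prefix){
 this.ip = ip;
 this.mask = mask;
 this.prefix = prefix;
 // The dot is escaped so that only "d.d.d.d" counts as IPv4; an unescaped "." would
 // accept any separator character between the digit groups.
 var isIpV4Addr = /^(\d+\.){3}\d+$/;
 this.isIpv6 = !isIpV4Addr.test(ip);
 return this;
}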
// Helper slots bound by FindProxyForURL / FindProxyForURLEx on every call, so that
// ImplementFindProxyForURL works with either the classic or the "Ex" wrapper set.
var pfDnsResolve, pfMyIpAddress, pfIsInNet;
// Wrapper around the PAC built-in dnsResolve; bound to pfDnsResolve by FindProxyForURL.
// Returns whatever dnsResolve returns for the given name.
function DnsResolve(name){
 var resolved = dnsResolve(name);
 return resolved;
}
// Wrapper around the PAC built-in dnsResolveEx; bound to pfDnsResolve by FindProxyForURLEx.
// ImplementFindProxyForURL splits the result on ";".
function DnsResolveEx(name){
 var resolved = dnsResolveEx(name);
 return resolved;
}
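// Tests whether an IPv4 address lies inside a direct-route subnet.
// ip     - candidate address string
// subnet - IpSubnet entry; its ip and mask are handed to the PAC built-in isInNet
// Returns false without calling isInNet when the subnet is flagged IPv6 or when ip is
// not a dotted-quad string.
function IsInNet(ip, subnet){
 // The dot is escaped so that only "d.d.d.d" reaches isInNet; an unescaped "." would
 // let digit groups joined by any other character through as well.
 var isIpV4Addr = /^(\d+\.){3}\d+$/;
 if(subnet.isIpv6 || !isIpV4Addr.test(ip)){
  return false;
 }
 return isInNet(ip, subnet.ip, subnet.mask);
}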
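// "Ex" counterpart of IsInNet: tests an IPv4 address against a subnet's CIDR prefix.
// ip     - candidate address string
// subnet - IpSubnet entry; its prefix is handed to the PAC built-in isInNetEx
// Returns false without calling isInNetEx when the subnet is flagged IPv6 or when ip is
// not a dotted-quad string.
function IsInNetEx(ip, subnet) {
 // The dot is escaped so that only "d.d.d.d" reaches isInNetEx; an unescaped "." would
 // let digit groups joined by any other character through as well.
 var isIpV4Addr = /^(\d+\.){3}\d+$/;
 if(subnet.isIpv6 || !isIpV4Addr.test(ip)){
  return false;
 }
 return isInNetEx(ip, subnet.prefix);
}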
// Wrapper around the PAC built-in myIpAddress; bound to pfMyIpAddress by FindProxyForURL.
function MyIpAddress(){
 var ownAddress = myIpAddress();
 return ownAddress;
}
// Wrapper around the PAC built-in myIpAddressEx; bound to pfMyIpAddress by FindProxyForURLEx.
function MyIpAddressEx(){
 var ownAddresses = myIpAddressEx();
 return ownAddresses;
}
// Shell-expression match via the PAC built-in shExpMatch.
// str - host or URL to test; lower-cased first when ConvertUrlToLowerCase is set
// exp - pattern, passed through unchanged
function ExpMatch(str, exp){
 var subject = ConvertUrlToLowerCase ? str.toLowerCase() : str;
 return shExpMatch(subject, exp);
}
// PAC entry point. Binds the classic helper wrappers (DnsResolve, MyIpAddress, IsInNet)
// to the pf* slots and delegates the routing decision to ImplementFindProxyForURL.
// Returns the route string produced there.
function FindProxyForURL(url, host){
 pfIsInNet = IsInNet;
 pfMyIpAddress = MyIpAddress;
 pfDnsResolve = DnsResolve;
 var route = ImplementFindProxyForURL(url, host);
 return route;
}
// "Ex" PAC entry point. Binds the Ex helper wrappers (DnsResolveEx, MyIpAddressEx,
// IsInNetEx) to the pf* slots and delegates the routing decision to ImplementFindProxyForURL.
// Returns the route string produced there.
function FindProxyForURLEx(url, host){
 pfIsInNet = IsInNetEx;
 pfMyIpAddress = MyIpAddressEx;
 pfDnsResolve = DnsResolveEx;
 var route = ImplementFindProxyForURL(url, host);
 return route;
}
// Core routing decision shared by FindProxyForURL and FindProxyForURLEx.
// url  - URL argument as passed in by the entry point
// host - host argument as passed in by the entry point
// Returns "DIRECT", or a list of "PROXY name:port; " entries ordered by score with
// BackupRoute appended as the last entry.
// Relies on pfDnsResolve, pfMyIpAddress and pfIsInNet having been bound by the entry point.
function ImplementFindProxyForURL(url, host){
 var hash=0, urllower, i, fIp=false, ip, iparray, nocarp=false, skiphost=false;
 var list="", pl, j, score, ibest, bestscore;
 // The lower-cased URL is only used for the scheme checks below.
 urllower = url.toLowerCase();
 // RTSP and MMS scheme variants are never sent to the proxy.
 if((urllower.substring(0,5)=="rtsp:") ||
   (urllower.substring(0,6)=="rtspt:") ||
   (urllower.substring(0,6)=="rtspu:") ||
   (urllower.substring(0,4)=="mms:") ||
   (urllower.substring(0,5)=="mmst:") ||
   (urllower.substring(0,5)=="mmsu:"))
  return "DIRECT";
 // fIp marks hosts that get resolved and checked against DirectIPs further down.
 if(UseDirectForLocal){
  if(isPlainHostName(host))
   fIp = true;}
 // A host match only sets fIp; a match of the same pattern against the whole URL
 // returns DIRECT immediately.
 // NOTE(review): the URL test is not limited to the host component, so a pattern can
 // match text elsewhere in the URL. Confirm that is acceptable for a rule that skips the proxy.
 for(i=0; i<cDirectNames; i++){
  if(ExpMatch(host, DirectNames[i])){
   fIp = true;
   break;}
  if(ExpMatch(url, DirectNames[i]))
   return "DIRECT";
 }
 // Without any direct subnets, a marked host goes DIRECT as is.
 if(cDirectIPs == 0){
  if(fIp)
   return "DIRECT";}
 else{
  // Unmarked hosts are tested as given; marked hosts are resolved first.
  ip = host;
  if(fIp)
   ip = pfDnsResolve(host);
  // NOTE(review): ip.split assumes pfDnsResolve returned a string. Confirm what the
  // PAC engine returns for a name that does not resolve.
  iparray = ip.split(";");
  for(j=0; j<iparray.length; j++){
   // Any address containing ":" is routed DIRECT, so IPv6 destinations are not proxied here.
   if(IsIPv6Addr(iparray[j]))
    return "DIRECT";
   for(i=0; i<cDirectIPs; i++){
    if(pfIsInNet(iparray[j], DirectIPs[i]))
     return "DIRECT";}}
  // Plain host names go DIRECT even when no direct subnet matched.
  if(isPlainHostName(host))
   return "DIRECT";
 }
 // CARP exceptions: a host or URL match sets nocarp, which mixes the client's own address
 // into the hash below; a URL match additionally leaves the host out of the hash.
 if(cCARPExceptions > 0){
  for(i = 0; i < cCARPExceptions; i++){
   if(ExpMatch(host, CARPExceptions[i])){
    nocarp = true;}
   if(ExpMatch(url, CARPExceptions[i])){
    nocarp = true;
    skiphost = true;
    break;
 }}}
 if(!skiphost)
  hash = HashString(host,hash);
 if(nocarp)
  hash = HashString(pfMyIpAddress(), hash);
 // Score every node: load multiplied by Scramble of (request hash XOR node hash).
 pl = new Array();
 for(i = 0; i<cNodes; i++){
  Proxies[i].score = Proxies[i].load * Scramble(hash ^ Proxies[i].hash);
  pl[i] = i;
 }
 // Selection pass: pick the highest-scoring remaining node, append it to the list, then
 // move the last remaining index into the freed slot.
 for(j = 0; j < cNodes; j++){
  bestscore = -1;
  for(i = 0; i < cNodes-j; i++){
   score = Proxies[pl[i]].score;
   if(score > bestscore){
    bestscore = score;
    ibest = i;
  }}
  list = list + "PROXY " + Proxies[pl[ibest]].name + ":" + HttpPort + "; ";
  pl[ibest] = pl[cNodes-j-1];
 }
 // BackupRoute always ends the list.
 list = list + BackupRoute;
 return list;
}
// 16-entry lookup table indexed by a 4-bit value in HashString.
var h_tbl = [
 0, 0x10D01913, 0x21A03226, 0x31702B35,
 0x4340644C, 0x53907D5F, 0x62E0566A, 0x72304F79,
 0x8680C898, 0x9650D18B, 0xA720FABE, 0xB7F0E3AD,
 0xC5C0ACD4, 0xD510B5C7, 0xE4609EF2, 0xF4B087E1
];
// Folds a string into the running hash h, one character at a time.
// str - input string; hashing stops at the first ":" or "/"
// h   - starting hash value
// Each character is lower-cased, then its low and high nibble are mixed in through h_tbl.
// Returns the updated hash, normalised by MakeInt.
function HashString(str, h){
 var pos = 0;
 while(pos < str.length){
  var ch = str.charAt(pos);
  if(ch === ':' || ch === '/') break;
  var code = CharToAscii(ch.toLowerCase());
  h = (h >>> 4) ^ h_tbl[(h ^ code) & 15];
  h = (h >>> 4) ^ h_tbl[(h ^ (code >>> 4)) & 15];
  h = MakeInt(h);
  pos++;
 }
 return h;
}
// Mixes a hash value before it is multiplied by a node's load factor.
// Step 1 adds products of the low and high 16-bit halves with the constants 0x1965 and 0x6253.
// Step 2 adds a 32-bit rotation of the intermediate value right by 11 bits.
// Both steps are normalised with MakeInt.
function Scramble(h){
 var low = h & 0xffff;
 var high = (h >> 16) & 0xffff;
 h += (low * 0x1965) + ((high * 0x1965) << 16) + ((low * 0x6253) << 16);
 h = MakeInt(h);
 var rotated = ((h & 0x7ff) << 21) | ((h >> 11) & 0x1fffff);
 h += rotated;
 return MakeInt(h);
}
// Returns the character code of the first character of c.
function CharToAscii(c){
 var code = c.charCodeAt(0);
 return code;
}
// Reduces x modulo 2^32 and shifts negative remainders into the range 0..2^32-1.
function MakeInt(x){
 var wrapped = x % 4294967296;
 return (wrapped < 0) ? wrapped + 4294967296 : wrapped;
}
// Treats any string containing ":" as an IPv6 address.
function IsIPv6Addr(ip){
 var colonAt = ip.indexOf(":");
 return colonAt !== -1;
}

Regards
Andreas

July 19th, 2013 2:47am

This topic is archived. No further replies will be accepted.
