[isalist] WMP auth prompts

From: Jim Harrison <Jim@xxxxxxxxxxxx>
To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>, "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
Date: Sat, 3 Nov 2007 12:24:52 -0700
http://www.ISAserver.org
-------------------------------------------------------

(Hi, Dan)

Problem:
WMP sometimes displays auth prompts even though the logged-on user account is 
resolvable by ISA and has permissions to access the content through ISA 
policies.


Scenario:
ISA web proxy is configured for Windows Integrated authentication
ISA enforces authentication for HTTP traffic
WinMedia Player is configured to use a proxy (includes "autodiscover" or 
"browser") for HTTP protocol


Discussion:
When WMP is acting as a web (CERN) proxy client, and the proxy requires Windows 
Integrated authentication, WMP will not auto-authenticate to the proxy if the 
proxy is specified as either FQDN or IP address.  If the proxy is specified as 
NetBIOS (unqualified) name, WMP will auto-authenticate using the interactive 
account credentials.  If the proxy requires Basic or Digest auth, an auth 
prompt is expected, regardless of how the proxy is specified.  This behavior is 
the same if the proxy is obtained via an autoconfiguration (wpad) script.

By default, ISA 2004+ lists the proxies using their IP addresses in the wpad 
script.  This default was chosen to prevent name resolution errors from 
impeding normal client-to-web proxy communications.  While this works well 
enough for browsers, WMP "has issues" (yeh; we'll go with that) when the proxy 
is specified using anything other than NetBIOS name.


Solution (two-part):
1. Disable the proxy settings for HTTP (pick one).
    - Using WMP; Tools, Options, Network, Protocols, HTTP, set to "None"
    - Using Regedit:
      Key: HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP
      Name: ProxyStyle
      Type: DWORD
      Value: 0
    - Using GPO; under "User Configuration\Administrative Templates\Windows 
Components\Windows Media Player\Networking", set the "Configure HTTP Proxy" 
option to "Disabled"

2. Install the FWC from MS downloads 
http://www.microsoft.com/downloads/details.aspx?FamilyID=05c2c932-b15a-4990-b525-66380743da89


After making this change, the FWC will handle all HTTP requests from WMP and 
ISA authentication will now be satisfied through the FWC control channel 
instead of the HTTP protocol mechanisms.  This will stop the random auth 
prompts from WMP.

Enjoy,
JimmyJoeBob Alooba
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
[isalist] WMP auth prompts

Other related posts:
