RE: Can't use download tools through ISA server.

  • From: "ISA server" <ISAserver@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 8 Jan 2002 16:03:20 +1100

Another update on the problem.....I turned on ALL the authentication methods 
(integrated, basic and digest) for the outgoing web request listener. The Reget 
download still fails but the log makes for very interesting reading. As I read 
it (below) Reget makes a request of the proxy, then the proxy replies with a 
list of authentication methods it will accept (NTLM, basic, digest, kerberos).
Then Reget uses the preferred method (NTLM) and sends its AUTHENTICATED 
request. (NTLM)
ISA server REJECTS this request.

So....why would ISA server reject the NTLM request?
Checking the length of 
Output  7                       Proxy-Authorization: NTLM 
TlRMTVNTUAABAAAAB7IAoAQABAAjAAAAAwADACAAAABJVE1DR0dT
AND
Input   8                               Proxy-Authenticate: NTLM 
TlRMTVNTUAACAAAACAAIADAAAAAFgoGg6xjrTbsDG9kAAAAAAAAAAHYAdgA4AAAAQwBHAEcAUwACAAgAQwBHAEcAUwABAA4AQwBHAEcAUwBJAFMAQQAEAB4AYwBnAGcAcwAuAGEAYwB0AC4AZQBkAHUALgBhAHUAAwAuAGMAZwBnAHMAaQBzAGEALgBjAGcAZwBzAC4AYQBjAHQALgBlAGQAdQAuAGEAdQAAAAAA

there is a HUGE difference in the length of the NTLM authentication strings. Is 
this significant? Are there different NTLM key lengths in use? Is it possible 
that my ISA server only wants to accept requests of a certain length or am I 
barking up the wrong tree?

Reget log:

ReGet Deluxe 2.1 (build 104)
Status  1       15:55:39        8/1/2002        Download state changed to 
[Waiting]
Info    2       15:55:39        8/1/2002        One more section started
Info    3       15:55:39        8/1/2002        Connecting to cggsisa 
(172.16.0.30:8080)
Output  4       15:55:39        8/1/2002        GET 
http://download.microsoft.com/download/win2000pro/Update/8.1/NT5/EN-US/DX81NTeng.exe
 HTTP/1.0
Output  4                       User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; 
Windows 98)
Output  4                       Cookie: 
MC1=HASH=6165&GUID=5569307841AF46908AC80E6DD506C955&LV=200111&LCID=3081&V=3&LEVEL=3;
 SITESERVER=ID=1041&GUID=1041BE5C59FA415DA2DCE09A5BD58605; msresearch=1; 
MSPAuth=3AAAAAAAADbZBOH%2AGkpsGO08XQugy71MGci1KUPhSEaZVobDriBsRBhQ%24%24; 
MSPProf=3AAAAAAAAF1vDA%21bcmHhaiSqkO%210q2v1JZmMQscHTFUCRrV2y8LJl9pVD3VUw%2183EoEBhReZdSRslcKi2N0jH5xTJpr4cDUe9%21f4aKhuXz3KlZ3nYowxH6m7HmG9mnUG1tdhB96qiJT4FXhezuxRgzvxkZ39XNua0HDs4kSxuPk3I%24
Output  4                       Accept: */*
Output  4                       Range: bytes=0-
Output  4                       Referer: 
http://www.microsoft.com/downloads/release.asp?releaseid=33687&area=top&ordinal=10
Output  4                       Host: download.microsoft.com
Input   5       15:55:40        8/1/2002        HTTP/1.1 407 Proxy 
Authentication Required ( The ISA Server requires authorization to fulfill the 
request. Access to the Web Proxy service is denied.  )
Input   5                       Via:1.1 CGGSISA
Input   5                       Proxy-Authenticate: NTLM
Input   5                       Proxy-Authenticate: Basic 
realm="cggsisa.cggs.act.edu.au"
Input   5                       Proxy-Authenticate: Digest qop="auth", 
realm="cggsisa.cggs.act.edu.au", 
nonce="11c1229fe2c3e804565379100000dfcf67cb56a9fcbce565a62d8b656a0e"
Input   5                       Proxy-Authenticate: Kerberos
Input   5                       Proxy-Authenticate: Negotiate
Input   5                       Pragma: no-cache
Input   5                       Cache-Control: no-cache
Input   5                       Content-Type: text/html
Input   5                       Content-Length: 3865
Info    6       15:55:40        8/1/2002        Connecting to cggsisa 
(172.16.0.30:8080)
Output  7       15:55:40        8/1/2002        GET 
http://download.microsoft.com/download/win2000pro/Update/8.1/NT5/EN-US/DX81NTeng.exe
 HTTP/1.0
Output  7                       User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; 
Windows 98)
Output  7                       Cookie: 
MC1=HASH=6165&GUID=5569307841AF46908AC80E6DD506C955&LV=200111&LCID=3081&V=3&LEVEL=3;
 SITESERVER=ID=1041&GUID=1041BE5C59FA415DA2DCE09A5BD58605; msresearch=1; 
MSPAuth=3AAAAAAAADbZBOH%2AGkpsGO08XQugy71MGci1KUPhSEaZVobDriBsRBhQ%24%24; 
MSPProf=3AAAAAAAAF1vDA%21bcmHhaiSqkO%210q2v1JZmMQscHTFUCRrV2y8LJl9pVD3VUw%2183EoEBhReZdSRslcKi2N0jH5xTJpr4cDUe9%21f4aKhuXz3KlZ3nYowxH6m7HmG9mnUG1tdhB96qiJT4FXhezuxRgzvxkZ39XNua0HDs4kSxuPk3I%24
Output  7                       Accept: */*
Output  7                       Range: bytes=0-
Output  7                       Referer: 
http://www.microsoft.com/downloads/release.asp?releaseid=33687&area=top&ordinal=10
Output  7                       Proxy-Authorization: NTLM 
TlRMTVNTUAABAAAAB7IAoAQABAAjAAAAAwADACAAAABJVE1DR0dT
Output  7                       Host: download.microsoft.com
Output  7                       Proxy-Connection: Keep-Alive
Input   8       15:55:40        8/1/2002        HTTP/1.1 407 Proxy 
Authentication Required ( Access is denied.  )
Input   8                       Via:1.1 CGGSISA
Input   8                       Proxy-Authenticate: NTLM 
TlRMTVNTUAACAAAACAAIADAAAAAFgoGg6xjrTbsDG9kAAAAAAAAAAHYAdgA4AAAAQwBHAEcAUwACAAgAQwBHAEcAUwABAA4AQwBHAEcAUwBJAFMAQQAEAB4AYwBnAGcAcwAuAGEAYwB0AC4AZQBkAHUALgBhAHUAAwAuAGMAZwBnAHMAaQBzAGEALgBjAGcAZwBzAC4AYQBjAHQALgBlAGQAdQAuAGEAdQAAAAAA
Input   8                       Connection: Keep-Alive
Input   8                       Proxy-Connection: Keep-Alive
Input   8                       Pragma: no-cache
Input   8                       Cache-Control: no-cache
Input   8                       Content-Type: text/html
Input   8                       Content-Length: 0
Error   9       15:55:40        8/1/2002        Error #80070005(Access is 
denied.) in CRgHttpSession::RequestFile()
Info    10      15:55:40        8/1/2002        Pausing for 5 seconds
Status  11      15:55:43        8/1/2002        Download state changed to 
[Paused]




-----Original Message-----
From: ISA server 
Posted At: Tuesday, 8 January 2002 3:34 PM
Posted To: ISA server
Conversation: [isalist] Can't use download tools through ISA server.
Subject: [isalist] RE: Can't use download tools through ISA server.


http://www.ISAserver.org


Nice theory,
Unfortunately I just unchecked the 'Ask unauthenticated users for 
identification' on outgoing web request and restarted the web proxy service. It 
made no difference. Web requests from auto tools still get rejected. Anything 
else I have missed?

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Posted At: Tuesday, 8 January 2002 2:39 PM
Posted To: ISA server
Conversation: [isalist] Can't use download tools through ISA server.
Subject: [isalist] RE: Can't use download tools through ISA server.



Hi ISAserver,

Wow! Nice to meet the ISA Server on this list :-)

Turn off authentication for HTTP Requests or don't force authentication
at the Outgoing Web Requests listener. Your app isn't smart enough to
use the Web Proxy authentication feature.

HTH,
Tom
www.isaserver.org/shinder

-----Original Message-----
From: ISA server [mailto:ISAserver@xxxxxxxxxxxxxxx] 
Sent: Monday, January 07, 2002 9:19 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Can't use download tools through ISA server.


I have ISA server setup to require authentication for the web proxy.
Everything works perfectly......as long as you are a real user sitting
in front of a browser. You can access pages and download using ftp and
http without problems. However we cannot get 'automated tools' to work
through ISA server - despite setting the tool up to use the same proxy
settings.
I have tested with Copernic2001 (search tool), Reget (automated download
tool) and Download manager. All get similar results. They try to connect
- then report 'error in gateway' or something similar.

If I look at my ISA server logs I can see the initial anonymous
connection from the tool:

172.16.2.102    anonymous       Mozilla/4.0 (compatible; MSIE 5.0;
Windows 98)     N       2002-01-08      03:11:55        w3proxy CGGSISA
-       download.microsoft.com  -       80      -       741     4227
http    TCP     GET
http://download.microsoft.com/download/SharePointPortalServer/Install/1/
NT5/EN-US/SPSFull1.exe  -       -       407     -       -       -
172.16.2.102    anonymous       Mozilla/4.0 (compatible; MSIE 5.0;
Windows 98)     N       2002-01-08      03:11:55        w3proxy CGGSISA
-       download.microsoft.com  -       80      -       851     491
http    TCP     GET
http://download.microsoft.com/download/SharePointPortalServer/Install/1/
NT5/EN-US/SPSFull1.exe  -       -       407     -       -       -
172.16.2.102    anonymous       Mozilla/4.0 (compatible; MSIE 5.0;
Windows 98)     N       2002-01-08      03:12:01        w3proxy CGGSISA
-       download.microsoft.com  -       80      -       851     491
http    TCP     GET
http://download.microsoft.com/download/SharePointPortalServer/Install/1/
NT5/EN-US/SPSFull1.exe  -       -       407     -       -       -

....when this happens with a BROWSER connection, it is followed by a
validated connection using the user credentials and the download
proceeds. With the 'automated tool' this never happens - i.e. the second,
validated connection is not logged....
----------------------
However the automated tool has TRIED to make an authenticated connection
as shown by its own log (shown below).
As I have explained, variations on this problem occur with ALL automated
web access/download tools. It seems that the authenticated connection
from the tool is never received/accepted/validated. So what is going on?
I have been chasing this for a month now and getting nowhere.

-------------------------------------------------

ReGet Deluxe 2.1 (build 104)
Status  1       14:11:54        8/1/2002        Download state changed
to [Waiting]
Info    2       14:11:54        8/1/2002        One more section started
Info    3       14:11:55        8/1/2002        Connecting to cggsisa
(172.16.0.30:8080)
Output  4       14:11:55        8/1/2002        GET
http://download.microsoft.com/download/SharePointPortalServer/Install/1/
NT5/EN-US/SPSFull1.exe HTTP/1.0
Output  4                       User-Agent: Mozilla/4.0 (compatible;
MSIE 5.0; Windows 98)
Output  4                       Cookie:
MC1=HASH=6165&GUID=5569307841AF46908AC80E6DD506C955&LV=200111&LCID=3081&
V=3&LEVEL=3; SITESERVER=ID=1041&GUID=1041BE5C59FA415DA2DCE09A5BD58605;
msresearch=1;
MSPAuth=3AAAAAAAADbZBOH%2AGkpsGO08XQugy71MGci1KUPhSEaZVobDriBsRBhQ%24%24
;
MSPProf=3AAAAAAAAF1vDA%21bcmHhaiSqkO%210q2v1JZmMQscHTFUCRrV2y8LJl9pVD3VU
w%2183EoEBhReZdSRslcKi2N0jH5xTJpr4cDUe9%21f4aKhuXz3KlZ3nYowxH6m7HmG9mnUG
1tdhB96qiJT4FXhezuxRgzvxkZ39XNua0HDs4kSxuPk3I%24
Output  4                       Accept: */*
Output  4                       Range: bytes=0-
Output  4                       Referer:
http://www.microsoft.com/sharepoint/evaluation/trial/dleval_en.asp
Output  4                       Host: download.microsoft.com
Input   5       14:11:55        8/1/2002        HTTP/1.1 407 Proxy
Authentication Required ( The ISA Server requires authorization to
fulfill the request. Access to the Web Proxy service is denied.  )
Input   5                       Via:1.1 CGGSISA
Input   5                       Proxy-Authenticate: NTLM
Input   5                       Proxy-Authenticate: Kerberos
Input   5                       Proxy-Authenticate: Negotiate
Input   5                       Pragma: no-cache
Input   5                       Cache-Control: no-cache
Input   5                       Content-Type: text/html
Input   5                       Content-Length: 3875
Info    6       14:11:55        8/1/2002        Connecting to cggsisa
(172.16.0.30:8080)
Output  7       14:11:55        8/1/2002        GET
http://download.microsoft.com/download/SharePointPortalServer/Install/1/
NT5/EN-US/SPSFull1.exe HTTP/1.0
Output  7                       User-Agent: Mozilla/4.0 (compatible;
MSIE 5.0; Windows 98)
Output  7                       Cookie:
MC1=HASH=6165&GUID=5569307841AF46908AC80E6DD506C955&LV=200111&LCID=3081&
V=3&LEVEL=3; SITESERVER=ID=1041&GUID=1041BE5C59FA415DA2DCE09A5BD58605;
msresearch=1;
MSPAuth=3AAAAAAAADbZBOH%2AGkpsGO08XQugy71MGci1KUPhSEaZVobDriBsRBhQ%24%24
;
MSPProf=3AAAAAAAAF1vDA%21bcmHhaiSqkO%210q2v1JZmMQscHTFUCRrV2y8LJl9pVD3VU
w%2183EoEBhReZdSRslcKi2N0jH5xTJpr4cDUe9%21f4aKhuXz3KlZ3nYowxH6m7HmG9mnUG
1tdhB96qiJT4FXhezuxRgzvxkZ39XNua0HDs4kSxuPk3I%24
Output  7                       Accept: */*
Output  7                       Range: bytes=0-
Output  7                       Referer:
http://www.microsoft.com/sharepoint/evaluation/trial/dleval_en.asp
Output  7                       Proxy-Authorization: NTLM
TlRMTVNTUAABAAAAB7IAoAQABAAjAAAAAwADACAAAABJVE1DR0dT
Output  7                       Host: download.microsoft.com
Output  7                       Proxy-Connection: Keep-Alive
Input   8       14:11:56        8/1/2002        HTTP/1.1 407 Proxy
Authentication Required ( Access is denied.  )
Input   8                       Via:1.1 CGGSISA
Input   8                       Proxy-Authenticate: NTLM
TlRMTVNTUAACAAAACAAIADAAAAAFgoGgdUGLppsxQr0AAAAAAAAAAHYAdgA4AAAAQwBHAEcA
UwACAAgAQwBHAEcAUwABAA4AQwBHAEcAUwBJAFMAQQAEAB4AYwBnAGcAcwAuAGEAYwB0AC4A
ZQBkAHUALgBhAHUAAwAuAGMAZwBnAHMAaQBzAGEALgBjAGcAZwBzAC4AYQBjAHQALgBlAGQA
dQAuAGEAdQAAAAAA
Input   8                       Connection: Keep-Alive
Input   8                       Proxy-Connection: Keep-Alive
Input   8                       Pragma: no-cache
Input   8                       Cache-Control: no-cache
Input   8                       Content-Type: text/html
Input   8                       Content-Length: 0
Error   9       14:11:56        8/1/2002        Error #80070005(Access
is denied.) in CRgHttpSession::RequestFile()
Info    10      14:11:56        8/1/2002        Pausing for 5 seconds
Info    11      14:12:01        8/1/2002        Connecting to cggsisa
(172.16.0.30:8080)
Output  12      14:12:01        8/1/2002        GET
http://download.microsoft.com/download/SharePointPortalServer/Install/1/
NT5/EN-US/SPSFull1.exe HTTP/1.0
Output  12                      User-Agent: Mozilla/4.0 (compatible;
MSIE 5.0; Windows 98)
Output  12                      Cookie:
MC1=HASH=6165&GUID=5569307841AF46908AC80E6DD506C955&LV=200111&LCID=3081&
V=3&LEVEL=3; SITESERVER=ID=1041&GUID=1041BE5C59FA415DA2DCE09A5BD58605;
msresearch=1;
MSPAuth=3AAAAAAAADbZBOH%2AGkpsGO08XQugy71MGci1KUPhSEaZVobDriBsRBhQ%24%24
;
MSPProf=3AAAAAAAAF1vDA%21bcmHhaiSqkO%210q2v1JZmMQscHTFUCRrV2y8LJl9pVD3VU
w%2183EoEBhReZdSRslcKi2N0jH5xTJpr4cDUe9%21f4aKhuXz3KlZ3nYowxH6m7HmG9mnUG
1tdhB96qiJT4FXhezuxRgzvxkZ39XNua0HDs4kSxuPk3I%24
Output  12                      Accept: */*
Output  12                      Range: bytes=0-
Output  12                      Referer:
http://www.microsoft.com/sharepoint/evaluation/trial/dleval_en.asp
Output  12                      Proxy-Authorization: NTLM
TlRMTVNTUAABAAAAB7IAoAQABAAjAAAAAwADACAAAABJVE1DR0dT
Output  12                      Host: download.microsoft.com
Output  12                      Proxy-Connection: Keep-Alive
Input   13      14:12:01        8/1/2002        HTTP/1.1 407 Proxy
Authentication Required ( Access is denied.  )
Input   13                      Via:1.1 CGGSISA
Input   13                      Proxy-Authenticate: NTLM
TlRMTVNTUAACAAAACAAIADAAAAAFgoGgNWZxx9h7+a0AAAAAAAAAAHYAdgA4AAAAQwBHAEcA
UwACAAgAQwBHAEcAUwABAA4AQwBHAEcAUwBJAFMAQQAEAB4AYwBnAGcAcwAuAGEAYwB0AC4A
ZQBkAHUALgBhAHUAAwAuAGMAZwBnAHMAaQBzAGEALgBjAGcAZwBzAC4AYQBjAHQALgBlAGQA
dQAuAGEAdQAAAAAA
Input   13                      Connection: Keep-Alive
Input   13                      Proxy-Connection: Keep-Alive
Input   13                      Pragma: no-cache
Input   13                      Cache-Control: no-cache
Input   13                      Content-Type: text/html
Input   13                      Content-Length: 0
Error   14      14:12:01        8/1/2002        Error #80070005(Access
is denied.) in CRgHttpSession::RequestFile()
Info    15      14:12:01        8/1/2002        Pausing for 5 seconds
Status  16      14:12:02        8/1/2002        Download state changed
to [Paused]

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
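
Added example, not part of the original thread: the two NTLM tokens whose lengths are compared at the top of the thread (ReGet log steps "Output 7" and "Input 8") can be decoded to see what each one carries. The parser below is illustrative Python; its function and field names are assumptions of this example, and it handles only NTLM Type 1 and Type 2 messages.

```python
import base64
import struct
# Tokens copied from the ReGet log above: "Output 7" (client), "Input 8" (proxy).
CLIENT_B64 = "TlRMTVNTUAABAAAAB7IAoAQABAAjAAAAAwADACAAAABJVE1DR0dT"
PROXY_B64 = (
    "TlRMTVNTUAACAAAACAAIADAAAAAFgoGg6xjrTbsDG9kAAAAAAAAAAHYAdgA4AAAAQwBHAEcA"
    "UwACAAgAQwBHAEcAUwABAA4AQwBHAEcAUwBJAFMAQQAEAB4AYwBnAGcAcwAuAGEAYwB0AC4A"
    "ZQBkAHUALgBhAHUAAwAuAGMAZwBnAHMAaQBzAGEALgBjAGcAZwBzAC4AYQBjAHQALgBlAGQA"
    "dQAuAGEAdQAAAAAA"
)
MSG_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
AV_NAMES = {1: "nb_computer", 2: "nb_domain", 3: "dns_computer", 4: "dns_domain"}


def _buf(raw, pos):  # follow a security-buffer header: length, max length, offset
    length, _max, offset = struct.unpack_from("<HHI", raw, pos)
    if offset + length > len(raw):
        raise ValueError("security buffer points outside the message")
    return raw[offset:offset + length]


def parse_ntlm(b64):  # decode one Proxy-Authorization / Proxy-Authenticate token
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < 32 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message this parser handles")
    mtype = struct.unpack_from("<I", raw, 8)[0]
    out = {"type": MSG_TYPES.get(mtype, "UNKNOWN"), "length": len(raw)}
    if mtype == 1:  # flags, then OEM-encoded domain and workstation buffers
        out["flags"] = struct.unpack_from("<I", raw, 12)[0]
        out["domain"] = _buf(raw, 16).decode("ascii", "replace")
        out["workstation"] = _buf(raw, 24).decode("ascii", "replace")
    elif mtype == 2:  # target name, flags, 8-byte server challenge, target info
        out["flags"] = struct.unpack_from("<I", raw, 20)[0]
        out["target"] = _buf(raw, 12).decode("utf-16-le", "replace")  # Unicode set
        out["challenge"] = raw[24:32].hex()
        info = _buf(raw, 40) if out["flags"] & 0x00800000 else b""  # target-info bit
        out["target_info"], pos = {}, 0
        while pos + 4 <= len(info):  # AV pairs: id, length, UTF-16LE value
            av_id, av_len = struct.unpack_from("<HH", info, pos)
            if av_id == 0:  # list terminator
                break
            value = info[pos + 4:pos + 4 + av_len].decode("utf-16-le", "replace")
            out["target_info"][AV_NAMES.get(av_id, av_id)] = value
            pos += 4 + av_len
    return out


if __name__ == "__main__":
    print(parse_ntlm(CLIENT_B64), parse_ntlm(PROXY_B64), sep="\n")
```

The client token is a 39-byte Type 1 (negotiate) message holding only flags, a workstation name and a domain name, while the proxy token is a 174-byte Type 2 (challenge) message that adds an 8-byte challenge plus the proxy's NetBIOS and DNS names in UTF-16. In the NTLM HTTP handshake the 407 that carries a Type 2 token is the challenge step, which the client answers with a Type 3 message on the same connection.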


