23 Replies. Latest reply on Nov 16, 2012 10:43 AM by 970407

    NTLMv2 authentication on proxy server (MS ISA 2006)


      We experience the following problem in our environment:
      If someone opens a website with a java applet on a Windows 7 client (64 bit), a window appears with an authentication request against the proxy server.
      The authentication with the correct credentials fails.
      On a Windows XP client, the applet loads/starts without any problems.

      We currently use Java 6 with Update 23 (32 bit). We also tried the most recent Java 6 Update and Java 7, but this didn't change the behaviour.
      Our proxy server is Microsoft ISA 2006. The following authentication methods are configured: Negotiate and NTLM
      Our clients use standard settings for authentication.

      We tried several things and came to the following conclusion:
      Win7 tries to authenticate with NTLMv2, which fails. If we change the authentication method to NTLM (v1), Java can authenticate (with the logged on user) and the problem disappears.
      A network trace with NTLMv2 shows the following process:
           Java tries to load a web site -> proxy denies and says he needs authentication -> Java sends an NTLM Negotiate -> proxy replies with challenge
           But then Java again tries to load a web site without authentication!
      The network trace with NTLM (v1) shows the following:
           website loading without auth -> proxy denies -> Java sends NTLM Negotiate -> proxy replies with challenge -> Java authenticates

      If you want to know more about NTLM authentication go to: http://technet.microsoft.com/es-es/magazine/2006.08.securitywatch%28en-us%29.aspx

      Does anyone experience this behaviour in a similar environment?
      Does anyone know a solution to this problem, other than changing to NTLM(v1)?
      I appreciate your replies.


      Edited by: 929361 on 11.06.2012 22:31

      Edited by: 929361 on 11.06.2012 22:46
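The two traces described in the post above differ only in whether the client ever sends the third NTLM message. As an added example (not part of the original thread), this Python sketch reads the message type from the `Proxy-Authenticate` / `Proxy-Authorization` headers of a capture and reports where the handshake stopped. The sample traces are constructed, and their tokens carry only the `NTLMSSP` signature and type field.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MESSAGE_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def ntlm_message_type(header_line):
    """Return the NTLM message type (1, 2 or 3) in a proxy auth header, else None."""
    name, _, value = header_line.partition(":")
    if name.strip().lower() not in ("proxy-authenticate", "proxy-authorization"):
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None  # bare "NTLM" offer, or another scheme such as Negotiate
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or not raw.startswith(NTLMSSP_SIGNATURE):
        return None
    # The message type is a little-endian uint32 right after the 8-byte signature.
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    return msg_type if msg_type in MESSAGE_NAMES else None


def handshake_state(header_lines):
    """Summarise how far the NTLM exchange got in an ordered list of header lines."""
    seen = [t for t in map(ntlm_message_type, header_lines) if t]
    if not seen:
        return "no NTLM messages"
    if seen[-1] == 3:
        return "AUTHENTICATE sent"
    return "stalled after " + MESSAGE_NAMES[seen[-1]]


def _token(msg_type):
    # Constructed, truncated token: signature + type only, no flags or payload.
    return base64.b64encode(NTLMSSP_SIGNATURE + struct.pack("<I", msg_type)).decode()


# Constructed header sequences mirroring the two traces described in the post.
FAILING_TRACE = [
    "Proxy-Authenticate: Negotiate",
    "Proxy-Authenticate: NTLM",
    "Proxy-Authorization: NTLM " + _token(1),
    "Proxy-Authenticate: NTLM " + _token(2),
]
WORKING_TRACE = FAILING_TRACE + ["Proxy-Authorization: NTLM " + _token(3)]
```

`handshake_state(FAILING_TRACE)` reports the stall after the challenge, while `handshake_state(WORKING_TRACE)` reports that the authenticate message was sent.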
        • 1. Re: NTLMv2 authentication on proxy server (MS ISA 2006)
          We are experiencing the same issue you described.
          This has only started since testing the Java 7 version.
          Windows 7 32 and 64 bit
          Proxy is currently Windows ISA 2006
          Current user credentials fail and can lock out the account.
          I have seen that canceling the open request has actually allowed content to load however.

          Edited by: 941619 on Jun 19, 2012 8:10 AM
          • 2. Re: NTLMv2 authentication on proxy server (MS ISA 2006)
            Same symptoms here: if a user opens a page where a Java applet wants to run, he gets a JRE popup that asks for authentication. Choosing Cancel will run the applet without problem.

            - Windows XP SP3
            - Internet Explorer 8 and Firefox 13 both
            - Java 7u5
            - MS ISA 2006
            - with or without the ISA client software

            Strange thing: with some webpages/applets I get the popup every time I load the applet (for example when I want to log into an internet banking system that generates an encryption), but with other applets I get the popup only the first time (even if I clear the browser cache it doesn't come up anymore on those pages).
            • 3. Re: NTLMv2 authentication on proxy server (MS ISA 2006)
              Yes same issue in our environment.
              - Windows XP SP3 desktops
              - Windows 7 SP1 x64 Desktop
              - Internet Explorer 8
              - Proxy is WebMarshal v6.5.6.7349
              - NTLM is the only authentication method allowed over port 8080, although I'm not sure which version(s) are allowed.

              It seems as though the proxy authentication isn't actually required, because you can just click 'Cancel' when prompted for authentication and the java loads anyway. Weird.
              It's certainly preventing us from going to Java 7.

              Edited by: 945916 on 11/07/2012 21:08
              • 4. Re: NTLMv2 authentication on proxy server (MS ISA 2006)
                Still no update on this issue?
                • 5. Re: NTLMv2 authentication on proxy server (MS ISA 2006)
                  This issue could be the same as:

                  7184444: Java 7 does not properly handle integrated authenticating proxy servers [1]

                  The fix is in 7u8-b02, and we just released 7u8 Developer Preview on java.net [2]. Could you please give it a try and see if the issue persists?

                  [1] http://bugs.sun.com/view_bug.do?bug_id=7184444
                  [2] http://jdk7.java.net/archive/7u8-b02.html

                  • 6. Re: NTLMv2 authentication on proxy server (MS ISA 2006)
                    I performed a single test, but it appears the proxy authentication issue is resolved with the 1.7_8
                    • 7. Re: NTLMv2 authentication on proxy server (MS ISA 2006)
                      We have the same issue.

                      We are using Internet Explorer 7 on Windows XP through a Microsoft ISA Server 2006 firewall to an IIS 6 website using Windows Integrated security.

                      We tested the latest version, Java 1.7.0_08 (as downloaded from the link), and at first we thought it would work, but we got the authentication pop-up window and my colleague and I had our Active Directory accounts locked (even if we clicked on Cancel) after giving it a try.
                      • 8. Re: NTLMv2 authentication on proxy server (MS ISA 2006)

                        Following on from this thread. This bug has not been fixed as yet in 7u9. (tested today - 24/October/2012 on Windows 7 x64 SP1 with ISA 2006, both using Firefox and Internet Explorer)

                        I tried to click on both the URLs provided by rogery in this thread which detail the bug, but both the links are dead: 404 error. Dead links:

                        [1] http://bugs.sun.com/view_bug.do?bug_id=7184444
                        [2] http://jdk7.java.net/archive/7u8-b02.html

                        I also found another thread about this BUG on the Microsoft technet forums: http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/38117764-8576-4503-ad3d-767a3d274726

                        Oracle changed 7u8-b02 to 7u10: http://www.oracle.com/technetwork/java/java-update-release-numbers-change-1836624.html


                        1. Ju10b12 is a developer preview release, but I can't find any release notes for it.
                        2. Current live link to the same bug ID (7184444) is here: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7184444
                        3. The status of this bug is: Resolved. - Quote "Fixed Versions: 8" as of 26/09/2012
                        4. Version 8 is not available for general release yet.

                        There is also a WORKAROUND in the bug ID: "At the java authentication dialog (e.g. the attached negotiate_auth.png), select the "Save this password in your password list" so the dialog won't popup again after the first time." - Pardon. Save your password!!!

                        * This is not a very good idea when it is highly likely that this will lock out accounts for companies that force passwords to be reset on a periodic basis!


                        Can someone from Oracle please clear up this mess and confusion, it would be very much appreciated.

                        1. Is this fixed in 7u10x?
                        2. Is this fixed in 8x?
                        3. Or is this fixed in both?


                        Edited by: 967404 on 24-Oct-2012 06:51

                        Edited by: 967404 on 24-Oct-2012 06:55
                        • 9. Re: NTLMv2 authentication on proxy server (MS ISA 2006)
                          I have tested with Java 7 Update 9 and the login dialog still appears.

                          When will this bug be fixed by Oracle?
                          • 10. Re: NTLMv2 authentication on proxy server (MS ISA 2006)
                            For us, this issue is not TOTALLY fixed with
                            Indeed, in our company, :
                            - fixes the issues we had with Intranet applications (they don't ask the authentication anymore)... which is a good progress because at least our employees can work !
                            - BUT doesn't fix the issues with Internet sites (such as the java.com page that detects if java is correctly installed).

                            I've just tried with the preview 13 (jre-7u10-ea-bin-b13-windows-i586-24_oct_2012.exe) ... but it doesn't fix the issue either.

                            Edited by: 968679 on 31 oct. 2012 07:13
                            • 11. Re: NTLMv2 authentication on proxy server (MS ISA 2006)
                              Simon Jablonski
                              We're experiencing the same issue with Proxy authentication.... can we get an answer on the ETA?
                              • 12. Re: NTLMv2 authentication on proxy server (MS ISA 2006)
                                For information, I've just tried with the latest preview version "jre-7u10-ea-bin-b14-windows-i586-31_oct_2012.exe" ... and the issue is still present.
                                • 13. Re: NTLMv2 authentication on proxy server (MS ISA 2006)
                                  This is happening with TMG 2010 as well. I cannot use a Beta release as a fix because some web based financial applications list specific Java versions for their application and if the Java version is outside of this list the application will not work.

                                  Come on Oracle, please fix this Java problem in a production release of Java
                                  • 14. Re: NTLMv2 authentication on proxy server (MS ISA 2006)
                                    We are also experiencing this issue.
                                    Windows 7 Enterprise SP1 x64
                                    Internet Explorer 8 (32bit)
                                    Java Version 7 Update 7 originally. Tried Java 7 Update 10 Build 14 and still experience the issue.

                                    Can confirm that Cancel does allow it to run. However we cannot have this dialog appear as it confuses users and results in many help desk calls.

                                    We will have to remain on Java 6 Update 37 (or other soon to be insecure versions) until Oracle completely fixes this issue in a production release.
