HTTP status 407: Proxy Authentication Required +ISA Server

Hi,

We're getting the following exception thrown when calling our web service:

System.Net.WebException: The request failed with HTTP status 407: Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied.  ).

I've found this article, but the problem is we don't want to edit machine.config as a pre-req. 

http://support.microsoft.com/ id=307220

So does anyone know how to replicate these attributes through code? Thanks.

I don't want to do this:
NetworkCredential nwkCred = new NetworkCredential("username","password","domain");
myProxyClass.Proxy = new WebProxy("proxyaddress",false,null,nwkCred);

Thanks. .NET v1.1



  • Ben Fulton

    Are the user accounts on a domain (in active directory) or are the user accounts local to the machine only?

  • Rumen Yankov

    Hi,

    The problem with ISA is, there is an ISA Client that each workstation gets that handles the channel between the client and proxy, I believe.  We have this installed so we don't need to enter a custom proxy into each application entering the web.

    It would be the hardcoding of the password, because if the user was to change their password, they would have to remember every time to update the client config file as well.

  • Robin Speed

    I have thought about it and talked with some of my co-workers and we agreed that you should do the following as a standard practice.  Note that I will mention some things that you probably already know and plan on doing, but I want to include them for others to be able to read.

    1. Don't set a hard coded proxy unless you know the network configuration that your application will run on under all circumstances. In cases where you know the configuration settings for the network, it is better to use config than a hard coded proxy because proxy names could change and config will allow you to handle this case.
    2. Rely on Internet explorer (IE) settings for proxy settings.  Most of the time, the user will have IE configured correctly.  The caveat to this is that IE may decide to automatically send default credentials to the proxy where HttpWebRequest will not without you enabling it to do so.
    3. In V2.0 of the framework, we now support Automatic proxy detection (this is the same as the "Automatically detect settings" check box in IE).
    4. Don't set credentials on the proxy until you receive a 407 for the first time.  At that point, you can try sending default credentials.  If default credentials don't work for the proxy, then you should prompt the user for the credentials.  Note that you should give the user the ability to disable the automatic sending of default credentials because of possible security concerns.  Note that in V2.0 of the framework, we added the ability for a user to specify when credentials should be sent to using the ICredentialPolicy interface.
    5. In the case of the firewall client being installed and enabled, the recommended solution is to advise the user of your application to correct (remove) their IE settings for the proxy server.  If the user is unwilling to do this, then the user should disable the proxy for your application through a config file.
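
Steps 2 and 4 of the list above, as an added C# example (not code from the thread or from Microsoft): the request uses the system proxy settings, sends no proxy credentials until a 407 arrives, tries default credentials only if the user has opted in, and then falls back to a prompt. `ProxyAwareClient`, `CredentialPrompt` and `allowDefaultCredentials` are hypothetical names.

```csharp
using System;
using System.Net;

// Hypothetical callback: asks the user (or reads a protected store) for proxy
// credentials; returns null to give up.
public delegate NetworkCredential CredentialPrompt();

public class ProxyAwareClient   // hypothetical helper, not from the thread
{
    // allowDefaultCredentials is the user's opt-in (for example an app.config
    // switch) for sending the logged-on Windows identity to the proxy.
    public static HttpWebResponse Get(string url, bool allowDefaultCredentials,
                                      CredentialPrompt prompt)
    {
        ICredentials proxyCredentials = null;   // first attempt sends none
        bool triedDefault = false;
        while (true)
        {
            HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
            // The proxy itself is whatever the system (IE) settings supply; only
            // its credentials change. That proxy object is normally the
            // process-wide default, so the credentials apply to later requests too.
            if (proxyCredentials != null && request.Proxy != null)
                request.Proxy.Credentials = proxyCredentials;
            try
            {
                return (HttpWebResponse)request.GetResponse();
            }
            catch (WebException ex)
            {
                HttpWebResponse failed = ex.Response as HttpWebResponse;
                bool is407 = failed != null &&
                    failed.StatusCode == HttpStatusCode.ProxyAuthenticationRequired;
                if (failed != null) failed.Close();
                if (!is407) throw;              // not a proxy-auth failure
                if (allowDefaultCredentials && !triedDefault)
                {
                    triedDefault = true;
                    proxyCredentials = CredentialCache.DefaultCredentials;
                    continue;
                }
                // Default credentials refused or disabled: ask for explicit ones.
                NetworkCredential supplied = (prompt != null) ? prompt() : null;
                if (supplied == null) throw;    // unattended or cancelled: surface the 407
                proxyCredentials = supplied;
            }
        }
    }
}
```

For an unattended client, pass `null` as the prompt so that a refused 407 is surfaced to the caller instead of blocking on user input.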

     


  • JFalcon

     Jim Harrison IsaDewd wrote:

    If your code receives a 407 response from a web request, then you're making a proxy-based request, which the FWC will *not* interfere with.

    It’ll help to see the ISA configuration, but offhand, it's clear that the ISA requires authentication for web requests. 

    The ISA configuration is best described using ISAInfo (http://isatools.org/isainfo/isainfo.zip)



    We're running ISA2000, so that tool doesn't work.

    Anyways, we have a Protocol Rule setup to allow Internet Access to Authenticated Users only, I've since made one to allow 'Any Request Over HTTP Protocol'. I'll see if that works.

  • Edmund Leung

    Figured out anything yet, Jon?

  • Leopardfist

    If your code receives a 407 response from a web request, then you're making a proxy-based request, which the FWC will *not* interfere with.

    It’ll help to see the ISA configuration, but offhand, it's clear that the ISA requires authentication for web requests. 

    The ISA configuration is best described using ISAInfo (http://isatools.org/isainfo/isainfo.zip)



  • mike4temp

     Jonathon Howey wrote:
    Hi,

    I don't want to do this:
    NetworkCredential nwkCred = new NetworkCredential("username","password","domain");
    myProxyClass.Proxy = new WebProxy("proxyaddress",false,null,nwkCred);



    What specifically about this don't you like?  Is it the hard coding of the password or the hard coding of the proxy address?  If you can give me more details I can hopefully answer your question.

    If you don't specify any proxy settings, then the proxy settings should be read from Internet Explorer.

  • clintsinger

    Right now in testing, they're a domain.  But our product will eventually be sold to smaller companies that will no doubt be running a workgroup setting and could have a proxy.

  • Silvertongue

     JonCole wrote:
    Try Setting "GlobalProxySelection.Select = new WebProxy();" in code.  This will make it so that if the user has proxy settings in IE, HttpWebRequest will not use them.

    It may be that you are picking up the user's proxy settings from IE and this is causing firewall client to be skipped.


    True, but what about if the client does require this info?  (App will be deployed in many different environments - from XP home boxes to corporate lockdown'd boxes).

    As well, going back to your original question about storing username/password/config..  what's the best way to manage keeping the password updated if I was to implement that just because I may need to for future clients?

  • kojot

    We're now getting this error, only on clients that connect through a proxy.  Any ideas?

    [12/19/2005 12:47:16 PM]    System.Xml.XmlException: ' ', hexadecimal value 0x1C, is an invalid character. Line 3, position 280.
       at System.Xml.XmlScanner.ScanHexEntity()
       at System.Xml.XmlTextReader.ParseBeginTagExpandCharEntities()
       at System.Xml.XmlTextReader.Read()
       at System.Xml.XmlValidatingReader.ReadNoCollectTextToken()
       at System.Xml.XmlValidatingReader.Read()
       at System.Xml.XmlLoader.LoadChildren(XmlNode parent)
       at System.Xml.XmlLoader.LoadElementNode()
       at System.Xml.XmlLoader.LoadCurrentNode()
       at System.Xml.XmlLoader.LoadChildren(XmlNode parent)
       at System.Xml.XmlLoader.LoadElementNode()
       at System.Xml.XmlLoader.LoadCurrentNode()
       at System.Xml.XmlLoader.LoadChildren(XmlNode parent)
       at System.Xml.XmlLoader.LoadElementNode()
       at System.Xml.XmlLoader.LoadCurrentNode()
       at System.Xml.XmlLoader.LoadChildren(XmlNode parent)
       at System.Xml.XmlLoader.LoadElementNode()
       at System.Xml.XmlLoader.LoadCurrentNode()
       at System.Xml.XmlLoader.LoadChildren(XmlNode parent)
       at System.Xml.XmlLoader.LoadElementNode()
       at System.Xml.XmlLoader.LoadCurrentNode()
       at System.Xml.XmlLoader.LoadDocSequence(XmlDocument parentDoc)
       at System.Xml.XmlLoader.Load(XmlDocument doc, XmlReader reader, Boolean preserveWhitespace)
       at System.Xml.XmlDocument.Load(XmlReader reader)
       at Microsoft.Web.Services2.Security.MessageSignature.PreProcessElementInput(XmlElement elem)
       at Microsoft.Web.Services2.Security.SignatureReference.CalculateHashValue(XmlDocument document, CanonicalXmlNodeList refList)
       at Microsoft.Web.Services2.Security.MessageSignature.BuildDigestedReferences()
       at Microsoft.Web.Services2.Security.MessageSignature.ComputeKeyedHashSignature(SymmetricKeyAlgorithm key)
       at Microsoft.Web.Services2.Security.MessageSignature.ComputeSignature()
       at Microsoft.Web.Services2.Security.Security.SerializeXml(SoapEnvelope document)
       at Microsoft.Web.Services2.Security.SecurityOutputFilter.ProcessHeader(Security security, SoapEnvelope envelope)
       at Microsoft.Web.Services2.Security.SecurityOutputFilter.ProcessMessage(SoapEnvelope envelope)
       at Microsoft.Web.Services2.Pipeline.ProcessOutputMessage(SoapEnvelope envelope)
       at Microsoft.Web.Services2.OutputStream.Close()
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)

  • Brendan Comerford

    My suggestion for setting GlobalProxySelection.Select = new WebProxy() is really just for debugging purposes at this point.  If the problem goes away, then we know the root cause.

    As to best practices, let me think about it a bit and I will get back with you.

  • evalese

    I am moving this thread to the Networking and Communication web forum where you should be able to get better assistance.

    Daniel Roth

  • Anonymous

    Try Setting "GlobalProxySelection.Select = new WebProxy();" in code.  This will make it so that if the user has proxy settings in IE, HttpWebRequest will not use them.

    It may be that you are picking up the user's proxy settings from IE and this is causing firewall client to be skipped.

  • fleshi

    Alright thanks Jon, I'll take the weekend to figure out how to integrate all this and will get back to you if I have any more trouble.

    The problem I foresee with your #4 for myself, is that this is a Palm Conduit, and it should work without user interaction, so I will have to add a line in my app.config for alternate proxy credential fields and whether it should use it.

    Thanks again. From your use of "we", I assume you're on the .NET Framework team?


