I want to share the following information provided by Jim Harrison about the random authentication prompts from Windows Media Player (WMP).
WMP sometimes displays authentication prompts even though the logged-on user account is resolvable by the ISA server and has permissions to access the content through the ISA server policies.
The ISA web proxy is configured for Windows Integrated authentication. The ISA server policies enforces authentication for HTTP traffic. WMP is configured to use the ISA server as a web proxy server for the HTTP protocol (this includes “autodetect” or “browser”).
When WMP is acting as a web proxy client (CERN) and the web proxy server requires Windows Integrated authentication, WMP will not auto-authenticate to the web proxy server if the web proxy server is specified as either an FQDN or an IP address. If the web proxy server is specified as a NetBIOS (unqualified) name, WMP will auto-authenticate using the interactive account credentials. If the web proxy server requires Basic or Digest authentication, an authentication prompt is expected, regardless of how the web proxy server is specified. This behavior is the same if the web proxy server is obtained via an automatic configuration (WPAD) script.
By default, ISA 2004 and higher lists the web proxy servers using their IP addresses in the WPAD script. This default was chosen to prevent name resolution errors from impeding normal client-to-web proxy communications. While this works well enough for browsers, WMP has issues when the web proxy server is specified using anything other than the NetBIOS name.
1. Disable the proxy server settings for HTTP (pick one).
- Using WMP:
under Tools, Options, Network, Protocols, HTTP, set to None
- Using Regedit:
- Using GPO:
under User Configuration\Administrative Templates\Windows Components\Windows Media Player\Networking, set the Configure HTTP Proxy option to Disabled.
2. Install the Firewall client from Microsoft downloads http://www.microsoft.com/downloads/details.aspx?FamilyID=05c2c932-b15a-4990-b525-66380743da89
After making this two changes, the Firewall client will handle all HTTP requests from WMP and ISA server authentication will now be satisfied through the Firewall client control channel instead of the HTTP protocol mechanisms. This will stop the random authentication prompts from WMP.