Symptom

The Windows 7 browser prompts with a window for username/password every time it tries to access an outside web page through ISA Server.
Does anyone have a hint about this issue?

Background

The client is Windows 7 Home and is not joined to the domain. The company’s proxy, ISA Server 2006, was part of one domain. So, when I tried to connect to the ISA proxy, it was not possible to be authenticated by it.
I disabled Windows Integrated Authentication in IE8 and made sure I entered the correct credentials for the proxy, but it did not work; a message was shown saying that the proxy authentication failed.
I’ve tried all the Windows 7 browsers, for example: IE version 8, FF version 16 and Chrome version 23.
The result of the testing was the same: a message that proxy authentication failed.
FireFox V.17 on Windows 7 Prompt Authentication Required

Troubleshooting and Solution

  1. Check the date, time and time zone. Using a time server to synchronize the Windows clock is recommended.
  2. Adjust or add the parameters using only one of these methods:
    1. Local Security Policy Editor
    2. Registry Editor
  3. Restart Windows for the changes to take effect.

Local Security Policy Editor

The Local Security Policy Editor is only available in the Windows 7 Professional, Ultimate, and Enterprise editions.
It is not available in the Windows 7 Starter and Home Premium editions.
So if your OS is Windows 7 Starter or Home Premium, try the next method below!
Local Security Settings Window (secpol.msc)

  1. Click Start, then Run (or press [windows button] + [R] on the keyboard).
  2. Type “gpedit.msc” and go to Local Computer Policy → Windows Settings → Security Settings,
    or, as a shortcut, type “secpol.msc”. This should bring up the Security Policy system window.
  3. On the left, select Local Policies → Security Options.
  4. On the right, scroll down to and double-click this parameter:
    1. “Network Security: LAN Manager authentication level”: change the setting to “Send LM & NTLM - use NTLMv2 session security if negotiated”.
  5. Restart the computer.
  6. If that does not work, also change these parameters:
    1. “Network Security: Allow Local System to use computer identity for NTLM”: change the setting to “Enabled”.
    2. “Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients”: change the setting to “No minimum”.
    3. “Network security: Minimum session security for NTLM SSP based (including secure RPC) servers”: change the setting to “No minimum”.
  7. Restart the computer again.

Registry Editor

Registry Editor Window ( LmCompatibilityLevel=2 )

  1. Click Start, then Run (or press [windows button] + [R] on the keyboard).
  2. Type “regedit” or “regedt32” and click OK. The Registry Editor window opens.
  3. On the left, browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  4. Find LmCompatibilityLevel and set the value to 2. If the value does not exist, create a DWORD value named LmCompatibilityLevel and set it to 2, so that NTLM is used, with NTLMv2 session security if it is negotiated.
  5. If you are a system administrator, you can check which mode is used during authentication.
  6. Restart Windows to make the change to this entry effective.
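
The check mentioned in step 5 can be scripted. The following is an added example, not part of the original page: a read-only PowerShell report of LmCompatibilityLevel and of the two "Minimum session security" settings, which shows what is in effect before and after the change. The function names are hypothetical; NtlmMinClientSec and NtlmMinServerSec under Lsa\MSV1_0 are the registry values behind those two policies.

```powershell
# Added example: read-only report of the NTLM settings changed in the steps
# above. Function names are hypothetical. Works on PowerShell 2.0 (Windows 7).
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Client behaviour per LmCompatibilityLevel, summarised from this page's table.
$clientMode = @{
    0 = 'LM and NTLM, never NTLMv2 session security'
    1 = 'LM and NTLM, NTLMv2 session security if supported'
    2 = 'NTLM only, NTLMv2 session security if supported'
    3 = 'NTLMv2 only'
    4 = 'NTLMv2 only'
    5 = 'NTLMv2 only'
}

function Read-Dword($path, $name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($item) { $item.$name }
}

function Format-MinSec($value) {
    # NtlmMinClientSec / NtlmMinServerSec are bit masks; 0 means "No minimum".
    if ($null -eq $value) { return 'not set' }
    if ($value -eq 0)     { return 'No minimum' }
    $req = @()
    if ($value -band 0x00080000) { $req += 'NTLMv2 session security' }
    if ($value -band 0x20000000) { $req += '128-bit encryption' }
    if ($req.Count -eq 0)        { $req += 'other flags' }
    'Require {0} (0x{1:X8})' -f ($req -join ' + '), $value
}

function Get-NtlmClientSettings {
    $level = Read-Dword $lsa 'LmCompatibilityLevel'
    if ($null -eq $level) {
        $mode = 'not set, operating system default applies'
    } elseif ($clientMode.ContainsKey([int]$level)) {
        $mode = $clientMode[[int]$level]
    } else {
        $mode = 'outside the documented range 0-5'
    }
    New-Object PSObject -Property @{
        LmCompatibilityLevel = $level
        ClientMode           = $mode
        NtlmV2Only           = ($null -ne $level -and $level -ge 3)
        MinClientSec         = Format-MinSec (Read-Dword "$lsa\MSV1_0" 'NtlmMinClientSec')
        MinServerSec         = Format-MinSec (Read-Dword "$lsa\MSV1_0" 'NtlmMinServerSec')
    }
}

Get-NtlmClientSettings | Format-List
```

Saving the output before making the change records the original values in case the settings need to be put back.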

LmCompatibilityLevel

Specifies the mode of authentication and session security to be used for network logons

Address and Data Type

Address : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Type : REG_DWORD
Possible Value : 0 – 5
Default Value : 0

Table Values

| Value | Meaning |
|-------|---------|
| 0 | Clients use LM and NTLM authentication, but they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication. |
| 1 | Clients use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication. |
| 2 | Clients use only NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controller accepts LM, NTLM, and NTLMv2 authentication. |
| 3 | Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication. |
| 4 | Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controller refuses LM authentication responses, but it accepts NTLM and NTLMv2. |
| 5 | Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controller refuses LM and NTLM authentication responses, but it accepts NTLMv2. |

ISA Server Proxy Authentication issue with windows 7 Series