United StatesChange Country, Oracle Worldwide Web Sites Communities I am a... I want to...
JDK-4423881 : RFE: Nt Authentication issue on MSProxy Server with Java Plug-In 1.3

Submit Date:
Updated Date:
Project Name:
Resolved Date:
Affected Versions:
Fixed Versions:

Related Reports

Sub Tasks


Name: boT120536			Date: 03/09/2001

java version "1.3.0_01"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.0_01)
Java HotSpot(TM) Client VM (build 1.3.0_01, mixed mode)

We have spent some time investigating this one. It seems as though Sun's
implementation of the Java Plugin for all browsers is unable to authenticate
with MSProxy Server (v2) and Novell's Proxy Server using NT Authentification.

This is a massive short fall in our opinion as this therefore make it extremely
difficult to use the rich features of Java 2 within a browser/web environment
(within the enterprise).

As you might have guessed the Microsoft VM can authenticate (but the VM is not a Java 2 compliant implementation).

- Exact steps to reproduce the problem.

Compile the following code
import java.io.*;
import java.awt.*;
import java.net.*;
import javax.swing.*;

public class Test extends JApplet{

	JLabel jLabel;
	ImageIcon imageIcon;
	JPanel jPanel = new JPanel();

	public void init() {

			imageIcon = new ImageIcon(new URL(this.getCodeBase ().toString() + "test.gif"));
		}catch(IOException ioe){

		jLabel = new JLabel(imageIcon);
		jPanel.add(jLabel, BorderLayout.CENTER);
		this.getContentPane().setLayout(new BorderLayout());
		this.getContentPane().add(jPanel, BorderLayout.CENTER);
		Image image = imageIcon.getImage();
		System.out.println("width: " + image.getHeight(null));
		System.out.println("height: " + image.getWidth(null));



place it on a webserver and create the associate HTML file. Convert the HTML
file using HTMLCOnverter for 1.3.

On the client side using Microsoft IE 4 setup the browser to use Microsoft
Proxy server configured as follows:

Software Running on Computer:
Windows Small Business Server 4.5
NT Build 4.00.1381

Microsoft Proxy 2.0
Build number 2.0.389

Proxy NAT..

The only bit of information I can get for you is this..

External IP Address is: 213.xx.xx.xx (public ip)
Internal IP Range recognised by proxy is: to

at the moment there are no dissallowed ports.

Authentication is via windows NT.

Then call the url for the html page mentioned early( making sure it is routing
through the proxy). The java consol reports that the GIF is -1 by -1 pixels
wide (i.e. does not exist).

Replicate all this not going through the proxy server, console reports that the
gif if x by y (none negative).

A similar problem occurs when using URLConnection and a
java.io.FileNotFoundException is thrown.

Additional Information
We have an Applet. It calls a servlet via http and the servlet returns a
serialized java object to the applet. The servlet is on the same domain (and
server) from which the applet it loaded from.

This works fine without a Proxy server. It also works fine though a number
of proxy servers. However it does not work through a proxy server that uses
NT Authentification. The JavaSoft Plug-in does not seem to be able to use
this scheme of authentification.

I have appended an extract below which describes a work around. However this
work around is not acceptable for us but it may help to explain the problem
some more.

Hope we can solve this one!

Andy Hedges

// Extract Starts

How to get MS Proxy Server 2.0 to work with non-Microsoft products

When MS Proxy Server is installed, it allows two authentication methods by

.       Anonymous access
.       NT challenge / response (aka CHAP)

A third method (Basic Authentication) is turned off.

Anonymous access allows any user to access internet content via the proxy
server, whereas CHAP requires that they authenticate themselves, and
therefore requires that the client they use supports CHAP. This may be
invisible to the user as their normal NT logon credentials are used.

Internet Explorer with the Microsoft JVM supports CHAP, but Netscape and IE
with the Sun Java plug-in do not. The Proxy Server picks whichever
authentication method will allow the user through when processing a request.

Unfortunately, the default configuration of anonymous access is broken,
causing the proxy server to force the use of CHAP. Anonymous access is
supposed to work by authenticating each anonymous request using a
non-privileged user which is created during installation. Unfortunately the
proxy server then sets up the wrong details for this user, causing
authentication to fail (and the NT Event Log to fill up rapidly).
To fix the problem:

.       Open IIS console
.       Open properties for "Default web site" (not "Web proxy")
.       Select the "Directory security" tab
.       Click on "Edit" in the "Anonymous Access and Authentication Control"section
.       Click on "Edit" next to "Allow anonymous access"
.       Change the username to include the domain (e.g. from IUSR_MYHOST toMYDOMAIN\IUSR_MYHOST)
.       Click OK, and ignore the warning about password replication not working
.       Click OK twice more
.       Open "User Manager"
.       Double-click on the name of the user (e.g. IUSR_MYHOST)
.       Click on the "Hours" button.
.       Select all the time, and click "Allow"
.       Click OK twice
.       Wait a few minutes for the user information to be replicated across the
// End extract
(Review ID: 118274) 



Name: boT120536			Date: 03/09/2001

Use the Microsoft Plugin and try to replicate the functionality of Sun's Java 2
plugin as best you can (for example using swing.jar as in the old days).

JPI currently doesn't support NT challenge. Change it to RFE.

stanley.ho@Eng 2001-03-14

For 1.4, we now support standard RFC2617 digest authentication.
We have no plans to support the Microsoft proprietary schemes.
However, Microsoft ISA server, which is the successor to Proxy server
does supports digest.

michael.mcmahon@ireland 2001-07-10

NTLM support will be built into the networking library. See #4626557. Mark it as duplicate.

Hardware and Software, Engineered to Work Together