How To Let Proxy Users Specify Alternate Credentials with Forefront TMG 2010

You're using Forefront Threat Management Gateway 2010 (a.k.a. TMG 2010) as a proxy server and want users to be prompted for credentials in order to access the Internet, but discover the default behavior is to have the browser display a "Denied Access" message (Error 502).  Is there a way to make this work?  Of course, and Gregg O’Brien, a Microsoft Premier Field Engineer based in Canada, shows us how it's done in the following article that he's written. Enjoy.

Recently, I had the opportunity to work with a large customer who is currently in the process of moving from ISA Server 2000 to Forefront TMG 2010. They used ISA Server 2000 as a forward proxy for over 7,500 users across all of their corporate and retail locations. When they started migrating users to TMG 2010 however, they noticed a behavior change from ISA 2000 that was causing them some grief: they expected that users who were denied access to the Internet via the web proxy service would be prompted for credentials. Like this:

Prompted for credentials.

At first this seemed pretty strange to me. Why would anyone want this?  They explained: some users require access to the Internet for special reasons, but not all the time. So the prompt for credentials allowed them to request the help of a supervisor who could enter credentials that would grant the denied user temporary access to the Internet. Fair enough, but TMG didn’t do this by default. Instead, TMG returns an error 502 indicating that TMG has denied the request:
Denied Request To Access the Internet

I searched through the TMG GUI trying to find an option somewhere to configure TMG to behave in the manner that ISA Server 2000 would, however the setting doesn’t exist in the GUI. Then a colleague pointed me to this article on MSDN that’s part of the ISA Server SDK.

The article details the code in ISA Server 2004/2006 around the ReturnAuthRequiredIfAuthUserDenied property which also applies to TMG. I have to admit, I am terrible at reading stuff like this as I have the attention of a two year old boy who has eaten nothing but chocolate for breakfast, but I mustered up all of the attentiveness that I could manage and read through the document. Based on the title of the article, it’s hard to make the connection between the article and the problem this particular customer was facing. But as I read on I understood a few things:

  1. When TMG denies a user access via the web proxy service, it returns an error 502 to the browser indicating that the user has been denied access.
  2. Upon receiving this message, the request for the page ends.
  3. If the web proxy service had returned an error 407 (proxy authentication required), the user would be prompted for credentials, at which point they could enter valid credentials to access the Internet! This is exactly how ISA Server 2000 behaves!

According to the article, setting the ReturnAuthRequiredIfAuthUserDenied to “True” instead of “False” which is the default, TMG will return a 407 error instead of a 502 error and the client will be prompted to provide valid credentials. The article even supplies some code (subject to the MSDN terms of use) to manipulate the property of the ReturnAuthRequiredIfAuthUserDenied attribute:

'Define the constants needed 
Const fpcInternalNetwork = 4


Sub Main(args)

Dim reqValue ' A string
Dim newValue ' A Boolean

If(1 <> args.Count) Then
End If

reqValue = UCase(args(0))
If (reqValue = "TRUE" Or reqValue = "FALSE") Then
If reqValue = "TRUE" Then
newValue = True
newValue = False
End If
SetNetworkReturnAuthReq newValue
End If
End Sub

Sub SetNetworkReturnAuthReq(newValue)

' Declare the objects needed.
Dim root ' The FPCLib.FPC root object
Dim isaArray ' An FPCArray object
Dim networks ' An FPCNetworks collection
Dim network ' An FPCNetwork object
Dim currentValue ' A Boolean

' Create the root object.
Set root = CreateObject("FPC.Root")

' Get references to the array object
' and the networks collection.
Set isaArray = root.GetContainingArray()
Set networks = isaArray.NetworkConfiguration.Networks

' Find the Internal network and set the property
' for it.
For Each network In networks
If network.NetworkType = fpcInternalNetwork Then
currentValue = network.WebListenerProperties.ReturnAuthRequiredIfAuthUserDenied
WScript.Echo "Current value: " & currentValue
If newValue <> currentValue Then
network.WebListenerProperties.ReturnAuthRequiredIfAuthUserDenied = newValue
WScript.Echo "New value: " _
& network.WebListenerProperties.ReturnAuthRequiredIfAuthUserDenied
WScript.Echo "Done!"
End If
End If
End Sub

Sub Usage()
WScript.Echo "Usage:" & VbCrLf _
& " " & WScript.ScriptName & " {True | False}"
End Sub

The steps to utilize this code are pretty simple:

1) Copy the code into Notepad (or any text editor) and save it as a .vbs file

2) Copy the file to the TMG server. If you are running this on an array, you only need to run this on one array member. The change will synchronize with the other array members.

3) Open a command line as an Administrator and run the .vbs file with the required switch. The syntax is: cscript<filename>.vbs True|False

Running the script.

4) Check to make sure the synchronization has completed:

Checking to make sure the synchronization has completed.

And that’s it! A quick test of the configuration and we no longer receive the error 502, but instead see the prompt for credentials:

Voila!  Now prompted for credentials.

And with proper credentials we’re sent to our desired page on the Internet:

Accessing the Internet with Alternate Credentials

We now have Forefront Threat Management Gateway 2010 prompting denied proxy users for credentials instead of returning the 502 error page.  Hope this helps!


Comments (1)

  1. Bernard Sinai says:

    Thanks. I recently upgraded from ISA 2000 to TMG 2010 SE and I've been having the same issue.  

Skip to main content