How To Let Proxy Users Specify Alternate Credentials with Forefront TMG 2010


You're using Forefront Threat Management Gateway 2010 (a.k.a. TMG 2010) as a proxy server and want users to be prompted for credentials in order to access the Internet, but discover the default behavior is to have the browser display a "Denied Access" message (Error 502). Is there a way to make this work? Of course, and Gregg O’Brien, a Microsoft Premier Field Engineer based in Canada, shows us how it's done in the following article that he's written. Enjoy.


Recently, I had the opportunity to work with a large customer who is currently in the process of moving from ISA Server 2000 to Forefront TMG 2010. They used ISA Server 2000 as a forward proxy for over 7,500 users across all of their corporate and retail locations. When they started migrating users to TMG 2010 however, they noticed a behavior change from ISA 2000 that was causing them some grief: they expected that users who were denied access to the Internet via the web proxy service would be prompted for credentials. Like this:

Prompted for credentials.

At first this seemed pretty strange to me. Why would anyone want this?  They explained: some users require access to the Internet for special reasons, but not all the time. So the prompt for credentials allowed them to request the help of a supervisor who could enter credentials that would grant the denied user temporary access to the Internet. Fair enough, but TMG didn’t do this by default. Instead, TMG returns an error 502 indicating that TMG has denied the request:

Denied Request To Access the Internet

I searched through the TMG GUI trying to find an option somewhere to configure TMG to behave in the manner that ISA Server 2000 would, however the setting doesn’t exist in the GUI. Then a colleague pointed me to this article on MSDN that’s part of the ISA Server SDK.

The article details the code in ISA Server 2004/2006 around the ReturnAuthRequiredIfAuthUserDenied property which also applies to TMG. I have to admit, I am terrible at reading stuff like this as I have the attention of a two year old boy who has eaten nothing but chocolate for breakfast, but I mustered up all of the attentiveness that I could manage and read through the document. Based on the title of the article, it’s hard to make the connection between the article and the problem this particular customer was facing. But as I read on I understood a few things:

  1. When TMG denies a user access via the web proxy service, it returns an error 502 to the browser indicating that the user has been denied access.
  2. Upon receiving this message, the request for the page ends.
  3. If the web proxy service had returned an error 407 (proxy authentication required), the user would be prompted for credentials, at which point they could enter valid credentials to access the Internet! This is exactly how ISA Server 2000 behaves!
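As an added illustration (not code from the article, the MSDN sample, or TMG itself), here is a small Python model of the exchange this setting toggles: an authenticated-but-denied request gets a 502 by default, or a 407 challenge when ReturnAuthRequiredIfAuthUserDenied is True, after which the browser can resend the request with alternate credentials. The user names, passwords, policy and realm are constructed stand-ins.

```python
import base64

# Constructed policy and credential store (stand-ins for the TMG rules and the directory).
ALLOWED_USERS = {"supervisor"}          # accounts allowed out to the Internet
CREDENTIALS = {"clerk": "clerk-pw", "supervisor": "sup-pw"}


def basic(user, password):
    """Build a Basic Proxy-Authorization value for a constructed account."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticated_user(headers):
    """Return the user named by a valid Basic Proxy-Authorization header, else None."""
    value = headers.get("Proxy-Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user if CREDENTIALS.get(user) == password else None


def proxy_decide(headers, return_auth_required_if_denied):
    """Model of the web listener: returns (status, response headers)."""
    user = authenticated_user(headers)
    if user in ALLOWED_USERS:
        return 200, {}
    if user is None or return_auth_required_if_denied:
        # A 407 carrying a challenge makes the browser open a credential prompt.
        return 407, {"Proxy-Authenticate": 'Basic realm="tmg"'}
    # Authenticated but denied by policy: the default 502, and the request ends.
    return 502, {}


def browser_fetch(return_auth_required_if_denied, prompt):
    """Model of the browser: send the logged-on user's credentials, re-prompt once on 407."""
    first = {"Proxy-Authorization": basic("clerk", "clerk-pw")}
    status, resp = proxy_decide(first, return_auth_required_if_denied)
    if status == 407 and "Proxy-Authenticate" in resp:
        alternate = prompt()          # e.g. a supervisor types their own credentials
        if alternate is not None:
            retry = {"Proxy-Authorization": basic(*alternate)}
            status, _ = proxy_decide(retry, return_auth_required_if_denied)
    return status


if __name__ == "__main__":
    supervisor = lambda: ("supervisor", "sup-pw")
    print("default (False):", browser_fetch(False, supervisor))   # 502, no prompt shown
    print("flag set (True):", browser_fetch(True, supervisor))    # 200 after the prompt
```

Whichever account answers the prompt is the account the proxy authenticates, and therefore logs, for that traffic, so reviewers of the proxy logs should expect the supervisor's name against requests from the denied user's workstation.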

According to the article, if ReturnAuthRequiredIfAuthUserDenied is set to True instead of the default False, TMG returns a 407 error instead of a 502 error and the client is prompted to provide valid credentials. The article even supplies some code (subject to the MSDN terms of use) to set the ReturnAuthRequiredIfAuthUserDenied property:

    ' Define the constants needed
    Const fpcInternalNetwork = 4

    Main(WScript.Arguments)

    Sub Main(args)
        Dim reqValue ' A string
        Dim newValue ' A Boolean

        If (1 <> args.Count) Then
            Usage()
        End If

        reqValue = UCase(args(0))
        If (reqValue = "TRUE" Or reqValue = "FALSE") Then
            If reqValue = "TRUE" Then
                newValue = True
            Else
                newValue = False
            End If
            SetNetworkReturnAuthReq newValue
        Else
            Usage()
        End If
    End Sub

    Sub SetNetworkReturnAuthReq(newValue)
        ' Declare the objects needed.
        Dim root         ' The FPCLib.FPC root object
        Dim isaArray     ' An FPCArray object
        Dim networks     ' An FPCNetworks collection
        Dim network      ' An FPCNetwork object
        Dim currentValue ' A Boolean

        ' Create the root object.
        Set root = CreateObject("FPC.Root")

        ' Get references to the array object
        ' and the networks collection.
        Set isaArray = root.GetContainingArray()
        Set networks = isaArray.NetworkConfiguration.Networks

        ' Find the Internal network and set the property
        ' for it.
        For Each network In networks
            If network.NetworkType = fpcInternalNetwork Then
                currentValue = network.WebListenerProperties.ReturnAuthRequiredIfAuthUserDenied
                WScript.Echo "Current value: " & currentValue
                If newValue <> currentValue Then
                    network.WebListenerProperties.ReturnAuthRequiredIfAuthUserDenied = newValue
                    WScript.Echo "New value: " _
                        & network.WebListenerProperties.ReturnAuthRequiredIfAuthUserDenied
                    network.Save
                    WScript.Echo "Done!"
                End If
            End If
        Next
    End Sub

    Sub Usage()
        WScript.Echo "Usage:" & VbCrLf _
            & " " & WScript.ScriptName & " {True | False}"
        WScript.Quit
    End Sub

The steps to utilize this code are pretty simple:

1) Copy the code into Notepad (or any text editor) and save it as a .vbs file

2) Copy the file to the TMG server. If you are running this on an array, you only need to run this on one array member. The change will synchronize with the other array members.

3) Open a command line as an Administrator and run the .vbs file with the required switch. The syntax is: cscript <filename>.vbs True|False

Running the script.

4) Check to make sure the synchronization has completed:

Checking to make sure the synchronization has completed.

And that’s it! A quick test of the configuration and we no longer receive the error 502, but instead see the prompt for credentials:

Voila! Now prompted for credentials.

And with proper credentials we’re sent to our desired page on the Internet:

Accessing the Internet with Alternate Credentials

We now have Forefront Threat Management Gateway 2010 prompting denied proxy users for credentials instead of returning the 502 error page.  Hope this helps!