Problem Description: Is there a way to allow windows automatic updates go through an ISA proxy that requires NTLM authentication?
I do not have admin access or any access at all to the proxy and cannot avoid going through it, I read online about recommendations to allow direct access to microsoft.com, but as I explained, I cannot access the proxy settings.
What can I do to make Automatic Updates work?
Operating System: Windows XP
Automatic updates are using WinHTTP library to route TCP connections. In order to WU (wuauserv) service to connect through your proxy, make sure you configure WinHTTP library to go through that proxy. To configure your WinHTTP library to use a custom proxy, follow the procedure below:
These settings will make WU service to go through the specified proxy under the user account which has been used to run command prompt window, this is your user account by default. To ensure Windows Update goes through that proxy when run under different accounts, such as Network Service or Local Service used by Windows Update, make sure you run NetSh at the command prompt which runs under these specific system accounts. To ease the process, download Sysinternas Suite and use the PSExec tool from there.
To interactively start command prompt window with LocalSystem privileges type at the command prompt: PsExec.exe /s /i cmd Execute NetSh commands from there to apply connection changes for LocalSystem account.
To interactively start command prompt window with Network Service privileges type PsExec.exe /i /u "NT AUTHORITYNETWORKSERVICE" "cmd" Execute NetSh commands from there to apply connection changes for Network Service account.
To interactively start command prompt window with Local Service privileges type PsExec.exe /i /u "NT AUTHORITYLOCALSERVICE" "cmd" Execute NetSh commands from there to apply connection changes for Local Service account.
To interactively start command prompt window with privileges of your Microsoft account press WindowsKey and type cmd. Right-click the command prompt icon and choose Open file location from the bar. In the opened Windows Explorer window right-click command prompt shortcut when holding Shift key pressed and choose Run as different user. In the Windows Security dialog choose Microsoft account. Specify your Microsoft account credentials.
Use the whoami command to check what account is used to run the command prompt at which you start the Network Shell tool.
If you want to use the same connection settings as you use for WinInet library, which are used by Internet Explorer and most of the desktop apps (Modern UI apps use WinHTTP library), use netsh winhttp import proxy source=ie to import WinInet library s settings to WinHTTP library.
Also, make sure BITS service is routed via local proxy. At the elevated command prompt run: C:WindowsSysWOW64>bitsadmin.exe /Util /GetIEProxy "LocalService" to make sure Background Intelligent Transfer service, which is used by Windows Update to download updates, runs via your specified proxy when run with LocalService priviliges.
Do the same checks for other accounts: C:WindowsSysWOW64>bitsadmin.exe /Util /GetIEProxy "LocalSystem" C:WindowsSysWOW64>bitsadmin.exe /Util /GetIEProxy "NetworkService"
If it shows that BITS goes directly, without using proxy, do the following: C:WindowsSysWOW64>bitsadmin.exe /Util /SetIEProxy LocalService MANUAL_PROXY 10.0.14.212:3128 NULL
Repeat the same for other system accounts C:WindowsSysWOW64>bitsadmin.exe /Util /SetIEProxy "LocalSystem" MANUAL_PROXY 10.0.14.212:3128 NULL C:WindowsSysWOW64>bitsadmin.exe /Util /SetIEProxy "NetworkService" MANUAL_PROXY 10.0.14.212:3128 NULL
In the %systemroot%WindowsUpdate.log look for the similar looking line: 012-09-14 22:50:09:933 624 17f4 WS WARNING: Proxy List used: proxy.domain.com:port , Bypass List used: (null) , Last Proxy used: proxy.domain.com:port , Last auth Schemes used: None .
Use CNTLM to upstream to your corporate proxy if Windows Update fails to authenticate on your corporate proxy returning 407.
Hope this helps a bit.
There is a tool called cntlm It does allow to get through ISA proxy but it won t be easy to integrate it in any application.
I installed this instant messenger program called IM+ that keeps your accounts online even when you exit the application (you know... touch: only one app at a time) it accepts push deliveries to ...
I am trying to develop my login script to give feedback to the user if the login is valid or not. Basically if it isn t correct a div box will show saying its wrong, if its correct it will show its ...
Suppose I am writing a server for a particular network protocol. If I know that the client is running on a Windows machine, is it possible for my server to authenticate the Windows user that owns the ...
The infrastructure team wants to update the authentication protocol to NTLMv2 and Kerberos. Will this affect CRM 4.0 on-premise installation. What would need to be changed in order to use the ...
I m developing an ASP.NET MVC site that utilizes forms authentication for part of the application. During development, I need to be able to give external parties access to a development server hosting ...
If I have a type like: public class Context { public Context() { } public IQueryable<Record> Records { get { if (user == someone) //psuedocode ...
We recently attempted to add ip address validation to our website s login security. So in addition to having a cookie with valid credentials, we checked that your ip address on page request matched ...
While looking into forms authorizing/authentication, I found that it is possible to do role based authorizing by adding an array of roles to a FormsAuthenticationTicket. That way I can write User....
