Windows 8 RTM still has problems with "metro" apps going through proxy servers

  • Question

  • Despite being reported back in February on these very forums, it seems Microsoft are incapable of sorting out metro apps to allow them to work through various types of proxy servers, essentially rendering the interface formerly known as metro useless for anybody with such a proxy server.

    At my place of work we use a proxy service called "Desktop Web Proxy" from a company called "Webroot". This is a small client that sits on each computer, listening on 127.0.0.1:3128. Internet Explorer and other browsers are then pointed at this client, which routes the web traffic out to Webroot's cloud based web filtering solution. This lets us filter the web traffic of our employees whether they are on or off the corporate LAN.

    Unfortunately it seems this does not work with Metro, though works perfectly fine in the classic desktop interface.

    To try to fix this I have set the proxy using netsh winhttp set proxy, as well as using gpedit.msc to set the "Internet Proxy Servers for Metro Style Apps" setting to 127.0.0.1:3128.  Apps like the store and Metro IE continue to behave as if there is no internet connection.

    Now the product has reached RTM (as we are testing using build 9200 from Technet right now) this really should have been fixed by now, unless you really are serious about alienating your corporate customers.

    Please offer some assistance to resolve this issue, and alter your Metro app platform so that it accesses the internet the same way as the desktop does.

    Thursday, August 16, 2012 6:59 PM

All replies

  • I have the same issue.
    Friday, August 17, 2012 2:11 PM
  • Hello,

    I have tested this with a small test lab setup with MS TMG, a W2K8R2 domain controller and a Win8 Pro RTM client.

    The clients in the domain only have access to the Internet through the proxy. DNS requests are only resolved by the proxy. The internal clients could only resolve internal addresses via DNS.

    The result is that Win8 thinks it has no Internet connectivity.

    Desktop IE and Metro IE could connect to the Internet via the proxy. Other Metro apps claimed that they have no Internet access.

    So I reconfigured my DNS server to resolve DNS addresses other than local to a forwarder, so the client could resolve any address on its own.

    And voila, Win8 detected Internet access and all Metro apps are now working.

    Maybe this helps

    olaf

    • Proposed as answer by Olaf Koehler Friday, August 17, 2012 4:59 PM
    • Unproposed as answer by Ryster092 Friday, August 17, 2012 5:26 PM
    Friday, August 17, 2012 4:04 PM
  • Our clients are configured to use DNS on internal domain controller servers which are already configured to forward queries for non-local domains to external DNS servers provided by our ISP. That is not the problem here.

    • Edited by Ryster092 Friday, August 17, 2012 5:34 PM
    Friday, August 17, 2012 5:29 PM
  • But it's definitely an Problem with the NLA and not the Proxy. Win8 must be able to detect internet access. So, if your network profile says no internet access, the Metro apps will not connect.

    The NLA process will try to resolve www.msftncsi.com. If this succeeds, then it tries to connect via HTTP to this address. If this fails, then NLA thinks you have no access to the internet.

    I could replicate this behaviour in my lab every time. If I block access to this site, NLA fails.

    If this succeeds

    38 21:13:31 17.08.2012 3.0393186 svchost.exe 10.0.0.101 ncsi.glbdns.microsoft.com HTTP HTTP:Request, GET /ncsi.txt  {HTTP:24, TCP:23, IPv4:22}
    43 21:13:32 17.08.2012 3.4421733 svchost.exe ncsi.glbdns.microsoft.com 10.0.0.101 HTTP HTTP:Response, HTTP/1.1, Status: Ok, URL: /ncsi.txt  {HTTP:24, TCP:23, IPv4:22}

    my network profile switches to Internet Access.

    http://blogs.technet.com/b/networking/archive/2010/09/08/network-location-awareness-nla-and-how-it-relates-to-windows-firewall-profiles.aspx


    Friday, August 17, 2012 7:13 PM
  • With respect Olaf, you have no idea that my issue is "definitely an Problem with the NLA and not the Proxy". Do you use Webroot's Desktop Web Proxy application, or indeed any cloud based proxying service at all?

    Windows 8 can detect internet access just fine as the network icon in the system tray says "Internet Access". It's just Metro apps that are unable to access the internet.

    Saturday, August 18, 2012 12:29 PM

  • Hi,

    Please also try configuring the proxy settings referring to the "To configure the proxy addresses for the intranet and Internet" section of the following guide:

    Isolating Metro Style Apps on Your Network
    http://technet.microsoft.com/en-us/library/hh831418.aspx

    Hope this helps.

    Thanks.


    Nicholas Li

    TechNet Community Support

    Monday, August 20, 2012 1:11 PM
  • Hi Nicholas.

    We have already tried this without any luck I'm afraid.

    Using that guide we have set the "Private network ranges for apps" to 172.0.0.1/24, marked it as authoritative, and also set the "Internet proxy server for apps" to 127.0.0.1:3128 (because the proxy client operates on the local machine on port 3128) and again set it as authoritative, but it doesn't work. Apps still say there is no internet access.

    Can you confirm that 127.0.0.1:3128 should work and you are able to specify a port number in this policy setting?

    Wednesday, August 22, 2012 5:43 PM
  • Please input the valid proxy server and see if it works.

    Thanks.


    Nicholas Li

    TechNet Community Support

    Thursday, August 23, 2012 3:47 AM
  • Hi Nicholas

    As I indicated above, I  "set the "Internet proxy server for apps" to 127.0.0.1:3128  (because the proxy client operates on the local machine on port 3128) and again set it as authoritative", but it still doesn't work. Metro apps continue to say no internet access :-(

    (p.s. "Ryster" at the top of the thread is my home address)
    Thursday, August 23, 2012 8:25 AM
  • I have just had the following quote from Webroot support confirming this is a MS issue....

    "

    Webroot Support (Aug 22, 2012 22:27)

    RE:DWP and Windows 8 Apps

    Hello, 
    After extensive testing I have not been able to find any configuration that works due to required authentication via our proxy. Online you will find MANY forums, blogs and threads that are full of users encountering this very same issue. I do know that with the RTM release you are limited to some configuration options. I have the Win8 Pro version which has local group policy options that were supposed to work but not with authentication requirements. 
    With all due luck MS will be able to resolve this before the release of Win8. (fingers crossed) 

    You may also be able to get further information from MS if you call, which I have not had time to do just yet. 

    Thanks again for pointing this out, I will continue my search for a resolution. 
    Shawn T 
    Webroot Enterprise Support


    Thursday, August 23, 2012 9:15 AM
  • I had these problems as well. Metro apps kept reporting there was no internet connection. Disabling NCSI probing solved my problem. It stops Windows from checking if there is an internet connection. Further explanation (for Windows 7) can be found here: http://blog.superuser.com/2011/05/16/windows-7-network-awareness/

    To disable NCSI probing, set the following key to zero

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet\EnableActiveProbing

    With thanks to Brent Landry from this thread http://social.technet.microsoft.com/Forums/en-US/W8ITProPreRel/thread/49b36903-747c-41ba-9b89-09893df81ba2/

    Of course this is more of a workaround, since the real problem is Windows 8 not able to detect an internet connection properly.
    • Edited by Lars Truijens Sunday, August 26, 2012 6:53 PM
    • Proposed as answer by Nicholas Li Tuesday, September 4, 2012 8:29 AM
    • Unproposed as answer by Ryster092 Tuesday, September 4, 2012 8:46 AM
    Sunday, August 26, 2012 6:50 PM
  • Thanks Lars. Unfortunately I had already tried that in my case after reading it in another thread. Disabling this has no effect on my Metro apps, they continue to say no internet access. Even the company that operates the cloud proxy we use (Webroot) have been unable to get Metro apps working with their proxy, so we're in the hands of Microsoft on this one I think.

    One thing's for sure, we will not be deploying any Windows 8 machines to our 10,000 worldwide employee organisation until this is resolved.

    Sunday, August 26, 2012 7:24 PM
  • Thanks Lars. Unfortunately I had already tried that in my case after reading it in another thread. Disabling this has no effect on my Metro apps, they continue to say no internet access. Even the company that operates the cloud proxy we use (Webroot) have been unable to get Metro apps working with their proxy, so we're in the hands of Microsoft on this one I think.

    One thing's for sure, we will not be deploying any Windows 8 machines to our 10,000 worldwide employee organisation until this is resolved.

    It took a while after changing the registry before the setting had effect for me. Even after a reboot it took a while.
    Monday, August 27, 2012 6:55 AM
  • This has been confirmed to be an issue in Windows 8 by the vendor of our proxy solution, Webroot. They have duplicated the issue themselves and confirmed there is no workaround yet.

    Therefore unless you find a solution specific to our configuration, I'd appreciate you not marking things as answers unless I confirm they have indeed resolved it. So far nothing mentioned in this thread has.

    Thanks.

    Tuesday, September 4, 2012 9:14 AM
  • I had the same kind of problems and have used this thread for a long time to get configuration ideas.

    Starting from today all my Metro apps seem to work.

    I have a bit of an unusual configuration, so I will just describe my configuration that seems to work:

    - my company uses a proxy with NTLM authentication

    - my machine is not part of the domain, so in order to forward my authentication information to the company's proxy I'm using the local CNTLM proxy service, http://cntlm.sourceforge.net/. It means that I'm running a proxy server on the localhost (127.0.0.1). It is important!

    - I configured the Network Isolation through gpedit.msc and set both Internet and Intranet proxy addresses to 127.0.0.1:3128

    - The vital step for getting things to work was to enable the so-called "Loopback Exemption". It is very important for those who are running a proxy on the localhost, because otherwise Windows 8 doesn't allow connections to localhost from Metro apps: http://blogs.msdn.com/b/fiddler/archive/2011/12/10/fiddler-windows-8-apps-enable-loopback-network-isolation-exemption.aspx

    - after that Metro IE10 started to work. All other apps are working only now, after 2 days and many reboots! So, for some apps it can take really long to pick up those settings.

     
    Thursday, September 6, 2012 1:57 PM
  • One thing I've noticed with our apps, and also with desktop IE10, is that Win8/IE appears to ignore the proxy settings, if they were not made through the IE UI (EVEN though they APPEAR correct in the IE UI).

    If you manually launch IE, and make some change to the proxy settings, and save, then the proxy is no longer ignored, and the apps and IE10 start working properly (you can change the proxy setting back afterwards if necessary - it seems to just be the act of saving them that makes them active).


    Scott D Binette

    Friday, September 7, 2012 10:01 PM
  • Hi,

    I am using Windows 8 behind my campus proxy which requires authentication. Some observations seem strange.

    Here is what I have tried:

      • Set proxy address, port in Internet Options: IE metro was working but no other app was. I was not able to activate my Windows 8.
      • I ran a local squid server which forwards to the university proxy. Thus, the local proxy does not require authentication. Apps still do not work. Only IE metro works. With this, I was able to activate my Windows.
      • I tried the procedures suggested above involving changing group policies 'Internet proxy servers for apps'. But after this, even IE stopped working. Only Desktop IE worked. I tried setting both actual proxy and the local proxy (my squid proxy server) but none worked.
      • Then I tried the 'automatic configuration script' option in Internet Options. (My university provides an address for '*.pac' for automatic proxy configuration). Now, many applications started using the proxy. These include 'News', 'Travel', 'Sports', 'Finance', 'Games'. All of these ask for proxy authentication which is normal and good. But the part of signing into Microsoft account doesn't work. In 'SkyDrive', it asks for Microsoft Account login but never asks for proxy authentication. In 'Music', it asks for authentication and displays all music market content (popular songs stuff) but when I try to sign in, it doesn't. Messenger, Mail show the added Microsoft Account but do not work. They don't even ask for proxy authentication.
        Then I tried 'Store'. It just said 'Your network proxy doesn't work with Windows Store. Contact your system administrator ....'.

    Also, every time, I tried to switch to my Microsoft Account from PC Settings->Users section. It had detected the proxy as it asked for authentication. It was also able to get my Microsoft Account basic details. But when I click Finish, I got an error saying 'Sorry, we couldn't connect to Microsoft services right now. ......'

    I think Store does not support authenticated proxies.
    If it is possible to generate an automatic configuration script for my local proxy server, Store might just start working.

    Any suggestions on how this can be achieved?

    Or any explanation for these behaviors?

    Thanks,

    Manas Chaudhari

    P.S. I will try the method suggested by Skunz and see if it works.

    Friday, September 14, 2012 4:57 PM
  • Hi,

    I tried the method suggested by Skunz and it has worked partially.

    All my apps are able to access internet through the localhost proxy. However, even though I am able to browse apps in the store, I am not able to install any.
    I get an error saying 'Your purchase could not be completed...'.

    What could be causing this problem?

    Thanks,
    Manas Chaudhari

    Sunday, September 16, 2012 4:28 PM
  • Hi,

    Finally, everything is working. So, in short, it boiled down to following steps:

      • Install any proxy server (e.g. CCProxy) and configure it to use your proxy as a cascading proxy.
        Also, configure the server so that it gets started automatically. [CCProxy can be configured to run as a service]
      • Change the proxy setting in Internet Options to your IP and appropriate port (depending on your proxy server).
      • Start a command prompt as administrator and run the following command:
        netsh winhttp import proxy source=ie
      • Install the 'Enable Loopback' utility as suggested by Skunz which can be downloaded here:
        http://blogs.msdn.com/b/fiddler/archive/2011/12/10/fiddler-windows-8-apps-enable-loopback-network-isolation-exemption.aspx
        After installing run it and exempt necessary applications.
      • Restart your computer.

    Done. Now your apps should work through proxy. In case you are able to browse the store but not able to install applications, try switching to Microsoft account from PCSettings-> Users

    • Proposed as answer by Mr.Nuron Saturday, October 13, 2012 10:40 PM
    Monday, September 17, 2012 1:02 PM
  • Same thing with my setup. I see Windows Store keep using our corporate proxy, which requires NTLM authentication. The Windows Store, however, accesses the proxy without authentication, which renders it impossible to install apps from Windows Store.

    I installed local cntlm proxy and chained it with our corporate proxy. Then I configured Network Isolation for Apps. I enabled Internet proxy servers for apps and Intranet proxy servers for apps, and configured both to use my local cntlm proxy that listens for incoming connections on 127/8 subnet. Then I enabled Network Isolation Exemption for Windows Store by checking Store in the Appcontainer Loopback Exemption Utility by Eric Law.

    Which apps should I exempt to make Windows Store able to install apps?

    Still no luck... Installing apps does not work. Any clue?

    The PC is in Windows Server 2003 domain/forest being the client of Windows Server 2008 RODC. Domain account I am using to run Windows apps is a member of local Administrators group and is connected with my Microsoft account (formerly known as WLID). UAC is enabled.

    Thank you.


    Well this is the world we live in And these are the hands we're given...



    Thursday, September 20, 2012 11:51 AM
  • Here is an excerpt from WindowsUpdate.log file regarding installation of apps from Windows Store on a domain client:

    2012-09-20      16:17:37:821     516    f40     AU      #############
    2012-09-20      16:17:37:821     516    f40     AU      ## START ##  AU: Download updates
    2012-09-20      16:17:37:821     516    f40     AU      #########
    2012-09-20      16:17:37:821     516    f40     AU        # Approved updates = 7
    2012-09-20      16:17:37:821     516    f40     AU      WARNING: Failed to get Wu Exemption info from NLM, assuming not exempt, error = 0x80070490
    2012-09-20      16:17:37:836     516    f40     AU      AU initiated download, updateId = {E2746F19-6C01-463C-B3CB-39E1E7BDF91D}.2, callId = {73023C51-3AAE-43E4-B910-4EA3A6812CD0}
    2012-09-20      16:17:37:836     516    f40     AU      WARNING: Failed to get Wu Exemption info from NLM, assuming not exempt, error = 0x80070490
    2012-09-20      16:17:37:836     516    f40     AU      AU initiated download, updateId = {F5EC931D-3C9E-47D2-A119-298CDB103701}.2, callId = {12CC313C-74C8-4E90-94A5-B2419AB7BAB1}
    2012-09-20      16:17:37:836     516    f40     AU      WARNING: Failed to get Wu Exemption info from NLM, assuming not exempt, error = 0x80070490
    2012-09-20      16:17:37:836     516    f40     AU      AU initiated download, updateId = {187FDD2E-1E76-4E78-8659-0B64D8F9A41B}.5, callId = {BF17DF80-DB89-4670-A9EB-49902C734B7D}
    2012-09-20      16:17:37:836     516    f40     AU      WARNING: Failed to get Wu Exemption info from NLM, assuming not exempt, error = 0x80070490
    2012-09-20      16:17:37:836     516    f40     AU      AU initiated download, updateId = {293F1A32-7808-4DAF-875F-3B48D068F4D7}.2, callId = {8593C2C6-DB8A-43A4-BB69-BFCBBDE2C08E}
    2012-09-20      16:17:37:836     516    f40     AU      WARNING: Failed to get Wu Exemption info from NLM, assuming not exempt, error = 0x80070490
    2012-09-20      16:17:37:836     516    f40     AU      AU initiated download, updateId = {96345CDC-0C59-4563-B1D5-C85C498BCCB1}.3, callId = {CD06ED4F-5630-4336-B293-3D492ECA902E}
    2012-09-20      16:17:37:836     516    f40     AU      WARNING: Failed to get Wu Exemption info from NLM, assuming not exempt, error = 0x80070490
    2012-09-20      16:17:37:836     516    f40     AU      AU initiated download, updateId = {A1109AEE-0852-4EC1-BF97-C71E69B78C0E}.3, callId = {96EB47D2-7F33-4B14-A7D7-C2548EB6C417}
    2012-09-20      16:17:37:836     516    f40     AU      WARNING: Failed to get Wu Exemption info from NLM, assuming not exempt, error = 0x80070490
    2012-09-20      16:17:37:836     516    f40     AU      AU initiated download, updateId = {9FAA93F3-5300-4948-BEBA-3DB70BFD0AC9}.5, callId = {80AD1D0B-FB13-46DC-B2A2-3411F7D5E114}
    2012-09-20      16:17:37:836     516    f40     AU        # Pending download calls = 7
    2012-09-20      16:17:37:836     516    f40     AU      <<## SUBMITTED ## AU: Download updates
    2012-09-20      16:18:52:094     516    df0     EP      FATAL: SLS: Call to GetEndpointToken failed, error = 0x8024401C
    2012-09-20      16:18:52:094     516    df0     EP      FATAL: Failed to obtain service 117CAB2D-82B1-4B5A-A08C-4D62DBEE7782 plugin SecuredClient/Server auth token of type 0x00000001, error = 0x8024401C
    2012-09-20      16:18:52:094     516    df0     DnldMgr FATAL: DM:CDynamicDownloadDataFetcher::ProcessChunks: GetEndpointToken failed with 0x8024401c.
    2012-09-20      16:18:52:094     516    df0     DnldMgr FATAL: DM:CDynamicDownloadDataFetcher::FetchAndStoreDynamicData: ProcessChunks failed with 0x8024401c.
    2012-09-20      16:18:52:094     516    df0     DnldMgr WARNING: CDynamicDownloadDataFetcher::FetchAndStoreDynamicData failed: 0x8024401c
    2012-09-20      16:18:52:094     516    df0     DnldMgr   * DynamicDownloadDataFetcher Refresh complete. 0x00000000
    2012-09-20      16:18:52:094     516    df0     DnldMgr ***********  DnldMgr: New download job [UpdateId = {EE4D92A9-ED42-44D1-BD4A-BDF0F56FE090}.1]  ***********
    2012-09-20      16:18:52:094     516    df0     DnldMgr WARNING: Got error (hr = 8024401c) starting update 0 in call 8. Notifying call.
    2012-09-20      16:18:52:094     516    df0     DnldMgr Error 0x8024401c occurred while downloading update; notifying dependent calls.
    2012-09-20      16:18:52:141     516    df0     DnldMgr ***********  DnldMgr: DynamicDownloadDataFetcher Refresh [Svc: {117CAB2D-82B1-4B5A-A08C-4D62DBEE7782}]  ***********
    2012-09-20      16:18:52:141     516    df0     DnldMgr   * DynamicDownloadDataFetcher Refresh complete. 0x8024000c
    2012-09-20      16:18:52:219     516    df0     DnldMgr ***********  DnldMgr: Begin Downloading Updates [CallerId = WSUpdate]  ***********
    2012-09-20      16:18:52:219     516    df0     DnldMgr   * Call ID = {9C2E092A-D2FC-48DC-8B01-7F7BF479A10A}
    2012-09-20      16:18:52:219     516    df0     DnldMgr   * Priority = 3, NetworkCostPolicy = 6, Interactive = 1, Owner is system = 0, Explicit proxy = 1, Proxy session id = -1, ServiceId = {117CAB2D-82B1-4B5A-A08C-4D62DBEE7782}

    What could be the problem?

    I have exempted all my apps and connected them via my local cntlm proxy that is chained with corporate proxy. Both Windows Internet Explorer Desktop and Internet Explorer Metro style now connect via proxy chain: localhost -> cntlm -> corporate proxy

    However, I see that Windows Update when installing Windows apps keeps accessing corporate proxy without first connecting to my local proxy:

    2012-09-19      01:39:33:425     564    b2c     DnldMgr ***********  DnldMgr: New download job [UpdateId = {779CB07F-C6A7-4CDB-B0B2-5C43B65B5D87}.1]  ***********
    2012-09-19      01:39:33:425     564    b2c     DnldMgr   * Update is not allowed to download due to service regulation or download size limitation.
    2012-09-19      01:39:33:425     564    1c54    AU      AU checked download status and it changed: Downloading is paused
    2012-09-19      01:47:33:430     564    b2c     EP      Got 117CAB2D-82B1-4B5A-A08C-4D62DBEE7782 redir Client/Server URL: "https://fe1.ws.microsoft.com/v6/ClientWebService/client.asmx"
    2012-09-19      01:47:33:430     564    b2c     PT      WARNING: Cached cookie has expired or new PID is available
    2012-09-19      01:47:33:461     564    b2c     WS      WARNING: Nws Failure: errorCode=0x803d0006
    2012-09-19      01:47:33:461     564    b2c     WS      WARNING: There was an error communicating with the endpoint at 'https://fe1.ws.microsoft.com/v6/ClientWebService/client.asmx'.
    2012-09-19      01:47:33:461     564    b2c     WS      WARNING: The operation timed out after 60000 (0xEA60) milliseconds.
    2012-09-19      01:47:33:461     564    b2c     WS      WARNING: The operation could not be completed because the channel has been aborted.
    2012-09-19      01:47:33:461     564    b2c     WS      WARNING: Web service call failed with hr = 8024401c.
    2012-09-19      01:47:33:461     564    b2c     WS      WARNING: Current service auth scheme='None'.
    2012-09-19      01:47:33:461     564    b2c     WS      WARNING: Proxy List used: 'proxy.company.com:port', Bypass List used: '(null)', Last Proxy used: 'proxy.company.com:port', Last auth Schemes used: 'None'.
    2012-09-19      01:47:33:461     564    b2c     WS      FATAL: OnCallFailure(hrCall, m_error) failed with hr=0x8024401c
    2012-09-19      01:47:33:461     564    b2c     PT      WARNING: PTError: 0x8024401c
    2012-09-19      01:47:33:461     564    b2c     PT      WARNING: GetCookie_WithRecovery failed : 0x8024401c
    2012-09-19      01:47:33:461     564    b2c     PT      WARNING: RefreshCookie failed: 0x8024401c
    2012-09-19      01:47:33:461     564    b2c     PT      WARNING: RefreshPTState failed: 0x8024401c
    2012-09-19      01:47:33:461     564    b2c     PT      WARNING: PTError: 0x8024401c
    2012-09-19      01:47:33:461     564    b2c     EP      Got 117CAB2D-82B1-4B5A-A08C-4D62DBEE7782 redir Reporting URL: "http://statsfe1.ws.microsoft.com/ReportingWebService/ReportingWebService.asmx"
    2012-09-19      01:47:37:408     564    b2c     Report  Uploading 1 events using cached cookie, reporting URL = http://statsfe1.ws.microsoft.com/ReportingWebService/ReportingWebService.asmx
    2012-09-19      01:47:37:424     564    b2c     WS      WARNING: Nws Failure: errorCode=0x803d001a
    2012-09-19      01:47:37:424     564    b2c     WS      WARNING: There was an error communicating with the endpoint at 'http://statsfe1.ws.microsoft.com/ReportingWebService/ReportingWebService.asmx'.
    2012-09-19      01:47:37:424     564    b2c     WS      WARNING: The server returned HTTP status code '407 (0x197)' with text 'Proxy Authentication Required'.
    2012-09-19      01:47:37:424     564    b2c     WS      WARNING: The proxy requires HTTP authentication scheme 'NTLM'.
    2012-09-19      01:47:37:424     564    b2c     WS      WARNING: Web service call failed with hr = 8024401b.
    2012-09-19      01:47:37:424     564    b2c     WS      WARNING: Current service auth scheme='None'.
    2012-09-19      01:47:37:424     564    b2c     WS      WARNING: Proxy List used: 'proxy.company.com:port', Bypass List used: '(null)', Last Proxy used: 'proxy.company.com:port', Last auth Schemes used: 'None'.
    2012-09-19      01:47:37:424     564    b2c     WS      FATAL: OnCallFailure(hrCall, m_error) failed with hr=0x8024401b
    2012-09-19      01:47:37:424     564    b2c     Report  WARNING: Failed to upload events to the server with hr = 8024401b.
    2012-09-19      01:47:37:424     564    b2c     Report  WARNING: Reporter failed to upload events with hr = 8024401b.
    2012-09-19      01:49:34:457     564    1d54    AU      ###########  AU: Uninitializing Automatic Updates  ###########
    2012-09-19      01:49:34:519     564    1d54    WuTask  Uninit WU Task Manager
    2012-09-19      01:49:36:017     564    1d54    Service *********
    2012-09-19      01:49:36:017     564    1d54    Service **  END  **  Service: Service exit [Exit code = 0x240001]
    2012-09-19      01:49:36:017     564    1d54    Service *************
    2012-09-19      03:03:14:317     564     54     Misc    ===========  Logging initialized (build: 7.8.9200.16384, tz: +0400)  ===========
    2012-09-19      03:03:14:317     564     54     Misc      = Process: C:\Windows\system32\svchost.exe
    2012-09-19      03:03:14:317     564     54     Misc      = Module: c:\windows\system32\wuaueng.dll
    2012-09-19      03:03:14:317     564     54     Service *************
    2012-09-19      03:03:14:317     564     54     Service ** START **  Service: Service startup
    2012-09-19      03:03:14:317     564     54     Service *********
    2012-09-19      03:03:14:317     564     54     Agent     * WU client version 7.8.9200.16384
    2012-09-19      03:03:14:317     564     54     Agent     * Base directory: C:\Windows\SoftwareDistribution
    2012-09-19      03:03:14:317     564     54     Agent     * Access type: No proxy

    Why does it first connect to the corporate proxy without connecting to the local proxy, and then say it connects without a proxy?

    Network Shell shows that local proxy is specified:

    C:\Windows\System32>netsh winhttp show proxy
    
    Current WinHTTP proxy settings:
    
        Proxy Server(s) :  127.0.0.1:3128
        Bypass List     :  (none)
    
    
    C:\Windows\System32>cd ..\SysWOW64
    
    C:\Windows\SysWOW64>netsh winhttp show proxy
    
    Current WinHTTP proxy settings:
    
        Proxy Server(s) :  127.0.0.1:3128
        Bypass List     :  (none)

    BITSADMIN confirms that manually specified proxy is used:

    C:\Windows\SysWOW64>bitsadmin.exe /Util /GetIEProxy LocalSystem
    
    BITSADMIN version 3.0 [ 7.6.9200 ]
    BITS administration utility.
    (C) Copyright 2000-2006 Microsoft Corp.
    
    BITSAdmin is deprecated and is not guaranteed to be available in future versions
     of Windows.
    Administrative tools for the BITS service are now provided by BITS PowerShell cm
    dlets.
    
    Current Internet proxy settings for account LocalSystem:
    (connection = default)
    
    Proxy usage:  MANUAL_PROXY
    Proxy list:   127.0.0.1:3128
    Proxy bypass: <empty>


    Well this is the world we live in And these are the hands we're given...

    Thursday, September 20, 2012 12:58 PM
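
Added example, not part of the original post and not Microsoft tooling: a Python parser that groups the `WS` failure lines of a WindowsUpdate.log excerpt like the one above and reports which proxy the Windows Update client actually used, whether it sent credentials, and what the error code means. The sample log is constructed in the same format with placeholder hosts, and the function names are hypothetical.

```python
import re

EXPECTED_PROXY = "127.0.0.1:3128"  # local proxy shown by `netsh winhttp show proxy` in the thread

# Windows Update agent error codes that appear in the excerpt above.
HRESULTS = {
    "8024401b": "WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ (HTTP 407)",
    "8024401c": "WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT (HTTP 408)",
}

# Columns: date, time, PID, TID (hex), component, message.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>[0-9a-fA-F]+)\s+(?P<comp>\S+)\s+(?P<msg>.*)$"
)
FIELD_RES = {
    "endpoint": re.compile(r"endpoint at '([^']+)'"),
    "http_status": re.compile(r"HTTP status code '(\d{3})"),
    "required_scheme": re.compile(r"requires HTTP authentication scheme '([^']+)'"),
    "hresult": re.compile(r"Web service call failed with hr = ([0-9a-fA-F]{8})"),
    "proxy_list": re.compile(r"Proxy List used: '([^']*)'"),
    "auth_used": re.compile(r"Last auth Schemes used: '([^']*)'"),
}

# Constructed sample in the WindowsUpdate.log layout; hosts are placeholders.
SAMPLE_LOG = """\
2012-09-19  01:47:33:461  564  b2c  WS  WARNING: Nws Failure: errorCode=0x803d0006
2012-09-19  01:47:33:461  564  b2c  WS  WARNING: There was an error communicating with the endpoint at 'https://update.example.test/client.asmx'.
2012-09-19  01:47:33:461  564  b2c  WS  WARNING: The operation timed out after 60000 (0xEA60) milliseconds.
2012-09-19  01:47:33:461  564  b2c  WS  WARNING: Web service call failed with hr = 8024401c.
2012-09-19  01:47:33:461  564  b2c  WS  WARNING: Proxy List used: 'proxy.example.test:8080', Bypass List used: '(null)', Last Proxy used: 'proxy.example.test:8080', Last auth Schemes used: 'None'.
2012-09-19  01:47:33:461  564  b2c  WS  FATAL: OnCallFailure(hrCall, m_error) failed with hr=0x8024401c
2012-09-19  01:47:33:461  564  b2c  PT  WARNING: PTError: 0x8024401c
2012-09-19  01:47:37:424  564  b2c  WS  WARNING: Nws Failure: errorCode=0x803d001a
2012-09-19  01:47:37:424  564  b2c  WS  WARNING: The server returned HTTP status code '407 (0x197)' with text 'Proxy Authentication Required'.
2012-09-19  01:47:37:424  564  b2c  WS  WARNING: The proxy requires HTTP authentication scheme 'NTLM'.
2012-09-19  01:47:37:424  564  b2c  WS  WARNING: Web service call failed with hr = 8024401b.
2012-09-19  01:47:37:424  564  b2c  WS  WARNING: Proxy List used: 'proxy.example.test:8080', Bypass List used: '(null)', Last Proxy used: 'proxy.example.test:8080', Last auth Schemes used: 'None'.
2012-09-19  01:47:37:424  564  b2c  WS  FATAL: OnCallFailure(hrCall, m_error) failed with hr=0x8024401b
2012-09-19  03:03:14:317  564   54  Agent    * Access type: No proxy
"""


def parse_failures(log_text):
    """Group WS lines from 'Nws Failure' to 'OnCallFailure' into one record per call."""
    open_by_tid, failures = {}, []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["comp"] != "WS":
            continue
        tid, msg = m["tid"], m["msg"]
        if "Nws Failure" in msg:
            open_by_tid[tid] = {"time": f'{m["date"]} {m["time"]}'}
            continue
        rec = open_by_tid.get(tid)
        if rec is None:
            continue  # WS line outside a failure block
        for name, rx in FIELD_RES.items():
            hit = rx.search(msg)
            if hit:
                rec[name] = hit.group(1).lower() if name == "hresult" else hit.group(1)
        if "OnCallFailure" in msg:
            failures.append(open_by_tid.pop(tid))
    return failures


def diagnose(rec, expected_proxy=EXPECTED_PROXY):
    """Turn one failure record into plain-language findings."""
    findings = []
    proxy = rec.get("proxy_list")
    if proxy is not None and proxy != expected_proxy:
        findings.append(f"request went to '{proxy}', not the configured {expected_proxy}")
    if rec.get("http_status") == "407" and rec.get("auth_used", "None") == "None":
        scheme = rec.get("required_scheme", "unknown")
        findings.append(f"proxy demanded {scheme} but the client sent no credentials")
    if rec.get("hresult") in HRESULTS:
        findings.append(HRESULTS[rec["hresult"]])
    return findings


def access_types(log_text):
    """Collect the 'Access type' the agent logs at service startup."""
    out = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m and m["comp"] == "Agent" and "Access type:" in m["msg"]:
            out.append(m["msg"].split("Access type:", 1)[1].strip())
    return out


if __name__ == "__main__":
    for failure in parse_failures(SAMPLE_LOG):
        print(failure["time"], failure.get("endpoint", "-"))
        for finding in diagnose(failure):
            print("   ", finding)
    print("agent access types:", access_types(SAMPLE_LOG))
```

A record whose proxy differs from the WinHTTP setting, as in the excerpt above, means the Windows Update client is reading its proxy from somewhere other than the value `netsh winhttp show proxy` reports.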
  • Figured it out. Restarting system helped. For some reason, gpupdate /force did not work.

    By the way, why does unchecking manual proxy in Desktop Internet Explorer change proxy on Metro style Internet Explorer when proxy for Metro UI is specified by group policy?

    I checked with geoiptool.com, and it showed that once I uncheck manual proxy setting in desktop version of IE to make it connect directly (our corporate proxy is residing in other Active Directory site, and connection to that proxy is very slow), the Metro style IE starts to connect directly as well. Why is that so?

    Thank you everybody for your help.


    Well this is the world we live in And these are the hands we're given...

    Thursday, September 20, 2012 1:02 PM
  • More to add. Once you've set local proxy for Desktop Internet Explorer and imported it using

    C:\Windows\System32>netsh winhttp import proxy source=ie
    
    Current WinHTTP proxy settings:
    
        Proxy Server(s) :  127.0.0.1:3128
        Bypass List     :  (none)
    
    
    C:\Windows\System32>cd ..\SysWOW64
    
    C:\Windows\SysWOW64>netsh winhttp show proxy
    
    Current WinHTTP proxy settings:
    
        Proxy Server(s) :  127.0.0.1:3128
        Bypass List     :  (none)

    you don't need it any longer. You may uncheck the Use a proxy server for your LAN... check box in the Local Area Network (LAN) Settings to browse internet directly, without using proxy. Your Windows Store purchases will continue to use your local proxy.

    Also, make sure BITS service is routed via local proxy:

    C:\Windows\SysWOW64>bitsadmin.exe /Util /GetIEProxy "LocalService"
    
    BITSADMIN version 3.0 [ 7.6.9200 ]
    BITS administration utility.
    (C) Copyright 2000-2006 Microsoft Corp.
    
    BITSAdmin is deprecated and is not guaranteed to be available in future versions
     of Windows.
    Administrative tools for the BITS service are now provided by BITS PowerShell cm
    dlets.
    
    Current Internet proxy settings for account LocalService:
    (connection = default)
    
    Proxy usage:  MANUAL_PROXY
    Proxy list:   127.0.0.1:3128
    Proxy bypass: <empty>
    
    C:\Windows\SysWOW64>bitsadmin.exe /Util /GetIEProxy "LocalSystem"
    
    BITSADMIN version 3.0 [ 7.6.9200 ]
    BITS administration utility.
    (C) Copyright 2000-2006 Microsoft Corp.
    
    BITSAdmin is deprecated and is not guaranteed to be available in future versions
     of Windows.
    Administrative tools for the BITS service are now provided by BITS PowerShell cm
    dlets.
    
    Current Internet proxy settings for account LocalSystem:
    (connection = default)
    
    Proxy usage:  MANUAL_PROXY
    Proxy list:   127.0.0.1:3128
    Proxy bypass: <empty>
    
    C:\Windows\SysWOW64>bitsadmin.exe /Util /GetIEProxy "NetworkService"
    
    BITSADMIN version 3.0 [ 7.6.9200 ]
    BITS administration utility.
    (C) Copyright 2000-2006 Microsoft Corp.
    
    BITSAdmin is deprecated and is not guaranteed to be available in future versions
     of Windows.
    Administrative tools for the BITS service are now provided by BITS PowerShell cm
    dlets.
    
    Current Internet proxy settings for account NetworkService:
    (connection = default)
    
    Proxy usage:  MANUAL_PROXY
    Proxy list:   127.0.0.1:3128
    Proxy bypass: <empty>

    If for some service account you get a return that shows direct connection is used, like in this example for Local:

    C:\Windows\SysWOW64>bitsadmin.exe /Util /GetIEProxy "LocalService"
    
    BITSADMIN version 3.0 [ 7.6.9200 ]
    BITS administration utility.
    (C) Copyright 2000-2006 Microsoft Corp.
    
    BITSAdmin is deprecated and is not guaranteed to be available in future versions
     of Windows.
    Administrative tools for the BITS service are now provided by BITS PowerShell cm
    dlets.
    
    Current Internet proxy settings for account LocalService:
    (connection = default)
    
    Proxy usage:  NO_PROXY

    make sure you specify MANUAL_PROXY for this account:

    C:\Windows\SysWOW64>bitsadmin.exe /Util /SetIEProxy LocalService MANUAL_PROXY 12
    7.0.0.1:3128 NULL
    
    BITSADMIN version 3.0 [ 7.6.9200 ]
    BITS administration utility.
    (C) Copyright 2000-2006 Microsoft Corp.
    
    BITSAdmin is deprecated and is not guaranteed to be available in future versions
     of Windows.
    Administrative tools for the BITS service are now provided by BITS PowerShell cm
    dlets.
    
    Internet proxy settings for account LocalService were set.
    (connection = default)
    
    Proxy usage set to       MANUAL_PROXY
    Proxy list set to        127.0.0.1:3128
    Proxy bypass list set to <empty>

    Make sure to restart Windows, seems like it is necessary (possibly, settings are applied to machine account?).

    Well this is the world we live in And these are the hands we're given...

    Thursday, September 20, 2012 1:16 PM
  • I searched for a solution all around the internet and I finally found a way to do it:

    Open command prompt as admin and write:

    netsh
    winhttp
    import proxy source=ie

    Hope it helps, unfortunately I do not remember the source of this script.



    • Edited by AnindyaMaiti Saturday, September 22, 2012 4:52 AM
    Saturday, September 22, 2012 4:52 AM
  • I used the same way....netsh winhttp import proxy source=ie

    Thiago Cardoso Luiz
    W: www.thiagocardoso.org
    T: www.twitter.com/t_cardoso
    Microsoft Student Partner - Brazil/SP
    MCT MCITP MCSE MCSA MCTS ITIL MSP MCC

    If this was useful, vote and mark it as the answer!

    Tuesday, October 9, 2012 4:31 PM
  • Hi Thiago!

    Could you please confirm that what you did was:

    • Manually specified corporate proxy (the one assigned by TMG/ISA client) in Internet Explorer (that is you have configured proxy settings for WinInet library).
    • Imported proxy settings from WinInet library to WinHTTP library (this one is used by Windows Update; the latter is utilized to obtain apps from Windows store) by running the following command from an elevated prompt (for both flavors, x86 and x64, of NetShell tool):

    netsh winhttp import proxy=ie

    And that's it, correct? So you did NOT use any local ntlm-capable proxy server like I used to do, right?

    Thank you.


    Well this is the world we live in And these are the hands we're given...

    Wednesday, October 10, 2012 6:07 PM
  • Gentlemen, whilst it is not yet solved and, yikes!, we still have no comments on this issue from MSFT, I will recap my post with the workaround to this problem from Windows Store and Windows Update Fail With Error 0x8024401c On a PC Under Corporate Proxy With Direct Access (Proxy Disabled) thread.

    Note! The procedure below is a workaround and has its issues. While it definitely will allow you to install apps from Windows Store by tricking your apps into thinking they are going out through a transparent proxy, the mess with implementation of WinHTTP library support in different apps causes completely different behavior of apps.

    Cause When processing asynchronous requests, WinHTTP does not handle thread impersonation properly. This causes requests that require NTLM/Negotiate authentication to fail, unless credentials are explicitly given using the WinHttpSetCredentials or WinHttpSetOption functions.

    In other words, currently available apps, including Windows Store app, do not properly use WinHTTP library.

    Issues Some apps will always connect through your proxy, some won't, no matter whether exempted or not. If your proxy server is located in another area, this will render it impossible for some apps to correctly determine your location. In other words, some apps, mostly weather apps, will always show you the forecast for the location of your corporate proxy server and not the location of your PC, examples include but are not limited to:

    • WindGuru
    • WeatherFlow
    • Frost

    Apps that correctly handle location

    • Microsoft Weather
    • Accuweather
    • WeatherBug

    Gentlemen, it looks like I've found a possible solution to the problem with Modern apps not working in a corporate environment with a NTLM proxy.

    I've written complete step-by-step procedure that will guide you through issues with purchasing and installing Modern apps from Windows Store when working on a Windows 8 computer in a domain environment with corporate NTLM-enabled proxy server.

    Symptoms

    When working with Modern apps, you cannot make the apps connect to a remote location. For example, your radio apps return connection errors, your Mail app returns Offline in a top-right corner of the app display when you sync messages for the selected mailbox, or you cannot purchase apps from Windows Store, and looking into the WindowsUpdate.log (the log file that journals Windows Update and Windows Store activity) shows the log contains records like:

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: The server returned HTTP status code '407 (0x197)' with text 'Proxy Authentication Required'.

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: The proxy requires HTTP authentication scheme 'NTLM'.

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: Web service call failed with hr = 8024401b.

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: Current service auth scheme='None'.

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: Proxy List used: 'proxy.domain.com:port', Bypass List used: '(null)', Last Proxy used: 'proxy.domain.com:port', Last auth Schemes used: 'None'.

    Cause

    Unlike desktop applications such as Windows Internet Explorer, which uses WinInet library (http://msdn.microsoft.com/en-us/library/windows/desktop/aa383630(v=vs.85).aspx) to establish connections, Modern apps establish connections using WinHTTP library (http://msdn.microsoft.com/en-us/library/windows/desktop/aa382925(v=vs.85).aspx).

    You may find a comparison table for these two communication libraries at http://msdn.microsoft.com/en-us/library/windows/desktop/hh227297(v=vs.85).aspx but the main difference, I guess, is here:

    Credential Prompting: Provides an API that allows the calling code to prompt the user for credentials. WinINet: yes. WinHTTP: no.


    In other words, while the WinInet library supports requesting connection credentials, the WinHTTP library does not. I am not a developer in either way, and I don't know if my assumptions are true, and I definitely can't understand why impersonation from threads, supported by WinHTTP library, does not work here, but my guess is that WinHTTP library impersonates under some service account such as LocalSystem or the WinHttpGetIEProxyConfigForCurrentUser function is NOT used in currently available Modern apps.


    That being said, I believe that the root of the problem lies in the current WinHTTP limitation (mentioned here http://msdn.microsoft.com/en-us/library/windows/desktop/aa384086(v=vs.85).aspx):

    When processing asynchronous requests, WinHTTP does not handle thread impersonation properly. This causes requests that require NTLM/Negotiate authentication to fail, unless credentials are explicitly given using the WinHttpSetCredentials or WinHttpSetOption functions.

    In other words, currently available apps, including Windows Store app, do not properly use WinHTTP library.

    Solution

    Part I

    To make your Modern apps properly authenticate on a corporate NTLM-enabled proxy server using current user credentials (that is your credentials you provided when logging into Windows 8 on the logon screen), you have to use third-party application that would authenticate connections outgoing from apps on the proxy server.

    This third-party application would be a NTLM-capable proxy server such as cntlm (cntlm.sf.net) (you may use any other proxy that can ask you for NTLM credentials required by your corporate proxy and is capable of working in a chain of proxy).

    Once installed on your local Windows 8 computer, cntlm proxy will accept outgoing anonymous connections established by Modern apps and redirect them to a parent proxy server (that is, chain to upstream proxy), that is to your corporate proxy server. This way, your Modern apps that are not capable of authenticating via NTLM protocol authenticate on a corporate proxy server without even knowing that this corporate proxy server requires explicit authentication  --- cntlm will do this trick for the apps.

    Briefly, connection chain will now look as:

    Modern app (localhost) -> cntlm (localhost) -> corporate proxy (domain network) -> web service (remote end-point).

    To install local cntlm proxy, do the following:

    1. Download the cntlm proxy setup package from cntlm.sf.net (direct link to the latest version: http://sourceforge.net/projects/cntlm/files/latest/download?source=files) or any other NTLM-capable proxy server; install the setup package.

    2. Open Services snap in by pressing WindowsKey and typing 'services' (without quotes), locate and stop the Cntlm Authentication Proxy service;

    Alternatively, to stop the service type at the elevated command prompt

    sc stop cntlm

    3. Open cntlm program folder (%programfiles(x86)%\cntlm or %programfiles%\cntlm for x64 and x86 platforms correspondingly) and open cntlm.ini configuration file in the notepad.

    3.1 Specify the user account name used to authenticate on your corporate proxy server such as:

    Username Jon

    3.2 Specify authority to which your user account name is belonging, this is typically your domain name, for example:

    Domain corporation.com

    ATTENTION: If you do not know your domain/authority name used to authenticate your account name, type the following at the command prompt:

    systeminfo | findstr /B /C:Domain

    This will return a string like:

    Domain:                    corporation.com

    3.1 Comment out the Password option by preceding it with the sharp sign:

    #Password password

    because you don't want to specify your domain password in a plain text.

    3.3 Determine what version of NTLM challenge is supported by corporate proxy server.

    To do that, open the command prompt and change working directory to cntlm program folder (%programfiles(x86)%\cntlm or %programfiles%\cntlm for x64 and x86 platforms correspondingly), or simply navigate to cntlm program folder in Windows Explorer and choose File|Open command prompt.

    At the command prompt type:

    cntlm.exe -M http://google.com

    Type your domain user account password when prompted.

    This will return the most secure NTLM authentication response hash supported by your corporate proxy server.

    ATTENTION: If you want to use other types of response hashes to authenticate on a corporate proxy server (such as LM or NT, which is not recommended for security reasons if the corporate proxy server supports NTLMv2 responses), type the following:

    cntlm.exe -M

    Type your domain user account password when prompted.

    This will return all three NTLM authentication response hashes supported by cntlm proxy server.

    3.4 Copy hash string (a 16-byte [32-character] alpha-numeric string) that looks like:

    FBB7DAA8D3663EC34F199E3CF838D3BD

    This is a result of HMAC-MD5 function (NTv2 = HMAC-MD5(v2-Hash, SC, CC*)), see http://en.wikipedia.org/wiki/NTLM for more details.

    3.5 Paste the copied string next to the PassNTLMv2 option (if you used NTLMv2 response returned by cntlm -H or cntlm -M commands):

    PassNTLMv2 FBB7DAA8D3663EC34F199E3CF838D3BD

    ATTENTION: Comment out all the unused responses

    #PassLM

    #PassNT

    PassNTLMv2 FBB7DAA8D3663EC34F199E3CF838D3BD

    3.6 [optional] Specify your computer name:

    Workstation computername

    3.7 Specify the IP or hostname of the corporate proxy server, for example:

    Proxy 192.0.2.2:8080

    ATTENTION: You may get the corporate proxy server address from the %systemroot%\WindowsUpdate.log log file by locating line like:

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: Proxy List used: 'proxy.domain.com:port', Bypass List used: '(null)', Last Proxy used: 'proxy.domain.com:port', Last auth Schemes used: 'None'.

    Alternatively, type the following at the command prompt:

    reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" | find /i "proxyserver"

    SR at 14.11.2012 17:21

    This command will obtain the proxy server address used by WinInet library from Windows registry.

    3.8 [optional] Specify the target network addresses that should not be routed via cntlm proxy

    NoProxy  localhost, 127.0.0.*, 10.*, 192.168.*

    3.9 Specify the local TCP port that will be used by cntlm proxy server to listen for incoming connections from Modern apps (actually from WinHTTP library), for example:

    Listen 3128

    3.10 [optional] Specify which source networks are allowed to establish incoming connection to your cntlm proxy server. Since you only install proxy to route Modern apps that run on your local computer, specify the loopback 127.0.0.0/8 network as the only allowed and prohibit connections from all other (0/0) networks:

    Allow  127.0.0.1

    Deny  0/0

    3.11 Leave all other cntlm configuration file options intact, close notepad, and save changes to the configuration file.

    ATTENTION: Because User Account Control (UAC) needs to be enabled for Modern apps to run, you may need your cntlm.ini sent to a non-prohibited location such as your My Documents folder (because %programfiles% folder is prohibited for writing under non-elevated processes). Once saved to a temporary storage, copy changed cntlm.ini file back to cntlm proxy server program folder.

    Continued in the message below.


    Well this is the world we live in And these are the hands we're given...

    Thursday, October 25, 2012 7:31 PM
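The cntlm.ini settings from steps 3.1 to 3.10 of the post above can be checked mechanically before the service is restarted. The following is an added example, not part of the original post and not cntlm's own code; the function names, finding codes and both sample files are constructed for illustration, and only the options named in the post are examined.

```python
import ipaddress
import re

# Constructed sample with three deliberate departures from steps 3.1-3.10.
SAMPLE_INI = """\
Username    Jon
Domain      corporation.com
Password    password
PassLM      0123456789ABCDEF0123456789ABCDEF
#PassNT     0123456789ABCDEF0123456789ABCDEF
PassNTLMv2  FBB7DAA8D3663EC34F199E3CF838D3BD
Proxy       192.0.2.2:8080
NoProxy     localhost, 127.0.0.*, 10.*, 192.168.*
Listen      3128
Allow       127.0.0.1
"""

# The same constructed file after following the steps as written.
HARDENED_INI = """\
Username    Jon
Domain      corporation.com
#Password   password
#PassLM
#PassNT
PassNTLMv2  FBB7DAA8D3663EC34F199E3CF838D3BD
Proxy       192.0.2.2:8080
NoProxy     localhost, 127.0.0.*, 10.*, 192.168.*
Listen      3128
Allow       127.0.0.1
Deny        0/0
"""


def parse_cntlm_ini(text):
    """Return [(key, value)] for active lines; lines starting with '#' are comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entries.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return entries


def _is_loopback(value):
    """True for 127.0.0.0/8 addresses or networks, and for the name 'localhost'."""
    try:
        return ipaddress.ip_network(value, strict=False).is_loopback
    except ValueError:
        return value.lower() == "localhost"


def audit_cntlm(text):
    """Return [(code, message)] for settings that depart from the procedure."""
    # Keys are compared case-insensitively (an assumption made to be lenient).
    entries = [(k.lower(), v) for k, v in parse_cntlm_ini(text)]

    def values(key):
        return [v for k, v in entries if k == key]

    findings = []
    if any(values("password")):
        findings.append(("plaintext-password",
                         "Password is active; comment it out and use a hash"))
    weak = [k for k in ("passlm", "passnt") if any(values(k))]
    if weak and values("passntlmv2"):
        findings.append(("weak-hash-enabled",
                         "unused LM/NT hashes left active next to PassNTLMv2"))
    for h in values("passntlmv2"):
        if not re.fullmatch(r"[0-9A-Fa-f]{32}", h):
            findings.append(("bad-hash-format",
                             "PassNTLMv2 is not a 32-character hex string"))
    if not values("proxy"):
        findings.append(("no-parent-proxy", "no Proxy (corporate proxy) line"))
    listens = values("listen")
    if not listens:
        findings.append(("no-listen", "no Listen port configured"))
    for spec in listens:
        host = spec.rpartition(":")[0]  # empty when only a port is given
        if host and not _is_loopback(host):
            findings.append(("listen-not-loopback",
                             "Listen %s is bound to a non-loopback address" % spec))
    for net in values("allow"):
        if not _is_loopback(net):
            findings.append(("allow-not-loopback",
                             "Allow %s admits non-local clients" % net))
    if "0/0" not in values("deny"):
        findings.append(("no-default-deny", "missing catch-all 'Deny 0/0'"))
    return findings


if __name__ == "__main__":
    for code, message in audit_cntlm(SAMPLE_INI):
        print(code, "-", message)
```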
  • Part II

    Continuation, see Part I above for the beginning.


    4.  Open Services snap in by pressing WindowsKey and typing 'services' (without quotes), locate and start the Cntlm Authentication Proxy service;

    Alternatively, to start the service type at the elevated command prompt

    sc start cntlm

     

    This will start cntlm proxy server's Windows service. This time the service will use settings you have specified in the cntlm.ini configuration file.

     

    5. Now it is time to specify the local cntlm proxy server you have just configured within WinHTTP library settings to make Modern app connect via cntlm proxy.

    The quickest way to do that is to import proxy settings from WinInet library settings, but before you could do that, you would need to set proxy settings for the WinInet library itself, which you can do using desktop version of Windows Internet Explorer.

     

    5.1 Start Windows Internet Explorer by clicking its icon on the taskbar. In the started Windows Internet Explorer press Alt+X to show settings menu, choose Internet Options and switch to the Connections tab in the opened Internet Options dialog box. Next click LAN Settings and set Use a proxy server for your LAN (These settings will not apply to dial-up or VPN connections) check box.

    In the Address and Port fields specify the localhost IP address and listen port correspondingly as specified in the cntlm.ini configuration file, namely:

    Address: 127.0.0.1

    Port: 3128

    Click OK to apply proxy settings to WinInet library and close Internet Explorer.

     

    6. When proxy settings are defined for the WinInet library, you are good to go with WinHTTP.

     

        6.1 Firstly, check currently used WinHTTP connection settings using Network Shell NetSH tool. To do that, start an elevated command prompt and type:

    cd "..\..\Windows\System"

    to open Windows system folder.

     

    Now execute the following command:

    netsh winhttp show proxy

     

    This will return your current proxy settings used by WinHTTP library, and hence this will show you the way it is currently used to connect to remote addresses by Modern apps:

     

    Current WinHTTP proxy settings:

    Direct access (no proxy server).

     

    Most likely, you will see that your Modern apps are connecting directly, that is connections go from your local computer to the default gateway (an IP address such as 192.0.2.1 provided that your computer is located within the 192.0.2.0/24 private subnet).

    If you are using 64-bit Windows 8 on a x64 platform, check settings with 32-bit version of NetSh tool located in SysWOW64 folder. When in the System folder, type

     

    cd ..\SysWOW64

     

    to change to SysWOW64 folder and then execute

     

    netsh winhttp show proxy

     

    This will return the same settings:

     

    Current WinHTTP proxy settings:

    Direct access (no proxy server).

     

    ATTENTION: To be doubly sure direct settings are used when impersonating under different user accounts, including service accounts, such as LocalService, Local System, Network Service, and your Microsoft account such as username@live.com or username@outlook.com provided that you have connected your domain user account to your Microsoft account (formerly known as Windows Live ID or WLID account).

     

    6.2 To check WinHTTP library connection settings under different accounts, use PSExec tool from SysInternals.

    Download Sysinternals Suite zip file from http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx and unpack it to %ProgramFiles%\Sysinternals\. Open elevated command prompt and type:

     

    cd "..\..\Program Files\SysInternals"

     

    to navigate to SysInternals program folder.

     

    6.2.1 To interactively start command prompt window with LocalSystem privileges type

    PsExec.exe /s /i cmd

     

    Check that command prompt is running under LocalSystem privileges, type:

    whoami

     

    You should get

    nt authority\system

     

    To verify  WinHTTP library settings when it impersonates under LocalSystem, type:

     

    netsh winhttp show proxy

     

    both for 64-bit and 32-bit flavors of the Network Shell just as you did in bullet item 6.1

     

    Close started interactive command prompt running under LocalSystem and return back to the elevated command prompt opened in the %Program Files%\SysInternals\ working directory.

     

    6.2.1 To interactively start command prompt window with Network Service privileges type

    PsExec.exe /i /u "NT AUTHORITY\NETWORKSERVICE" "cmd"

     

    Check that command prompt is running under  Network Service privileges, type:

    whoami

     

    You should get

    nt authority\network service

     

    To verify  WinHTTP library settings when it impersonates under  Network Service, type:

     netsh winhttp show proxy

     

    both for 64-bit and 32-bit flavors of the Network Shell just as you did in bullet item 6.1

     

    Close started interactive command prompt running under  Network Service and return back to the elevated command prompt opened in the %Program Files%\SysInternals\ working directory.

     

    6.2.2 To interactively start command prompt window with Local Service privileges type

    PsExec.exe /i /u "NT AUTHORITY\LOCALSERVICE" "cmd"

     

    Check that command prompt is running under Local Service privileges, type:

    whoami

     

    You should get

    nt authority\local service

     

    To verify  WinHTTP library settings when it impersonates under Local Service, type:

     netsh winhttp show proxy

     

    both for 64-bit and 32-bit flavors of the Network Shell just as you did in bullet item 6.1

     

    Close started interactive command prompt running under Local Service and return back to the elevated command prompt opened in the %Program Files%\SysInternals\ working directory.

     

    6.2.3 To interactively start command prompt window with privileges of your Microsoft account press WindowsKey and type cmd.

    Right-click the command prompt icon and choose Open file location from the bar.

    In the opened Windows Explorer window right-click command prompt shortcut when holding Shift key pressed and choose Run as different user. In the Windows Security dialog choose Microsoft account. Specify your Microsoft account credentials.

     

    Check that command prompt is running under Microsoft account privileges, type:

    whoami

     

    You should get

    computername\microsoftaccountlogin

     

    (where computername and microsoftaccountlogin will substitute for your actual computer name and account name used on Live services)

     

    To verify  WinHTTP library settings when it impersonates under Local Service, type:

     netsh winhttp show proxy

     

    both for 64-bit and 32-bit flavors of the Network Shell just as you did in bullet item 6.1

    Close started interactive command prompt running under Local Service and return back to the elevated command prompt opened in the %Program Files%\SysInternals\ working directory.

      

    7. Now import connection settings from WinInet library to WinHTTP library.

     

    Repeat all steps of step 6 and its minor steps, but do use the following command that will import connection settings:

     netsh winhttp import proxy source=ie

     

    Do that for both flavors of Network Shell.

    Repeat step 6 and its minor steps when finished to confirm your cntlm proxy server is specified within WinHTTP library connection settings.


    Well this is the world we live in And these are the hands we're given...

    Thursday, October 25, 2012 7:32 PM
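The per-account checks described in the post above (netsh winhttp show proxy for both netsh flavors) and the earlier bitsadmin /Util /GetIEProxy checks can be compared against the expected local proxy in one pass over saved tool output. This is an added example, not part of the original posts; the function names are hypothetical, and the captured text is constructed in the format shown in this thread.

```python
import re

EXPECTED_PROXY = "127.0.0.1:3128"  # the local cntlm listener used in this thread

# Constructed captures: the 32-bit netsh flavor still reports direct access.
NETSH_CAPTURES = {
    "System32": (
        "Current WinHTTP proxy settings:\n\n"
        "    Proxy Server(s) :  127.0.0.1:3128\n"
        "    Bypass List     :  (none)\n"
    ),
    "SysWOW64": (
        "Current WinHTTP proxy settings:\n\n"
        "    Direct access (no proxy server).\n"
    ),
}

# Constructed bitsadmin transcript: LocalService is still on NO_PROXY.
BITS_CAPTURE = """\
BITSADMIN version 3.0 [ 7.6.9200 ]
BITS administration utility.

Current Internet proxy settings for account LocalService:
(connection = default)

Proxy usage:  NO_PROXY

Current Internet proxy settings for account LocalSystem:
(connection = default)

Proxy usage:  MANUAL_PROXY
Proxy list:   127.0.0.1:3128
Proxy bypass: <empty>

Current Internet proxy settings for account NetworkService:
(connection = default)

Proxy usage:  MANUAL_PROXY
Proxy list:   127.0.0.1:3128
Proxy bypass: <empty>
"""


def parse_netsh(text):
    """Return the 'Proxy Server(s)' value, or None when WinHTTP is on direct access."""
    m = re.search(r"^\s*Proxy Server\(s\)\s*:\s*(\S+)", text, re.M)
    return m.group(1) if m else None


def parse_bitsadmin(text):
    """Return {account: {'usage': ..., 'list': ..., 'bypass': ...}} from a transcript."""
    accounts = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Current Internet proxy settings for account (.+?):$", line)
        if m:
            current = accounts.setdefault(m.group(1), {})
            continue
        m = re.match(r"Proxy (usage|list|bypass):\s*(.*)$", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return accounts


def unproxied(netsh_captures, bits_text, expected=EXPECTED_PROXY):
    """List every netsh flavor and BITS account not routed through `expected`."""
    bad = []
    for flavor, text in netsh_captures.items():
        # Strict comparison: a per-protocol list such as http=...;https=... is
        # reported too, so that it gets reviewed by hand.
        if parse_netsh(text) != expected:
            bad.append("netsh:" + flavor)
    for account, settings in parse_bitsadmin(bits_text).items():
        if settings.get("usage") != "MANUAL_PROXY" or settings.get("list") != expected:
            bad.append("bits:" + account)
    return sorted(bad)


if __name__ == "__main__":
    for item in unproxied(NETSH_CAPTURES, BITS_CAPTURE):
        print("not routed via", EXPECTED_PROXY + ":", item)
```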
  • Part III

    Continuation, see Part II above for the beginning.

     
    8. By default, each Modern app runs in a separate container and so applies to its network connections. Connection isolation is performed by Network Isolation.

    Network Isolation uses its own proxy autodiscovery feature to discover proxy server to use for connecting Modern apps. This autodiscovery feature (please correct me here) is different to WPAD (Web Proxy Auto Discovery) protocol used by desktop applications.

     

    To make sure your Modern apps connect through your specified proxy server, set local group policy.

     

    8.1     Press WindowsKey+R to open Run dialog box and type gpedit.msc to start Local Group Policy Editor.

     

    8.2 In the Local Group Policy Editor window right-click Administrative Templates folder under Computer Configuration and choose Filter options.

     

    8.3 In the Filter Options dialog box type 'proxy' (without quotes) in the Filter for word(s) field and choose Any in the drop-down list. Make sure all checkboxes are set for Within to make the filter apply to settings that have 'proxy' keyword in policy name, description, or help.

     

    8.4 Set the Enable Keyword Filters check box and click OK to apply the filter.

     

    8.5 Expand the Administrative Templates folder under Computer Configuration and click All Settings to display all policies related to configuring proxy settings.

     

    8.6 In the right results panel find the following policies

     

    Internet proxy servers for apps

    Intranet proxy servers for apps

     

    and  enable them.

     

    8.7 To enable a proxy policy, double click it and choose Enabled. Specify a local proxy server address such as 127.0.0.1:3128 (just as specified in the WinHTTP library settings) in the Domain proxies field and click OK.

     

    8.8 Enable the Proxy definitions are authoritative policy to make sure your local proxy server is a preferred proxy should your corporate proxy be discovered by Windows Network Isolation automatic proxy discovery.

     

    8.9 Press WindowsKey+R and type gpupdate /force to forcibly apply changes to local Group Policy settings.

     

    9. Because of enhanced security measures implemented in Windows 8, Modern apps run isolated in application containers. Let me quote Eric Lawrence:

    "Metro-style applications run inside isolated processes known as “AppContainers,” and by default, AppContainers are forbidden from sending network traffic to the local computer (loopback). This is, of course, problematic when debugging with Fiddler, as Fiddler is a proxy server which runs on the local computer. The post went on to explain how the CheckNetIsolation tool can be used to permit an AppContainer to send traffic to the local computer. However, using CheckNetIsolation is pretty cumbersome—it requires that you know the AppContainer’s name or security ID, and you must configure each AppContainer individually. To resolve those difficulties, I have built a GUI tool that allows you to very easily reconfigure an AppContainer to enable loopback traffic. This tool requires Windows 8 and runs on the .NET Framework v4. When launched, the utility scans your computer’s AppContainers and displays them in a list view. Each entry has a checkbox to the left of it, indicating whether the AppContainer may send loopback traffic. You can toggle these checkboxes individually, or use the buttons at the top to set all of the checkboxes at once. Click Save Changes to commit the configuration changes you’ve made, or click Refresh to reload the current configuration settings.

    After you install the EnableLoopback Utility, a new “Win8 Loopback Exemptions” item is added to Fiddler’s Tools menu; clicking this item launches the utility. To make changes to the exemption list, you must elevate to Administrator."

     

    9.1 Download and install the Enable Loopback tool by Eric Lawrence from http://blogs.msdn.com/b/fiddler/archive/2011/12/10/fiddler-windows-8-apps-enable-loopback-network-isolation-exemption.aspx

     

    9.2 After installing run it with elevated privileges and exempt necessary apps.

    To exempt an app, find the app in the app list within the AppContainer Loopback Exemption Utility and set a check box next to app name and click Save changes.

    If you had selected app opened, close the app by tapping and dragging it down to the bottom of the screen or move the mouse pointer to the top of the app display, wait until the pointer will turn from arrow to and drag the app screen with the mouse.

    Start the app again. It will now be exempted and will connect via your local cntlm proxy server.

     

    IMPORTANT: DO NOT EXEMPT your SkyDrive app if you are using it with your Microsoft Office 365 2013 ProPlus, or it will render it impossible for Office apps to open your documents from SkyDrive. Most likely, you will face an error described in this post of mine at Microsoft forums: http://social.technet.microsoft.com/Forums/en-US/w8itprogeneral/thread/a87dd6ce-6339-4677-a9e1-27a4903a8b8f

     

    1. Finally, make sure apps that are delivered from Windows Store are downloaded via local cntlm proxy.

    Like Windows Update, Windows Store uses BITS (Background Intelligent Transfer Service) to create download jobs and download purchased APPX Modern app packages from Windows Store.

    You may use BITSADMIN tool (or a dedicated PowerShell cmdlet) to make sure BITS transfers are made through manually specified cntlm proxy server:

     

    Also, make sure BITS service is routed via local proxy:

    C:\Windows\SysWOW64>bitsadmin.exe /Util /GetIEProxy "LocalService"

     

    BITSADMIN version 3.0 [ 7.6.9200 ]

    BITS administration utility.

    (C) Copyright 2000-2006 Microsoft Corp.

     

    BITSAdmin is deprecated and is not guaranteed to be available in future versions

     of Windows.

    Administrative tools for the BITS service are now provided by BITS PowerShell cm

    dlets.

     

    Current Internet proxy settings for account LocalService:

    (connection = default)

     

    Proxy usage:  MANUAL_PROXY

    Proxy list:   127.0.0.1:3128

    Proxy bypass: <empty>

     

    C:\Windows\SysWOW64>bitsadmin.exe /Util /GetIEProxy "LocalSystem"

     

    BITSADMIN version 3.0 [ 7.6.9200 ]

    BITS administration utility.

    (C) Copyright 2000-2006 Microsoft Corp.

     

    BITSAdmin is deprecated and is not guaranteed to be available in future versions

     of Windows.

    Administrative tools for the BITS service are now provided by BITS PowerShell cm

    dlets.

     

    Current Internet proxy settings for account LocalSystem:

    (connection = default)

     

    Proxy usage:  MANUAL_PROXY

    Proxy list:   127.0.0.1:3128

    Proxy bypass: <empty>

     

    C:\Windows\SysWOW64>bitsadmin.exe /Util /GetIEProxy "NetworkService"

     

    BITSADMIN version 3.0 [ 7.6.9200 ]

    BITS administration utility.

    (C) Copyright 2000-2006 Microsoft Corp.

     

    BITSAdmin is deprecated and is not guaranteed to be available in future versions

     of Windows.

    Administrative tools for the BITS service are now provided by BITS PowerShell cm

    dlets.

     

    Current Internet proxy settings for account NetworkService:

    (connection = default)

     

    Proxy usage:  MANUAL_PROXY

    Proxy list:   127.0.0.1:3128

    Proxy bypass: <empty>

     

    If for some service account you get a return that shows direct connection is used, like in this example for Local:

    C:\Windows\SysWOW64>bitsadmin.exe /Util /GetIEProxy "LocalService"

     

    BITSADMIN version 3.0 [ 7.6.9200 ]

    BITS administration utility.

    (C) Copyright 2000-2006 Microsoft Corp.

     

    BITSAdmin is deprecated and is not guaranteed to be available in future versions

     of Windows.

    Administrative tools for the BITS service are now provided by BITS PowerShell cm

    dlets.

     

    Current Internet proxy settings for account LocalService:

    (connection = default)

     

    Proxy usage:  NO_PROXY

     

    make sure you specify MANUAL_PROXY for this account:

    C:\Windows\SysWOW64>bitsadmin.exe /Util /SetIEProxy LocalService MANUAL_PROXY 127.0.0.1:3128 NULL

     

    BITSADMIN version 3.0 [ 7.6.9200 ]

    BITS administration utility.

    (C) Copyright 2000-2006 Microsoft Corp.

     

    BITSAdmin is deprecated and is not guaranteed to be available in future versions

     of Windows.

    Administrative tools for the BITS service are now provided by BITS PowerShell cm

    dlets.

     

    Internet proxy settings for account LocalService were set.

    (connection = default)

     

    Proxy usage set to       MANUAL_PROXY

    Proxy list set to        127.0.0.1:3128

    Proxy bypass list set to <empty>

     

    Make sure to restart Windows, seems like it is necessary (possibly, settings are applied to machine account?).

     

     

    Sure, this seems to be extremely unfriendly procedure, but it works.

     

    Once again, the problem lies in the fact that current WinHTTP "does not handle thread impersonation properly. This causes requests that require NTLM/Negotiate authentication to fail, unless credentials are explicitly given using the WinHttpSetCredentials or WinHttpSetOption functions".

     

    Shortly, start with explicitly specifying the address of your corporate proxy server in Windows Internet Explorer LAN Settings and importing them to WinHTTP service settings using

     

    netsh winhttp import proxy source=ie

     

    But when it does not help you and you still see records like

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: The server returned HTTP status code '407 (0x197)' with text 'Proxy Authentication Required'.

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: The proxy requires HTTP authentication scheme 'NTLM'.

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: Web service call failed with hr = 8024401b.

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: Current service auth scheme='None'.

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: Proxy List used: 'proxy.domain.com:port', Bypass List used: '(null)', Last Proxy used: 'proxy.domain.com:port', Last auth Schemes used: 'None'.

     

    in WindowsUpdate.log, follow this 10-step instruction, chain your local proxy server and upstream connections to your corporate proxy server.


    Well this is the world we live in And these are the hands we're given...

    Thursday, October 25, 2012 7:33 PM
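The per-account BITS check from the post above, as an added example that is not part of the original post: it parses `bitsadmin /Util /GetIEProxy` output for the three service accounts and lists the ones that are not routed through the local proxy. The sample output is constructed (banner lines trimmed) and the function names are hypothetical.

```python
import re

# Constructed sample: `bitsadmin /Util /GetIEProxy <account>` output for the
# three service accounts, banner lines trimmed, concatenated into one string.
SAMPLE_OUTPUT = """\
Current Internet proxy settings for account LocalService:
(connection = default)

Proxy usage:  NO_PROXY

Current Internet proxy settings for account LocalSystem:
(connection = default)

Proxy usage:  MANUAL_PROXY
Proxy list:   127.0.0.1:3128
Proxy bypass: <empty>

Current Internet proxy settings for account NetworkService:
(connection = default)

Proxy usage:  MANUAL_PROXY
Proxy list:   192.0.2.2:8080
Proxy bypass: <empty>
"""

SERVICE_ACCOUNTS = ("LocalService", "LocalSystem", "NetworkService")
ACCOUNT_RE = re.compile(r"proxy settings for account (\S+?):\s*$")
FIELD_RE = re.compile(r"^(Proxy usage|Proxy list|Proxy bypass):\s*(.*)$")


def parse_bits_proxy(text):
    """Return {account: {"usage": ..., "list": ..., "bypass": ...}}."""
    accounts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = ACCOUNT_RE.search(line)
        if header:
            current = accounts.setdefault(header.group(1), {})
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            key = field.group(1).split()[1]  # usage / list / bypass
            current[key] = field.group(2).strip()
    return accounts


def audit(text, expected_proxy="127.0.0.1:3128"):
    """List (account, problem) pairs for accounts not routed via expected_proxy."""
    parsed = parse_bits_proxy(text)
    findings = []
    for account in SERVICE_ACCOUNTS:
        cfg = parsed.get(account)
        if cfg is None:
            findings.append((account, "no output captured"))
        elif cfg.get("usage") != "MANUAL_PROXY":
            findings.append((account, "usage is %s" % cfg.get("usage")))
        elif cfg.get("list") != expected_proxy:
            findings.append((account, "proxy list is %s" % cfg.get("list")))
        elif cfg.get("bypass") not in ("<empty>", "", None):
            findings.append((account, "bypass list is %s" % cfg.get("bypass")))
    return findings


def fix_commands(findings, expected_proxy="127.0.0.1:3128"):
    """bitsadmin command lines (same form as in the post) for flagged accounts."""
    return ["bitsadmin.exe /Util /SetIEProxy %s MANUAL_PROXY %s NULL"
            % (account, expected_proxy) for account, _ in findings]


if __name__ == "__main__":
    problems = audit(SAMPLE_OUTPUT)
    for account, problem in problems:
        print("%-15s %s" % (account, problem))
    print("\n".join(fix_commands(problems)))
```
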
  • Please excuse this weird formatting, but I had to write this procedure in my OneNote because the last time I was writing it right in forum my Internet Explorer Modern UI hung due to internet connection issues (I don't know why intermittent interruptions in internet connections caused Internet Explorer to hang but that was it. The app hung and I lost the large part of my post).


    Well this is the world we live in And these are the hands we're given...

    Thursday, October 25, 2012 7:35 PM

  • To make your Modern apps properly authenticate on a corporate NTLM-enabled proxy server using current user credentials (that is your credentials you provided when logging into Windows 8 on the logon screen), you have to use third-party application that would authenticate connections outgoing from apps on the proxy server.

    This third-party application would be a NTLM-capable proxy server such as cntlm (cntlm.sf.net) (you may use any other proxy that can ask you for NTLM credentials required by your corporate proxy and is capable of working in a chain of proxy).

    Once installed on your local Windows 8 computer, cntlm proxy will accept outgoing anonymous connections established by Modern apps and redirect them to a parent proxy server (that is, chain to upstream proxy), that is to your corporate proxy server. This way, your Modern apps that are not capable of authenticating via NTLM protocol authenticate on a corporate proxy server without even knowing that this corporate proxy server requires explicit authentication --- cntlm will do this trick for the apps.

    Briefly, connection chain will now look as:

    Modern app (localhost) -> cntlm (localhost) -> corporate proxy (domain network) -> web service (remote end-point).

    To install local cntlm proxy, do the following:

    1. Download the cntlm proxy setup package from cntlm.sf.net (direct link to the latest version: http://sourceforge.net/projects/cntlm/files/latest/download?source=files) or any other NTLM-capable proxy server; install the setup package.

    2. Open Services snap in by pressing WindowsKey and typing 'services' (without quotes), locate and stop the Cntlm Authentication Proxy service;

    Alternatively, to stop the service type at the elevated command prompt

    sc stop cntlm

    3. Open cntlm program folder (%programfiles(x86)%\cntlm or %programfiles%\cntlm for x64 and x86 platforms correspondingly) and open cntlm.ini configuration file in the notepad.

    3.1 Specify the user account name used to authenticate on your corporate proxy server such as:

    Username Jon

    3.2 Specify authority to which your user account name is belonging, this is typically your domain name, for example:

    Domain corporation.com

    ATTENTION: If you do not know your domain/authority name used to authenticate your account name, type the following at the command prompt:

    systeminfo | findstr /B /C:Domain

    This will return a string like:

    Domain:                    corporation.com

    3.1 Comment out the Password option by preceding it with the sharp sign:

    #Password password

    because you don't want to specify your domain password in a plain text.

    3.3 Determine what version of NTLM challenge is supported by corporate proxy server.

    To do that, open the command prompt and change working directory to cntlm program folder (%programfiles(x86)%\cntlm or %programfiles%\cntlm for x64 and x86 platforms correspondingly), or simply navigate to cntlm program folder in Windows Explorer and choose File|Open command prompt.

    At the command prompt type:

    cntlm.exe -M http://google.com

    Type your domain user account password when prompted.

    This will return the most secure NTLM authentication response hash supported by your corporate proxy server.

    ATTENTION: If you want to use other types of response hashes to authenticate on a corporate proxy server (such as LM or NT, which is not recommended for security reasons if the corporate proxy server supports NTLMv2 responses), type the following:

    cntlm.exe -M

    Type your domain user account password when prompted.

    This will return all three NTLM authentication response hashes supported by cntlm proxy server.

    3.4 Copy hash string (a 16-byte [32-character] alpha-numeric string) that looks like:

    FBB7DAA8D3663EC34F199E3CF838D3BD

    This is a result of HMAC-MD5 function (NTv2 = HMAC-MD5(v2-Hash, SC, CC*)); see http://en.wikipedia.org/wiki/NTLM for more details.

    3.5 Paste the copied string next to the PassNTLMv2 option (if you used NTLMv2 response returned by cntlm -H or cntlm -M commands):

    PassNTLMv2 FBB7DAA8D3663EC34F199E3CF838D3BD

    ATTENTION: Comment out all the unused responses

    #PassLM

    #PassNT

    PassNTLMv2 FBB7DAA8D3663EC34F199E3CF838D3BD

    3.6 [optional] Specify your computer name:

    Workstation computername

    3.7 Specify the IP or hostname of the corporate proxy server, for example:

    Proxy 192.0.2.2:8080

    ATTENTION: You may get the corporate proxy server address from the %systemroot%\WindowsUpdate.log log file by locating line like:

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: Proxy List used: 'proxy.domain.com:port', Bypass List used: '(null)', Last Proxy used: 'proxy.domain.com:port', Last auth Schemes used: 'None'.

    Alternatively, type the following at the command prompt:

    reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" | find /i "proxyserver"

    This command will obtain the proxy server address used by WinInet library from Windows registry.

    3.8 [optional] Specify the target network addresses that should not be routed via cntlm proxy

    NoProxy  localhost, 127.0.0.*, 10.*, 192.168.*

    3.9 Specify the local TCP port that will be used by cntlm proxy server to listen for incoming connections from Modern apps (actually from WinHTTP library), for example:

    Listen 3128

    3.10 [optional] Specify which source networks are allowed to establish incoming connection to your cntlm proxy server. Since you only install proxy to route Modern apps that run on your local computer, specify the loopback 127.0.0.0/8 network as the only allowed and prohibit connections from all other (0/0) networks:

    Allow  127.0.0.1

    Deny  0/0

    3.11 Leave all other cntlm configuration file options intact, close notepad, and save changes to the configuration file.

    ATTENTION: Because User Account Control (UAC) needs to be enabled for Modern apps to run, you may need your cntlm.ini sent to a non-prohibited location such as your My Documents folder (because %programfiles% folder is prohibited for writing under non-elevated processes). Once saved to temporary storage, copy the changed cntlm.ini file back to cntlm proxy server program folder.


    Friday, December 7, 2012 6:53 AM
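A check for the cntlm.ini produced by steps 3.1 to 3.10 above, as an added example that is not part of the original post or of cntlm: it flags an active plaintext Password, unused LM/NT hashes left next to PassNTLMv2, and a listener reachable from other hosts without a closing Deny rule. The function names are hypothetical, the PassLM/PassNT hash values are made up, and the loopback-by-default and `Gateway` behaviour is assumed from the cntlm documentation.

```python
import re

# Constructed cntlm.ini that still has settings the procedure above changes.
WEAK_INI = """\
Username    Jon
Domain      corporation.com
Password    password
PassLM      0123456789ABCDEF0123456789ABCDEF
#PassNT     0123456789ABCDEF0123456789ABCDEF
PassNTLMv2  FBB7DAA8D3663EC34F199E3CF838D3BD
Proxy       192.0.2.2:8080
Listen      0.0.0.0:3128
Allow       127.0.0.1
"""

# The same file after the steps above (values are the post's own examples).
HARDENED_INI = """\
Username    Jon
Domain      corporation.com
#Password   password
#PassLM
#PassNT
PassNTLMv2  FBB7DAA8D3663EC34F199E3CF838D3BD
Proxy       192.0.2.2:8080
Listen      3128
Allow       127.0.0.1
Deny        0/0
"""

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")
DENY_ALL = (("deny", "0/0"), ("deny", "0.0.0.0/0"))


def parse_cntlm_ini(text):
    """Return (keyword, value) pairs for active lines, in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank or commented-out line
            continue
        parts = line.split(None, 1)
        entries.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return entries


def lint(text):
    """Return (keyword, problem) pairs for settings the procedure warns about."""
    entries = parse_cntlm_ini(text)
    values = {}
    for key, value in entries:
        values.setdefault(key.lower(), []).append(value)
    findings = []
    if "password" in values:
        findings.append(("Password", "plaintext password is active"))
    if "passntlmv2" in values:
        for key in ("PassLM", "PassNT"):
            if key.lower() in values:
                findings.append((key, "unused weaker hash left active"))
        if not all(HEX32.match(v) for v in values["passntlmv2"]):
            findings.append(("PassNTLMv2", "not a 32-character hex string"))
    # Assumed from cntlm docs: loopback-only unless Listen names an address or Gateway yes.
    exposed = values.get("gateway", ["no"])[-1].lower() == "yes"
    for listen in values.get("listen", []):
        addr = listen.rsplit(":", 1)[0] if ":" in listen else ""
        exposed = exposed or addr not in ("", "127.0.0.1", "localhost")
    acl = [(k.lower(), v) for k, v in entries if k.lower() in ("allow", "deny")]
    if exposed and (not acl or acl[-1] not in DENY_ALL):
        findings.append(("Listen", "non-loopback listener without final Deny 0/0"))
    return findings


if __name__ == "__main__":
    print(lint(WEAK_INI))
```

The stored PassNTLMv2 value is enough for cntlm to authenticate as the user, so cntlm.ini needs the same file permissions you would give a password.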
  • Hi,

    I fixed the formatting and slightly changed the procedure, please see my 3-part post above.


    Well this is the world we live in And these are the hands we're given...

    Friday, December 7, 2012 11:46 AM
  • Sorry, this comment will not help anyone, but MY GOD. Are you serious, in that anyone would go through this to enable Metro apps? LOL....

    While I enjoy Windows 8, is it really a mystery why the adoption/satisfaction rate is poor, and the critics abound? This is ridiculous. 

    Once again, Microsoft seems to forget that there are a zillion PC's behind corporate proxies. 

    Wednesday, December 12, 2012 2:20 PM
  • Moreover, solution isn't very stable. As an example, my Store app stopped working all of a sudden. It's able to successfully fetch update data but fails to start showing as if there's no internet connection.

    So of course, above is just a workaround, not a complete solution. It allows you to work some problems around but as any complicated solution does not give a 100% stable result.

    I am VERY disappointed to not hear any comments on that from Microsoft here... They might react somehow, at least we could know they are aware of the problem, or, what's better, they could provide a more elegant solution.


    Well this is the world we live in And these are the hands we're given...

    Thursday, December 13, 2012 10:18 AM
  • Hi, when I am trying to install loopback utility I'm getting an error as "Failed to get list of appcontainers.Unable to enumerate appcontainers".

    please help to get this problem solved.

    Sunday, January 6, 2013 8:57 AM
  • I had a similar problem where some of my Metro applications could not access the network, unless I was running Fiddler.   After a lot of trial and error I tracked it down to my Hyper-V Virtual Switch using an Internal Network (the Internal network lets Virtual Machines communicate with the Host machine)   When I disabled this virtual adapter everything worked fine.  But when the Internal Network was enabled, Metro applications only worked if there was a Proxy configured (such as when using Fiddler).  

    For now I have just removed my Hyper-V Internal network and am just using Private and External networks for my virtual machines.

    Hope this helps someone.  There seem to be a lot of different ways this problem manifests itself.

    Sunday, January 6, 2013 7:23 PM
  • Microsoft (or anybody)... is there any quick and easy fix for this yet please?  We're beginning our evaluation of W8 for possible future deployment here, and not being able to use Metro without major fiddling is going to be a pretty big entry in the "Cons" column of my Pros and Cons report.
    Tuesday, February 5, 2013 6:32 PM
  • We are evaluating Windows 8 PRO HP Elite 900. Have faced the same issue. We use a PAC file for our proxy and haven't had any luck getting Metro apps to work via the proxy.
    Thursday, February 14, 2013 4:10 AM
  • We are evaluating Windows 8 PRO HP Elite 900. Have faced the same issue. We use a PAC file for our proxy and haven't had any luck getting Metro apps to work via the proxy.

    As I've written above, the problem is not with connection or routing but rather with authentication. The WinHTTP library has an issue that does not allow the application that connects through it to impersonate under your user account. As an effect, most apps connect to the proxy server with Auth field set to None, which causes the server to return the HTTP error 407.

    To fix the issue you have to trick the proxy server and install a NTLM-capable proxy server that would work like a chain between your Modern apps and the proxy server and would be aware of your credentials. You configure your local NTLM server and provide it with your credentials that work on your corporate authenticating proxy server. The local NTLM-capable proxy then connects to your corporate proxy server and impersonates under your credentials. Then you re-route your Modern apps and force them to connect to your local NTLM-capable proxy instead of using corporate proxy. Because your own proxy does not require authentication, Modern apps successfully connect to your proxy and then get redirected to the corporate proxy where your local proxy authenticates those apps on the corporate proxy. 


    Well this is the world we live in And these are the hands we're given...

    Thursday, February 14, 2013 11:54 AM
  • Hello everybody.

    I'm facing similar issue (corporate proxy with NTLM authentication). I can't actually afford to install tools/software for this workaround, thus I'd try to solve it with our usual way: inserting exceptions in our proxy.pac. Now... what are the destination IPs of the services needed for let's say Mail App to be able to sync? Better would be FQDNs, but I fear there are no registered names as I found the IP 207.46.11.152 being queried and accessed via https, but no hostname corresponding to that IP.

    Any clues/suggestions?

    Kind regards,

    F.


    FlavioB

    Thursday, March 14, 2013 12:30 PM
  • Hello everybody.

    I'm facing similar issue (corporate proxy with NTLM authentication). I can't actually afford to install tools/software for this workaround, thus I'd try to solve it with our usual way: inserting exceptions in our proxy.pac. Now... what are the destination IPs of the services needed for let's say Mail App to be able to sync? Better would be FQDNs, but I fear there are no registered names as I found the IP 207.46.11.152 being queried and accessed via https, but no hostname corresponding to that IP.

    Any clues/suggestions?

    Kind regards,

    F.


    FlavioB

    Hi Flavio,

    Why would you need to use IPs of web services' end points?

    Possibly you could use checks like:

    function FindProxyForURL(url, host) {
        // Hosts used by Windows 8 apps and services
        if (dnsDomainIs(host, ".microsoft.com") ||
            shExpMatch(host, "login.live.com") ||
            shExpMatch(host, "account.live.com") ||
            shExpMatch(host, "clientconfig.passport.net") ||
            shExpMatch(host, "wustat.windows.com") ||
            shExpMatch(host, "*.windowsupdate.com") ||
            shExpMatch(host, "*.wns.windows.com") ||
            shExpMatch(host, "*.hotmail.com") ||
            shExpMatch(host, "*.outlook.com") ||
            shExpMatch(host, "*.microsoft.com") ||
            shExpMatch(url, "*.msftncsi.com/ncsi.txt")) {
            return "PROXY proxy.company.com:8080;DIRECT";
        }
        // Placeholder default for all other hosts; replace with your existing PAC rules.
        return "DIRECT";
    }


    More information about building PAC files can be found here.

    You could find the URLs for end points in this KB article lately published by MSFT: Using authenticated proxy servers together with Windows 8 


    Well this is the world we live in And these are the hands we're given...



    Monday, March 18, 2013 4:03 PM
  • This sounds pretty much like the issue I am having. Windows 8.1 metro applications do not work "no internet connection" ... while everything else does.  I spent Monday evening with MS tier 1 support, they scheduled a call last night with tier 2 and I spent hours waiting and pleading with tier 1 but to no avail was stood up and told, I'll be called back tonight ... sigh.

    The only variation is that I am not using Proxy (pretty sure).  I and MS assured help desk tried all the basics.  Can someone here please provide with instructions for a very rusty old CSC/developer hack?

    Tuesday, April 15, 2014 2:45 PM
  • Sorry to be getting into the thread a bit late, but I'm running into the same problem. The company I work for is starting to implement Surface Pro 2 tablets and as the corporate image builder I immediately ran into issues with the pre-installed Metro apps not wanting to play nice with DWP. After some research I eventually wrote up a quick batch script that will exempt all Metro apps. It's not perfect, because it needs to be run as administrator every time a new app is installed, but it definitely works with DWP without the need for a clunky UI slowing down deployment of who knows how many Windows 8 systems in the future:

    ::Loopback Exemption Utility
    ::Written by Matt Tucker, 2014/05/19
    
    
    :ExemptAllApplications
        ::Find all installed apps and pass the name to the ExemptLoopback function
    	For /F "Tokens=3" %%a IN ('REG Query "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings" -s -v "Moniker" ^| Find /i "Moniker"') Do Call :fn_ExemptLoopback %%a
    GoTo :EOF
    
    
    :fn_ExemptLoopback
        ::Check to see if the application is already exempted
    	CheckNetIsolation LoopbackExempt -s | Find /i "%1"
        ::If the application is already exempted, end function
    	If "%ERRORLEVEL%" EQU "0" GoTo :EOF
        ::If the application is not already exempted, exempt the application
    	CheckNetIsolation LoopbackExempt -a -n=%1
    GoTo :EOF

    Deployment method is currently undecided, haven't had a chance to test it yet. Right now all I know is that when I run this script with elevated privileges everything starts working as designed.

    Tuesday, May 20, 2014 12:08 AM
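Because the script above exempts every installed app, a natural follow-up is to compare the resulting exemption list with the apps that actually need the local proxy. The following added example (not part of the original post) parses `CheckNetIsolation LoopbackExempt -s` output, sorts entries against an approved list, and builds the `-d` commands that remove the rest. The sample listing, package names and SIDs are constructed, the "AppContainer NOT FOUND" name for an uninstalled package is an assumption about the tool's output, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout printed by `CheckNetIsolation LoopbackExempt -s`.
# Package names and SIDs are made up; "AppContainer NOT FOUND" is assumed to be
# what the tool prints when the exempted package is no longer installed.
SAMPLE_LIST = """\
List Loopback Exempted AppContainers

[1] -----------------------------------------------------------------
    Name: contoso.mail_1a2b3c4d5e6f7
    SID:  S-1-15-2-1111111111-1111111111-1111111111-1111111111

[2] -----------------------------------------------------------------
    Name: fabrikam.notes_7f6e5d4c3b2a1
    SID:  S-1-15-2-2222222222-2222222222-2222222222-2222222222

[3] -----------------------------------------------------------------
    Name: AppContainer NOT FOUND
    SID:  S-1-15-2-3333333333-3333333333-3333333333-3333333333

OK.
"""

NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")  # moniker characters only
SID_RE = re.compile(r"^S-1-15-2(-\d+)+$")   # AppContainer SID


def parse_exemptions(text):
    """Return [{"name": ..., "sid": ...}] for each listed exemption."""
    entries, name = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Name:"):
            name = line[5:].strip()
        elif line.startswith("SID:") and name is not None:
            entries.append({"name": name, "sid": line[4:].strip()})
            name = None
    return entries


def audit(text, approved):
    """Sort exemptions into approved, unexpected and orphaned (no usable name)."""
    approved = {a.lower() for a in approved}
    report = {"approved": [], "unexpected": [], "orphaned": []}
    for entry in parse_exemptions(text):
        if not NAME_RE.match(entry["name"]):
            report["orphaned"].append(entry["sid"])
        elif entry["name"].lower() in approved:
            report["approved"].append(entry["name"])
        else:
            report["unexpected"].append(entry["name"])
    return report


def removal_commands(report):
    """CheckNetIsolation command lines that delete the unapproved exemptions."""
    cmds = ["CheckNetIsolation LoopbackExempt -d -n=%s" % name
            for name in report["unexpected"]]
    # Orphaned entries have no name to pass, so they are removed by SID.
    cmds += ["CheckNetIsolation LoopbackExempt -d -p=%s" % sid
             for sid in report["orphaned"] if SID_RE.match(sid)]
    return cmds


if __name__ == "__main__":
    result = audit(SAMPLE_LIST, approved=["contoso.mail_1a2b3c4d5e6f7"])
    print(result)
    print("\n".join(removal_commands(result)))
```
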