Windows 10 1607 - Proxy problems

  • Question

  • Hello,

    today I updated my Windows 10 installation with the Anniversary Update.

    After the installation I started receiving weird errors in the event log such as 

    The description for Event ID 2 from source Forefront TMG Client cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

    If the event originated on another computer, the display information had to be saved with the event.

    The following information was included with the event: 

    WiFiTask.exe

    (an error for every program using the firewall client to connect)

    I have an ISA 2006 as a proxy and all my clients have the firewall client installed. I already tried to uninstall it, but so far only internet browsing is working and nothing else.

    Launching another program (an internal software) I got this:

    Error 100050: Socket Operation Encountered a Dead network

    What can have happened?

    Thanks in advance

    Renato

    Thursday, August 4, 2016 1:47 PM

Answers

All replies

  • A brief update:

    I tried to dig deeper into the problem, but honestly it's really beyond my knowledge.

    The problem is affecting the (luckily) 3 clients I installed the update on, and some applications like communicator.exe cannot even start.

    I think it's all related to the network authentication but I don't know how to troubleshoot the issue.

    I tried to run fwctool pingserver:

    FwcTool version 7.0.7734.100
    Forefront TMG Client support tool
    Copyright (c) Microsoft Corporation. All rights reserved.

    Action:         Verify Forefront TMG connectivity
        Forefront TMG Client Windows Sockets 2 Service Provider:
            DLL Name:                  FwcWsp.dll
            DLL Version:               7.0.7734
            Client Protocol Version:   11
        Forefront TMG Client Agent service:
            Forefront TMG Client Agent service is responsive
        Forefront TMG:
            Firewall Server:           servername
            Server address:            serverip
            Server Protocol Version:   11
            Control Channel ping:      Error: authentication error
    Result:         The command failed and was not completed.

    as you can see, without getting more info.

    Thanks in advance


    Thursday, August 4, 2016 4:30 PM
  • Same error. After anniversary update TMG client "Disabled: Cannot authenticate to Forefront TMG". Help!


    Friday, August 5, 2016 6:18 AM
  • I got the same error. Happy Anniversary :(
    • Edited by P.Yonchev Friday, August 5, 2016 6:20 AM
    Friday, August 5, 2016 6:20 AM
  • Same error on isa server 2006 ! 

    The firewall client connects to the server. As soon as some application connects to the network, the firewall client disconnects from the ISA server.


    • Edited by DronM Friday, August 5, 2016 6:36 AM
    Friday, August 5, 2016 6:33 AM
  • "happy" to see that I'm not alone.

    I opened a similar thread on another forum here, where a really nice guy is trying to help me out.

    Feel free to test. I'll post in both places the results

    Thanks

    Friday, August 5, 2016 7:02 AM
  • I read this post. It's not working! 

    Andrei

    Friday, August 5, 2016 7:03 AM
  • This information is based on the Forefront TMG Product Team Blog, but it's not our decision :(

    I used ProcMon to check file access and registry errors and can't find any problem.

    Running the FwcAgent service with system service credentials does not help.

    Any ideas?


    Andrei



    • Edited by DronM Friday, August 5, 2016 7:13 AM
    Friday, August 5, 2016 7:11 AM
  • I read this post. It's not working! 

    Andrei

    I suspected that. Anyway, I'm trying to set up auditing on different folders to understand whether it could indeed be a permission issue, but I'm not sure...



    Friday, August 5, 2016 7:14 AM
  • I suspected that. Anyway, I'm trying to set up auditing on different folders to understand whether it could indeed be a permission issue, but I'm not sure...

    I used ProcMon to check file access and registry errors and can't find any access problem!


    • Edited by DronM Friday, August 5, 2016 7:16 AM
    Friday, August 5, 2016 7:16 AM
  • Yesterday I noticed that the firewall client uses a file under C:\Windows\SysWOW64\en-US (or other language) named wldap.dll.mui

    This file has changed with the update (with many others), but I don't know what its purpose is. Does anyone know?

    Friday, August 5, 2016 7:18 AM
  • Same issue with TMG 2010 and ForeFront TMG Client 7.0.7734.100
    Friday, August 5, 2016 9:08 AM
  • Mine is 7.0.7734.182, I forgot to mention.

    At the moment I'm working on a GPO to defer the updates on the other machines (hopefully).

    Friday, August 5, 2016 9:10 AM
  • c:\Program Files (x86)\Forefront TMG Client>FwcTool.exe pingserver
    FwcTool version 7.0.7734.100
    Forefront TMG Client support tool
    Copyright (c) Microsoft Corporation. All rights reserved.
    Action:         Verify Forefront TMG connectivity
        Forefront TMG Client Windows Sockets 2 Service Provider:
            DLL Name:                  FwcWsp.dll
            DLL Version:               7.0.7734
            Client Protocol Version:   11
        Forefront TMG Client Agent service:
            Forefront TMG Client Agent service is responsive
        Forefront TMG:
            Firewall Server:           my_server
            Server address:            my_server_ip_address
            Server Protocol Version:   12
            Control Channel ping:      Error: authentication error
    Result:         The command failed and was not completed.

    ICQ 11700279

    netsh winsock reset  does not help
    Friday, August 5, 2016 1:08 PM
  • Here my tests so far:

    - Running the service with a domain administrator account - NO LUCK

    - Running fwctool with a domain administrator account - NO LUCK

    - Trying to understand something else using Wireshark - NO LUCK

    - Uninstalling the Anniversary Update - UNABLE TO

    Friday, August 5, 2016 1:14 PM
  • Local group policy, Kerberos, LDAP, NTLM...

    the truth is somewhere near. 

    It looks like the situation with the new Outlook 2016 and old versions of Exchange Server.

    Encryption is not supported - live as you wish ;)


    • Edited by DronM Friday, August 5, 2016 1:55 PM
    Friday, August 5, 2016 1:53 PM
  • I just updated 2 PCs to 1607 and it's causing the firewall client to fail on my Windows 10 PCs.

    I'm running ISA 2004...

    Friday, August 5, 2016 6:13 PM
  • Welcome to the family...

    @DronM, I checked the settings of a working machine and they seem identical to mine, but I agree with you. More than policies, I was thinking about some system file handling the network authentication, but as I said, it's way over my skillset.


    Friday, August 5, 2016 7:40 PM
  • As you can see, the RWS authentication protocol is successful, see http://www.isaserver.org/articles-tutorials/configuration-general/deconstructing-forefront-threat-management-gateway-tmg-2010-firewall-client-operation-and-communication.html

    But TMG 2010 shows anonymous connections from this client.


    ICQ 11700279


    Friday, August 5, 2016 8:55 PM
  • Does anyone have an idea how to block this update in WSUS? We are still using TMG clients, and if there aren't any suggestions from MS on how to deal with the 1607 "features", I have to block it.
    Monday, August 8, 2016 11:18 AM
  • Hi

    For example with Windows Update for Business Policies...

    https://technet.microsoft.com/en-us/itpro/windows/plan/windows-update-for-business

    But that's not the solution for this post...

    Monday, August 8, 2016 11:22 AM
  • According to the Technet blog, Windows 10 Anniversary Update, also known as version 1607, is available from the Volume Licensing Service Center or from the MSDN Subscriptions Center. The Anniversary Update will become available on August 16th through the Windows Server Update Services (WSUS) or the System Center Configuration Manager.
    Also noteworthy is that Windows 10 version 1607 will become part of the Current Branch for Business sometime around December.

    ICQ 11700279

    Monday, August 8, 2016 2:32 PM
  • I was trying to do the same thing via GPO. I don't use WSUS. Computer settings / Windows settings / Windows update
    Monday, August 8, 2016 3:32 PM
  • To do this in GPO:

    in Group Policy Editor: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates -> set "Feature Updates"

    and set the delay for these updates to up to 180 days.




    • Edited by DronM Monday, August 8, 2016 3:54 PM
    Monday, August 8, 2016 3:48 PM
  • My name is Adam Rudell and I am a Network Beta Engineer for Microsoft. Can you send me network traces from client machine when reproducing the behavior, as well as the Client event viewer logs and Forefront Server logs? Feel free to email me directly at arudell at microsoft dot com and I can assist in troubleshooting/debugging the issue.

    Adam Rudell | Windows Networking Beta | Microsoft Corporation

    Monday, August 8, 2016 8:14 PM
  • Thank you for your quick response. I'm sending event logs and Network Monitor captures. Please look at the attachments. Thanks!

    Skype woody.by


    Tuesday, August 9, 2016 9:35 AM
  • My name is Adam Rudell .....

    Adam Rudell | Windows Networking Beta | Microsoft Corporation

    Hello, have you got any news? I'm attaching screenshots:

    Session from Windows 10 1607 PC:

    Session from Windows 7 PC:

    and TMG log when we get the authentication error:


    ICQ 11700279

    Wednesday, August 10, 2016 8:51 AM
  • Hi Vladimir,

    FYI.
    I was facing a similar problem. I observed that it's related to Microsoft Firewall Client 2004. Exit it, and set the proxy server setting in the browser's Internet properties. Then the network worked at my end. I am not sure whether this works for you. 

    Thanks,
    Antihero
    Thursday, August 11, 2016 2:11 AM
  • Hi, Antihero

    Yes, it works, but not for SOCKS applications :( Try, for example, an FTP connection.


    ICQ 11700279

    Thursday, August 11, 2016 7:14 AM
  • Vladimir, has anything become clear on this subject? I have the same problem with the TMG 2010 client after updating to Win10 v1607.

    Adios Amigos

    Thursday, August 11, 2016 11:37 AM
  • Absolutely nothing :( Tech support suggests going back to the previous version, citing that TMG is not compatible with Windows 10 :)

    ICQ 11700279

    Thursday, August 11, 2016 12:07 PM
  • That's what I thought it would all end with...

    This year Microsoft is cutting off old loose ends. First Exchange stopped working with the new Office versions, now TMG... All that's left is to chop down forests below 2012, so that new versions of Win 10 can't join an old AD forest...


    Andrei

    Thursday, August 11, 2016 12:11 PM
  • Oh, how sad it all got... Well, typical Microsoft... OK, thanks for the info, I'll have to roll back...

    Adios Amigos

    Thursday, August 11, 2016 12:13 PM
  • Judging by the information from MS Press and the book on the new Win 10 features, the new Win 10 update strategy is mandatory.

    It allows staying on old Feature Update builds for a maximum of 180 days, after which the new build will be installed forcibly ;)

    Versions of Win 10 below Pro install updates forcibly, with no possibility of deferral at all. So the rollback won't last long. And it's not a solution to the problem.


    Andrei



    • Edited by DronM Thursday, August 11, 2016 12:20 PM
    Thursday, August 11, 2016 12:18 PM
  • Anything useful from these fellow Russian writers? :) 
    Thursday, August 11, 2016 4:12 PM
  • Absolutely nothing useful, just talk :)

    We are waiting for Microsoft Guru ...  


    ICQ 11700279


    Thursday, August 11, 2016 8:18 PM
  • Considering that almost one week has already passed since the last message on this post, is there any feedback or solution for those who still rely on the TMG Client for specific connectivity? Is there any preview of a new TMG Client version that solves these issues in Windows 10 Anniversary? There are many companies, like mine, that still rely on TMG servers/clients to access the internet and will still rely on this solution in the future.

    Thank you

    Wednesday, August 17, 2016 11:30 AM
  • My name is Adam Rudell and I am a Network Beta Engineer for Microsoft. Can you send me network traces from client machine when reproducing the behavior, as well as the Client event viewer logs and Forefront Server logs? Feel free to email me directly at arudell at microsoft dot com and I can assist in troubleshooting/debugging the issue.

    Adam Rudell | Windows Networking Beta | Microsoft Corporation

    Hi Adam,

    Any update related to this issue? Any solution or perspective to solve this problem for the ones that still rely on the TMG Server/Client solution?

    Thank you

    Wednesday, August 17, 2016 11:35 AM
  • I have a bug filed with the product group, however no update as of yet. The tricky situation regarding TMG is that mainstream support ended in 2015 as there is no further development being done on the product.

    https://support.microsoft.com/en-us/lifecycle/search/default.aspx?alpha=forefront%20&Filter=FilterNO&wa=wsignin1.0


    Adam Rudell | Windows Networking Beta | Microsoft Corporation

    Wednesday, August 17, 2016 11:55 AM
  • Hi Adam,

    I understand what you mentioned about TMG mainstream support but extended support ends in 2020.

    The company I work for has access to Premier support, question is: would it be worth piggybacking on your filed bug report? Or do we simply add to the list of people affected by this by creating a ticket with Premier Support?

    Regards,

    Andy


    • Edited by Andy Mena Thursday, August 18, 2016 3:24 AM
    Thursday, August 18, 2016 3:23 AM
  • I have a bug filed with the product group, however no update as of yet. The tricky situation regarding TMG is that mainstream support ended in 2015 as there is no further development being done on the product.

    https://support.microsoft.com/en-us/lifecycle/search/default.aspx?alpha=forefront%20&Filter=FilterNO&wa=wsignin1.0


    Adam Rudell | Windows Networking Beta | Microsoft Corporation

    Hi Adam,

    I understand that. And the end of support is giving problems to category filtering in TMG server. But that is for the product itself, server side. 

    And for those that are still in the position to analyse the market for an alternate solution and need to have TMG Server for a couple of months before a full migration? This is a client issue, not a server-side issue, for a client that has not been updated since 2011.

    It's funny that Microsoft likes to push everyone, home and enterprise customers, to the new and very best version, but then gives this kind of support for their products.

    I'm just expecting Microsoft to admit that it will not correct the client issue, to justify to my management that we'll restart the Windows 7 implementation and stall the Windows 10 update.

    Thursday, August 18, 2016 10:27 AM
  • We get the same issue and are stalling the Windows 10 update indefinitely...

    Сазонов Илья

    https://isazonov.wordpress.com/

    Friday, August 19, 2016 8:20 AM
  • That would be entirely your call; however, since the product group is already aware, there may not be much for support teams to do other than collect logs/data, which I would just reach out to you to collect anyway.

    I am working with them to reproduce and root-cause the issue. I will let you know as soon as we have something figured out.

    If you don't mind, please provide exact server/client configuration settings you have in your environment. We did a rough test using TMG Client 7.0.7734.182 and upgrading from TH2 > RS1, however we did not hit any problems.


    Adam Rudell | Windows Networking Beta | Microsoft Corporation

    Friday, August 19, 2016 6:10 PM
  • I agree. I am just providing some details for context, but want to reassure you that we are still working and looking into the issue. As I indicated just above, we are working on internal repro and having some issues reproducing. If you can provide exact configuration details for Client/Server, that would be appreciated.

    Feel free to contact me directly at arudell at microsoft dot com if you don't want to provide configuration details on this forum. Thanks!


    Adam Rudell | Windows Networking Beta | Microsoft Corporation

    Friday, August 19, 2016 6:13 PM
  • Hi Adam,

    sorry for my late answer.

    I'm collecting some logs to send you via email, please tell me if you need further information.

    Thanks

    Renato

    Monday, August 22, 2016 7:41 AM
  • Add me to this list ....


    Monday, August 22, 2016 5:54 PM
  • We have exactly same issue. Hope MS fix it ASAP as it is already causing problems.

    BTW what a shame, MS left their best product to date, Microsoft TMG 2010... So sad!

    Monday, August 22, 2016 7:00 PM
  • I have the same problem.
    Tuesday, August 23, 2016 4:54 AM
  • I found some indication that WiFiTask.exe deals with encryption: MD5, SHA1, and SHA256.

    Here is a link.

    Tuesday, August 23, 2016 5:09 AM
  • I found this Microsoft website relevant to your Event ID 2 from Forefront TMG Client.
    Tuesday, August 23, 2016 5:20 AM
  • TMG Client 7.0.7734.186 (and TMG Client 7.0.7734.182 ) and Windows 10 14905 - the issue persists after TMG Client reinstall. The client does not have additional settings.

    Сазонов Илья

    https://isazonov.wordpress.com/

    Tuesday, August 23, 2016 11:52 AM
  • I was not able to resolve the issue.
    Tuesday, August 23, 2016 11:29 PM
  • New info.

    I have here at least one workstation with Windows 10 1607 where the TMG client is working correctly! I will try to see the difference between this workstation and the others where it isn't working. When I find something I will update here.

    Wednesday, August 24, 2016 5:12 PM
  • Guys, it's working again on all Windows 10 1607! 

    What have I done?

    Installed updates on TMG 2010 and rebooted it. After it started, the TMG client started to work as intended on all Win10 1607! 

    These were the updates installed on TMG 2010 running on Windows Server 2008 R2:

    KB3170455
    KB3175443
    KB3167679
    KB3172605
    KB3168965
    KB3115109
    KB3178034
    KB3163245
    KB3177725
    KB3177723
    KB3179573

    Good luck. Hope this is also the solution for you guys.

    Wednesday, August 24, 2016 5:27 PM
  • It should be related to one of these :

    • https://support.microsoft.com/en-us/kb/3167679
    • https://support.microsoft.com/en-us/kb/3172605
    • https://support.microsoft.com/en-us/kb/3168965
    • https://support.microsoft.com/en-us/kb/3177725
    • https://support.microsoft.com/en-us/kb/3179573


    Wednesday, August 24, 2016 5:48 PM
  • We have all of those patches, and the current TMG 2010 rollup in place (SP2 Rollup 5, v7.0.9193.644), and it's still not working for the user with the Windows 10 Anniversary Update that I've been able to check with, including a restart of the TMG Client Agent service on their computer.

    Thursday, August 25, 2016 5:47 AM
  • Did you restart the tmg server itself? I didn't restart the agent, i restarted the server.
    Thursday, August 25, 2016 12:44 PM
  • Same problem. All patches installed and Windows 10 1607 clients not working.
    Thursday, August 25, 2016 2:05 PM
  • We also have two TMG servers. The first one, after the restart and the patch installation, started to work correctly. The other one is still giving the same authentication error in the Windows 10 1607 TMG client.

    So I am going to install the updates and restart this one too, and see if the behaviour is identical to the previous one and it starts to work, as happened with the first one.

    I'll keep you guys informed.

    Thursday, August 25, 2016 2:06 PM
  • Ok, this is getting weirder.

    My first TMG server is working as it should regarding TMG client authentication from Windows 10 1607 clients. Before, it didn't work either; it started working yesterday after what I described before.

    I did exactly the same thing on the other TMG server (same version, same updates) and... TMG client authentication from Windows 10 1607 clients STILL ISN'T WORKING on this other TMG server.

    So I have two similar TMG servers, both had the problem, then the first resolved (and now I am not sure what made it start working as intended again...) and the second still has the problem.

    So, this is really weird stuff. What we can be sure of is that there is a way for the TMG client to work as intended on Windows 10 1607. I will continue to analyse and see what the difference between my 2 TMG servers can be that makes one work and the other still not work.

    I will keep you informed.


    • Edited by Vonpire Thursday, August 25, 2016 3:57 PM
    Thursday, August 25, 2016 3:56 PM
  • So here is the info from the FWCTOOL PINGSERVER from same windows 10 1607 client :

    Against working tmg server :

    FwcTool version 7.0.7734.100
    Forefront TMG Client support tool
    Copyright (c) Microsoft Corporation. All rights reserved.

    Action:         Verify Forefront TMG connectivity

        Forefront TMG Client Windows Sockets 2 Service Provider:

            DLL Name:                  FwcWsp.dll
            DLL Version:               7.0.7734
            Client Protocol Version:   11

        Forefront TMG Client Agent service:

            Forefront TMG Client Agent service is responsive

        Forefront TMG:

            Firewall Server:           TMG2***.A************A.PT
            Server address:            192.168.**.***
            Server Protocol Version:   12
            Control Channel ping:      OK

    Result:         The command completed successfully.

    Against NOT working tmg server :

    FwcTool version 7.0.7734.100
    Forefront TMG Client support tool
    Copyright (c) Microsoft Corporation. All rights reserved.

    Action:         Verify Forefront TMG connectivity

        Forefront TMG Client Windows Sockets 2 Service Provider:

            DLL Name:                  FwcWsp.dll
            DLL Version:               7.0.7734
            Client Protocol Version:   11

        Forefront TMG Client Agent service:

            Forefront TMG Client Agent service is responsive

        Forefront TMG:

            Firewall Server:           TMGS***.A*************A.PT
            Server address:            192.168.**.***
            Server Protocol Version:   12
            Control Channel ping:      Error: authentication error

    Result:         The command failed and was not completed.

    So, I don't get it, really.

    Thursday, August 25, 2016 5:17 PM
  • Dear Vonpire,

    Are you sure you do not use SecureNAT rules for this client on the first TMG server?

    Friday, August 26, 2016 10:29 AM
  • 200% sure. It's working with the firewall client. The second one is still not working.
    Friday, August 26, 2016 11:48 AM
  • And what rules have you defined on this server?
    Friday, August 26, 2016 12:04 PM
  • Almost the same on the two.

    I didn't change the rules at all.

    And for the record, the second TMG server also works with all workstation OSes except Windows 10 version 1607.

    Friday, August 26, 2016 6:30 PM
  • Hi to all. We have the same problem. Has anyone opened a case with MS?
    Monday, August 29, 2016 8:21 AM
  • This 1607 "anniversary" edition is so full of bugs that they'll have to correct it anyway. Worst MS Update EVER!

    Monday, August 29, 2016 1:36 PM
  • TMG server Updated (All Updates) and TMG Client to the latest version (including latest Hotfix to client version 186) and...  authentication failure 
    Monday, August 29, 2016 8:06 PM
  • I really don't know now how I managed to get it working with our first TMG server, but the truth is that it's working. With the other, no luck at all though.

    There are two differences between my 2 TMGs: the one that's working has 3 NICs (one for the internal LAN, another for the WiFi LAN, and the external one) and is Enterprise Edition. The one that's not working has only 2 NICs and is Standard.

    But I guess that has nothing to do with it.

    Poor us, who managed to upgrade to that dreaded and bugged 1607...


    • Edited by Vonpire Tuesday, August 30, 2016 1:49 PM
    Tuesday, August 30, 2016 1:00 PM
  • Still nothing from Microsoft until now. No solution, buggy software and a buggy operating system.

    I have updated my TMG servers to the last patch level and KB available. Updated my TMG client to the last patch level, still nothing. Authentication error to the TMG server and Event 2 messages for each app that tries to use the TMG client to connect to the internet.

    Microsoft at its best. Just waiting for the information that they will not support this issue, despite the fact that they created it.

    Wednesday, August 31, 2016 9:16 AM
  • Vonpire,

    Anyway, could you share information about the rules? I would like to make some tests in my environment.

    Wednesday, August 31, 2016 1:24 PM
  • Which kind of information, more specifically, do you want?
    Wednesday, August 31, 2016 2:12 PM
  • I would appreciate it if you specified all parameters of the rule that allows packets from the client (if you have more than one rule, I suppose you are sure which rule actually does it). Or, better, please export this rule and share it.
    Wednesday, August 31, 2016 3:17 PM
  • There is no specific rule for TMG client communication on port 1745 (the control channel of the TMG client).

    But I can send you the logs of connections from the same Windows 10 1607 client on the TMG that works and on the one that doesn't work:

    From the one that works:

    First Record

    Client IP - 192.168.x.x ; Destination IP - The internal LAN IP of TMG ; Destination Port - 1745 ; Protocol - Forefront TMG Client (TCP) ;

    Action - Connection Status ; Rule - NONE (blank) ; Result Code - 0x0 Success ; Source Network - Internal ; Destination Network - Local Host ; Bytes Received - 122550 ; Bytes Sent - 124504 ; Source Port - 2861 ; Status - The operation completed successfully.

    Second Record

    Client IP - 192.168.x.x ; Destination IP - The internal LAN IP of TMG ; Destination Port - 1745 ; Protocol - Forefront TMG Client (TCP) ;

    Action - Initiated Connection ; Rule - NONE (blank) ; Result Code - 0x0 Success ; Source Network - Internal ; Destination Network - Local Host ; Bytes Received - 0 ; Bytes Sent - 0 ; Source Port - 24065 ; Status - The operation completed successfully.

    Third Record

    Client IP - 192.168.x.x ; Destination IP - The internal LAN IP of TMG ; Destination Port - 1745 ; Protocol - Forefront TMG Client (TCP) ;

    Action - Closed Connection ; Rule - NONE (blank) ; Result Code - 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN ; Source Network - Internal ; Destination Network - Local Host ; Bytes Received - 814 ; Bytes Sent - 1941 ; Source Port - 24065 ; Status - A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.

    From the one that DOESN'T work with Win 10 1607:

    First Record

    Client IP - 192.168.x.x ; Destination IP - The internal LAN IP of TMG ; Destination Port - 1745 ; Protocol - Forefront TMG Client (TCP) ;

    Action - Initiated Connection ; Rule - NONE (blank) ; Result Code - 0x0 Success ; Source Network - Internal ; Destination Network - Local Host ; Bytes Received - 122550 ; Bytes Sent - 124504 ; Source Port - 24160 ; Status - The operation completed successfully.

    Second Record

    Client IP - 192.168.x.x ; Destination IP - The internal LAN IP of TMG ; Destination Port - 1745 ; Protocol - Forefront TMG Client (TCP) ;

    Action - Closed Connection ; Rule - NONE (blank) ; Result Code - 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN ; Source Network - Internal ; Destination Network - Local Host ; Bytes Received - 5248 ; Bytes Sent - 293 ; Source Port - 24160 ; Status - A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.

    Third Record

    Client IP - 192.168.x.x ; Destination IP - The internal LAN IP of TMG ; Destination Port - 1745 ; Protocol - Forefront TMG Client (TCP) ;

    Action - Initiated Connection ; Rule - NONE (blank) ; Result Code - 0x0 Success ; Source Network - Internal ; Destination Network - Local Host ; Bytes Received - 0 ; Bytes Sent - 0 ; Source Port - 24167 ; Status - The operation completed successfully.

    Fourth Record

    Client IP - 192.168.x.x ; Destination IP - The internal LAN IP of TMG ; Destination Port - 1745 ; Protocol - Forefront TMG Client (TCP) ;

    Action - Closed Connection ; Rule - NONE (blank) ; Result Code - 0x80074e21 FWX_E_ABORTIVE_SHUTDOWN ; Source Network - Internal ; Destination Network - Local Host ; Bytes Received - 1298 ; Bytes Sent - 3196 ; Source Port - 24167 ; Status - A connection was abortively closed after one of the peers sent an RST packet.

    From the SAME one with any other Win 10 version (1511 specifically):

    First Record

    Client IP - 192.168.x.x ; Destination IP - The internal LAN IP of TMG ; Destination Port - 1745 ; Protocol - Forefront TMG Client (TCP) ;

    Action - Initiated Connection ; Rule - NONE (blank) ; Result Code - 0x0 Success ; Source Network - Internal ; Destination Network - Local Host ; Bytes Received - 0 ; Bytes Sent - 0 ; Source Port - 55710 ; Status - The operation completed successfully.

    Second Record

    Client IP - 192.168.x.x ; Destination IP - The internal LAN IP of TMG ; Destination Port - 1745 ; Protocol - Forefront TMG Client (TCP) ;

    Action - Closed Connection ; Rule - NONE (blank) ; Result Code - 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN ; Source Network - Internal ; Destination Network - Local Host ; Bytes Received - 1772 ; Bytes Sent - 5374 ; Source Port - 55710 ; Status - A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.


    • Edited by Vonpire Wednesday, August 31, 2016 4:50 PM
    Wednesday, August 31, 2016 4:48 PM
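The log excerpts above are the most useful artefact in this thread: on the failing server the firewall-client control channel on TCP 1745 is torn down with FWX_E_ABORTIVE_SHUTDOWN (an RST after the authentication exchange) and the client loops, while on the working server the same client's outbound request is logged with a Client Username. The following Python script is an added example, not code from the thread or from Microsoft. It parses records written in the "Field - Value ; Field - Value" layout quoted above, pairs each 1745 session's Initiated/Closed records by client IP and source port, and reports per client whether it authenticated or is stuck in the reset loop. The IPs, ports, user name and byte counts in SAMPLE_LOG are constructed for the example.

```python
"""Classify Forefront TMG firewall-client control-channel sessions from TMG log records.

Added example, not code from the original thread.  The records mimic the
"Field - Value ; Field - Value" layout of the TMG log excerpts quoted above;
every sample record below is constructed for the example, not a real capture.
"""
import re
from collections import defaultdict

FWC_CONTROL_PORT = "1745"  # Firewall Client control channel: TCP 1745 to the TMG internal IP

# Constructed records (assumed IPs, ports, user name and byte counts):
#   192.168.10.21 - control channel closes gracefully and an HTTPS request is
#                   logged with a Client Username, i.e. the client authenticated
#   192.168.10.22 - every control-channel session ends with an RST
#                   (FWX_E_ABORTIVE_SHUTDOWN) and no authenticated traffic follows
SAMPLE_LOG = """\
Client IP - 192.168.10.21 ; Destination IP - 192.168.10.1 ; Destination Port - 1745 ; Protocol - Forefront TMG Client (TCP) ; Action - Initiated Connection ; Rule - ; Result Code - 0x0 Success ; Source Port - 24065
Client IP - 192.168.10.21 ; Destination IP - 192.168.10.1 ; Destination Port - 1745 ; Protocol - Forefront TMG Client (TCP) ; Action - Closed Connection ; Rule - ; Result Code - 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN ; Bytes Received - 814 ; Bytes Sent - 1941 ; Source Port - 24065
Client IP - 192.168.10.21 ; Destination IP - 62.0.0.57 ; Destination Port - 443 ; Protocol - HTTPS ; Action - Initiated Connection ; Rule - Allow external access for all users ; Result Code - 0x0 Success ; Client Username - user1 ; Source Port - 50069
Client IP - 192.168.10.22 ; Destination IP - 192.168.10.1 ; Destination Port - 1745 ; Protocol - Forefront TMG Client (TCP) ; Action - Initiated Connection ; Rule - ; Result Code - 0x0 Success ; Source Port - 24167
Client IP - 192.168.10.22 ; Destination IP - 192.168.10.1 ; Destination Port - 1745 ; Protocol - Forefront TMG Client (TCP) ; Action - Closed Connection ; Rule - ; Result Code - 0x80074e21 FWX_E_ABORTIVE_SHUTDOWN ; Bytes Received - 1298 ; Bytes Sent - 3196 ; Source Port - 24167
Client IP - 192.168.10.22 ; Destination IP - 192.168.10.1 ; Destination Port - 1745 ; Protocol - Forefront TMG Client (TCP) ; Action - Initiated Connection ; Rule - ; Result Code - 0x0 Success ; Source Port - 24168
Client IP - 192.168.10.22 ; Destination IP - 192.168.10.1 ; Destination Port - 1745 ; Protocol - Forefront TMG Client (TCP) ; Action - Closed Connection ; Rule - ; Result Code - 0x80074e21 FWX_E_ABORTIVE_SHUTDOWN ; Bytes Received - 1298 ; Bytes Sent - 3196 ; Source Port - 24168
"""

# "Field - Value": field names are letters and spaces only, values may be empty
FIELD_RE = re.compile(r"\s*([A-Za-z ]+?)\s*-\s*(.*?)\s*$")


def parse_records(text):
    """Split each non-empty line into a {field: value} dict; an empty Rule yields ''."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = {}
        for part in line.split(";"):
            m = FIELD_RE.match(part)
            if m:
                rec[m.group(1)] = m.group(2)
        records.append(rec)
    return records


def control_channel_sessions(records):
    """Group TCP 1745 records by (client IP, source port) so that each session's
    'Initiated Connection' and 'Closed Connection' records sit together."""
    sessions = defaultdict(dict)
    for rec in records:
        if rec.get("Destination Port") == FWC_CONTROL_PORT:
            key = (rec.get("Client IP"), rec.get("Source Port"))
            sessions[key][rec.get("Action")] = rec
    return sessions


def diagnose(records):
    """Return {client IP: verdict}.

    A client whose non-control-channel traffic carries a Client Username did
    authenticate.  A client that never gets that far and whose 1745 sessions end
    with FWX_E_ABORTIVE_SHUTDOWN is in the reconnect loop described in the thread.
    """
    aborted = defaultdict(int)
    for (ip, _port), sess in control_channel_sessions(records).items():
        code = sess.get("Closed Connection", {}).get("Result Code", "")
        if "FWX_E_ABORTIVE_SHUTDOWN" in code:
            aborted[ip] += 1
    authenticated = {
        r.get("Client IP") for r in records
        if r.get("Destination Port") != FWC_CONTROL_PORT and r.get("Client Username")
    }
    verdict = {}
    for ip in sorted({r.get("Client IP") for r in records}):
        if ip in authenticated:
            verdict[ip] = "authenticated"
        elif aborted[ip]:
            verdict[ip] = (f"control-channel auth failure ({aborted[ip]} session(s) on "
                           f"{FWC_CONTROL_PORT} closed by RST, no authenticated traffic)")
        else:
            verdict[ip] = "no authenticated traffic seen"
    return verdict


if __name__ == "__main__":
    for ip, result in diagnose(parse_records(SAMPLE_LOG)).items():
        print(f"{ip}: {result}")
```

Feed it an export of the Firewall log filtered to the client in question; pairing by source port is what separates a healthy session (graceful FIN) from the reset loop, since the Initiated records on the failing server look identical to the working one.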
  • Vonpire,

    thank you very much. Did you make the same test for "client" -> "external internet" requests from the same client? I'm very interested in the rule that allows such outbound packets on the 1st TMG server. That's why I asked for the rule parameters.

    Thursday, September 1, 2016 9:30 AM
  • No problem.

    The thing here is that I didn't change any access rule from internal to external at all. And they are identical on both TMGs.

    And the problem is with the TMG firewall client control-channel authentication. It's now a mystery, even for me, how I managed to get it working with this TMG server and I can't do the same with the other. It should be a case study.

    There's another thing I did besides installing the updates and restarting the server. I had to do that in order to change the NIC for external from a 100 Mbps to a 1000 Mbps one. So I installed the updates, shut down the TMG, physically changed the NIC and then installed drivers for the new NIC and reconfigured it exactly identical to the previous one. I didn't uninstall (in Device Manager) the previous one before the change, I only changed IPv4 to get settings via DHCP, so that Windows wouldn't give the message saying that another adapter was assigned the external IP.

    But I refuse to believe that this procedure had anything to do with the fact that the TMG client started working on this TMG with Windows 10 1607. It would be too surreal for a rational mind to believe it.

    But if any of you guys are willing to give this a try, then go for it. It would be a real big LOL if this thing was the "cure" for this stupid authentication error.

    BTW, I installed the new update for Windows 10 1607 that came out today and it doesn't resolve this issue. It still works with the first and not with the second TMG.

    I will do the logging for traffic sent to external out of the TMG client on Windows 10 1607 through both TMGs and will post here.

    Thursday, September 1, 2016 4:15 PM
  • Here it is :

    From working tmg server from win10 1607 tmg client :

    Client IP - 192.168.x.x ; Destination IP - www.f*****.pt (62.**.***.57) ; Destination Port - 443 ; Protocol - HTTPS ;

    Action - Initiated Connection ; Rule - Allow external access for all users ; Result Code - 0x0 Success ; Client Username : Rodrigo.F**** (?) ; Source Network - Internal ; Destination Network - External ;  Source Port - 50069 ; Status - The Operation Completed successfully .

    From NOT working tmg server from win10 1607 tmg client :

    Stays in LOOP with the previous :

    Client IP - 192.168.x.x ; Destination IP - The internal LAN IP of tmg ; Destination Port - 1745 ; Protocol - Forefront TMG Client (TCP) ;

    Action - Initiated Connection ; Rule - NONE (blank) ; Result Code - 0x0 Success ; Source Network - Internal ; Destination Network - Local Host ; Bytes Received - 0 ; Bytes Sent - 0 ; Source Port - 24167 ; Status - The Operation Completed successfully .

    Client IP - 192.168.x.x ; Destination IP - The internal LAN IP of tmg ; Destination Port - 1745 ; Protocol - Forefront TMG Client (TCP) ;

    Action - Closed Connection ; Rule - NONE (blank) ; Result Code - 0x80074e21 FWX_E_ABORTIVE_SHUTDOWN ; Source Network - Internal ; Destination Network - Local Host ; Bytes Received - 1298 ; Bytes Sent - 3196 ; Source Port - 24167 ; Status - A connection was abortively closed after one of the peers sent an RST packet. 


    Thursday, September 1, 2016 5:02 PM
  • Any official solution from microsoft? All our company is having problems connecting to email and other stuff because forefront stopped working after update 1607.
    Monday, September 5, 2016 7:53 AM
  • Vonpire,

    thank you again. Please specify what exactly is in Users tab in the rule on the 1st TMG server?

    Monday, September 5, 2016 11:50 AM
  • All Users in rule

    In the log it's the AD account name.  I put **** just to obfuscate 

    • Edited by Vonpire Thursday, September 22, 2016 12:52 PM
    Monday, September 5, 2016 2:12 PM
  • Hi guys,

    Has anyone tried to install KB3176938 on Windows 10 1607? Does it help?

    Wednesday, September 7, 2016 8:38 AM
  • Doesn't help
    Wednesday, September 7, 2016 5:25 PM
  • Hi Adam

    Are you guys doing something about this issue? It's been some weeks already.

    Thanks

    Friday, September 9, 2016 7:13 AM
  • Same issue
    Saturday, September 10, 2016 5:05 AM
  • It's been 1 1/2 months & still no solution?
    Wednesday, September 14, 2016 9:21 AM
  • It looks like there's not much interest in resolving this issue.
    Wednesday, September 14, 2016 1:38 PM
  • It looks like there's not much interest in resolving this issue.
    That's true. I've been saying that for more than a month! Maybe they want us to invest thousands of dollars in new network solutions because they know that we remain Microsoft customers
    Wednesday, September 14, 2016 8:50 PM
  • If I only understood how I managed to put my first tmg working again. The truth is at this point the only thing I think of is the change of network adapter, but that's so irrational, that I refuse to believe in it...

    Microsoft, shame on you and that horrible 1607 version!

    Thursday, September 15, 2016 11:06 AM
  • Could you tell me the version that is shown in the working TMG?  I want to check mine to see if it is at the same patch level.  The latest seems to be 7.0.9193.644 (?)

    • Edited by eihoward Tuesday, September 20, 2016 5:38 PM
    Tuesday, September 20, 2016 5:35 PM
  • Could you tell me the version that is shown in the working TMG?  I want to check mine to see if it is at the same patch level.  The latest seems to be 7.0.9193.644 (?)

    yes - this latest one, but it doesn't work (after installing 1607 on clients)

    http://social.technet.microsoft.com/wiki/contents/articles/1995.microsoft-forefront-threat-management-gateway-tmg-list-of-build-numbers.aspx


    Wednesday, September 21, 2016 5:47 AM
  • Working TMG Version :

    Forefront Threat Management Gateway ENTERPRISE

    Microsoft Corporation

    Version: 7.0.9193.500 

    Non-Working TMG Version :

    Forefront Threat Management Gateway STANDARD

    Microsoft Corporation

    Version: 7.0.9193.500 

    Yup, that's correct, same version on both, it works on the first and not on the second.

    No idea why since I do exactly the same on both and the second still has the same problem as all you guys have, and the first , that also had the same problem, after the update installs and nic change started working.

    Have no clue now.

    Rules are similar on both tmg's, system policies also, patches also, group policy rules also...

    • Edited by Vonpire Thursday, September 22, 2016 12:44 PM
    Thursday, September 22, 2016 12:41 PM
  • Working TMG Version :

    Forefront Threat Management Gateway ENTERPRISE

    Microsoft Corporation

    Version: 7.0.9193.500 

    Non-Working TMG Version :

    Forefront Threat Management Gateway STANDARD

    Microsoft Corporation

    Version: 7.0.9193.500 

    Yup, that's correct, same version on both, it works on the first and not on the second.

    No idea why since I do exactly the same on both and the second still has the same problem as all you guys have, and the first , that also had the same problem, after the update installs and nic change started working.

    Have no clue now.

    Rules are similar on both tmg's, system policies also, patches also, group policy rules also...

    Which NIC have you changed/reinstalled? In The TMG server or on the client? I suppose that is on the server, but just to confirm
    Friday, September 23, 2016 9:19 AM
  • On the tmg server.
    Monday, September 26, 2016 4:00 PM
  • solution has been found?
    I have the same problem
    Monday, October 3, 2016 7:10 AM
  • Me too.

    Hope some one will bring the good news...

    Monday, October 3, 2016 8:34 AM
  • I have this issue too since the Anniversary update with TMG 2010.
    Tuesday, October 4, 2016 9:31 AM
  • I have this issue too.

    http://zalozny.com.ua


    Tuesday, October 4, 2016 10:57 AM
  • Issue's still there, waiting for Microsoft update.
    Wednesday, October 5, 2016 2:36 AM
  • Sorry for the delay in getting back to you on this. I have been having discussions with multiple teams in the product group to try and get to the root cause.

    We have done numerous tests on our end using TMG Forefront Client 7.0.7734.1000 using both a clean build and upgrade scenario and we have been unable to reproduce the issue when connecting to TMG 2010 (fully patched) on a Server 2008 R2 server (fully patched) through multiple test passes.

    In discussions with the Forefront team, they advised that TMG Forefront Client has not been tested on Windows 10 and that it's an unsupported scenario. Even if it was a code defect in the Forefront client application, it would not be fixed unless it could be reproduced on a supported client operating system. Please refer to https://technet.microsoft.com/en-us/library/809f5f85-bb34-434b-8749-4a77e6e6b9cb for more information.

    I am still trying to do some testing on my end and loop in resources to see if this might be due to a configuration issue or setting somewhere, so I will keep going that route.


    Adam Rudell | Windows Networking Beta | Microsoft Corporation

    Thursday, October 6, 2016 2:11 PM
  • Same problem here.

    We use version 7.0.9193.500 too.

    Why do you use version 7.0.7734.1000 for your testing?

    _____________________________

    Nico Stueber

    Thursday, October 6, 2016 2:44 PM
  • Hi Adam!

    You should build a domain server and join TMG 2010 Server to this domain server, make a Rule to Internet with condition is only Domain Users, you will see error Disabled: Cannot authenticate to Forefront TMG in TMG Client. Please fix this soon!

    Sunday, October 9, 2016 9:27 AM
  • So the team is basically saying FU to all of us and spend 1000000$ in new solution? Thanks Microsoft!
    Monday, October 10, 2016 7:13 AM
  • Same problem here.

    We use version 7.0.9193.500 too.

    Why do you use version 7.0.7734.1000 for your testing?

    _____________________________

    Nico Stueber

    This is last version of the TMG Forefront Client, not server.

    If someone's answer helped you, please don't forget to click the "Propose as answer" or "Mark as answer" button.

    http://zalozny.com.ua


    Monday, October 10, 2016 10:29 AM
  • Hi Adam,

    I guess there is no sense in testing that is not related to the issue. I believe you will never find this issue in officially supported environment.
    Please try to test the issue in described environment. TMG 2010 client does not work properly any more after MS released Windows 10 AU.

    Wednesday, October 12, 2016 11:24 AM
  • Hi Adam!

    Let me formulate the problem with the Forefront TMG client for you:

    Fact1 - there is NOT a single problem with connectivity between FF TMG client and FF TMG2010 when the client is running on win XP/Vista/7/8/8.1 - everything works fine.

    Fact2 - FF TMG client DOES work FINE on the GOLD release of Win 10 (original build Version 10.0.10240).

    Fact3 - FF TMG client DOESN'T work on the builds starting from Win 10 Anniversary Edition and later (build 10.0.14393 and on).

    Fact4 - any further win 10 upgrades do not solve the problem - currently I am running win10 build 10.0.14393.222 and the problem still exists.

    Our company is running FF TMG2010 Standard x64 SP2 Rollup5 fully patched (Version: 7.0.9193.644) on WS 2008R2 SP1 fully patched in the large domain environment. All FF TMG clients are patched (Version 7.0.7734.186). Users with win Vista/7/8.1 do NOT experience any problem. Two users, running original release version of win 10 PRO (gold build Version 10.0.10240) - are also using TMG client without any problem.

    And only I and some of my colleagues (about 5 people), who had upgraded their desktops with the Anniversary Update, were HAVING PROBLEMS with TMG client connectivity to our proxy-server. When we try to activate the TMG client, the green arrow doesn't appear on the client icon, any internet traffic cuts off and some time later the client is disabled again. There are messages in the client's log [Control Channel ping:      Error: authentication error Result:         The command failed and was not completed.]

    So, the problem is about work of FF TMG client on the new builds of Windows 10 only, starting from the Anniversary Update.

    Thanks for your help!

    Friday, October 14, 2016 9:53 AM
  • We too have the same issue, 'cannot authenticate for ForeFront TMG', only Windows 10 1607 having the problem, running TMG 2010 on 2008R2.
    Friday, October 21, 2016 1:02 PM
  • Same error here, latest CU doesn't fix it. Microsoft, this needs addressing!
    Thursday, October 27, 2016 10:19 PM
  • +1

    Microsoft, we need your participation in the solution of this problem.

    Friday, October 28, 2016 9:17 AM
  • Hi guys!

    Great news are coming today! FF TMG2010 client functionality is back again!

    MS released a new update for win10.1607 (KB3197954) today, and the TMG client started to  work, as it was supposed to be !!! The build is 10.0.14393.351 now

    I didn't change anything in the settings, just installed this update, rebooted and voilà! Everything is fine!

    Thank you MS! You heard us , at least :)


    Friday, October 28, 2016 5:26 PM
  • Here is the link to offline standalone CABs and MSUs of that KB:

    http://thewincentral.com/download-windows-10-build-14393-351-iso-kb3197954-kb3199986-kb3201860-cab-files/

    Friday, October 28, 2016 5:29 PM
  • Hi,

    Here, I installed the update, changed nothing, but I still have the error.

    Just to inform.

    Saturday, October 29, 2016 4:33 PM
  • Hi,

    same problem still exist.

    Update doesn't work for us :-(

    Monday, October 31, 2016 9:43 AM
  • I don't know why or how, but the solution that Serge has described IS NOT RELATED to last week's update on Windows 10. Also, the update description doesn't say anything that could be related to this problem.

    So, still the same problem and error at this time.

    Monday, October 31, 2016 2:39 PM
  • I don't know why or how, but the solution that Serge has described IS NOT RELATED to last week's update on Windows 10. Also, the update description doesn't say anything that could be related to this problem.

    So, still the same problem and error at this time.

    Yup, I confirm!

    It's almost the same thing that happened to me.

    Still a mystery, but I told you guys it's possible for tmg client 2010 to work on windows 1607, just we don't know how or why!

    It appears to be totally random.

    lol

    Monday, October 31, 2016 7:24 PM
  • Hi guys again!

    My colleague had successfully installed the update, which i'd mentioned earlier, and his TMG client started working too. I made a screenshot from my desktop to confirm the work of client:

    What I can say about the work of the client: the connection between the client and TMG server takes a bit longer - about a minute vs. some seconds before the Anniversary Update.

    Tuesday, November 1, 2016 11:57 AM
  • I just built a brand new clean domain using the following steps, and I cannot reproduce.

    1. Built Server 2016 domain controller

    2. Built two client OS systems, Windows 10 LTSB 2015 and Windows 10 CBB 1607

    3. Deployed Server 2008 R2 + all updates and installed TMG 2010 7.0.7734.100 using default settings. Have a default Web Access Policy to allow all domain users access to the internet from internal network.

    4. Copied the MS_FWC.msi from the TMG Server 2010 media and installed on Windows 10 clients (TH1 LTSB and RS1 CBB) and ran default configuration setup and pointed the clients to IP address of my TMG server.

    5. Ran .\fwctool.exe pingserver from both client machines and both were successful with no errors.

    This is matching up with multiple attempts the product group performed in order to test this scenario. I am working on applying SP1 right now for TMG 2010 to see if any change in behavior, but this is appearing to be due to configuration issue in your environments. Can someone who is able to reproduce consistently and has access to both clients and TMG server reach out to me via my email, arudell at microsoft dot com, so I can work on gathering some more data?


    Adam Rudell | Windows Networking Beta | Microsoft Corporation

    Tuesday, November 1, 2016 5:24 PM
  • Hi Arudell,

    Thanks for your help, information and cooperation.

    In fact, I can confirm that nothing was changed in our environment and I can confirm that the TMG client stopped working just after the Anniversary Update and not otherwise. Also, several people report that it worked with Windows 10 installed before the update to the Anniversary Update. So, something in the upgrade package is related to this issue.

    As soon as I have the possibility I'll test the same approach as in your test lab. Also, please share with us the testing procedures for the trace that you need and I'll do it as soon as possible.

    Also, please send a procedure to check if RC4 is active or not.

    Wednesday, November 2, 2016 12:16 PM
  • Hi and Thanks Adam,

    your post gave me the hints to solve this issue for me. I did some research on google and found this post
    https://blogs.msdn.microsoft.com/openspecification/2011/05/30/windows-configurations-for-kerberos-supported-encryption-type/

    I did two things:

    "msDS-SupportedEncryptionTypes" is now set to "24" instead of "28" on my computer's account in active directory. After that the TMG-Client works again.

    I also changed the user account encryption type like described in this article.

    Regards
    Marco

    Thursday, November 3, 2016 4:03 PM
  • Awesome to hear! So your TMG clients running on RS1 are now working?

    Adam Rudell | Windows Networking Beta | Microsoft Corporation

    Thursday, November 3, 2016 9:34 PM
  • Hi and Thanks Adam,

    your post gave me the hints to solve this issue for me. I did some research on google and found this post
    https://blogs.msdn.microsoft.com/openspecification/2011/05/30/windows-configurations-for-kerberos-supported-encryption-type/

    I did two things:

    "msDS-SupportedEncryptionTypes" is now set to "24" instead of "28" on my computer's account in active directory. After that the TMG-Client works again.

    I also changed the user account encryption type like described in this article.

    Regards
    Marco

    Just a Follow up:
    I am running 1607 build 14393.351.

    WARNING: This morning right after login, the TMG-Client had authentication issues again. So I had a look into my computer's account in active directory. The change I made to "msDS-SupportedEncryptionTypes" had flipped back to 28. So I edited it again. This time I additionally changed the local group policy, as described in step three.

    This configuration seems to break something else. Right after login, network drives are not connected and are asking for credentials. Outlook asks for credentials too.

    Windows is asking me to lock the screen to provide authentication data again and Outlook was asking for my credentials.

    After locking the screen and logging in again, everything works until I reboot again.

    I just guess there are more general changes that have to be made to our active directory. But my knowledge doesn't go this deep into active directory. The problem might occur on domains that have existed since Windows NT times and were not properly migrated or have some compatibility settings enabled like RC4 encryption.

    Friday, November 4, 2016 7:18 AM
  • Clicking "Use Kerberos DES encryption types for this account" for each account that is having problem with TMG fixed the issue.

    Update: this breaks visual studio, so we had to roll back the change.

    We need more support Microsoft!




    Friday, November 4, 2016 8:17 AM
  • We did some tests this morning too.

    We can confirm that the "msDS-SupportedEncryptionTypes" value changes itself back to 28 after a few minutes. But we think we do not really need this.

    After a few constellations we think only the "Use Kerberos DES encryption types for this account" flag is needed.

    BUT:

    We have the same problems that MarcoBCDE described! After activating this option (and ONLY this option) TMG is working in 1607 but Windows is asking for credentials (in Outlook etc.). This also happens in Windows 10 1511!

    Seems that there are a few more ActiveDirectory options to change ..  
    Friday, November 4, 2016 10:42 AM
  • Good morning all,

    I've also run some tests this weekend and came to these conclusions:

    - Activating DES encryption in the AD user configuration solves the problem in the TMG client but forces Windows notifications to lock/unlock windows sessions, as if the password was remotely changed and needs to sync with the user profile cache. At least, for the first hours, Outlook has not notified me about this change in encryption. But maybe it is related to Office365 and not Exchange server.

    Before the update to 1607/Anniversary this was unnecessary to be done and the default AD settings for user and computer worked perfectly.

    - I've installed a new PC with the Windows 10 1607 ISO and the same behaviour happens. This was done to remove any suspicion that some process during the Windows 10 upgrade caused the problem, which is not the case

    We need more support from Microsoft to solve this issue. At this time, the TMG is working but the password sync notification will happen frequently so more AD settings need to be done.

    Monday, November 7, 2016 9:57 AM
  • I would ensure you are allowing AES encryption types. We started deprecating DES in Windows 7/2008 R2.

    Also for protocols such as LDAP, we use the high order bits for Kerberos. Disabling AES is unsupported so you would probably encounter Kerberos related issues like you are if you disabled AES.


    Adam Rudell | Windows Networking Beta | Microsoft Corporation

    Monday, November 7, 2016 5:35 PM
  • Hi, again.

    I did some reading about password hashing in AD. So I decided to change my password, after I activated DES and the two AES check boxes on my user’s account, to see if it changes the behaviour. For an unknown reason (really: there was an empty message), I could not change the password from the client. So I changed it directly at the user account on the domain controller. -- Quick reboot -- Everything seems to work from the first login.

    Still: Windows is asking me to lock the screen for credentials directly after login.

    New: When I try to change my password now, it states, that my client is using an encryption type, the Kerberos domain controller doesn't support.
    Could someone please test it to confirm. I am not sure if the password change does do anything or I am just imagining it.

    Regards
    Marco

    Tuesday, November 8, 2016 8:58 AM
  • Hi, again!

    I found some more interesting things during testing.

    I built a virtual test environment (completely new and not connected to our network!) with:
    - Win 2016 Server as Domain Controller
    - Win 10 (1607) as Client
    - One new user (default settings, just name and password)
    - (without  TMG, just testing the password problem)

    With this user I could sign into the Windows 10 machine without errors (changing the password works!).

    After this, I activated the DES flag and the two AES options in the user profile. Now the "please lock and sign in again" warning appears when trying to access something in the domain (like doing a gpupdate /force on cmd)! And now changing the password doesn't work anymore. The "Domain doesn't support your encryption" error appears! (And sometimes even the error with no text like Marco wrote!)

    (Solution for this) My good friend google (sorry for not using Bing) told me to try this policy:

    Computer Configuration > Windows Settings > Security Settings > Local Policy > Security Options > "Network Security: Configure encryption types allowed for Kerberos"

    Check all options and apply!

    In my test environment this works perfectly! No "lock and sign in again" and password change is possible. (Local Policy or Domain Policy - both do the job!)

    Seems that the Domain Controller forces some encryption (remember the DES option in user profile) the local computer doesn't support. After changing this policy it's supported and works!

    Unfortunately I wasn't able to get this work in our productive environment, yet! But for this there can be a lot more reasons ;-).

    I hope this information helps you test in your environments. Maybe someone can confirm that the policy works.

    Regards

    Nico

    Wednesday, November 9, 2016 2:31 PM
  • Today I reverted every change I made to resolve this issue. I recognized that activating the DES switch at the user account forces the windows client to fall back to NTLM instead of Kerberos, which seems to be a bad thing to me, because this breaks other things too (opening \\<domain.local>\sysvol for example). So still no real solution.

    Thursday, November 10, 2016 9:24 AM
  • What you guys are missing here is that i didn't change anything related to encryption or group policy or whatever and the tmg firewall client started to work with one of our tmg's and not with the other.

    So, there must be something else in line here that no one has caught yet.

    Just my 2 cents

    Thursday, November 10, 2016 1:52 PM
  • I have the same issue with TMG client on Windows 10 v1607, “Disconnected: Cannot authenticate to Forefront TMG 192.168.XXX.XXX”.  BUT here are some hopefully big clues.

    This disconnect phenomenon is per user.

    This disconnect phenomenon is triggered by use of Internet Explorer 11.

    I cannot determine a GUI exposed setting that affects this.

    There is a concurrent thread on Spiceworks, https://community.spiceworks.com/topic/1752630-windows-10-1607-anniversary-update-isa-2006-network-proxy-authentication-issue, and the reference to permissions could be significant and perhaps should reference C:\Windows\ServiceProfiles\LocalService\...

    Situation:  I have a single TMG 2010 server hosted on Server 2008R2 – “by the book” settings – all patched up to date etc.  All workstations with Win10v1511 are fine with TMG client.  I have manually specified Forefront TMG by IP address on the TMG client.

    I have in-place upgraded one workstation to Win10v1607.  I have logged on with two different domain user accounts.  One of these is also in the local administrators’ security group.  The one with local admin rights will have the TMG client successfully connect and stay connected to the TMG server, even while browsing the web using Edge.  The moment I open Internet Explorer 11, the TMG client reverts to disconnected with the red X icon.  The other domain user account defaults to disconnected at user logon even before trying to access the internet and stays that way.  I can open the TMG client and on the settings tab, manually Test Server, and it will stay connected for a while but ultimately revert to disconnected on its own or immediately on opening IE.

    Hopefully these clues help MS support since this is a common issue, well beyond my knowledge-base, as with so many other posts to this topic. 

    Thursday, November 10, 2016 7:54 PM
  • Thank you everyone for your patience while I investigated into this. After doing some further work with our product group, we have identified the root cause to be due to a change in the negotiate/kerberos code with how callers provide credential handle or context handle for each call.

    The fix has been checked into our latest code branches for testing/validation and plans to backport to RS1 here in the next couple months. Please disregard any solutions of modifying the Kerberos Encryption Ciphers. If your environment supports NTLM, it should be able to fail the negotiate process and fallback to NTLM authentication.

    I will update as soon as have an ETA for the code fix for RS1 builds.


    Adam Rudell | Windows Networking Beta | Microsoft Corporation


    Friday, November 11, 2016 12:30 AM
  • I can provide some information. I don't install the TMG client software on the client, I just use proxy auto-config for the IE 11 browser. It works very well in win 10 1511 and win7, but it can't work in the Win10 1607 IE browser. I also found that if I manually set the proxy server in the IE browser, IE works well, but I have many settings in the proxy, so I have to use the proxy auto-config function. I found Firefox and Google Chrome work very well with proxy auto-config mode on the win10 1607 client. I don't know why the win10 1607 IE browser cannot support proxy auto-config.


    • Edited by atong Friday, November 11, 2016 6:48 AM
    Friday, November 11, 2016 6:47 AM
  • Thank you everyone for your patience while I investigated into this. After doing some further work with our product group, we have identified the root cause to be due to a change in the negotiate/kerberos code with how callers provide credential handle or context handle for each call.

    The fix has been checked into our latest code branches for testing/validation and plans to backport to RS1 here in the next couple months. Please disregard any solutions of modifying the Kerberos Encryption Ciphers. If your environment supports NTLM, it should be able to fail the negotiate process and fallback to NTLM authentication.

    I will update as soon as have an ETA for the code fix for RS1 builds.


    Adam Rudell | Windows Networking Beta | Microsoft Corporation

    Monday, November 14, 2016 2:58 PM
  • Thanks Adam, great news. Keep us posted!

    Renato

    Wednesday, November 16, 2016 11:40 AM
  • Are there any news?
    Thursday, November 24, 2016 10:26 AM
  • None so far, but I'm placing my bet on Adam.
    Tuesday, November 29, 2016 8:28 AM
  • An ETA to correct the issue in Windows 10 would be very nice. Windows 10 implementation projects are stalled related to this situation
    Wednesday, November 30, 2016 6:24 PM
  • Are there any news?
    Monday, December 5, 2016 1:58 PM
  • An ETA to correct the issue in Windows 10 would be very nice. Windows 10 implementation projects are stalled related to this situation

    Yep... we had to postpone our windows 7 to Windows 10 migration project.

    Thursday, December 8, 2016 2:17 PM
  • On the local machine:

    1. open gpedit.msc

    2. configuration windows

    3. security Settings

    4. Local policies

    5. security Settings

    6. Network security: Configure encryption types allowed by Kerberos

    7. Select DES, AES128, AES256

    8. Reboot

    It works!!

    Sorry for my English

    Tuesday, December 20, 2016 6:14 AM
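An added example, not code from this thread or from Microsoft, that models the encryption-type (etype) changes discussed above (setting msDS-SupportedEncryptionTypes to 24, the "Use Kerberos DES encryption types for this account" checkbox, and the "Configure encryption types allowed for Kerberos" policy from the gpedit steps) as a set intersection, and reports what each change does to the negotiated cipher. The bit values are those of the AD attribute and the policy; the intersection model, the default client policy value and the treatment of an unset attribute as RC4 are assumptions.

```python
# Added example (not from this thread or from Microsoft): a simplified model of the
# Kerberos etype overlap between an account and a Windows 10 client. Real KDC/client
# negotiation is more involved; the intersection below is an assumption.

# Bit flags of msDS-SupportedEncryptionTypes and of the local policy
# "Network security: Configure encryption types allowed for Kerberos".
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC_MD5 = 0x04
AES128_CTS = 0x08
AES256_CTS = 0x10

ETYPE_NAMES = {
    DES_CBC_CRC: "DES-CBC-CRC",
    DES_CBC_MD5: "DES-CBC-MD5",
    RC4_HMAC_MD5: "RC4-HMAC",
    AES128_CTS: "AES128-CTS-HMAC-SHA1-96",
    AES256_CTS: "AES256-CTS-HMAC-SHA1-96",
}
DES_ETYPES = {DES_CBC_CRC, DES_CBC_MD5}
AES_ETYPES = {AES128_CTS, AES256_CTS}

# Assumed client default when the policy is "not configured": RC4 + AES, no DES.
DEFAULT_CLIENT_POLICY = RC4_HMAC_MD5 | AES128_CTS | AES256_CTS  # 0x1C = 28


def decode_etypes(mask):
    """Set of known etype bits present in a mask (unknown bits are ignored)."""
    return {bit for bit in ETYPE_NAMES if mask & bit}


def etype_names(bits):
    return sorted(ETYPE_NAMES[b] for b in bits)


def account_etypes(supported_mask, use_des_key_only=False):
    """Etypes the account offers. use_des_key_only models the
    "Use Kerberos DES encryption types for this account" checkbox;
    an unset attribute (0) is modelled as RC4 only (assumption)."""
    if use_des_key_only:
        return set(DES_ETYPES)
    if supported_mask == 0:
        return {RC4_HMAC_MD5}
    return decode_etypes(supported_mask)


def negotiate(account_mask, client_policy_mask, use_des_key_only=False):
    """Intersect what the account offers with what the client policy allows.
    An empty overlap is reported as an NTLM fallback, as observed in the thread."""
    common = account_etypes(account_mask, use_des_key_only) & decode_etypes(client_policy_mask)
    return {
        "common": etype_names(common),
        "kerberos": bool(common),
        "fallback": None if common else "NTLM",
    }


def audit(account_mask, client_policy_mask, use_des_key_only=False):
    """Configuration findings a defender would want to see for each workaround."""
    findings = []
    offered = account_etypes(account_mask, use_des_key_only)
    allowed = decode_etypes(client_policy_mask)
    if offered & DES_ETYPES or allowed & DES_ETYPES:
        findings.append("DES enabled: deprecated since Windows 7 / Server 2008 R2")
    if not offered & AES_ETYPES:
        findings.append("account offers no AES etype")
    if not allowed & AES_ETYPES:
        findings.append("client policy disables AES: unsupported configuration")
    common = offered & allowed
    if common and not common & AES_ETYPES:
        findings.append("Kerberos would negotiate without AES: " + ", ".join(etype_names(common)))
    return findings


if __name__ == "__main__":
    # Constructed cases taken from the workarounds posted in this thread.
    cases = [
        ("computer account 28, default client policy", 28, DEFAULT_CLIENT_POLICY, False),
        ("account set to 24 (AES only)", 24, DEFAULT_CLIENT_POLICY, False),
        ("DES checkbox, default client policy", 28, DEFAULT_CLIENT_POLICY, True),
        ("DES checkbox + policy DES/AES128/AES256 (gpedit steps)", 28,
         DES_CBC_CRC | DES_CBC_MD5 | AES128_CTS | AES256_CTS, True),
    ]
    for label, acct, policy, des_only in cases:
        print(label)
        print("  ", negotiate(acct, policy, des_only))
        print("  ", audit(acct, policy, des_only))
```

The third case reproduces the empty overlap behind the "domain doesn't support your encryption" error and the NTLM fallback reported earlier; the fourth shows that the gpedit workaround only "works" by letting Kerberos negotiate DES.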
  • In windows 10 build 14986.rs_prerelease.161202-1928 (received with insider program), TMG client is back to work...

    :-)

    Tuesday, December 20, 2016 10:11 AM
  • @Adam Rudell

    When can we get this update? Our Windows 10 rollout project has stopped because of this problem. How many days, weeks (or months :-( ) do we have to wait for this.

    It would be nice to know a date (circa .. )

    Thanks

    Nico

    Wednesday, December 21, 2016 9:22 AM
  • On the local machine:

    1. open gpedit.msc

    2. configuration windows

    3. security Settings

    4. Local policies

    5. security Settings

    6. Network security: Configure encryption types allowed by Kerberos

    7. Select DES, AES128, AES256

    8. Reboot

    It works!!

    Sorry for my English


    Yes, it works! But if you have RDP connections with saved credentials, then now, every time you connect, you will be prompted for a password and shown the message - The system administrator has disallowed the use of saved credentials to log on to the remote computer XXXX because its identity is not fully verified. Enter new credentials!

    Google translate:

    Yes, it works! But if you have a connection RDP with saved credentials to, now, every time you connect will be prompted for a password, and issued a message - The system administrator does not allow to use the saved credentials to log on remotely XXXX computer because its authenticity has not been verified completely . Enter new credentials!


    Adios Amigos

    Monday, December 26, 2016 4:12 AM
  • In windows 10 build 14986.rs_prerelease.161202-1928 (received with insider program), TMG client is back to work...

    :-)

    I confirm. With this build TMG is back.
    Thursday, December 29, 2016 8:02 AM
  • Is this what they're calling the Creators Update, when can we see it in 1607? 14393.594 went to the release preview ring, have just installed and it doesn't fix it. Will probably have to wait until at least February, Adam any update on when we can see this?
    Wednesday, January 4, 2017 10:13 PM
  • I am still working with the PG to get the fix back ported and trying to put together a larger impact statement on why we need to fix this ASAP in RS1 builds. The fix is already in the RS2 builds.

    Can folks that are encountering this behavior send an email to arudell at microsoft dot com and include the following information.

    # of seats blocked or affected

    company name


    Adam Rudell | Windows Networking Beta | Microsoft Corporation

    Thursday, January 5, 2017 6:00 PM
  • Thanks for your patience with this issue. The issue was taken to triage last night and the fix should be available mid February for 1607 client machines.

    Edit: The fix has been released on 2017.01 D (KB 3216755) and is available for download.


    Adam Rudell | Windows Networking Beta | Microsoft Corporation


    Tuesday, January 10, 2017 3:18 PM
  • Thanks Adam for your efforts!
    Monday, January 23, 2017 11:38 AM
  • This setting seems to break something relating to group policy processing.

    "The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description."

    Monday, January 23, 2017 4:47 PM
  • After the recent Windows update (right after the New Year holidays), the build of Win 10 Anniversary was updated to 14393.693, and the TMG client stopped working again.... Shit happens!

    The same symptoms as earlier...

    Tuesday, January 24, 2017 11:22 AM
  • After the recent Windows update (right after the New Year holidays), the build of Win 10 Anniversary was updated to 14393.693, and the TMG client stopped working again.... Shit happens!

    The same symptoms as earlier...

    The solutions in this thread were never real solutions. They probably break security. You have to wait for the updates scheduled for mid February, as Adam Rudell announced earlier.

    Please carefully read the whole thread.

    Monday, January 30, 2017 9:47 AM
    Tuesday, January 31, 2017 7:35 AM
  • Yes, I confirm this fix works (1607, LTSB (10.0.14393))
    Tuesday, January 31, 2017 9:54 AM
  • Now it works

    Win 10 x32, 10.0.14393


    Wednesday, February 1, 2017 11:35 AM
  • Confirm, it works
    Friday, February 3, 2017 8:29 AM
  • I have Windows 10 Enterprise 14393.351 and I'm unable to install this update

    It says it does not apply to my computer

    any help?

    Friday, February 3, 2017 12:51 PM
  • I have Windows 10 Enterprise 14393.351 and I'm unable to install this update

    It says it does not apply to my computer

    any help?

    x86 or x64?
    Monday, February 6, 2017 6:16 AM
  • Now my Windows version is 14393.726 with KB 3216755, but it doesn't resolve my proxy problem.

    Tuesday, February 7, 2017 5:27 AM
  • 14393.726 fixes the issue! Thank you very much. Rgr Marco
    Tuesday, February 7, 2017 2:37 PM
  • x64, and I downloaded the package for this architecture... but I'm unable to install it
    Wednesday, February 8, 2017 11:10 AM
  • Hmm ... It works on my 14393.726.
    Wednesday, February 8, 2017 1:51 PM
  • After installing KB3216755, the TMG Client works fine. The bug was fixed. THX Adam
    Wednesday, February 8, 2017 5:10 PM
  • Hi everyone, just installed and everything seems to be back to normal!

    The other workarounds, as mentioned before, seem to break or lower security settings, so the problem is simply shifted.

    Thanks again Adam for the support!

    Wednesday, February 15, 2017 11:02 AM
  • hi,

    does it work on the new build, 1703?

    Friday, April 7, 2017 1:37 PM
  • In 1703 it works perfectly
    Monday, April 10, 2017 5:29 AM
  • At last I found out the reason why the proxy cannot work on 1607 and 1703.
    I put the PAC file into the root directory of an IIS web site and set the PAC file as a default document in the IIS server, such as http://pac.domain.com, and it works on all Win 7 and Win 10 1511, but after upgrading to 1607 and 1703 it cannot work. At last I found that if I change the IE proxy setting to the full path http://pac.domain.com/proxy.pac, it works on 1607 and 1703.

    I got this information from the post below:
    https://social.technet.microsoft.com/Forums/windows/en-US/75cab17b-6d58-4639-ab3c-1213c97deb12/usage-of-pac-files-on-windows-10-1607?forum=win10itprogeneral




    Wednesday, May 3, 2017 3:25 AM
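    The post above reports that a PAC URL pointing at a directory (relying on the IIS default document) stopped working on 1607/1703 while the explicit file path still works. The following is an added example, not code from this thread or from Microsoft: a small Python checker that flags a directory-style PAC URL and validates that the body the server returns is actually a PAC script served with the conventional `application/x-ns-proxy-autoconfig` content type. The PAC body and the host names `pac.domain.com` and `proxy.domain.com` are constructed for the example; to check a live server, pass the body and Content-Type you fetched (for instance with `urllib.request.urlopen`) into `check_pac`.

```python
import re
from urllib.parse import urlparse

# Constructed sample PAC body (hypothetical hosts; not from the thread).
SAMPLE_PAC = """function FindProxyForURL(url, host) {
    if (isPlainHostName(host) || dnsDomainIs(host, ".domain.com")) {
        return "DIRECT";
    }
    return "PROXY proxy.domain.com:8080; DIRECT";
}
"""

# MIME type browsers and WinHTTP conventionally expect for a PAC script.
PAC_CONTENT_TYPE = "application/x-ns-proxy-autoconfig"


def pac_url_problems(pac_url):
    """Return a list of issues found in the configured PAC URL.

    A URL that names a directory (http://pac.domain.com) depends on the
    web server's default-document setting; the explicit file path
    (http://pac.domain.com/proxy.pac) does not, which is the fix the
    thread arrived at for 1607/1703.
    """
    problems = []
    parsed = urlparse(pac_url)
    if parsed.scheme not in ("http", "https"):
        problems.append("scheme is %r, expected http or https" % parsed.scheme)
    if not parsed.netloc:
        problems.append("no host in URL")
    path = parsed.path
    if path in ("", "/") or path.endswith("/"):
        problems.append("URL names a directory, not a file; it relies on the "
                        "server's default document")
    elif not path.lower().endswith((".pac", ".dat", ".js")):
        problems.append("path %r does not look like a PAC file" % path)
    return problems


def pac_body_problems(body, content_type=None):
    """Return issues with the script the PAC URL actually serves.

    content_type, if given, is the server's Content-Type header value; a
    wrong type is reported because some clients refuse such a script.
    """
    problems = []
    if not re.search(r"\bfunction\s+FindProxyForURL\s*\(", body):
        problems.append("no FindProxyForURL function; the server probably "
                        "returned an HTML error or directory listing")
    if "<html" in body.lower():
        problems.append("body contains HTML")
    if content_type is not None and not content_type.lower().startswith(PAC_CONTENT_TYPE):
        problems.append("Content-Type %r, expected %s" % (content_type, PAC_CONTENT_TYPE))
    return problems


def check_pac(pac_url, body, content_type=None):
    """Combine the URL and body checks; an empty list means the PAC setup is sound."""
    return pac_url_problems(pac_url) + pac_body_problems(body, content_type)


if __name__ == "__main__":
    # The two URLs from the thread: directory form versus explicit file path.
    for url in ("http://pac.domain.com", "http://pac.domain.com/proxy.pac"):
        issues = check_pac(url, SAMPLE_PAC, PAC_CONTENT_TYPE)
        print(url, "->", "OK" if not issues else "; ".join(issues))
```

    The URL check is deliberately independent of the body check: the directory form can still return a valid PAC script on the server you test from, and the point of the thread is that a client may nevertheless refuse it, so the checker reports the directory-style URL as a problem on its own.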