Windows Store and Windows Update Fail With Error 0x8024401c On a PC Under Corporate Proxy With Direct Access (Proxy Disabled)

  • Question

  • Hello,

    I am having problems installing Windows apps from Windows Store on a workstation computer that is a Windows 8 client joined to Active Directory domain with WSUS and Proxy configured.

    Using proxy is disabled on this workstation and running NetSh returns:

    C:\Windows\system32>netsh winhttp show proxy

    Current WinHTTP proxy settings:

        Direct access (no proxy server).

    WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc) is stopped and set to Disabled on this workstation to prevent from using proxy.

    Windows Update retrieves updates directly from Microsoft web service without contacting local corporate Windows Server Update Services (WSUS) server (because otherwise WU fails to retrieve updates for Windows 8).

    All attempts to obtain updates from Windows Update go flawlessly. However, attempts to install apps from Windows Store fail. I've found that Windows uses Windows Update (WU) service to retrieve apps from Windows Store.

    Looking into %systemroot%\WindowsUpdate.log has shown that Windows Update is making an attempt to contact our corporate proxy server despite the fact that using proxy has been disabled!

    I am posting an excerpt from WindowsUpdate log file that confirms that Windows Update is still trying to access Microsoft web services via our proxy despite the fact that it should not do that:

    2012-09-07	06:18:48:915	 632	287c	PT	+++++++++++  PT: Synchronizing server updates  +++++++++++
    2012-09-07	06:18:48:915	 632	287c	PT	  + ServiceId = {117CAB2D-82B1-4B5A-A08C-4D62DBEE7782}, Server URL = https://fe1.ws.microsoft.com/v6/ClientWebService/client.asmx
    2012-09-07	06:18:48:958	 632	287c	WS	WARNING: Nws Failure: errorCode=0x803d0006
    2012-09-07	06:18:48:958	 632	287c	WS	WARNING: There was an error communicating with the endpoint at 'https://fe1.ws.microsoft.com/v6/ClientWebService/client.asmx'.
    2012-09-07	06:18:48:958	 632	287c	WS	WARNING: The operation timed out after 60000 (0xEA60) milliseconds.
    2012-09-07	06:18:48:958	 632	287c	WS	WARNING: The operation could not be completed because the channel has been aborted.
    2012-09-07	06:18:48:958	 632	287c	WS	WARNING: Web service call failed with hr = 8024401c.
    2012-09-07	06:18:48:958	 632	287c	WS	WARNING: Current service auth scheme='None'.
    2012-09-07	06:18:48:958	 632	287c	WS	WARNING: Proxy List used: 'companyproxy.mycompany.com:8080', Bypass List used: '(null)', Last Proxy used: 'companyproxy.mycompany.com:8080', Last auth Schemes used: 'None'.
    2012-09-07	06:18:48:958	 632	287c	WS	FATAL: OnCallFailure(hrCall, m_error) failed with hr=0x8024401c
    2012-09-07	06:18:48:959	 632	287c	PT	WARNING: PTError: 0x8024401c
    2012-09-07	06:18:48:959	 632	287c	PT	WARNING: GetConfig_WithRecovery failed: 0x8024401c
    2012-09-07	06:18:48:959	 632	287c	PT	WARNING: RefreshConfig failed: 0x8024401c
    2012-09-07	06:18:48:959	 632	287c	PT	WARNING: RefreshPTState failed: 0x8024401c
    2012-09-07	06:18:48:959	 632	287c	PT	WARNING: Sync of Updates: 0x8024401c
    2012-09-07	06:18:48:959	 632	287c	PT	WARNING: SyncServerUpdatesInternal failed: 0x8024401c
    2012-09-07	06:18:48:959	 632	287c	Agent	  * WARNING: Failed to synchronize, error = 0x8024401C
    2012-09-07	06:18:48:960	 632	287c	Agent	  * WARNING: Exit code = 0x8024401C
    2012-09-07	06:18:48:960	 632	287c	Agent	*********
    2012-09-07	06:18:48:960	 632	287c	Agent	**  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
    2012-09-07	06:18:48:960	 632	287c	Agent	*************
    2012-09-07	06:18:48:960	 632	287c	Agent	WARNING: WU client failed Searching for update with error 0x8024401c

    This leads the 0x8024401c error to arise. As far as I am aware, this error indicates HTTP status 408: "server timed out waiting for request"

    Error code (hex): 0x8024401c

    HRESULT (dec): -2145107940

    Error string: WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT

    Description: HTTP status 408 - Server timed out waiting for request

    1. Why does WU continue to use proxy when it has been disabled?

    2. How do I make WU authenticate correctly on this proxy if it is impossible to bypass it? Would using Vault help here?

    3. Is it possible to obtain apps from Windows Store without using Windows Update?

    4. Why does Windows Update use different network connection settings for retrieving Windows updates and Windows apps?

    This is what I get when trying to install an app in the Windows Store app:

    I also see this line in WU log which is pretty strange because it shows that Explicit proxy is initialized to 1.

    2012-09-07	18:50:58:287	 632	16a0	DnldMgr	  * Priority = 4, NetworkCostPolicy = 6, Interactive = 1, Owner is system = 0, Explicit proxy = 1, Proxy session id = -1, ServiceId = {117CAB2D-82B1-4B5A-A08C-4D62DBEE7782}
    

    Thank you.

    EH

    P.S.: It seems like the problem is similar to the one described here.


    Well this is the world we live in And these are the hands we're given...



    Friday, September 7, 2012 4:17 PM
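An added example (not part of the original post): a small Python triage of the `WS` lines in WindowsUpdate.log that pulls out the hr code, the proxy WinHTTP actually used and the auth scheme it sent, and flags a proxy that appears while `netsh winhttp show proxy` reports direct access. The sample lines are copied from the excerpts in the question above and in the answer below; `triage` and its `winhttp_is_direct` flag are names chosen for this example.

```python
import re
from collections import OrderedDict

# hr values and their meaning as stated in the posts on this page
HR_MEANING = {
    "8024401c": "HTTP 408, server timed out waiting for request",
    "8024401b": "HTTP 407, proxy authentication required",
}

# date, time, pid, tid, component, message. Accepts tabs or spaces and a
# year that lost its first digit ("012-09-14"), as in the second excerpt.
LINE_RE = re.compile(
    r"^\s*\d{3,4}-\d\d-\d\d\s+\d\d:\d\d:\d\d:\d{3}\s+"
    r"(?P<pid>\d+)\s+(?P<tid>[0-9a-fA-F]+)\s+(?P<comp>\w+)\s+(?P<msg>.*)$")
HR_RE = re.compile(r"\bhr\s*=\s*(?:0x)?([0-9a-fA-F]{8})\b")
PROXY_RE = re.compile(r"Proxy List used: '([^']*)'.*Last auth Schemes used: '([^']*)'")
STATUS_RE = re.compile(r"HTTP status code '(\d{3})")
WANTED_RE = re.compile(r"requires HTTP authentication scheme '([^']+)'")

# Lines copied from the two excerpts on this page (whitespace normalised)
SAMPLE = """\
2012-09-07 06:18:48:958  632 287c WS WARNING: Web service call failed with hr = 8024401c.
2012-09-07 06:18:48:958  632 287c WS WARNING: Proxy List used: 'companyproxy.mycompany.com:8080', Bypass List used: '(null)', Last Proxy used: 'companyproxy.mycompany.com:8080', Last auth Schemes used: 'None'.
2012-09-07 06:18:48:959  632 287c PT WARNING: PTError: 0x8024401c
012-09-14 22:50:09:933 624 17f4 WS WARNING: The server returned HTTP status code '407 (0x197)' with text 'Proxy Authentication Required'.
012-09-14 22:50:09:933 624 17f4 WS WARNING: The proxy requires HTTP authentication scheme 'NTLM'.
012-09-14 22:50:09:933 624 17f4 WS WARNING: Web service call failed with hr = 8024401b.
012-09-14 22:50:09:933 624 17f4 WS WARNING: Proxy List used: 'proxy.domain.com:port', Bypass List used: '(null)', Last Proxy used: 'proxy.domain.com:port', Last auth Schemes used: 'None'.
"""


def triage(log_text, winhttp_is_direct):
    """Group WS (web service) warnings per pid/tid and explain each failed call.

    winhttp_is_direct: True when `netsh winhttp show proxy` printed
    "Direct access (no proxy server)." on the same machine.
    """
    calls = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m["comp"] != "WS":
            continue
        call = calls.setdefault(
            (m["pid"], m["tid"]),
            dict.fromkeys(("hr", "proxy", "sent", "status", "wanted")))
        msg = m["msg"]
        for key, rx in (("hr", HR_RE), ("status", STATUS_RE), ("wanted", WANTED_RE)):
            hit = rx.search(msg)
            if hit:
                call[key] = hit.group(1).lower() if key == "hr" else hit.group(1)
        hit = PROXY_RE.search(msg)
        if hit:
            call["proxy"], call["sent"] = hit.groups()

    findings = []
    for (pid, tid), c in calls.items():
        if c["hr"] is None:
            continue
        notes = []
        if c["proxy"] and winhttp_is_direct:
            notes.append("proxy used although WinHTTP default is direct access")
        if c["status"] == "407" or c["hr"] == "8024401b":
            notes.append("proxy wants %s, client sent %s"
                         % (c["wanted"] or "authentication", c["sent"]))
        if c["hr"] == "8024401c":
            notes.append("request timed out" + (" via " + c["proxy"] if c["proxy"] else ""))
        findings.append({
            "pid": pid, "tid": tid, "hr": "0x" + c["hr"],
            "meaning": HR_MEANING.get(c["hr"], "not described on this page"),
            "proxy": c["proxy"], "notes": notes,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE, winhttp_is_direct=True):
        print(f["tid"], f["hr"], f["meaning"], f["proxy"], "; ".join(f["notes"]))
```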

Answers

  • Gentlemen, it looks like I've found a possible solution to the problem with Modern apps not working in a corporate environment with a NTLM proxy.

    I've written complete step-by-step procedure that will guide you through issues with purchasing and installing Modern apps from Windows Store when working on a Windows 8 computer in a domain environment with corporate NTLM-enabled proxy server.

    Symptoms

    When working with Modern apps, you cannot make the apps to connect to a remote location. For example, your radio apps return connection errors, your Mail app returns Offline in a top-right corner of the app display when you sync messages for the selected mailbox, or you cannot purchase apps from Windows Store, and looking into the WindowsUpdate.log (the log file that journals Windows Update and Windows Store activity) shows the log contains records like:

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: The server returned HTTP status code '407 (0x197)' with text 'Proxy Authentication Required'.

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: The proxy requires HTTP authentication scheme 'NTLM'.

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: Web service call failed with hr = 8024401b.

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: Current service auth scheme='None'.

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: Proxy List used: 'proxy.domain.com:port', Bypass List used: '(null)', Last Proxy used: 'proxy.domain.com:port', Last auth Schemes used: 'None'.

    Cause

    Unlike desktop applications such as Windows Internet Explorer, which uses WinInet library (http://msdn.microsoft.com/en-us/library/windows/desktop/aa383630(v=vs.85).aspx) to establish connections, Modern apps establish connections using WinHTTP library (http://msdn.microsoft.com/en-us/library/windows/desktop/aa382925(v=vs.85).aspx).

    You may find comparison table for these two communication libraries available at http://msdn.microsoft.com/en-us/library/windows/desktop/hh227297(v=vs.85).aspx but the main difference, I guess, is here:


    Feature: Credential Prompting. Provides an API that allows the calling code to prompt the user for credentials. WinINet: yes. WinHTTP: no.


    In other words, when WinInet library supports requesting connection credentials, the WinHTTP library does not. I am not a developer in either way, and I don't know if my assumptions are true, and I definitely can't understand why impersonation from threads, supported by WinHTTP library, does not work here but my guess is that WinHTTP library impersonates under some service account such as LocalSystem or WinHttpGetIEProxyConfigForCurrentUser function is NOT used in currently available Modern apps.


    That being said, I believe that the root of the problem lies in the current WinHTTP limitation (mentioned here http://msdn.microsoft.com/en-us/library/windows/desktop/aa384086(v=vs.85).aspx):

    When processing asynchronous requests, WinHTTP does not handle thread impersonation properly. This causes requests that require NTLM/Negotiate authentication to fail, unless credentials are explicitly given using the WinHttpSetCredentials or WinHttpSetOption functions.

    In other words, currently available apps, including Windows Store app, do not properly use WinHTTP library.

    Solution

    Part I

    To make your Modern apps properly authenticate on a corporate NTLM-enabled proxy server using current user credentials (that is your credentials you provided when logging into Windows 8 on the logon screen), you have to use third-party application that would authenticate connections outgoing from apps on the proxy server.

    This third-party application would be a NTLM-capable proxy server such as cntlm (cntlm.sf.net) (you may use any other proxy that can ask you for NTLM credentials required by your corporate proxy and is capable of working in a chain of proxy).

    Once installed on your local Windows 8 computer, cntlm proxy will accept outgoing anonymous connections established by Modern apps and redirect them to a parent proxy server (that is, chain to upstream proxy), that is to your corporate proxy server. This way, your Modern apps that are not capable of authenticating via NTLM protocol authenticate on a corporate proxy server without even knowing that this corporate proxy server requires explicit authentication --- cntlm will do this trick for the apps.

    Briefly, connection chain will now look as:

    Modern app (localhost) -> cntlm (localhost) -> corporate proxy (domain network) -> web service (remote end-point).

    To install local cntlm proxy, do the following:

    1. Download the cntlm proxy setup package from cntlm.sf.net (direct link to the latest version: http://sourceforge.net/projects/cntlm/files/latest/download?source=files) or any other NTLM-capable proxy server; install the setup package.

    2. Open Services snap in by pressing WindowsKey and typing 'services' (without quotes), locate and stop the Cntlm Authentication Proxy service;

    Alternatively, to stop the service type at the elevated command prompt

    sc stop cntlm

    3. Open cntlm program folder (%programfiles(x86)%\cntlm or %programfiles%\cntlm for x64 and x86 platforms correspondingly) and open cntlm.ini configuration file in the notepad.

    3.1 Specify the user account name used to authenticate on your corporate proxy server such as:

    Username Jon

    3.2 Specify authority to which your user account name is belonging, this is typically your domain name, for example:

    Domain corporation.com

    ATTENTION: If you do not know your domain/authority name used to authenticate your account name, type the following at the command prompt:

    systeminfo | findstr /B /C:Domain

    This will return a string like:

    Domain:                    corporation.com

    3.1 Comment out the Password option by preceding it with the sharp sign:

    #Password password

    because you don't want to specify your domain password in a plain text.

    3.3 Determine what version of NTLM challenge is supported by corporate proxy server.

    To do that, open the command prompt and change working directory to cntlm program folder (%programfiles(x86)%\cntlm or %programfiles%\cntlm for x64 and x86 platforms correspondingly), or simply navigate to cntlm program folder in Windows Explorer and choose File|Open command prompt.

    At the command prompt type:

    cntlm.exe -M http://google.com

    Type your domain user account password when prompted.

    This will return the most secure NTLM authentication response hash supported by your corporate proxy server.

    ATTENTION: If you want to use other types of response hashes to authenticate on a corporate proxy server (such as LM or NT, which is not recommended for security reasons if the corporate proxy server supports NTLMv2 responses), type the following:

    cntlm.exe -H

    Type your domain user account password when prompted.

    This will return all three NTLM authentication response hashes supported by cntlm proxy server.

    3.4 Copy hash string (a 16-byte [32-character] alpha-numeric string) that looks like:

    FBB7DAA8D3663EC34F199E3CF838D3BD

    This is a result of HMAC-MD5 function (NTv2 = HMAC-MD5(v2-Hash, SC, CC*)), see http://en.wikipedia.org/wiki/NTLM for more details.

    3.5 Paste the copied string next to the PassNTLMv2 option (if you used NTLMv2 response returned by cntlm -H or cntlm -M commands):

    PassNTLMv2 FBB7DAA8D3663EC34F199E3CF838D3BD

    ATTENTION: Comment out all the unused responses

    #PassLM

    #PassNT

    PassNTLMv2 FBB7DAA8D3663EC34F199E3CF838D3BD

    3.6 [optional] Specify your computer name:

    Workstation computername

    3.7 Specify the IP or hostname of the corporate proxy server, for example:

    Proxy 192.0.2.2:8080

    ATTENTION: You may get the corporate proxy server address from the %systemroot%\WindowsUpdate.log log file by locating line like:

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: Proxy List used: 'proxy.domain.com:port', Bypass List used: '(null)', Last Proxy used: 'proxy.domain.com:port', Last auth Schemes used: 'None'.

    Alternatively, type the following at the command prompt:

    reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" | find /i "proxyserver"

    SR at 14.11.2012 17:21

    This command will obtain the proxy server address used by WinInet library from Windows registry.

    3.8 [optional] Specify the target network addresses that should not be routed via cntlm proxy

    NoProxy  localhost, 127.0.0.*, 10.*, 192.168.*

    3.9 Specify the local TCP port that will be used by cntlm proxy server to listen for incoming connections from Modern apps (actually from WinHTTP library), for example:

    Listen 3128

    3.10 [optional] Specify which source networks are allowed to establish incoming connection to your cntlm proxy server. Since you only install proxy to route Modern apps that run on your local computer, specify the loopback 127.0.0.0/8 network as the only allowed and prohibit connections from all other (0/0) networks:

    Allow  127.0.0.1

    Deny  0/0

    3.11 Leave all other cntlm configuration file options intact, close notepad, and save changes to the configuration file.

    ATTENTION: Because User Account Control (UAC) needs to be enabled for Modern apps to run, you may need your cntlm.ini saved to a non-prohibited location such as your My Documents folder (because %programfiles% folder is prohibited for writing under non-elevated processes). Once saved to a temporary storage, copy changed cntlm.ini file back to cntlm proxy server program folder.


    Continued in the message below.





    Thursday, November 15, 2012 1:55 PM
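An added example, not from the original post or from the cntlm project: a Python check that reads a cntlm.ini built as in steps 3.1 to 3.11 and reports a plaintext Password, weaker hashes left active beside PassNTLMv2, a non-loopback listener or Allow rule, and a missing catch-all Deny. The HARDENED sample uses the values shown in the post; the WEAK sample, the all-zero hash in it and the function names are constructed for this example.

```python
import ipaddress
import re

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")
NAMES = {"passlm": "PassLM", "passnt": "PassNT", "passntlmv2": "PassNTLMv2"}

# Values as given in steps 3.1 to 3.10 of the post
HARDENED = """\
Username Jon
Domain corporation.com
#Password password
#PassLM
#PassNT
PassNTLMv2 FBB7DAA8D3663EC34F199E3CF838D3BD
Workstation computername
Proxy 192.0.2.2:8080
NoProxy localhost, 127.0.0.*, 10.*, 192.168.*
Listen 3128
Allow 127.0.0.1
Deny 0/0
"""

# Constructed counter-example: what the procedure tells you to avoid
WEAK = """\
Username Jon
Domain corporation.com
Password password
PassLM 00000000000000000000000000000000
PassNTLMv2 FBB7DAA8D3663EC34F199E3CF838D3BD
Proxy 192.0.2.2:8080
Listen 0.0.0.0:3128
Allow 10.0.0.0/8
"""


def parse_cntlm(text):
    """Return [(keyword_lowercase, value)] for active (uncommented) lines."""
    opts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return opts


def is_loopback(host):
    """True for 'localhost' or an address/network inside 127.0.0.0/8."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_network(host, strict=False).subnet_of(LOOPBACK)
    except (ValueError, TypeError):   # not an IPv4 address/network
        return False


def audit(text):
    """Return [(severity, option, message)] for settings the post advises against."""
    opts = parse_cntlm(text)
    active = {k for k, _ in opts}
    findings = []
    for key, value in opts:
        if key == "password" and value:
            findings.append(("high", "Password", "domain password stored in plain text"))
        elif key in NAMES and not HEX32.match(value):
            findings.append(("medium", NAMES[key], "value is not a 32-character hex hash"))
        elif key == "listen" and ":" in value and not is_loopback(value.rsplit(":", 1)[0]):
            findings.append(("high", "Listen", "listener bound to non-loopback address " + value))
        elif key == "allow" and not is_loopback(value):
            findings.append(("medium", "Allow", "admits non-loopback source " + value))
    if "passntlmv2" in active:
        for weak in ("passlm", "passnt"):
            if weak in active:
                findings.append(("medium", NAMES[weak], "weaker hash left active beside PassNTLMv2"))
    if not any(k == "deny" and v in ("0/0", "0.0.0.0/0") for k, v in opts):
        findings.append(("low", "Deny", "no catch-all 'Deny 0/0' after the Allow rules"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("HARDENED", HARDENED), ("WEAK", WEAK)):
        print(label, audit(cfg) or "no findings")
```

cntlm authenticates to the upstream proxy with nothing but the stored hash, so read access to cntlm.ini deserves the same care as the password itself.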

    Part II

    Continuation, see Part I above for the beginning.


    4.  Open Services snap in by pressing WindowsKey and typing 'services' (without quotes), locate and start the Cntlm Authentication Proxy service;

    Alternatively, to start the service type at the elevated command prompt

    sc start cntlm

     

    This will start cntlm proxy server's Windows service. This time the service will use settings you have specified in the cntlm.ini configuration file.

     

    5. Now it is time to specify the local cntlm proxy server you have just configured within WinHTTP library settings to make Modern apps connect via cntlm proxy.

    The quickest way to do that is to import proxy settings from WinInet library settings, but before you could do that, you would need to set proxy settings for the WinInet library itself, which you can do using desktop version of Windows Internet Explorer.

     

    5.1 Start Windows Internet Explorer by clicking its icon on the taskbar. In the started Windows Internet Explorer press Alt+X to show settings menu, chose Internet Options and switch to the Connections tab in the opened Internet Options dialog box. Next click LAN Settings and set Use a proxy server for your LAN (These settings will not apply to dial-up or VPN connections) check box.

    In the Address and Port fields specify the localhost IP address and listen port correspondingly as specified in the cntlm.ini configuration file, namely:

    Address: 127.0.0.1

    Port: 3128

    Click OK to apply proxy settings to WinInet library and close Internet Explorer.

     

    6. When proxy settings are defined for the WinInet library, you are good to go with WinHTTP.

     

        6.1 Firstly, check currently used WinHTTP connection settings using Network Shell NetSH tool. To do that, start an elevated command prompt and type:

    cd "..\..\Windows\System"

    to open Windows system folder.

     

    Now execute the following command:

    netsh winhttp show proxy

     

    This will return your current proxy settings used by WinHTTP library, and hence this will show you the way it is currently used to connect to remote addresses by Modern apps:

     

    Current WinHTTP proxy settings:

    Direct access (no proxy server).

     

    Most likely, you will see that your Modern apps are connecting directly, that is connections go from your local computer to the default gateway (an IP address such as 192.0.2.1 provided that your computer is located within the 192.0.2.0/24 private subnet).

    If you are using 64-bit Windows 8 on a x64 platform, check settings with 32-bit version of NetSh tool located in SysWOW64 folder. When in the System folder, type

     

    cd ..\SysWOW64

     

    to change to SysWOW64 folder and then execute

     

    netsh winhttp show proxy

     

    This will return the same settings:

     

    Current WinHTTP proxy settings:

    Direct access (no proxy server).

     

    ATTENTION: To be doubly sure direct settings are used when impersonating under different user accounts, including service accounts, such as LocalService, Local System, Network Service, and your Microsoft account such as username@live.com or username@outlook.com provided that you have connected your domain user account to your Microsoft account (formerly known as Windows Live ID or WLID account).

     

    6.2 To check WinHTTP library connection settings under different accounts, use PSExec tool from SysInternals.

    Download Sysinternals Suite zip file from http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx and unpack it to %ProgramFiles%\Sysinternals\. Open elevated command prompt and type:

     

    cd "..\..\Program Files\SysInternals"

     

    to navigate to SysInternals program folder.

     

    6.2.1 To interactively start command prompt window with LocalSystem privileges type

    PsExec.exe /s /i cmd

     

    Check that command prompt is running under LocalSystem privileges, type:

    whoami

     

    You should get

    nt authority\system

     

    To verify  WinHTTP library settings when it impersonates under LocalSystem, type:

     

    netsh winhttp show proxy

     

    both for 64-bit and 32-bit flavors of the Network Shell just as you did in bullet item 6.1

     

    Close started interactive command prompt running under LocalSystem and return back to the elevated command prompt opened in the %Program Files%\SysInternals\ working directory.

     

    6.2.1 To interactively start command prompt window with Network Service privileges type

    PsExec.exe /i /u "NT AUTHORITY\NETWORKSERVICE" "cmd"

     

    Check that command prompt is running under  Network Service privileges, type:

    whoami

     

    You should get

    nt authority\network service

     

    To verify  WinHTTP library settings when it impersonates under  Network Service, type:

     netsh winhttp show proxy

     

    both for 64-bit and 32-bit flavors of the Network Shell just as you did in bullet item 6.1

     

    Close started interactive command prompt running under  Network Service and return back to the elevated command prompt opened in the %Program Files%\SysInternals\ working directory.

     

    6.2.2 To interactively start command prompt window with Local Service privileges type

    PsExec.exe /i /u "NT AUTHORITY\LOCALSERVICE" "cmd"

     

    Check that command prompt is running under Local Service privileges, type:

    whoami

     

    You should get

    nt authority\local service

     

    To verify  WinHTTP library settings when it impersonates under Local Service, type:

     netsh winhttp show proxy

     

    both for 64-bit and 32-bit flavors of the Network Shell just as you did in bullet item 6.1

     

    Close started interactive command prompt running under Local Service and return back to the elevated command prompt opened in the %Program Files%\SysInternals\ working directory.

     

    6.2.3 To interactively start command prompt window with privileges of your Microsoft account press WindowsKey and type cmd.

    Right-click the command prompt icon and choose Open file location from the bar.

    In the opened Windows Explorer window right-click command prompt shortcut when holding Shift key pressed and choose Run as different user. In the Windows Security dialog choose Microsoft account. Specify your Microsoft account credentials.

     

    Check that command prompt is running under Microsoft account privileges, type:

    whoami

     

    You should get

    computername\microsoftaccountlogin

     

    (where computername and microsoftaccountlogin will substitute for your actual computer name and account name used on Live services)

     

    To verify  WinHTTP library settings when it impersonates under Local Service, type:

     netsh winhttp show proxy

     

    both for 64-bit and 32-bit flavors of the Network Shell just as you did in bullet item 6.1

    Close started interactive command prompt running under Local Service and return back to the elevated command prompt opened in the %Program Files%\SysInternals\ working directory.

      

    7. Now import connection settings from WinInet library to WinHTTP library.

     

    Repeat all steps on the step 6 and its minor steps, but do use the following command that will import connection settings:

     netsh winhttp import proxy source=ie

     

    Do that for both flavors of Network Shell.

    Repeat step 6 and its minor steps when finished to confirm your cntlm proxy server is specified within WinHTTP library connection settings.



    • Marked as answer by Exotic Hadron Friday, November 16, 2012 9:46 AM
    Thursday, November 15, 2012 1:57 PM
  • Part III

    Continuation, see Part II above for the beginning.

     
    8. By default, each Modern app runs in a separate container, and the same applies to its network connections. Connection isolation is performed by Network Isolation.

    Network Isolation uses its own proxy autodiscovery feature to discover proxy server to use for connecting Modern apps. This autodiscovery feature (please correct me here) is different to WPAD (Web Proxy Auto Discovery) protocol used by desktop applications.

     

    To make sure your Modern apps connect through your specified proxy server, set local group policy.

     

    8.1     Press WindowsKey+R to open Run dialog box and type gpedit.msc to start Local Group Policy Editor.

     

    8.2 In the Local Group Policy Editor window right-click Administrative Templates folder under Computer Configuration and choose Filter options.

     

    8.3 In the Filter Options dialog box type 'proxy' (without quotes) in the Filter for word(s) field and choose Any in the drop-down list. Make sure all checkboxes are set for Within to make the filter apply to settings that have 'proxy' keyword in policy name, description, or help.

     

    8.4 Set the Enable Keyword Filters check box and click OK to apply the filter.

     

    8.5 Expand the Administrative Templates folder under Computer Configuration and click All Settings to display all policies related to configuring proxy settings.

     

    8.6 In the right results panel find the following policies

     

    Internet proxy servers for apps

    Intranet proxy servers for apps

     

    and  enable them.

     

    8.7 To enable a proxy policy, double click it and choose Enabled. Specify a local proxy server address such as 127.0.0.1:3128 (just as specified in the WinHTTP library settings) in the Domain proxies field and click OK.

     

    8.8 Enable the Proxy definitions are authoritative policy to make sure your local proxy server is a preferred proxy should your corporate proxy be discovered by Windows Network Isolation automatic proxy discovery.

     

    8.9 Press WindowsKey+R and type gpupdate /force to forcibly apply changes to local Group Policy settings.

     

    9. Because of enhanced security measures implemented in Windows 8, Modern apps run isolated in application containers. Let me quote Eric Lawrence:

    "Metro-style applications run inside isolated processes known as “AppContainers,” and by default, AppContainers are forbidden from sending network traffic to the local computer (loopback). This is, of course, problematic when debugging with Fiddler, as Fiddler is a proxy server which runs on the local computer. The post went on to explain how the CheckNetIsolation tool can be used to permit an AppContainer to send traffic to the local computer. However, using CheckNetIsolation is pretty cumbersome—it requires that you know the AppContainer’s name or security ID, and you must configure each AppContainer individually. To resolve those difficulties, I have built a GUI tool that allows you to very easily reconfigure an AppContainer to enable loopback traffic. This tool requires Windows 8 and runs on the .NET Framework v4. When launched, the utility scans your computer’s AppContainers and displays them in a list view. Each entry has a checkbox to the left of it, indicating whether the AppContainer may send loopback traffic. You can toggle these checkboxes individually, or use the buttons at the top to set all of the checkboxes at once. Click Save Changes to commit the configuration changes you’ve made, or click Refresh to reload the current configuration settings.

    After you install the EnableLoopback Utility, a new “Win8 Loopback Exemptions” item is added to Fiddler’s Tools menu; clicking this item launches the utility. To make changes to the exemption list, you must elevate to Administrator."

     

    9.1 Download and install the Enable Loopback tool by Eric Lawrence from http://blogs.msdn.com/b/fiddler/archive/2011/12/10/fiddler-windows-8-apps-enable-loopback-network-isolation-exemption.aspx

     

    9.2 After installing, run it with elevated privileges and exempt necessary apps.

    To exempt an app, find the app in the app list within the AppContainer Loopback Exemption Utility and set a check box next to app name and click Save changes.

    If you had selected app opened, close the app by tapping and dragging it down to the bottom of the screen or move the mouse pointer to the top of the app display, wait until the pointer will turn from arrow to and drag the app screen with the mouse.

    Start the app again. It will now be exempted and will connect via your local cntlm proxy server.

     

    IMPORTANT: DO NOT EXEMPT your SkyDrive app if you are using it with your Microsoft Office 365 2013 ProPlus, or it will render it impossible for Office apps to open your documents from SkyDrive. Most likely, you will face with an error described in this my post at Microsoft forums: http://social.technet.microsoft.com/Forums/en-US/w8itprogeneral/thread/a87dd6ce-6339-4677-a9e1-27a4903a8b8f

     

    10. Finally, make sure apps that are delivered from Windows Store are downloaded via local cntlm proxy.

    Like Windows Update, Windows Store uses BITS (Background Intelligent Transfer Service) to create download jobs and download purchased APPX Modern app packages from Windows Store.

    You may use BITSADMIN tool (or a dedicated PowerShell cmdlet) to make sure BITS transfers are made through manually specified cntlm proxy server:

     

    Also, make sure BITS service is routed via local proxy:

    C:\Windows\SysWOW64>bitsadmin.exe /Util /GetIEProxy "LocalService"

     

    BITSADMIN version 3.0 [ 7.6.9200 ]

    BITS administration utility.

    (C) Copyright 2000-2006 Microsoft Corp.

     

    BITSAdmin is deprecated and is not guaranteed to be available in future versions

     of Windows.

    Administrative tools for the BITS service are now provided by BITS PowerShell cm

    dlets.

     

    Current Internet proxy settings for account LocalService:

    (connection = default)

     

    Proxy usage:  MANUAL_PROXY

    Proxy list:   127.0.0.1:3128

    Proxy bypass: <empty>

     

    C:\Windows\SysWOW64>bitsadmin.exe /Util /GetIEProxy "LocalSystem"

     

    BITSADMIN version 3.0 [ 7.6.9200 ]

    BITS administration utility.

    (C) Copyright 2000-2006 Microsoft Corp.

     

    BITSAdmin is deprecated and is not guaranteed to be available in future versions

     of Windows.

    Administrative tools for the BITS service are now provided by BITS PowerShell cm

    dlets.

     

    Current Internet proxy settings for account LocalSystem:

    (connection = default)

     

    Proxy usage:  MANUAL_PROXY

    Proxy list:   127.0.0.1:3128

    Proxy bypass: <empty>

     

    C:\Windows\SysWOW64>bitsadmin.exe /Util /GetIEProxy "NetworkService"

     

    BITSADMIN version 3.0 [ 7.6.9200 ]

    BITS administration utility.

    (C) Copyright 2000-2006 Microsoft Corp.

     

    BITSAdmin is deprecated and is not guaranteed to be available in future versions

     of Windows.

    Administrative tools for the BITS service are now provided by BITS PowerShell cm

    dlets.

     

    Current Internet proxy settings for account NetworkService:

    (connection = default)

     

    Proxy usage:  MANUAL_PROXY

    Proxy list:   127.0.0.1:3128

    Proxy bypass: <empty>

     

    If for some service account you get a return that shows direct connection is used, like in this example for Local:

    C:\Windows\SysWOW64>bitsadmin.exe /Util /GetIEProxy "LocalService"

     

    BITSADMIN version 3.0 [ 7.6.9200 ]

    BITS administration utility.

    (C) Copyright 2000-2006 Microsoft Corp.

     

    BITSAdmin is deprecated and is not guaranteed to be available in future versions

     of Windows.

    Administrative tools for the BITS service are now provided by BITS PowerShell cm

    dlets.

     

    Current Internet proxy settings for account LocalService:

    (connection = default)

     

    Proxy usage:  NO_PROXY

     

    make sure you specify MANUAL_PROXY for this account:

    C:\Windows\SysWOW64>bitsadmin.exe /Util /SetIEProxy LocalService MANUAL_PROXY 127.0.0.1:3128 NULL

     

    BITSADMIN version 3.0 [ 7.6.9200 ]

    BITS administration utility.

    (C) Copyright 2000-2006 Microsoft Corp.

     

    BITSAdmin is deprecated and is not guaranteed to be available in future versions

     of Windows.

    Administrative tools for the BITS service are now provided by BITS PowerShell cm

    dlets.

     

    Internet proxy settings for account LocalService were set.

    (connection = default)

     

    Proxy usage set to       MANUAL_PROXY

    Proxy list set to        127.0.0.1:3128

    Proxy bypass list set to <empty>

     

    Make sure to restart Windows, seems like it is necessary (possibly, settings are applied to machine account?).

     

     

    Sure, this seems to be extremely unfriendly procedure, but it works.

     

    Once again, the problem lies in the fact that current WinHTTP "does not handle thread impersonation properly. This causes requests that require NTLM/Negotiate authentication to fail, unless credentials are explicitly given using the WinHttpSetCredentials or WinHttpSetOption functions".

     

    Shortly, start with explicitly specifying the address of your corporate proxy server in Windows Internet Explorer LAN Settings and importing them to WinHTTP service settings using

     

    netsh winhttp import proxy source=ie

     

    But when it does not help you and you still see records like

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: The server returned HTTP status code '407 (0x197)' with text 'Proxy Authentication Required'.

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: The proxy requires HTTP authentication scheme 'NTLM'.

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: Web service call failed with hr = 8024401b.

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: Current service auth scheme='None'.

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: Proxy List used: 'proxy.domain.com:port', Bypass List used: '(null)', Last Proxy used: 'proxy.domain.com:port', Last auth Schemes used: 'None'.

     

    in WindowsUpdate.log, follow this 10-step instruction, chain your local proxy server and upstream connections to your corporate proxy server.


    Well this is the world we live in And these are the hands we're given...

    • Marked as answer by Exotic Hadron Friday, November 16, 2012 9:46 AM
    Thursday, November 15, 2012 1:58 PM
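
A triage script for the WindowsUpdate.log records quoted in the post above, as an added example that is not part of the original post: it groups the WS warnings per thread and reports whether the proxy's 407 was answered with no credentials at all (auth scheme 'None') or with credentials that were rejected. The log lines are constructed after the format shown in this thread, and the verdict names are this example's own.

```python
import re

# Constructed sample, modelled on the WindowsUpdate.log lines quoted in this thread.
# Host names, thread ids and the second (credentials sent) sequence are made up.
SAMPLE_LOG = """\
2012-09-14\t22:50:09:901\t 624\t17f4\tPT\t+++++++++++  PT: Synchronizing server updates  +++++++++++
2012-09-14\t22:50:09:933\t 624\t17f4\tWS\tWARNING: The server returned HTTP status code '407 (0x197)' with text 'Proxy Authentication Required'.
2012-09-14\t22:50:09:933\t 624\t17f4\tWS\tWARNING: The proxy requires HTTP authentication scheme 'NTLM'.
2012-09-14\t22:50:09:933\t 624\t17f4\tWS\tWARNING: Web service call failed with hr = 8024401b.
2012-09-14\t22:50:09:933\t 624\t17f4\tWS\tWARNING: Current service auth scheme='None'.
2012-09-14\t22:50:09:933\t 624\t17f4\tWS\tWARNING: Proxy List used: 'proxy.example.test:8080', Bypass List used: '(null)', Last Proxy used: 'proxy.example.test:8080', Last auth Schemes used: 'None'.
2012-09-14\t22:51:30:120\t 624\t1a2c\tWS\tWARNING: The server returned HTTP status code '407 (0x197)' with text 'Proxy Authentication Required'.
2012-09-14\t22:51:30:120\t 624\t1a2c\tWS\tWARNING: The proxy requires HTTP authentication scheme 'NTLM'.
2012-09-14\t22:51:30:120\t 624\t1a2c\tWS\tWARNING: Current service auth scheme='NTLM'.
2012-09-14\t22:51:30:120\t 624\t1a2c\tWS\tWARNING: Web service call failed with hr = 8024401b.
"""

# One pattern per fact we want out of a WS warning.
FIELDS = {
    "status": re.compile(r"HTTP status code '(\d{3}) "),
    "required_scheme": re.compile(r"proxy requires HTTP authentication scheme '([^']+)'"),
    "hr": re.compile(r"failed with hr = ([0-9A-Fa-f]{8})"),
    "sent_scheme": re.compile(r"Current service auth scheme='([^']*)'"),
    "proxy": re.compile(r"Last Proxy used: '([^']*)'"),
}


def parse_line(line):
    """Split 'date time pid tid component message'; tabs or runs of spaces both work."""
    parts = line.split(None, 5)
    if len(parts) < 6:
        return None
    date, time, pid, tid, component, message = parts
    return {"when": date + " " + time, "thread": pid + "/" + tid,
            "component": component, "message": message}


def classify(record):
    """Name the failure: nothing sent to the proxy, or something sent and refused."""
    if record.get("status") != "407":
        return "OTHER"
    if record.get("sent_scheme", "None") == "None":
        return "NO_CREDENTIALS_SENT"
    return "CREDENTIALS_REJECTED"


def triage(text):
    """Return one record per failed web-service call, in log order."""
    findings, latest = [], {}
    for line in text.splitlines():
        entry = parse_line(line)
        if not entry or entry["component"] != "WS":
            continue
        if not entry["message"].startswith("WARNING"):
            continue
        for name, pattern in FIELDS.items():
            match = pattern.search(entry["message"])
            if not match:
                continue
            key = entry["thread"]
            # A status line opens a new failure for that thread.
            if name == "status" or key not in latest:
                latest[key] = {"when": entry["when"], "thread": key}
                findings.append(latest[key])
            latest[key][name] = match.group(1)
    for record in findings:
        record["verdict"] = classify(record)
    return findings


if __name__ == "__main__":
    for record in triage(SAMPLE_LOG):
        print(record["when"], record["thread"], record["verdict"],
              "proxy=" + record.get("proxy", "?"),
              "required=" + record.get("required_scheme", "?"))
```
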
  • Okay, back on topic, the workaround that worked for me to fix the issue with Network Awareness Locator service, yellow exclamation mark on the Network Connection icon in the notification area, and No internet connection state in the Details for the LAN connection is:

    Reset proxy settings for WinHTTP library:

    netsh>winhttp reset proxy

    Set proxy settings back to point to your local chained cntlm proxy:

    netsh>winhttp set proxy 127.0.0.1:3128

    (or whatever is set as a listening socket in cntlm's settings). No system restart is necessary, restarting apps is okay.


    Well this is the world we live in And these are the hands we're given...


    • Edited by Exotic Hadron Wednesday, January 23, 2013 6:02 PM
    • Marked as answer by Exotic Hadron Wednesday, January 23, 2013 6:02 PM
    Wednesday, January 23, 2013 6:01 PM

All replies

  • Hi,

    Instead of disabling Proxy, can you try to add  the url *.update.microsoft.com/v6/* to the proxy rule. Or check this post: Windows Update Error Code 8024401C on Windows 8. Please post back with the result.


    Bob Lin, MVP, MCSE & CNE Networking, Internet, Routing, VPN Troubleshooting on

    http://www.ChicagoTech.net

    How to Setup Windows, Network, VPN & Remote Access on

    http://www.howtonetworking.com

    Friday, September 7, 2012 6:11 PM
  • Hi Bob,

    Thank you for your response. Sure thing, but I am not the administrator of that proxy, and that's the problem. Or do you mean to add this line to Internet Explorer settings?

    Is it possible to patch wpad.dat locally and re-route Windows Store away from the proxy? I don't think I'll be able to manage with local network administration because they seem to use this proxy for a group of other users (that don't use Windows 8)...

    Moreover, I'd love to avoid using that proxy because direct route is MUCH faster than the one via proxy.

    By the way, your first case:

    Case 1: The issue may be caused by the proxy. Try to disable Proxy for a test.

    helps only for Windows Updates and does not work for Windows Store! That's exactly my issue: no updates and no ability to install apps with proxy and no ability to install apps without proxy.

    Looks like we are stuck here and need to wait for a fix from Microsoft. Pretty strange... how do they suppose to move corporate users to Windows 8 when there are issues like that and I am not the only one to experience this problem.

    I hope there will be a workaround or a fix soon. I don't want to move from Windows 8 because all in all it's much better than Windows 7 just because I've noticed that many things I can do much faster than I used to do on Windows 7.

    Thank you for your help.


    Well this is the world we live in And these are the hands we're given...

    Sunday, September 9, 2012 7:27 PM
  • With local test, I also found that when downloading APP in Windows Store, it called Windows update service to download and install it.

    For Windows Update service, It will try to get proxy from local Winhttp settings first;  if the local Winhttp proxy is not enabled, it may get proxy setting from WPAD, determined by the WUA caller (here it is Windows Store).

    To avoid using proxy from WPAD, you may try this and see if it is a workaround for you:

      • Run CMD with Local administrator permission.
      • Run:

    Netsh winhttp set proxy dummyproxy *.microsoft.com

    With this command line, it will set local winhttp with proxy “dummyproxy”, but set *.microsoft.com as exception.

    So WindowsUpdate will pick up Winhttp local proxy setting, but will go to *.microsoft.com directly. 


    “Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.”

    • Proposed as answer by Hugo_Andrioli Wednesday, January 8, 2014 3:41 PM
    Thursday, September 20, 2012 2:08 PM
  • Hi Kevin,

    Thank you for your response!

    >if the local Winhttp proxy is not enabled, it may get proxy setting from WPAD, determined by the WUA caller (here it is Windows Store).

    Does it mean that Windows Store will forcibly lookup DNS server to get WPAD data file despite the fact that it is told to connect via default gateway?

    > try this and see if it is a workaround for you:

    >Netsh winhttp set proxy dummyproxy *.microsoft.com

    Could you please confirm, I understand this right. This command effectively tells the WinHTTP services to ALWAYS connect to dummy address unless there are exceptions following this dummyproxy address, correct? If so, what will be with WinInet library's, which is a superset of WinHTTP (as per http://msdn.microsoft.com/en-us/library/windows/desktop/hh227297(v=vs.85).aspx), settings? Will connection calls to WinInet library be affected by this setting?


    Well this is the world we live in And these are the hands we're given...

    Friday, September 21, 2012 8:34 AM
  • Hi,

    When WUA is called by different application to scan update, the behavior to determine proxy is in this way:

    How the Windows Update client determines which proxy server to use to connect to the Windows Update Web site

    http://support.microsoft.com/?id=900935

    The dummyproxy configured by netsh is only for Winhttp service, in this case, WUA. For other application like IE using WinInet, they will not be impacted.



    Monday, September 24, 2012 6:00 AM
  • Hi, Do you have any updates for this issue, or if the command works on your server?


    Friday, September 28, 2012 6:19 AM
  • I could really do with fix for this problem as well! Anyone come up with a solution yet?

    Thanks.

    Wednesday, November 14, 2012 1:14 PM
  • Hello,

    I am sorry to have overlooked updates to this thread and haven't posted here. I have found a solution that is a workaround for WinHTTP library used by Modern apps (including Windows Store) to authenticate on your corporate NTLM-enabled proxy server.

    I have posted detailed procedure in the Windows 8 RTM still has problems with "metro" apps going through proxy servers topic thread and I am copying it here for your convenience.

    I confirm that procedure below worked in my environment, and you are free to test it for yourself.


    Well this is the world we live in And these are the hands we're given...

    Thursday, November 15, 2012 1:54 PM
  • Gentlemen, it looks like I've found a possible solution to the problem with Modern apps not working in a corporate environment with a NTLM proxy.

    I've written complete step-by-step procedure that will guide you through issues with purchasing and installing Modern apps from Windows Store when working on a Windows 8 computer in a domain environment with corporate NTLM-enabled proxy server.

    Symptoms

    When working with Modern apps, you cannot make the apps to connect to a remote location. For example, your radio apps return connection errors, your Mail app returns Offline in a top-right corner of the app display when you sync messages for the selected mailbox, or you cannot purchase apps from Windows Store, and looking into the WindowsUpdate.log (the log file that journals Windows Update and Windows Store activity) shows the log contains records like:

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: The server returned HTTP status code '407 (0x197)' with text 'Proxy Authentication Required'.

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: The proxy requires HTTP authentication scheme 'NTLM'.

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: Web service call failed with hr = 8024401b.

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: Current service auth scheme='None'.

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: Proxy List used: 'proxy.domain.com:port', Bypass List used: '(null)', Last Proxy used: 'proxy.domain.com:port', Last auth Schemes used: 'None'.

    Cause

    Unlike desktop applications such as Windows Internet Explorer, which uses WinInet library (http://msdn.microsoft.com/en-us/library/windows/desktop/aa383630(v=vs.85).aspx) to establish connections, Modern apps establish connections using WinHTTP library (http://msdn.microsoft.com/en-us/library/windows/desktop/aa382925(v=vs.85).aspx).

    You may find comparison table for these two communication libraries available at http://msdn.microsoft.com/en-us/library/windows/desktop/hh227297(v=vs.85).aspx but the main difference, I guess, is here:


    Feature: Credential Prompting
    Description: Provides an API that allows the calling code to prompt the user for credentials.
    WinInet: yes
    WinHTTP: no


    In other words, when WinInet library supports requesting connection credentials, the WinHTTP library does not. I am not a developer in either way, and I don't know if my assumptions are true, and I definitely can't understand why impersonation from threads, supported by WinHTTP library, does not work here but my guess is that WinHTTP library impersonates under some service account such as LocalSystem or WinHttpGetIEProxyConfigForCurrentUser function is NOT used in currently available Modern apps.


    That being said, I believe that the root of the problem lies in the current WinHTTP limitation (mentioned here http://msdn.microsoft.com/en-us/library/windows/desktop/aa384086(v=vs.85).aspx):

    When processing asynchronous requests, WinHTTP does not handle thread impersonation properly. This causes requests that require NTLM/Negotiate authentication to fail, unless credentials are explicitly given using the WinHttpSetCredentials or WinHttpSetOption functions.

    In other words, currently available apps, including Windows Store app, do not properly use WinHTTP library.

    Solution

    Part I

    To make your Modern apps properly authenticate on a corporate NTLM-enabled proxy server using current user credentials (that is your credentials you provided when logging into Windows 8 on the logon screen), you have to use third-party application that would authenticate connections outgoing from apps on the proxy server.

    This third-party application would be a NTLM-capable proxy server such as cntlm (cntlm.sf.net) (you may use any other proxy that can ask you for NTLM credentials required by your corporate proxy and is capable of working in a chain of proxy).

    Once installed on your local Windows 8 computer, cntlm proxy will accept outgoing anonymous connections established by Modern apps and redirect them to a parent proxy server (that is, chain to upstream proxy), that is to your corporate proxy server. This way, your Modern apps that are not capable of authenticating via NTLM protocol authenticate on a corporate proxy server without even knowing that this corporate proxy server requires explicit authentication --- cntlm will do this trick for the apps.

    Briefly, connection chain will now look as:

    Modern app (localhost) -> cntlm (localhost) -> corporate proxy (domain network) -> web service (remote end-point).

    To install local cntlm proxy, do the following:

    1. Download the cntlm proxy setup package from cntlm.sf.net (direct link to the latest version: http://sourceforge.net/projects/cntlm/files/latest/download?source=files) or any other NTLM-capable proxy server; install the setup package.

    2. Open Services snap in by pressing WindowsKey and typing 'services' (without quotes), locate and stop the Cntlm Authentication Proxy service;

    Alternatively, to stop the service type at the elevated command prompt

    sc stop cntlm

    3. Open cntlm program folder (%programfiles(x86)%\cntlm or %programfiles%\cntlm for x64 and x86 platforms correspondingly) and open cntlm.ini configuration file in the notepad.

    3.1 Specify the user account name used to authenticate on your corporate proxy server such as:

    Username Jon

    3.2 Specify authority to which your user account name is belonging, this is typically your domain name, for example:

    Domain corporation.com

    ATTENTION: If you do not know your domain/authority name used to authenticate your account name, type the following at the command prompt:

    systeminfo | findstr /B /C:Domain

    This will return a string like:

    Domain:                    corporation.com

    3.1 Comment out the Password option by preceding it with the sharp sign:

    #Password password

    because you don't want to specify your domain password in a plain text.

    3.3 Determine what version of NTLM challenge is supported by corporate proxy server.

    To do that, open the command prompt and change working directory to cntlm program folder (%programfiles(x86)%\cntlm or %programfiles%\cntlm for x64 and x86 platforms correspondingly), or simply navigate to cntlm program folder in Windows Explorer and choose File|Open command prompt.

    At the command prompt type:

    cntlm.exe -M http://google.com

    Type your domain user account password when prompted.

    This will return the most secure NTLM authentication response hash supported by your corporate proxy server.

    ATTENTION: If you want to use other types of response hashes to authenticate on a corporate proxy server (such as LM or NT, which is not recommended for security reasons if the corporate proxy server supports NTLMv2 responses), type the following:

    cntlm.exe -H

    Type your domain user account password when prompted.

    This will return all three NTLM authentication response hashes supported by cntlm proxy server.

    3.4 Copy hash string (a 16-byte [32-character] alpha-numeric string) that looks like:

    FBB7DAA8D3663EC34F199E3CF838D3BD

    This is a result of HMAC-MD5 function (NTv2 = HMAC-MD5(v2-Hash, SC, CC*), see http://en.wikipedia.org/wiki/NTLM for more details.

    3.5 Paste the copied string next to the PassNTLMv2 option (if you used NTLMv2 response returned by cntlm -H or cntlm -M commands):

    PassNTLMv2 FBB7DAA8D3663EC34F199E3CF838D3BD

    ATTENTION: Comment out all the unused responses

    #PassLM

    #PassNT

    PassNTLMv2 FBB7DAA8D3663EC34F199E3CF838D3BD

    3.6 [optional] Specify your computer name:

    Workstation computername

    3.7 Specify the IP or hostname of the corporate proxy server, for example:

    Proxy 192.0.2.2:8080

    ATTENTION: You may get the corporate proxy server address from the %systemroot%\WindowsUpdate.log log file by locating line like:

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: Proxy List used: 'proxy.domain.com:port', Bypass List used: '(null)', Last Proxy used: 'proxy.domain.com:port', Last auth Schemes used: 'None'.

    Alternatively, type the following at the command prompt:

    reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" | find /i "proxyserver"


    This command will obtain the proxy server address used by WinInet library from Windows registry.

    3.8 [optional] Specify the target network addresses that should not be routed via cntlm proxy

    NoProxy  localhost, 127.0.0.*, 10.*, 192.168.*

    3.9 Specify the local TCP port that will be used by cntlm proxy server to listen for incoming connections from Modern apps (actually from WinHTTP library), for example:

    Listen 3128

    3.10 [optional] Specify which source networks are allowed to establish incoming connection to your cntlm proxy server. Since you only install proxy to route Modern apps that run on your local computer, specify the loopback 127.0.0.0/8 network as the only allowed and prohibit connections from all other (0/0) networks:

    Allow  127.0.0.1

    Deny  0/0

    3.11 Leave all other cntlm configuration file options intact, close notepad, and save changes to the configuration file.

    ATTENTION: Because User Account Control (UAC) needs to be enabled for Modern apps to run, you may need your cntlm.ini sent to a non-prohibited location such as your My Documents folder (because %programfiles% folder is prohibited for writing under non-elevated processes). Once saved to a temporary storage, copy changed cntlm.ini file back to cntlm proxy server program folder.


    Continued in the message below.


    Well this is the world we live in And these are the hands we're given...



    Thursday, November 15, 2012 1:55 PM
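
A check of the finished cntlm.ini against the choices made in steps 3.1 to 3.10, as an added example that is not part of the original post or of cntlm: it flags a plaintext Password, enabled PassLM/PassNT hashes, and a listener that other hosts could reach. The finding names, the sample files and the 198.51.100.7 test address are constructed; first-match ACL evaluation with allow as the fallback, and loopback-only binding unless Gateway or a Listen address says otherwise, are assumptions about cntlm's behaviour.

```python
import ipaddress
import re

# Constructed cntlm.ini following steps 3.1-3.10 of the post; the hash is the
# example string quoted there, not a real credential.
GOOD_INI = """\
Username    Jon
Domain      corporation.com
#Password   password
#PassLM
#PassNT
PassNTLMv2  FBB7DAA8D3663EC34F199E3CF838D3BD
Proxy       192.0.2.2:8080
NoProxy     localhost, 127.0.0.*, 10.*, 192.168.*
Listen      3128
Allow       127.0.0.1
Deny        0/0
"""

# Constructed counter-example: plaintext password, legacy hash, exposed listener.
BAD_INI = """\
Username    Jon
Domain      corporation.com
Password    example-password
PassNT      00112233445566778899AABBCCDDEEFF
Proxy       192.0.2.2:8080
Listen      0.0.0.0:3128
Gateway     yes
"""


def parse_ini(text):
    """Return [(key, value)] in file order, skipping blank lines and '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entries.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return entries


def acl_network(spec):
    """Turn an ACL spec such as '127.0.0.1' or '0/0' into an IPv4 network."""
    addr, _, prefix = spec.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))          # '0/0' -> '0.0.0.0/0'
    return ipaddress.ip_network(".".join(octets) + "/" + (prefix or "32"), strict=False)


def acl_allows(rules, source):
    """Assumption: the first matching Allow/Deny rule wins, no match means allow."""
    ip = ipaddress.ip_address(source)
    for action, network in rules:
        if ip in network:
            return action == "allow"
    return True


def audit(text, outside_host="198.51.100.7"):
    """Return a list of finding names for one cntlm.ini; empty means nothing flagged."""
    entries = parse_ini(text)
    values = {}
    for key, value in entries:
        values.setdefault(key, []).append(value)

    findings = []
    if any(values.get("password", [])):
        findings.append("PLAINTEXT_PASSWORD")            # step: comment out Password
    for weak in ("passlm", "passnt"):
        if any(values.get(weak, [])):
            findings.append("LEGACY_HASH_" + weak[4:].upper())
    if not any(re.fullmatch(r"[0-9A-Fa-f]{32}", v) for v in values.get("passntlmv2", [])):
        findings.append("NO_VALID_PASSNTLMV2")

    # The listener is exposed if Gateway is on or Listen names a non-loopback address.
    exposed = any(v.lower() == "yes" for v in values.get("gateway", []))
    for listen in values.get("listen", []):
        host = listen.rpartition(":")[0]
        if host and host not in ("127.0.0.1", "localhost"):
            exposed = True

    rules = [(k, acl_network(v)) for k, v in entries if k in ("allow", "deny")]
    if exposed and acl_allows(rules, outside_host):
        findings.append("LISTENER_REACHABLE_FROM_NETWORK")
    if not acl_allows(rules, "127.0.0.1"):
        findings.append("LOOPBACK_DENIED")               # e.g. Deny 0/0 placed first
    return findings


if __name__ == "__main__":
    print("good:", audit(GOOD_INI))
    print("bad: ", audit(BAD_INI))
```
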

    Part II

    Continuation, see Part I above for the beginning.


    4.  Open Services snap in by pressing WindowsKey and typing 'services' (without quotes), locate and start the Cntlm Authentication Proxy service;

    Alternatively, to start the service type at the elevated command prompt

    sc start cntlm

     

    This will start cntlm proxy server's Windows service. This time the service will use settings you have specified in the cntlm.ini configuration file.

     

    5. Now this is time to specify the local cntlm proxy server you have just configured within WinHTTP library settings to make Modern app connect via cntlm proxy.

    The quickest way to do that is to import proxy settings from WinInet library settings, but before you could do that, you would need to set proxy settings for the WinInet library itself, which you can do using desktop version of Windows Internet Explorer.

     

    5.1 Start Windows Internet Explorer by clicking its icon on the taskbar. In the started Windows Internet Explorer press Alt+X to show settings menu, choose Internet Options and switch to the Connections tab in the opened Internet Options dialog box. Next click LAN Settings and set Use a proxy server for your LAN (These settings will not apply to dial-up or VPN connections) check box.

    In the Address and Port fields specify the localhost IP address and listen port correspondingly as specified in the cntlm.ini configuration file, namely:

    Address: 127.0.0.1

    Port: 3128

    Click OK to apply proxy settings to WinInet library and close Internet Explorer.

     

    6. When proxy settings are defined for the WinInet library, you are good to go with WinHTTP.

     

        6.1 Firstly, check currently used WinHTTP connection settings using Network Shell NetSH tool. To do that, start an elevated command prompt and type:

    cd "..\..\Windows\System"

    to open Windows system folder.

     

    Now execute the following command:

    netsh winhttp show proxy

     

    This will return your current proxy settings used by WinHTTP library, and hence this will show you the way it is currently used to connect to remote addresses by Modern apps:

     

    Current WinHTTP proxy settings:

    Direct access (no proxy server).

     

    Most likely, you will see that your Modern apps are connecting directly, that is connections go from your local computer to the default gateway (an IP address such as 192.0.2.1 provided that your computer is located within the 192.0.2.0/24 private subnet).

    If you are using 64-bit Windows 8 on a x64 platform, check settings with 32-bit version of NetSh tool located in SysWOW64 folder. When in the System folder, type

     

    cd ..\SysWOW64

     

    to change to SysWOW64 folder and then execute

     

    netsh winhttp show proxy

     

    This will return the same settings:

     

    Current WinHTTP proxy settings:

    Direct access (no proxy server).

     

    ATTENTION: To be doubly sure direct settings are used when impersonating under different user accounts, including service accounts, such as LocalService, Local System, Network Service, and your Microsoft account such as username@live.com or username@outlook.com provided that you have connected your domain user account to your Microsoft account (formerly known as Windows Live ID or WLID account).

     

    6.2 To check WinHTTP library connection settings under different accounts, use PSExec tool from SysInternals.

    Download Sysinternals Suite zip file from http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx and unpack it to %ProgramFiles%\Sysinternals\. Open elevated command prompt and type:

     

    cd "..\..\Program Files\SysInternals"

     

    to navigate to SysInternals program folder.

     

    6.2.1 To interactively start command prompt window with LocalSystem privileges type

    PsExec.exe /s /i cmd

     

    Check that command prompt is running under LocalSystem privileges, type:

    whoami

     

    You should get

    nt authority\system

     

    To verify  WinHTTP library settings when it impersonates under LocalSystem, type:

     

    netsh winhttp show proxy

     

    both for 64-bit and 32-bit flavors of the Network Shell just as you did in bullet item 6.1

     

    Close started interactive command prompt running under LocalSystem and return back to the elevated command prompt opened in the %Program Files%\SysInternals\ working directory.

     

    6.2.1 To interactively start command prompt window with Network Service privileges type

    PsExec.exe /i /u "NT AUTHORITY\NETWORKSERVICE" "cmd"

     

    Check that command prompt is running under  Network Service privileges, type:

    whoami

     

    You should get

    nt authority\network service

     

    To verify  WinHTTP library settings when it impersonates under  Network Service, type:

     netsh winhttp show proxy

     

    both for 64-bit and 32-bit flavors of the Network Shell just as you did in bullet item 6.1

     

    Close started interactive command prompt running under  Network Service and return back to the elevated command prompt opened in the %Program Files%\SysInternals\ working directory.

     

    6.2.2 To interactively start command prompt window with Local Service privileges type

    PsExec.exe /i /u "NT AUTHORITY\LOCALSERVICE" "cmd"

     

    Check that command prompt is running under Local Service privileges, type:

    whoami

     

    You should get

    nt authority\local service

     

    To verify  WinHTTP library settings when it impersonates under Local Service, type:

     netsh winhttp show proxy

     

    both for 64-bit and 32-bit flavors of the Network Shell just as you did in bullet item 6.1

     

    Close started interactive command prompt running under Local Service and return back to the elevated command prompt opened in the %Program Files%\SysInternals\ working directory.

     

    6.2.3 To interactively start command prompt window with privileges of your Microsoft account press WindowsKey and type cmd.

    Right-click the command prompt icon and choose Open file location from the bar.

    In the opened Windows Explorer window right-click command prompt shortcut when holding Shift key pressed and choose Run as different user. In the Windows Security dialog choose Microsoft account. Specify your Microsoft account credentials.

     

    Check that command prompt is running under Microsoft account privileges, type:

    whoami

     

    You should get

    computername\microsoftaccountlogin

     

    (where computername and microsoftaccountlogin will substitute for your actual computer name and account name used on Live services)

     

    To verify  WinHTTP library settings when it impersonates under Local Service, type:

     netsh winhttp show proxy

     

    both for 64-bit and 32-bit flavors of the Network Shell just as you did in bullet item 6.1

    Close started interactive command prompt running under Local Service and return back to the elevated command prompt opened in the %Program Files%\SysInternals\ working directory.

      

    7. Now import connection settings from WinInet library to WinHTTP library.

     

    Repeat all steps on the step 6 and its minor steps, but do use the following command that will import connection settings:

     netsh winhttp import proxy source=ie

     

    Do that for both flavors of Network Shell.

    Repeat step 6 and its minor steps when finished to confirm your cntlm proxy server is specified within WinHTTP library connection settings.


    Well this is the world we live in And these are the hands we're given...

    • Marked as answer by Exotic Hadron Friday, November 16, 2012 9:46 AM
    Thursday, November 15, 2012 1:57 PM
  • Part III

    Continuation, see Part II above for the beginning.

     
    8. By default, each Modern app runs in a separate container and so applies to its network connections. Connection isolation is performed by Network Isolation.

    Network Isolation uses its own proxy autodiscovery feature to discover proxy server to use for connecting Modern apps. This autodiscovery feature (please correct me here) is different to WPAD (Web Proxy Auto Discovery) protocol used by desktop applications.

     

    To make sure your Modern apps connect through your specified proxy server, set local group policy.

     

    8.1     Press WindowsKey+R to open Run dialog box and type gpedit.msc to start Local Group Policy Editor.

     

    8.2 In the Local Group Policy Editor window right-click Administrative Templates folder under Computer Configuration and choose Filter options.

     

    8.3 In the Filter Options dialog box type 'proxy' (without quotes) in the Filter for word(s) field and choose Any in the drop-down list. Make sure all checkboxes are set for Within to make the filter apply to settings that have 'proxy' keyword in policy name, description, or help.

     

    8.4 Set the Enable Keyword Filters check box and click OK to apply the filter.

     

    8.5 Expand the Administrative Templates folder under Computer Configuration and click All Settings to display all policies related to configuring proxy settings.

     

    8.6 In the right results panel find the following policies

     

    Internet proxy servers for apps

    Intranet proxy servers for apps

     

    and  enable them.

     

    8.7 To enable a proxy policy, double click it and choose Enabled. Specify a local proxy server address such as 127.0.0.1:3128 (just as specified in the WinHTTP library settings) in the Domain proxies field and click OK.

     

    8.8 Enable the Proxy definitions are authoritative policy to make sure your local proxy server is a preferred proxy should your corporate proxy be discovered by Windows Network Isolation automatic proxy discovery.

     

    8.9 Press WindowsKey+R and type gpupdate /force to forcibly apply changes to local Group Policy settings.

     

    9. Because of enhanced security measures implemented in Windows 8, Modern apps run isolated in application containers. Let me quote Eric Lawrence:

    "Metro-style applications run inside isolated processes known as “AppContainers,” and by default, AppContainers are forbidden from sending network traffic to the local computer (loopback). This is, of course, problematic when debugging with Fiddler, as Fiddler is a proxy server which runs on the local computer. The post went on to explain how the CheckNetIsolation tool can be used to permit an AppContainer to send traffic to the local computer. However, using CheckNetIsolation is pretty cumbersome—it requires that you know the AppContainer’s name or security ID, and you must configure each AppContainer individually. To resolve those difficulties, I have built a GUI tool that allows you to very easily reconfigure an AppContainer to enable loopback traffic. This tool requires Windows 8 and runs on the .NET Framework v4. When launched, the utility scans your computer’s AppContainers and displays them in a list view. Each entry has a checkbox to the left of it, indicating whether the AppContainer may send loopback traffic. You can toggle these checkboxes individually, or use the buttons at the top to set all of the checkboxes at once. Click Save Changes to commit the configuration changes you’ve made, or click Refresh to reload the current configuration settings.

    After you install the EnableLoopback Utility, a new “Win8 Loopback Exemptions” item is added to Fiddler’s Tools menu; clicking this item launches the utility. To make changes to the exemption list, you must elevate to Administrator."

     

    9.1 Download and install the Enable Loopback tool by Eric Lawrence from http://blogs.msdn.com/b/fiddler/archive/2011/12/10/fiddler-windows-8-apps-enable-loopback-network-isolation-exemption.aspx

     

    9.2 After installing run it with elevated privileges and exempt necessary apps.

    To exempt an app, find the app in the app list within the AppContainer Loopback Exemption Utility and set a check box next to app name and click Save changes.

    If you had selected app opened, close the app by tapping and dragging it down to the bottom of the screen or move the mouse pointer to the top of the app display, wait until the pointer will turn from arrow to and drag the app screen with the mouse.

    Start the app again. It will now be exempted and will connect via your local cntlm proxy server.

     

    IMPORTANT: DO NOT EXEMPT your SkyDrive app if you are using it with your Microsoft Office 365 2013 ProPlus, or it will render it impossible for Office apps to open your documents from SkyDrive. Most likely, you will face with an error described in this my post at Microsoft forums: http://social.technet.microsoft.com/Forums/en-US/w8itprogeneral/thread/a87dd6ce-6339-4677-a9e1-27a4903a8b8f

     

    10. Finally, make sure apps that are delivered from Windows Store are downloaded via local cntlm proxy.

    Like Windows Update, Windows Store uses BITS (Background Intelligent Transfer Service) to create download jobs and download purchased APPX Modern app packages from Windows Store.

    You may use BITSADMIN tool (or a dedicated PowerShell cmdlet) to make sure BITS transfers are made through manually specified cntlm proxy server:

     

    Also, make sure BITS service is routed via local proxy:

    C:\Windows\SysWOW64>bitsadmin.exe /Util /GetIEProxy "LocalService"

     

    BITSADMIN version 3.0 [ 7.6.9200 ]

    BITS administration utility.

    (C) Copyright 2000-2006 Microsoft Corp.

     

    BITSAdmin is deprecated and is not guaranteed to be available in future versions

     of Windows.

    Administrative tools for the BITS service are now provided by BITS PowerShell cm

    dlets.

     

    Current Internet proxy settings for account LocalService:

    (connection = default)

     

    Proxy usage:  MANUAL_PROXY

    Proxy list:   127.0.0.1:3128

    Proxy bypass: <empty>

     

    C:\Windows\SysWOW64>bitsadmin.exe /Util /GetIEProxy "LocalSystem"

     

    BITSADMIN version 3.0 [ 7.6.9200 ]

    BITS administration utility.

    (C) Copyright 2000-2006 Microsoft Corp.

     

    BITSAdmin is deprecated and is not guaranteed to be available in future versions

     of Windows.

    Administrative tools for the BITS service are now provided by BITS PowerShell cm

    dlets.

     

    Current Internet proxy settings for account LocalSystem:

    (connection = default)

     

    Proxy usage:  MANUAL_PROXY

    Proxy list:   127.0.0.1:3128

    Proxy bypass: <empty>

     

    C:\Windows\SysWOW64>bitsadmin.exe /Util /GetIEProxy "NetworkService"

     

    BITSADMIN version 3.0 [ 7.6.9200 ]

    BITS administration utility.

    (C) Copyright 2000-2006 Microsoft Corp.

     

    BITSAdmin is deprecated and is not guaranteed to be available in future versions

     of Windows.

    Administrative tools for the BITS service are now provided by BITS PowerShell cm

    dlets.

     

    Current Internet proxy settings for account NetworkService:

    (connection = default)

     

    Proxy usage:  MANUAL_PROXY

    Proxy list:   127.0.0.1:3128

    Proxy bypass: <empty>

     

    If for some service account you get a return that shows direct connection is used, like in this example for Local:

    C:\Windows\SysWOW64>bitsadmin.exe /Util /GetIEProxy "LocalService"

     

    BITSADMIN version 3.0 [ 7.6.9200 ]

    BITS administration utility.

    (C) Copyright 2000-2006 Microsoft Corp.

     

    BITSAdmin is deprecated and is not guaranteed to be available in future versions

     of Windows.

    Administrative tools for the BITS service are now provided by BITS PowerShell cm

    dlets.

     

    Current Internet proxy settings for account LocalService:

    (connection = default)

     

    Proxy usage:  NO_PROXY

     

    make sure you specify MANUAL_PROXY for this account:

    C:\Windows\SysWOW64>bitsadmin.exe /Util /SetIEProxy LocalService MANUAL_PROXY 127.0.0.1:3128 NULL

     

    BITSADMIN version 3.0 [ 7.6.9200 ]

    BITS administration utility.

    (C) Copyright 2000-2006 Microsoft Corp.

     

    BITSAdmin is deprecated and is not guaranteed to be available in future versions

     of Windows.

    Administrative tools for the BITS service are now provided by BITS PowerShell cm

    dlets.

     

    Internet proxy settings for account LocalService were set.

    (connection = default)

     

    Proxy usage set to       MANUAL_PROXY

    Proxy list set to        127.0.0.1:3128

    Proxy bypass list set to <empty>

     

    Make sure to restart Windows, seems like it is necessary (possibly, settings are applied to machine account?).

     

     

    Sure, this seems to be an extremely unfriendly procedure, but it works.

     

    Once again, the problem lies in the fact that current WinHTTP "does not handle thread impersonation properly. This causes requests that require NTLM/Negotiate authentication to fail, unless credentials are explicitly given using the WinHttpSetCredentials or WinHttpSetOption functions".

     

    In short, start by explicitly specifying the address of your corporate proxy server in Windows Internet Explorer LAN Settings and importing it into the WinHTTP service settings using

     

    netsh winhttp import proxy source=ie

     

    But when it does not help you and you still see records like

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: The server returned HTTP status code '407 (0x197)' with text 'Proxy Authentication Required'.

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: The proxy requires HTTP authentication scheme 'NTLM'.

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: Web service call failed with hr = 8024401b.

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: Current service auth scheme='None'.

    012-09-14      22:50:09:933     624    17f4    WS      WARNING: Proxy List used: 'proxy.domain.com:port', Bypass List used: '(null)', Last Proxy used: 'proxy.domain.com:port', Last auth Schemes used: 'None'.

     

    in WindowsUpdate.log, follow this 10-step instruction, chain your local proxy server and upstream connections to your corporate proxy server.


    Well this is the world we live in And these are the hands we're given...

    • Marked as answer by Exotic Hadron Friday, November 16, 2012 9:46 AM
    Thursday, November 15, 2012 1:58 PM
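
A check for the end state of the procedure in the answer above, as an added example that is not part of the original post: it parses `bitsadmin /util /getieproxy` output for the three service accounts and pairs the NTLM warning in WindowsUpdate.log with the proxy and auth scheme that were actually used. The function names, the `$Live` toggle and the sample lines are constructed for illustration; `127.0.0.1:3128` is the cntlm listener address used in the post.

```powershell
# Added example, not code from the thread. Function names and sample lines are
# constructed; 127.0.0.1:3128 is the cntlm listener address used in the post.
$ExpectedProxy = '127.0.0.1:3128'
$Live = $false   # set to $true to query this machine instead of the samples

# Parse the text printed by `bitsadmin /util /getieproxy <account>`.
function ConvertFrom-BitsProxyOutput {
    param([string]$Account, [string[]]$Lines)
    $usage = $null; $list = $null; $bypass = $null
    foreach ($line in $Lines) {
        if     ($line -match '^\s*Proxy usage:\s*(\S+)')        { $usage  = $Matches[1] }
        elseif ($line -match '^\s*Proxy list:\s*(\S.*?)\s*$')   { $list   = $Matches[1] }
        elseif ($line -match '^\s*Proxy bypass:\s*(\S.*?)\s*$') { $bypass = $Matches[1] }
    }
    [pscustomobject]@{ Account = $Account; Usage = $usage; ProxyList = $list; Bypass = $bypass }
}

# Compare one account with the state the procedure is meant to produce.
function Test-BitsProxySetting {
    param($Setting, [string]$ExpectedProxy)
    $problem = $null
    if ($Setting.Usage -ne 'MANUAL_PROXY') {
        $problem = "usage is '$($Setting.Usage)', expected MANUAL_PROXY"
    } elseif ($Setting.ProxyList -ne $ExpectedProxy) {
        $problem = "proxy list is '$($Setting.ProxyList)', expected $ExpectedProxy"
    } elseif ($Setting.Bypass -and $Setting.Bypass -ne '<empty>') {
        $problem = "bypass list '$($Setting.Bypass)' sends some hosts around the proxy"
    }
    [pscustomobject]@{ Account = $Setting.Account; Ok = ($null -eq $problem); Detail = $problem }
}

# Pair each "proxy requires scheme X" warning in WindowsUpdate.log with the
# summary line that records which proxy was used and which scheme was offered.
function Get-WuProxyAuthFailure {
    param([string[]]$Lines)
    $required = $null
    foreach ($line in $Lines) {
        if ($line -match "requires HTTP authentication scheme '([^']+)'") {
            $required = $Matches[1]
        } elseif ($line -match "Proxy List used: '([^']*)'.*Last auth Schemes used: '([^']*)'") {
            [pscustomobject]@{
                Time     = ($line.Trim() -split '\s+')[0..1] -join ' '
                Proxy    = $Matches[1]
                Required = $required
                Offered  = $Matches[2]
            }
            $required = $null
        }
    }
}

# Constructed samples modelled on the output quoted in the post; LocalService is
# left on NO_PROXY to show the failing case.
$SampleBits = @{
    LocalSystem    = 'Proxy usage:  MANUAL_PROXY', 'Proxy list:   127.0.0.1:3128', 'Proxy bypass: <empty>'
    LocalService   = @('Proxy usage:  NO_PROXY')
    NetworkService = 'Proxy usage:  MANUAL_PROXY', 'Proxy list:   127.0.0.1:3128', 'Proxy bypass: <empty>'
}
$SampleLog = @(
    "2012-09-14 22:50:09:933  624 17f4 WS WARNING: The server returned HTTP status code '407 (0x197)' with text 'Proxy Authentication Required'."
    "2012-09-14 22:50:09:933  624 17f4 WS WARNING: The proxy requires HTTP authentication scheme 'NTLM'."
    "2012-09-14 22:50:09:933  624 17f4 WS WARNING: Proxy List used: 'proxy.domain.com:port', Bypass List used: '(null)', Last Proxy used: 'proxy.domain.com:port', Last auth Schemes used: 'None'."
)

# 1. BITS proxy settings for the three built-in service accounts.
$bitsReport = foreach ($account in 'LocalSystem', 'LocalService', 'NetworkService') {
    if ($Live) {
        $lines = & bitsadmin.exe /util /getieproxy $account
    } else {
        $lines = $SampleBits[$account]
    }
    $setting = ConvertFrom-BitsProxyOutput -Account $account -Lines $lines
    Test-BitsProxySetting -Setting $setting -ExpectedProxy $ExpectedProxy
}
$bitsReport | Format-Table -AutoSize

# 2. Proxy authentication failures recorded by Windows Update
#    (%systemroot%\WindowsUpdate.log is the plain-text log the post reads).
if ($Live) {
    $log = Get-Content (Join-Path $env:SystemRoot 'WindowsUpdate.log')
} else {
    $log = $SampleLog
}
Get-WuProxyAuthFailure -Lines $log | Format-Table -AutoSize

# 3. Live only: BITS jobs for these accounts go to whatever owns this loopback
#    port, so confirm the listener is the cntlm service and not another process.
if ($Live) {
    $port = [int](($ExpectedProxy -split ':')[-1])
    Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort,
            @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess).ProcessName } } |
        Format-Table -AutoSize
}
```

A row with `Required` of `NTLM` and `Offered` of `None` is the condition the post works around by chaining cntlm to the corporate proxy.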
  • Hi!

    I've tried the solution with cntlm and all those 10 steps and for the first time my Windows Store started to work and even showed available updates for built-in Modern Apps and also Windows Update started to go fine.

    But after reboot I've noticed that Windows shows that I have 'No Internet access' - yellow exclamation mark on the Network connection icon in tray.

    Windows Store and others are showing me that my PC isn't connected to Internet while all other software and even Windows Update are working fine.

    I've checked all the settings and it seems that Network Awareness Service can't check Internet connectivity and reports to Modern Apps that there is no Internet available.

    What can go wrong?

    Wednesday, January 23, 2013 11:40 AM
  • Alex, thanks for raising this.

    I wish I knew the answer. The problem is, I started experiencing this problem myself in late December. I even DISABLED the policy to use the proxy at all, but it seems like the problem persists.

    In effect, now I have some apps working, where some don't. This worked since September without problems. Looks to be an update that quirked Network Awareness.

    I'm trying to resolve this, but nothing helps for the time being. I am stuck here...

    How did you get to know the issue with Network Awareness? Or did you just guess this? I mean, I too understand that the cause is that Network Awareness can't probe the Internet (if you open Details for your Network connection, you'll notice it is showing No Internet Access).

    Heck, that's the issue! I thought that was only me, but it looks like the problem is still there. Possibly we should disable proxy settings for WinHTTP and re-set other settings...


    Well this is the world we live in And these are the hands we're given...


    Wednesday, January 23, 2013 12:39 PM
  • Hello again.

    The solution with cntlm and your guide was working until I used and installed some Windows and Office updates, this is my only guess for reasons that made Windows think that I have no internet access. Because I wasn't rebooting after I made all these steps - I started updating Windows and rebooted only after all selected updates were installed. Will try to remove all newly installed updates for Windows, maybe it would help.

    What are the default proxy settings for NETWORKSERVICE, LOCALSYSTEM and LOCALSERVICE accounts - NO_PROXY or AUTODETECT?

    Wednesday, January 23, 2013 12:53 PM
  • Alex,

    I have just tried resetting my TCP/IP stack (that is winsock) and winhttp setting.

    At least setting WinHTTP to use direct access helped with Network Awareness immediately.

    Do the following in the elevated command prompt:

    1. netsh winhttp show proxy

    That would show your current proxy like:

    netsh>winhttp show proxy
    
    Current WinHTTP proxy settings:
    
        Proxy Server(s) :  127.0.0.1:3128
        Bypass List     :  (none)

    2. netsh winhttp reset proxy

    This will reset proxy for WinHTTP and return:

    netsh>winhttp reset proxy
    
    Current WinHTTP proxy settings:
    
        Direct access (no proxy server).

    3. Open Services snap-in and restart the Network Location Awareness service, or just run at the command prompt:

    sc stop NlaSvc && sc start NlaSvc

    You'll immediately notice, the yellow exclamation mark has disappeared from the Network connection icon in the notification area and the network status in the Networks bar will change from Limited to Connected.


    Well this is the world we live in And these are the hands we're given...

    Wednesday, January 23, 2013 1:22 PM
  • Alex, as far as I remember, this should be AUTODETECT for every: NetworkService, LocalService, LocalSystem.


    Well this is the world we live in And these are the hands we're given...

    Wednesday, January 23, 2013 1:34 PM
  • It looks like MSFT has fixed this issue. At least, I made sure my WinHTTP is configured for Direct access (no proxy server), and I managed to successfully update my apps via Microsoft Store.

    I haven't changed anything for BITS service though. It's configured to connect through my local proxy server under all user accounts.


    Well this is the world we live in And these are the hands we're given...

    Wednesday, January 23, 2013 1:39 PM
  • What did you mean under MSFT?

    Regarding BITS: you left NETWORKSERVICE, LOCALSERVICE and LOCALSYSTEM accounts configured to use cntlm's proxy?
    • Edited by Alex Zed Wednesday, January 23, 2013 2:44 PM
    Wednesday, January 23, 2013 2:40 PM
  • I will try this workaround tomorrow and will report about success or failure, hope this will fix my No Internet access trouble.

    How to reset winsock stack?

    Wednesday, January 23, 2013 2:42 PM
  • A little update...

    For some reason, that only worked for updating apps. All updates installed just fine with Direct access specified for the WinHTTP library. However, when it comes to installing new apps, you get the same notorious 0x8024401c error code with This app wasn't installed --- view details.


    Well this is the world we live in And these are the hands we're given...

    • Proposed as answer by MikeRichie Tuesday, November 12, 2013 4:40 PM
    • Unproposed as answer by MikeRichie Tuesday, November 12, 2013 4:40 PM
    Wednesday, January 23, 2013 2:53 PM
  • Alex, you can reset Windows socket library using:

    netsh winsock reset

    But you don't have to. Don't do that. It's not necessary, as resetting WinHTTP settings with

    netsh>winhttp reset proxy

    is enough. You don't even need to restart your PC.

    Well this is the world we live in And these are the hands we're given...

    Wednesday, January 23, 2013 4:20 PM
  • Okay, thanks for explanation - you saved me time, will try this tomorrow - stay in touch.

    BTW, don't you mind if I will translate your guide into Russian?

    Wednesday, January 23, 2013 5:08 PM
  • Alex, no objections. ))

    Well this is the world we live in And these are the hands we're given...

    Wednesday, January 23, 2013 5:23 PM
  • BTW, Exotic - is it right that Windows 8 queries different update servers than Windows 7 or earlier?

    My corporate proxy administrator would like to set-up our ISA server ready for Windows 8 clients and it looks like we need to add

    *fe1.ws.microsoft.com/v6*

    to proxy by-pass rules to let clients use Windows Update via ISA proxy.

    Wednesday, January 23, 2013 5:35 PM
  • From what I see with %systemroot%\WindowsUpdate.log, you are perfectly right. But there must be some other web addresses of the web services you have to configure in your ISA Server rules. Some of the addresses listed in WindowsUpdate.log belong to those web services used by Store app.


    Well this is the world we live in And these are the hands we're given...

    Wednesday, January 23, 2013 5:52 PM
  • Okay, back on topic, the workaround that worked for me to fix the issue with Network Awareness Locator service, yellow exclamation mark on the Network Connection icon in the notification area, and No internet connection state in the Details for the LAN connection is:

    Reset proxy settings for WinHTTP library

    netsh>winhttp reset proxy

    Set proxy settings back to point to your local chained cntlm proxy:

    netsh>winhttp set proxy 127.0.0.1:3128

    (or whatever is set as a listening socket in cntlm's settings). No system restart is necessary, restarting apps is okay.


    Well this is the world we live in And these are the hands we're given...


    • Edited by Exotic Hadron Wednesday, January 23, 2013 6:02 PM
    • Marked as answer by Exotic Hadron Wednesday, January 23, 2013 6:02 PM
    Wednesday, January 23, 2013 6:01 PM
  • Okay, back to the Windows 8 proxy hell :)

    I tried to reset proxy using netsh winhttp reset proxy and then to set it to my cntlm's local proxy via netsh winhttp set proxy 127.0.0.1:3128, after that I've restarted NlaSvc - no luck. Still I got message - No internet access, Windows Store tells me that my PC isn't connected to Internet etc.

    Okay, I did netsh winhttp reset proxy again, then restarted NlaSvc. Yellow exclamation mark on Network connection disappeared in few moments.

    I've tried Windows Store and its working, then I've tried to update some built-in app - it updated without any troubles. 

    But I can't install any new app in Windows Store - I am getting this message - "Your purchase couldn't be completed. Something happened and your purchase can't be completed"

    Why does this happen?

    In the Application Event Log section I got the following messages that are related to my attempts to install a new app:

    1) 

    The description for Event ID 0 from source cntlm cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    
    If the event originated on another computer, the display information had to be saved with the event.
    
    The following information was included with the event: 
    
    cntlm: PID 1484: 127.0.0.1 CONNECT lic.apps.microsoft.com:443

    2)

    Fault bucket , type 0
    Event Name: WindowsUpdateFailure2
    Response: Not available
    Cab Id: 0
    
    Problem signature:
    P1: 7.8.9200.16465
    P2: 8024401c
    P3: 00000000-0000-0000-0000-000000000000
    P4: Scan
    P5: 101
    P6: Unmanaged
    P7: 0
    P8: 
    P9: 
    P10: 
    
    Attached files:
    
    These files may be available here:
    
    
    Analysis symbol: 
    Rechecking for solution: 0
    Report Id: f0b32d16-65e1-11e2-be77-001a4d59944e
    Report Status: 262144
    Hashed bucket: 

    3)

    Fault bucket , type 0
    Event Name: WindowsUpdateFailure2
    Response: Not available
    Cab Id: 0
    
    Problem signature:
    P1: 7.8.9200.16465
    P2: 8024401c
    P3: 00000000-0000-0000-0000-000000000000
    P4: Scan
    P5: 101
    P6: Unmanaged
    P7: 0
    P8: 
    P9: 
    P10: 
    
    Attached files:
    
    These files may be available here:
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_7.8.9200.16465_1e91a1addf42e4569bb1679b251596615f1752da_cab_0ba1da86
    
    Analysis symbol: 
    Rechecking for solution: 0
    Report Id: f0b32d16-65e1-11e2-be77-001a4d59944e
    Report Status: 4

    4)

    The description for Event ID 0 from source cntlm cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    
    If the event originated on another computer, the display information had to be saved with the event.
    
    The following information was included with the event: 
    
    cntlm: PID 1484: 127.0.0.1 CONNECT watson.telemetry.microsoft.com:443

    These 4 messages are related to the attempt to install any new app inside Windows Store. What the hell is with them?

    Thursday, January 24, 2013 4:58 AM
  • I've tried to reset proxy and set it to local back but still can't install any new app - I am only able to update any apps already installed.

    EDIT:

    I've tried to update built-in apps in a row and finally got an error 0x80070005 at their update.

    Trying to run this troubleshooter: http://download.microsoft.com/download/F/2/4/F24D0C03-4181-4E5B-A23B-5C3A6B5974E3/apps.diagcab

    Tried that troubleshooter and it didn't help, still 0x80070005 error when updating any app in Windows Store.
    • Edited by Alex Zed Thursday, January 24, 2013 5:21 AM
    Thursday, January 24, 2013 5:00 AM
  • So, I've let winhttp proxy to be set to my local one and rebooted PC. After reboot No internet access state of network connection returned.

    I've reset winhttp proxy and restarted NlaSvc - I've got internet access. But when I am trying to update built-in apps like 'Maps' I am getting error 0x8024401C

    Thursday, January 24, 2013 5:39 AM
  • Here are cntlm's Event Log records that are related to attempts to update an app in Windows Store:

    The description for Event ID 0 from source cntlm cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    
    If the event originated on another computer, the display information had to be saved with the event.
    
    The following information was included with the event: 
    
    cntlm: PID 1464: 127.0.0.1 CONNECT services.apps.microsoft.com:443
    

    The description for Event ID 0 from source cntlm cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    
    If the event originated on another computer, the display information had to be saved with the event.
    
    The following information was included with the event: 
    
    cntlm: PID 1464: 127.0.0.1 CONNECT wscont.apps.microsoft.com:443
    The description for Event ID 0 from source cntlm cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    
    If the event originated on another computer, the display information had to be saved with the event.
    
    The following information was included with the event: 
    
    cntlm: PID 1464: 127.0.0.1 HEAD http://fg.v4.a.dl.ws.microsoft.com/dl/content/a/6/updt/2012/10/6ec87074-5050-4e94-b19d-aceba1922106_4e2dfb4dc0fd6399a1fb344bbb8a28d62bbec056.appx?P1=1359005336&P2=1&P3=1&P4=Cz4c8XKuPiNWQSSbun8tVH6r%2fq4%3d
    The description for Event ID 0 from source cntlm cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    
    If the event originated on another computer, the display information had to be saved with the event.
    
    The following information was included with the event: 
    
    cntlm: PID 1464: 127.0.0.1 HEAD http://fg.v4.a.dl.ws.microsoft.com/dl/content/a/6/updt/2012/10/6ec87074-5050-4e94-b19d-aceba1922106_4e2dfb4dc0fd6399a1fb344bbb8a28d62bbec056.appx?P1=1359005336&P2=1&P3=1&P4=Cz4c8XKuPiNWQSSbun8tVH6r%2fq4%3d
    

    The description for Event ID 0 from source cntlm cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    
    If the event originated on another computer, the display information had to be saved with the event.
    
    The following information was included with the event: 
    
    cntlm: PID 1464: 127.0.0.1 HEAD http://fg.v4.a.dl.ws.microsoft.com/dl/content/a/6/updt/2012/10/6ec87074-5050-4e94-b19d-aceba1922106_4e2dfb4dc0fd6399a1fb344bbb8a28d62bbec056.appx?P1=1359005336&P2=1&P3=1&P4=Cz4c8XKuPiNWQSSbun8tVH6r%2fq4%3d
    

    The description for Event ID 0 from source cntlm cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    
    If the event originated on another computer, the display information had to be saved with the event.
    
    The following information was included with the event: 
    
    cntlm: PID 1464: 127.0.0.1 HEAD http://fg.v4.a.dl.ws.microsoft.com/dl/content/a/6/updt/2012/10/6ec87074-5050-4e94-b19d-aceba1922106_4e2dfb4dc0fd6399a1fb344bbb8a28d62bbec056.appx?P1=1359005336&P2=1&P3=1&P4=Cz4c8XKuPiNWQSSbun8tVH6r%2fq4%3d

    The description for Event ID 0 from source cntlm cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    
    If the event originated on another computer, the display information had to be saved with the event.
    
    The following information was included with the event: 
    
    cntlm: PID 1464: 127.0.0.1 HEAD http://fg.v4.a.dl.ws.microsoft.com/dl/content/a/6/updt/2012/10/6ec87074-5050-4e94-b19d-aceba1922106_4e2dfb4dc0fd6399a1fb344bbb8a28d62bbec056.appx?P1=1359005336&P2=1&P3=1&P4=Cz4c8XKuPiNWQSSbun8tVH6r%2fq4%3d

    The description for Event ID 0 from source cntlm cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    
    If the event originated on another computer, the display information had to be saved with the event.
    
    The following information was included with the event: 
    
    cntlm: PID 1464: 127.0.0.1 HEAD http://fg.v4.a.dl.ws.microsoft.com/dl/content/a/6/updt/2012/10/6ec87074-5050-4e94-b19d-aceba1922106_4e2dfb4dc0fd6399a1fb344bbb8a28d62bbec056.appx?P1=1359005336&P2=1&P3=1&P4=Cz4c8XKuPiNWQSSbun8tVH6r%2fq4%3d

    Fault bucket , type 0
    Event Name: WindowsUpdateFailure2
    Response: Not available
    Cab Id: 0
    
    Problem signature:
    P1: 7.8.9200.16465
    P2: 8024401c
    P3: B0C443E3-4514-484A-BBCA-816755206822
    P4: Download
    P5: 101
    P6: Unmanaged
    P7: 0
    P8: 
    P9: 
    P10: 
    
    Attached files:
    
    These files may be available here:
    
    
    Analysis symbol: 
    Rechecking for solution: 0
    Report Id: 4f514a6d-65e7-11e2-be78-001a4d59944e
    Report Status: 262144
    Hashed bucket: 

    Fault bucket , type 0
    Event Name: WindowsUpdateFailure2
    Response: Not available
    Cab Id: 0
    
    Problem signature:
    P1: 7.8.9200.16465
    P2: 8024401c
    P3: B0C443E3-4514-484A-BBCA-816755206822
    P4: Download
    P5: 101
    P6: Unmanaged
    P7: 0
    P8: 
    P9: 
    P10: 
    
    Attached files:
    
    These files may be available here:
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_7.8.9200.16465_d48dbd8ce5391eaa3cb2ac27ae1c7b5bec9e46f9_cab_03bae09e
    
    Analysis symbol: 
    Rechecking for solution: 0
    Report Id: 4f514a6d-65e7-11e2-be78-001a4d59944e
    Report Status: 4
    Hashed bucket: 

    The description for Event ID 0 from source cntlm cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    
    If the event originated on another computer, the display information had to be saved with the event.
    
    The following information was included with the event: 
    
    cntlm: PID 1464: 127.0.0.1 CONNECT watson.telemetry.microsoft.com:443

    Fault bucket -861334027, type 5
    Event Name: WindowsUpdateFailure2
    Response: Not available
    Cab Id: 0
    
    Problem signature:
    P1: 7.8.9200.16465
    P2: 8024401c
    P3: B0C443E3-4514-484A-BBCA-816755206822
    P4: Download
    P5: 101
    P6: Unmanaged
    P7: 0
    P8: 
    P9: 
    P10: 
    
    Attached files:
    
    These files may be available here:
    C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_7.8.9200.16465_d48dbd8ce5391eaa3cb2ac27ae1c7b5bec9e46f9_0ea2e86a
    
    Analysis symbol: 
    Rechecking for solution: 0
    Report Id: 4f514a6d-65e7-11e2-be78-001a4d59944e
    Report Status: 0
    Hashed bucket: 2e3c178cf9f9a7ace1149b93f3e76e0e


    Thursday, January 24, 2013 5:43 AM
  • Tried to set winhttp proxy back to cntlm's one - no luck, still can't update apps in Windows Store :(
    Thursday, January 24, 2013 5:47 AM
  • Alex,

    >I tried to reset proxy using netsh winhttp reset proxy and then to set it to my cntlm's local proxy via netsh winhttp set proxy 127.0.0.1:3128, after that I've restarted NlaSvc - no luck. Still I got message - No internet access, Windows Store tells me that my PC isn't connected to Internet etc.

    I used the following procedure:

    1. Reset proxy settings for WinHTTP library

    netsh>winhttp reset proxy

    2. Restart Network Awareness Locator service

    sc stop NlaSvc && sc start NlaSvc

    3. [optional] Disable and enable back the Network Interface Card (NIC) adapter

    The yellow exclamation mark should now disappear.

    4. Set proxy settings back to point to your local chained cntlm proxy:

    netsh>winhttp set proxy 127.0.0.1:3128

    (or whatever is set as a listening socket in cntlm's settings). No system restart is necessary, restarting apps is okay.


    Well this is the world we live in And these are the hands we're given...

    Thursday, January 24, 2013 11:35 AM
  • This did helped me only during active session, after reboot - No internet access.
    Thursday, January 24, 2013 12:12 PM
  • After a few days of trying to work behind corporate proxy (ISA Server 2006) I finally came to a solution - contacted our corporate system administrator, who made a rule on the proxy to allow anonymous packets to the following domains: *windows.com*, *windows.net* and *microsoft.com*. Also I installed Microsoft Firewall Client (can be downloaded here http://www.microsoft.com/en-us/download/details.aspx?id=10193) and configured IE proxy settings to 'Automatically detect settings'.

    After all of this my Windows Store is working fine, Modern apps are updating and installing without troubles. Still some of the built-in apps like News won't load info but it looks like it's a problem of creating another allow rule on the ISA Server to some domain.

    Thursday, January 24, 2013 12:21 PM
  • Glad to hear you solved the problem! After all, this could be the best solution, but unfortunately, not always implementable (although I don't advocate for this IT paranoia to prohibit everything and everywhere; what's bad in anonymous POST request to Microsoft domains after all?)

    I confirm I did restart my PC after resetting WinHTTP's proxy settings and returning them back. Still my NLA service is working good. By the way, I finally decided to only have Intranet proxy servers for apps and Proxy definitions are authoritative policy settings enabled. I did not configure the Internet proxy servers for apps setting this time.

    E.H.
    BTW, the cntlm log shows everything is OK, I would've looked into WindowsUpdate.log then, but it's better to forget this hell when it's all resolved with IT.

    Well this is the world we live in And these are the hands we're given...

    Thursday, January 24, 2013 12:31 PM
  • Another addition to this helpful thread.

    Here is how to disable Network Location Awareness (NlaSvc) Internet detection:

    To Prevent NCSI from Communicating Across the Internet by Changing a Registry Setting
    For best results, close all programs on the computer on which you are changing the registry setting.
    
    To open a command prompt as an administrator, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
    
    If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
    
    Type:
    
    regedit
    
    Caution
    Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.
    Navigate to:
    
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet
    
    Under the Internet key, double-click EnableActiveProbing, and then in Value data, type:
    
    0
    
    The default for this value is 1. Setting the value to 0 prevents NCSI from connecting to a site on the Internet during checks for connectivity.
    
    Click OK.
    
    Restart the computer.
    

    The solution is from here: http://technet.microsoft.com/en-us/library/cc766017(v=ws.10).aspx

    Thursday, January 31, 2013 4:07 AM
  • Alex, thank you for this information! Does it make other apps able to see the gateway?

    Uhm, pretty strange:

    "the following are examples of typical triggers that can cause NCSI to communicate across the Internet:

    • A user first logs on after the computer has been restarted
    • The computer connects to a different network
    • The computer is brought into a hot spot (public wireless access area) that requires sign-in"

    As far as I can see, the trigger is re-initialization of WFP filtering platform, though I may be wrong for sure.

    At least that "A user first logs on after the computer has been restarted" is complete nonsense, as you see NLA's warning sign even before you log into the PC, so it could be caused by:

    1. Initialization of NIC (start of a NIC driver?)

    2. Initialization of WFP/TDI filtering, or maybe it's NDIS?

    3. Computer account logon

    4. Start of the NlaSvc.


    Well this is the world we live in And these are the hands we're given...


    Thursday, January 31, 2013 10:46 AM