Question
Why doesn't Internet Explorer prompt for authentication when connecting to non-anonymous FTP servers?
Environment: Cisco Web Security Appliance (WSA), all versions of AsyncOS
Note: This Knowledge Base article references software which is not maintained or supported by Cisco. The information is provided as a courtesy for your convenience. For further assistance, please contact the software vendor.
This is a known limitation with Internet Explorer 7 & 8 and web proxies when using FTP over HTTP. There are certain scenarios where Internet Explorer 6 will not prompt as well.
In this scenario the WSA sends a "401 Authentication Required" requesting for user credentials, but Internet Explorer never prompts the user for credentials. As a result, Internet Explorer will show you an error page indicating that authentication against the FTP server has failed.
This limitation on Internet Explorer is also mentioned on the following page:http://technet.microsoft.com/en-us/library/bb794745.aspx. Please read section "How to access an FTP site that is not anonymous using Internet Explorer".
As indicated in the Microsoft TechNet article, the workaround is to prepend USERNAME and PASSWORD onto the URL. For example: ftp://USERNAME:PASSWORD@ftp.example.com.
Please note, Internet Explorer will NOT allow you to add certain characters, such as the '?' into the password in the URL. If your password includes a character not allowed to be entered in URL, you must encode it into a "URL encoded" value: ftp://username:Pass%3F@ftpsite.com.
Further information on this type of encoding can be found at http://en.wikipedia.org/wiki/Percent-encoding.
For reference, Firefox does not have this limitation and will correctly prompt the user for authentication.
Feedback