Problem: Firewall or proxy authentication fails
This article applies to Domain Time II.
Last Updated: 3 September 2003
Note: This article applies to Domain Time version 4.1 or earlier, proxy support was discontinued in verion 5.1.
Your firewall or proxy server may allow traffic when you are testing, but not when Domain Time is
running as a service. Checking firewall, proxy, or Domain Time logs may show that the error is related
If you are using Domain Time to obtain the time from an Internet-based source, you may
experience problems if you have a firewall or proxy in place that does not allow the time
protocol(s) you are using to pass through.
In addition to configuring the ports (see KB1001.033), you may need
to configure permissions. This is especially true when using Microsoft's Proxy Server with the
client-side WinProxy option. WinProxy sends the logged-on user's credentials to Proxy Server, and
Proxy Server decides whether or not to allow the traffic based on who is requesting it.
When you test a program like Domain Time using its control panel applet test buttons, everything
may seem to work fine. However, when you examine Domain Time's log, you see that the service
was unable to connect to its time sources. This is because you, the logged-on user, have one set of credentials, and
the service, running in the background, has its own credentials.
Changing your browser's settings
or logging on as a different user will not correct the problem. You must instead tell the Proxy Server
that it should allow traffic from the Domain Time service in addition to traffic from people using
browsers or other foreground programs.
In most cases, adding the user System to Proxy Server (and giving this user permissions to
use the various time ports) will be sufficient. However, in some cases, based on Windows
configuration and service packs, you may need to add the user LocalSystem, too.
If you are using the Domain Time over HTTP protocol with a web proxy (either Microsoft's Proxy Server
or another proxy server) or going through a firewall in addition to going through a proxy, you may
need to add System and/or LocalSystem to the list of authorized users on the web proxy
or firewall, too.
If you are using the SOCKS4 proxy (again, either on Microsoft's Proxy server or another proxy server),
you may need to add the user DomTime to the list of authorized users for the SOCKS4 protocol.
When Domain Time uses SOCKS4, it fills in the username field with DomTime. Some SOCKS4 proxies
care about this information, and some don't. Only experimentation will enable you to determine if
you need to add this pseudo-user.