Java SE (Java Platform, Standard Edition)

Hello all,

I'm working for a company that provides an application based on IIS and using Sun Java to load applet, recently we have a problem with this applet, and I wander if you can help.

Please find below the problem description:

After updating the JVM to one of the latest version 1.6 builds, our users started to experience a problem with opening java applets.

All the users have JVM versions 1.6.0_19 – 1.6.0_26 on Windows 7/2008. The browser is IE8. On the server usually there is IIS7, with ‘Integrated Windows authentication’
on applet’s virtual folder. Applet’s classes are packaged into a signed JAR file. Both the client and the server are located in the same local area network with no proxy or firewall between them.
The applet’s website usually belongs to the trusted security zone. When loaded, the applet establishes HTTP connection to the server to get the necessary data.


When the user tries to open an HTML page containing the applet, there can be the following scenarios:

1. The applet fails to load. We’re getting a ‘red cross’ screen. All the HTML elements except of the applet are loaded OK.
From the IIS log we can see that the loading of the JAR file failed with the error code 401, the user name field in the log for the JAR is empty.
2. The java asks for the user name and password showing a popup ‘Authentication required’. At this moment we can see the following message in the Java console:

network: Firewall authentication: site=/XX.XX.XX.XX:XX, protocol=http, prompt=, scheme=ntlm

If the user enters the correct credentials, the applet loads OK. Even if the user checks the ‘Save the password in your password list’ checkbox, Java continues to ask for credentials
on every page reload. It’s worth to note that the company’s external firewall doesn’t get any requests from the applet.

The problems happen even when the client and the server are located on the same machine, but never happens when we use localhost as the server name in the page URL.

During investigations we found out the following workarounds:

1. Enabling anonymous authentication on the virtual folder always solves the problem.
2. Sometimes, changing security zone from ‘Trusted’ to ‘Local intranet’ solves the scenario 2 (‘Authentication required’ popup) problem.
It’s worth to note that changing the security zone never helps if the page URL contains dots (for example, uses IP address instead the server name).
3. Upgrading to IE9 solves the scenario 2 problem partly: Java asks for the credentials only once. But our customers will not be able to go with IE9, as its not tested by them yet, and this process will take at least a year (most of them banks and gambling companies with strict and secure environment)


Will be glad to hear any comments/ideas on how to solve the issue