Microsoft KB Archive/943214

= When you publish a back-end ISA Server 2006 computer on a front-end ISA Server 2006 computer that faces the Internet, you cannot enable forms-based authentication on both computers =

Article ID: 943214

Article Last Modified on 11/13/2007

-

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
 * Microsoft Internet Security and Acceleration Server 2006 Standard Edition

-



SYMPTOMS
Consider the following scenario:
 * You publish a Web site on a back-end Microsoft Internet Security and Acceleration (ISA) Server 2006 computer.
 * You publish the back-end ISA Server 2006 computer on a front-end ISA Server 2006 computer that faces the Internet.
 * You want to enable forms-based authentication on both ISA Server 2006 computers to authenticate Web traffic. For example, the front-end server uses RADIUS one-time password (OTP) together with forms-based authentication. The back-end ISA Server computer is joined to the corporate Active Directory directory service domain. This ISA Server computer uses Windows integrated authentication.

In this scenario, you cannot enable forms-based authentication on both ISA Server computers.



CAUSE
Currently, ISA Server 2006 is hardcoded to use the CookieAuth.dll string as an identifier to implement forms-based authentication. In this case, ISA Server 2006 uses the &quot;cookieauth.dll&quot; string in the URL of the Web requests. If both the front-end ISA Server computer and the back-end ISA Server computer use the same identifier, the front-end computer will process the authentication form that is intended for the back-end computer.



RESOLUTION
An update is available that lets you enable an alternative cookie authentication handler string for forms-based authentication. Therefore, the front-end computer can use the &quot;cookieauth.dll&quot; string in the URL of the Web requests. The back-end computer can use the &quot;FBAHANDLER.DLL&quot; string in the URL of the Web requests.

Changes on the back-end ISA Server computer
Follow these steps on the back-end computer that is running ISA Server 2006:  Apply the hotfix package that is described in the following Microsoft Knowledge Base article:

943215 Description of the ISA Server 2006 hotfix package: October 7, 2007

 Start Notepad.  Copy and then paste the following text into Notepad.  ' Copyright (c) Microsoft Corporation. All rights reserved. ' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE ' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE ' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS ' HEREBY PERMITTED. 

Const SE_VPS_GUID = &quot;{143F5698-103B-12D4-FF34-1F34767DEabc}&quot; Const SE_VPS_NAME = &quot;UseAltExtensionRequestIdentifier&quot; Const SE_VPS_VALUE = true

Sub SetValue

' Create the root object. Dim root ' The FPCLib.FPC root object Set root = CreateObject(&quot;FPC.Root&quot;)

'Declare the other objects needed. Dim array      ' An FPCArray object Dim VendorSets ' An FPCVendorParametersSets collection Dim VendorSet  ' An FPCVendorParametersSet object

' Get references to the array object ' and the network rules collection. Set array = root.GetContainingArray Set VendorSets = array.VendorParametersSets

On Error Resume Next Set VendorSet = VendorSets.Item( SE_VPS_GUID )

If Err.Number <> 0 Then Err.Clear

' Add the item Set VendorSet = VendorSets.Add( SE_VPS_GUID ) CheckError WScript.Echo &quot;New VendorSet added... &quot; & VendorSet.Name

Else WScript.Echo &quot;Existing VendorSet found... value- &quot; & VendorSet.Value(SE_VPS_NAME) End If

Err.Clear VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

If Err.Number <> 0 Then CheckError Else VendorSets.Save false, true CheckError

If Err.Number = 0 Then WScript.Echo &quot;Done with &quot; & SE_VPS_NAME & &quot;, saved!&quot; End If   End If

End Sub

Sub CheckError

If Err.Number <> 0 Then WScript.Echo &quot;An error occurred: 0x&quot; & Hex(Err.Number) & &quot; &quot; & Err.Description Err.Clear End If

End Sub

SetValue Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure. However, they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.  Save the file as a Microsoft Visual Basic script file by using the .vbs file name extension. For example, use the following name to save the file:

UseAltExtensionRequestIdentifier.vbs

 Open a command prompt, move to the location in which you saved the UseAltExtensionRequestIdentifier.vbs file, and then type the following command:

cscript UseAltExtensionRequestIdentifier.vbs



Changes on the front-end ISA Server computer
On the front-end computer, create a link translation mapping in the Web publishing rule to translate &quot;/cookieauth.dll&quot; to &quot;/FBAHANDLER.DLL.&quot; To do this, follow these steps:
 * 1) Open the ISA Server Management console.
 * 2) In the console tree, expand Microsoft Internet Security and Acceleration Server 2006.
 * 3) If you are running ISA Server 2006 Enterprise Edition, expand Arrays, and then expand the node that corresponds to the array. If you are running ISA Server 2006 Standard Edition, expand the node that corresponds to the front-end computer.
 * 4) Click Firewall Policy.
 * 5) Right-click the Web publishing rule, and then click Properties.
 * 6) On the Link Translation tab, make sure that the Apply link translation to this rule check box is selected, and then click Configure.
 * 7) In the Locally Defined Mappings dialog box, click Add.
 * 8) In the Replace this text box, type /cookieauth.dll.
 * 9) In the With this text box, type /FBAHANDLER.DLL.
 * 10) Click OK three times.
 * 11) Click Apply.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.

Keywords: kbqfe kbexpertiseinter KB943214

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.