Microsoft KB Archive/924374

= Client requests to access a published Web site are blocked when you configure ISA Server 2006 to use pass-through authentication to access a published Web server =

Article ID: 924374

Article Last Modified on 9/26/2006

-

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
 * Microsoft Internet Security and Acceleration Server 2006 Standard Edition

-



Important This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect your system.



SYMPTOMS
You configure a computer that is running Microsoft Internet Security and Acceleration (ISA) Server 2006 to use pass-through authentication to access a published Web server. After you do this, all client requests to access the published Web site are blocked. Additionally, you may receive an error message that resembles the following:

Error Code: 403 Forbidden. ISA Server is configured to block HTTP requests that require authentication. (12250)

Notes
 * You experience this issue when you use the No delegation, but client may authenticate directly (pass-through) authentication method.
 * This issue may occur even if the ISA Server 2006 computer publishes a site that requires no authentication.



CAUSE
This issue may occur if the following conditions are true:
 * The Allow client authentication over HTTP check box in the Web listener's Advanced Authentication Options dialog box is not selected.
 * The Web listener is not enabled to listen for Secure Sockets Layer (SSL) requests.



WORKAROUND
To work around this issue, use one of the following methods.

Method 1
Use HTTPS to access the published Web site after you configure the Web listener to listen for SSL requests. To do this, follow these steps:
 * 1) Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
 * 2) Expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand  , and then click Firewall Policy.
 * 3) On the Toolbox tab, click Network Objects.
 * 4) Expand Web Listeners, and then click the Web listener that you want to configure.
 * 5) In the toolbox task pane, click Edit.
 * 6) On the Preferences tab, click to select the Enable SSL check box.
 * 7) In the SSL port box, type the port number on which ISA Server listens for SSL requests.
 * 8) Click Select to select a certificate to use for SSL requests.
 * 9) Click Apply, and then click OK.

Note To access Firewall Policy in ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand  , and then click Firewall Policy.

Method 2
Warning This workaround may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

Click to select the Allow client authentication over HTTP check box. To do this, follow these steps:
 * 1) Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
 * 2) Right-click the Web site publishing rule that you want to change, and then click Properties.
 * 3) Click the Listener tab, click Properties, click the Authentication tab, and then click Advanced.
 * 4) Under Client Configuration Settings, click to select the Allow client authentication over HTTP check box.
 * 5) Click OK to close Advanced Authentication Options.
 * 6) Click OK two times.

Note Method 2 is less secure because client credentials are sent in plain text format (not encrypted) to the ISA Server computer.

Keywords: kbprb kberrmsg kbtshoot KB924374

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.