Microsoft KB Archive/935767

= The authentication delegation in the existing Web publishing rules does not work after you upgrade ISA Server 2004 Enterprise Edition to ISA Server 2006 Enterprise Edition =

Article ID: 935767

Article Last Modified on 7/31/2007

-

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition

-



SYMPTOMS
You upgrade Microsoft Internet Security and Acceleration (ISA) Server 2004 Standard Edition to ISA Server 2004 Enterprise Edition and then to ISA Server 2006 Enterprise Edition. However, after you perform these two upgrades, authentication delegation does not work in the existing Web publishing rules. The Authentication Delegation property of the Web publishing rule displays the following messages:

No delegation, and client cannot authenticate directly.

No delegation, but client may authenticate directly.

Additionally, if you create a new Web listener, the Client Authentication Method list in the Web listener displays two extra entries as follows:
 * FBA with AD
 * SecureID

Even after you create the new Web listener, authentication delegation still does not work.

Note The same problem occurs if you manually import a backup copy of ISA Server 2004 Enterprise Edition after you upgrade ISA Server 2004 to ISA Server 2006.



CAUSE
This problem occurs because the import function of ISA Server 2006 incorrectly sets the Predefined property of the "FBA with AD" authentication scheme and of the SecureID authentication scheme.



WORKAROUND
To work around this problem, use either of the following methods.

Method 1
Edit the .xml file that you exported from ISA Server 2004 Enterprise Edition. To do this, follow these steps.

Note Perform this workaround before you import a backup copy of ISA Server 2004 Enterprise Edition.

1. Open the .xml file in Notepad.
2. Search for "SecurID." This text is located in a "<fpc4:AuthenticationScheme>" section that resembles the following.

   <fpc4:Name dt:dt="string">SecurID</fpc4:Name>
   <fpc4:Predefined dt:dt="boolean">0</fpc4:Predefined>

3. Change the value of the "<fpc4:Predefined>" node from 0 to 1.
4. Search for "OWA Forms-Based." This text is located in a "<fpc4:AuthenticationScheme>" section that resembles the following.

   <fpc4:Name dt:dt="string">OWA Forms-Based</fpc4:Name>
   <fpc4:Predefined dt:dt="boolean">0</fpc4:Predefined>

5. Change the value of the "<fpc4:Predefined>" node from 0 to 1.
6. Save the .xml file, and then exit Notepad.
7. Import the .xml file into ISA Server 2006.
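Method 1 is a hand edit, but the same change can be checked and applied with a script, which also gives you a way to audit an export before you import it. The following Python script is an added example and is not part of the KB article or of any Microsoft tool. It walks every <fpc4:AuthenticationScheme> element in an export, reports each scheme's Predefined value, and rewrites 0 to 1 for the two schemes the article names (SecurID and OWA Forms-Based). The sample export embedded in it is constructed for this example; the fpc4 and dt namespace URIs in that sample are assumptions, and the code matches elements by local name so it does not depend on them.

```python
import io
import sys
import xml.etree.ElementTree as ET

# The two predefined schemes the article says the ISA Server 2006 import
# function flags as Predefined = 0. In the ISA 2004 export the "FBA with AD"
# scheme appears under the name "OWA Forms-Based" (as shown in Method 1).
AFFECTED_SCHEMES = {"SecurID", "OWA Forms-Based"}

# Constructed sample export: only the elements the procedure touches.
# The fpc4/dt namespace URIs and the "Basic" entry are assumptions made
# for this example, not values taken from a real export.
SAMPLE_EXPORT = """<fpc4:Root xmlns:fpc4="http://schemas.microsoft.com/isa/config-4"
           xmlns:dt="urn:schemas-microsoft-com:datatypes">
  <fpc4:AuthenticationSchemes>
    <fpc4:AuthenticationScheme>
      <fpc4:Name dt:dt="string">SecurID</fpc4:Name>
      <fpc4:Predefined dt:dt="boolean">0</fpc4:Predefined>
    </fpc4:AuthenticationScheme>
    <fpc4:AuthenticationScheme>
      <fpc4:Name dt:dt="string">OWA Forms-Based</fpc4:Name>
      <fpc4:Predefined dt:dt="boolean">0</fpc4:Predefined>
    </fpc4:AuthenticationScheme>
    <fpc4:AuthenticationScheme>
      <fpc4:Name dt:dt="string">Basic</fpc4:Name>
      <fpc4:Predefined dt:dt="boolean">1</fpc4:Predefined>
    </fpc4:AuthenticationScheme>
  </fpc4:AuthenticationSchemes>
</fpc4:Root>
"""


def _local(tag):
    """Return the tag name without ElementTree's {namespace} prefix."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, local_name):
    """Return the first direct child whose local tag name matches, else None."""
    for child in elem:
        if _local(child.tag) == local_name:
            return child
    return None


def _keep_prefixes(xml_text):
    """Register the document's own prefixes so serialising keeps fpc4:/dt: intact."""
    for _event, (prefix, uri) in ET.iterparse(io.StringIO(xml_text), events=("start-ns",)):
        if prefix:
            ET.register_namespace(prefix, uri)


def _schemes(root):
    """Yield (scheme element, Name element, Predefined element) for each scheme."""
    for elem in root.iter():
        if _local(elem.tag) != "AuthenticationScheme":
            continue
        name, predefined = _child(elem, "Name"), _child(elem, "Predefined")
        if name is not None and predefined is not None:
            yield elem, name, predefined


def audit_schemes(xml_text):
    """Map every scheme name to its Predefined value ("0" or "1").

    Run this before importing: an affected scheme reported as "0" is the
    condition that produces the "No delegation" messages in the article.
    """
    root = ET.fromstring(xml_text)
    return {(name.text or "").strip(): (pre.text or "").strip()
            for _elem, name, pre in _schemes(root)}


def fix_predefined(xml_text):
    """Set Predefined to 1 for the affected schemes.

    Returns (rewritten xml, names of the schemes that were changed). Schemes
    already at 1, and schemes the article does not name, are left untouched.
    """
    _keep_prefixes(xml_text)
    root = ET.fromstring(xml_text)
    changed = []
    for _elem, name, pre in _schemes(root):
        scheme = (name.text or "").strip()
        if scheme in AFFECTED_SCHEMES and (pre.text or "").strip() != "1":
            pre.text = "1"
            changed.append(scheme)
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    # Usage: python fix_isa_export.py <exported.xml> <fixed.xml>
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, encoding="utf-8") as fh:
        text = fh.read()
    for scheme, value in audit_schemes(text).items():
        print(f"{scheme}: Predefined={value}")
    fixed_xml, changed = fix_predefined(text)
    with open(dst, "w", encoding="utf-8") as fh:
        fh.write(fixed_xml)
    print("changed:", ", ".join(changed) or "nothing")
```

Running the script on a real export prints every scheme's current Predefined value and then writes a corrected copy; re-running it on the corrected copy changes nothing, so the audit output is also the post-fix check. Adjust the file encoding in the two open() calls if your export is not UTF-8.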

Method 2
Edit the Active Directory Application Mode (ADAM) instance that is used by ISA Server 2006 Enterprise Edition. To do this, follow these steps.

Note You may perform this workaround regardless of whether you have imported a backup copy of ISA Server 2004 Enterprise Edition.

1. Click Start, point to All Programs, point to ADAM, and then click ADAM ADSI Edit.
2. In the console tree, right-click ADAM ADSI Edit, and then click Connect to.
3. In the Connection Settings dialog box, type any name in the Connection Name box. For example, type ISA Configurations.
4. In the Server name box, type the name or the IP address of the configuration storage server that ISA Server 2006 uses.
5. Type 2171 in the Port box.
6. Click to select the Distinguished name (DN) or naming context option, and then type CN=FPC2 in the Distinguished name (DN) or naming context box.
7. Click OK.
8. In the console tree, click the connection that you named in step 3, and then locate the following object:

   CN=<scheme GUID>,CN=AuthenticationSchemes,CN=RuleElements,CN=<array GUID>,CN=Arrays,CN=Array-Root,CN=FPC2

   Note The <array GUID> placeholder represents the GUID that corresponds to the server array. The <scheme GUID> placeholder represents the GUID that corresponds to the "FBA with AD" authentication scheme or to the SecureID authentication scheme. The object that you locate should have a msFPCName attribute of "FBA with AD" or of SecurID.
9. Right-click the object that you located in step 8, and then click Properties.
10. In the Attributes list, select the msFPCPredefined attribute, and then click Edit.
11. Click to select True for the Value option, and then click OK.
12. Click OK to exit the Properties dialog box.
13. In the console tree, right-click the connection that you named in step 3, and then click Update Schema Now.


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


MORE INFORMATION
The "FBA with AD" authentication scheme is a predefined authentication scheme that enables forms-based (cookie) authentication by using the Active Directory directory service. The SecurID authentication scheme is a predefined authentication scheme that enables forms-based authentication by using RSA SecurID authentication.

For more information, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/ms812581.aspx

Keywords: kbtshoot kbexpertiseinter kbprb KB935767

-


© Microsoft Corporation. All rights reserved.