Microsoft KB Archive/913782

= Error message when a client computer tries to access a shared resource through a server that is running ISA Server 2004 or ISA Server 2000: "Connection failed. Access denied" =

Article ID: 913782

Article Last Modified on 12/4/2007


APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition
 * Microsoft Internet Security and Acceleration Server 2004 Standard Edition
 * Microsoft Internet Security and Acceleration Server 2000 Standard Edition

SYMPTOMS
When a client computer that is running the Microsoft Internet Security and Acceleration (ISA) Server Microsoft Firewall Client program tries to access a shared resource through a server that is running Microsoft ISA Server, the client computer may receive an error message that is similar to the following:

Connection failed. Access Denied.

This issue only occurs when the following conditions are true.

ISA Server 2004
This issue occurs in Microsoft ISA Server 2004 when all the following conditions are true:
 * A protocol rule is configured on the server that enables communication over the Common Internet File System (CIFS) protocol.
 * This protocol rule is applied to specific users or groups.
 * The client computer tries to access the shared resource through this protocol rule.

ISA Server 2000
This issue occurs in Microsoft ISA Server 2000 when all the following conditions are true:
 * An access rule is configured on the server that enables communication over the CIFS protocol.
 * This access rule is applied to specific users or groups.
 * The client computer tries to access the shared resource through this access rule.
 * The client computer uses a local address table (LAT) to connect.

Note ISA Server 2000 does not have a default protocol definition for CIFS. A CIFS protocol definition must be created by the ISA administrator with the following properties:
 * Port = 445
 * Protocol = TCP or UDP
 * Direction = Outbound (TCP) or Send-Receive (UDP)
 * Secondary connections = None

For more information about how to create a protocol definition in ISA Server 2000, visit the following Microsoft Web site:

http://www.microsoft.com/resources/documentation/isa/2000/enterprise/proddocs/en-us/isadocs/m_p_h_protdefcreate.mspx



CAUSE
This issue occurs because the ISA Server Firewall Client program cannot authenticate CIFS connections to a server that is running ISA Server.

The Firewall Client program is responsible for providing authentication to the server for non-Web protocols such as Simple Mail Transfer Protocol (SMTP) and Post Office Protocol 3 (POP3). The Firewall Client program can only process Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) traffic that is passed through the Windows Sockets API (Winsock). CIFS connections do not use Winsock calls. Therefore, the Firewall Client program cannot authenticate CIFS connections to the server. If you configure a rule that requires CIFS authentication, the connection will be denied.



RESOLUTION
To resolve this issue, create anonymous rules for CIFS traffic. To do this, follow these steps.

ISA Server 2004

 * 1) Open ISA Server Management.
 * 2) In the ISA Server Management console tree, expand Servers and Arrays, expand  , and then click Firewall Policies.
 * 3) Right-click the rule that you created for CIFS, and then click Properties.
 * 4) On the Users tab, click to select the users or groups that you applied the rule to under This rule applies to requests from the following user sets, and then click Remove. Repeat this step until you have removed all users or groups.
 * 5) Under This rule applies to requests from the following user sets, click Add.
 * 6) Under User sets, click All Users, click Add, and then click OK.
 * 7) Click Apply when you are prompted to save the changes.

ISA Server 2000

 * 1) Open ISA Server Management.
 * 2) In the ISA Management console tree, expand Servers and Arrays, expand  , expand Access Policy, and then click Protocol Rules.
 * 3) Right-click the rule that you created for CIFS, and then click Properties.
 * 4) On the Applies To tab, click one of the following options, and then click OK:
    * Any request.
    * Client address sets specified below.

Note If you select Client address sets specified below, you must include the client address set that you have defined in Client Address Sets under Policy Elements.
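The following Python sketch is an added example, not Microsoft's code and not part of the original article. It is a simplified model of the behavior described under CAUSE and RESOLUTION: the server sees a user identity only for Winsock traffic, so a CIFS rule limited to specific users denies the connection until the rule applies to All Users. The rule names, the user name "alice" and the single-rule evaluation are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ALL_USERS = "All Users"  # user set chosen in the resolution steps
CIFS_PORT = 445          # port from the CIFS protocol definition on this page


@dataclass(frozen=True)
class Rule:
    name: str
    port: int
    user_sets: frozenset  # {ALL_USERS} makes the rule anonymous


@dataclass(frozen=True)
class Connection:
    port: int
    via_winsock: bool      # False for CIFS, which does not use Winsock calls
    logged_on_user: str


def identity_seen_by_server(conn: Connection) -> Optional[str]:
    """Firewall Client attaches credentials only to Winsock TCP/UDP traffic."""
    return conn.logged_on_user if conn.via_winsock else None


def evaluate(rule: Rule, conn: Connection) -> str:
    """Return 'allow', 'deny' or 'no-match' for one rule and one connection."""
    if rule.port != conn.port:
        return "no-match"
    if ALL_USERS in rule.user_sets:
        return "allow"  # anonymous rule: no identity needed
    user = identity_seen_by_server(conn)
    return "allow" if user in rule.user_sets else "deny"


def rules_needing_fix(rules):
    """Names of CIFS rules that still require specific users or groups."""
    return [r.name for r in rules
            if r.port == CIFS_PORT and ALL_USERS not in r.user_sets]


# Constructed sample policy and traffic (hypothetical names).
POLICY = [
    Rule("CIFS to file server", CIFS_PORT, frozenset({"alice"})),
    Rule("POP3 for staff", 110, frozenset({"alice"})),
]
CIFS_CONN = Connection(CIFS_PORT, via_winsock=False, logged_on_user="alice")
POP3_CONN = Connection(110, via_winsock=True, logged_on_user="alice")
FIXED_RULE = Rule("CIFS to file server", CIFS_PORT, frozenset({ALL_USERS}))
```

Once the rule applies to All Users it no longer identifies the requester, so the rule's remaining conditions, such as the client address sets mentioned above, are what limit who can reach the share.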

Keywords: kbhowto kbtshoot kbprb KB913782


© Microsoft Corporation. All rights reserved.