Microsoft KB Archive/225250

= PRB: Site Server 3.0 with HTML Authentication Form Fails After IE 5.0 Upgrade =

Article ID: 225250

Article Last Modified on 2/12/2007

-

APPLIES TO


 * Microsoft Internet Explorer 5.0
 * Microsoft Site Server 3.0 Standard Edition

-



This article was previously published under Q225250





SYMPTOMS
After you upgrade to Internet Explorer version 5.0, you cannot log on to a site using an HTML Authentication Form. When you submit username and password details, the HTML Authentication Form reloads and asks for the username and password again, but no error message is returned.



CAUSE
Site Server 3.0 Authentication Forms use an ISAPI filter called an Auth Filter. This filter returns a cookie that is used to establish session authentication. If the domain name of the server hosting the site is international (for example, www.microsoft.com.au), the default installation of Site Server 3.0 sends the FormsAuth cookie with a domain of com.au. Internet Explorer versions 5.0 and later reject this cookie because its domain does not clearly indicate the origin of the cookie and is therefore a potential security risk. Site Server 3.0 Authentication Forms return only com.au for the FormsAuth cookie domain because the default installation of Site Server 3.0 sets the global configuration variable CookieScope to a value of 2.
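
The following sketch models the cause described above so that a list of host names can be checked for the same failure. It is an added example, not Site Server or Internet Explorer code. It assumes that CookieScope counts the trailing labels of the host name that are kept as the cookie domain, and it uses a small constructed suffix list in place of the browser's real rule; all function names are hypothetical.

```python
# Added illustration; not Site Server or Internet Explorer code.
# Assumption: CookieScope = N means "keep the last N labels of the host name".
# Constructed sample of registry-controlled suffixes; real browsers use their
# own rules or the Public Suffix List.
SAMPLE_REGISTRY_SUFFIXES = {"com", "net", "org", "au", "uk", "com.au", "net.au", "co.uk"}


def scoped_cookie_domain(host: str, scope: int) -> str:
    """Domain attribute produced by keeping the last `scope` labels of `host`."""
    if scope < 1:
        raise ValueError("scope must be at least 1")
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-scope:])


def browser_accepts(cookie_domain: str, request_host: str) -> bool:
    """Accept only a domain that covers the host and is not a bare registry suffix."""
    domain = cookie_domain.lower().lstrip(".")
    host = request_host.lower().rstrip(".")
    if domain in SAMPLE_REGISTRY_SUFFIXES:
        return False  # e.g. com.au is shared by many unrelated sites
    return host == domain or host.endswith("." + domain)


def minimum_accepted_scope(host: str) -> int:
    """Smallest label count whose resulting domain passes browser_accepts()."""
    for scope in range(1, len(host.rstrip(".").split(".")) + 1):
        if browser_accepts(scoped_cookie_domain(host, scope), host):
            return scope
    raise ValueError(f"no acceptable cookie domain for {host!r}")


def audit(hosts, scope):
    """Return (host, cookie_domain, accepted, minimum_accepted_scope) per host."""
    report = []
    for host in hosts:
        domain = scoped_cookie_domain(host, scope)
        report.append((host, domain, browser_accepts(domain, host),
                       minimum_accepted_scope(host)))
    return report


if __name__ == "__main__":
    # The first host is the article's example; the second is constructed.
    for row in audit(["www.microsoft.com.au", "www.example.com"], scope=2):
        print(row)
```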



RESOLUTION
To resolve this problem, apply the latest Site Server 3.0 service pack.



STATUS
Microsoft has confirmed this to be a problem in Site Server version 3.0. This problem has been corrected in the latest U.S. service pack for Site Server version 3.0. For information on obtaining the service pack, query on the following word in the Microsoft Knowledge Base (without the spaces):

S E R V P A C K

Additional query words: cookie SS3 SP1

Keywords: kbprb KB225250

-


© Microsoft Corporation. All rights reserved.