Microsoft KB Archive/937293

= ISA Server 2006 and ISA Server 2004 do not reject weakly encrypted authentication requests for access to an SSL Web site after you configure ISA Server to require 128-bit encryption =

Article ID: 937293

Article Last Modified on 12/4/2007

-

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2006 Standard Edition
 * Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
 * Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition
 * Microsoft Internet Security and Acceleration Server 2004 Standard Edition

-



SYMPTOMS
In Microsoft Internet Security and Acceleration (ISA) Server 2006 or in ISA Server 2004, you configure a Web publishing rule that has the following characteristics:
 * The Web listener accepts HTTPS traffic.
 * The Web publishing rule or the Web listener requires that all users be authenticated.
 * The authentication method transfers credentials without encryption. The following authentication methods all transfer credentials without encryption:
   * Basic
   * HTML Forms
   * RADIUS
   * Lightweight Directory Access Protocol (LDAP)
 * The Require 128-bit encryption for HTTPS traffic check box is selected on the Traffic tab of the Web publishing rule.

In this case, if you use encryption that is weaker than 128-bit encryption to try to access the Secure Sockets Layer (SSL) Web site, ISA Server accepts the connection attempt. Then, ISA Server prompts you for the credentials to access the Web site. You expect ISA Server to reject the connection attempt because your connection does not use 128-bit encryption.



CAUSE
This issue occurs because of how ISA Server 2006 and ISA Server 2004 process SSL requests. ISA Server performs the user authentication operation first. Then, ISA Server verifies the strength of the encrypted connection.

Therefore, if you try to connect to the SSL Web site by using encryption that is weaker than 128-bit encryption, the following behavior occurs when ISA Server processes the SSL request: ISA Server prompts you for credentials, and then submits those credentials over the weakly encrypted connection. Only after you are authenticated successfully does ISA Server verify the encryption strength of the client connection. Because the client connection uses encryption that is weaker than ISA Server requires, ISA Server rejects the connection, and you receive the following error message:

Error Code: 403 Forbidden.

The page requires 128-bit encryption, an enhanced security mechanism. To view the page contents, use a browser that supports this enhanced encryption. (12212)





WORKAROUND
To work around this issue, disable all ciphers that use encryption weaker than 128-bit. This configuration prevents ISA Server from negotiating any encrypted connection that is weaker than the minimum you have configured, so credentials are never sent over such a connection. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

245030 How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll

Note After you restrict all encryption mechanisms that are weaker than 128-bit encryption, you will not receive an "Error Code 403" error message. Instead, if you try to connect to the Web site by using encryption that is weaker than 128-bit encryption, you receive the following error message:

Cannot find server or DNS Error
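The workaround above, as an added PowerShell example that is not part of this article: it disables the sub-128-bit Schannel ciphers on the ISA Server host and then reads the keys back to confirm nothing weak is still enabled. The registry location and the cipher key names are those documented in KB 245030; which of those ciphers are present on a given host is an assumption, and the script must run in an elevated session, with a reboot for Schannel to apply the change.

```powershell
# Added example, not from the KB article. Disables Schannel ciphers weaker than
# 128 bits so the TLS handshake fails before ISA Server ever prompts for credentials.
# Path and cipher key names follow KB 245030 (assumed to match the host).

$CipherRoot  = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$WeakCiphers = @('NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128', 'RC4 40/128', 'RC4 56/128')

function Disable-WeakSchannelCipher {
    param([string]$Name)
    # .NET CreateSubKey is used instead of New-Item because the PowerShell registry
    # provider treats the '/' in names such as 'RC4 40/128' as a path separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$CipherRoot\$Name")
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

function Get-EnabledWeakCiphers {
    # Returns the names from $WeakCiphers that are not explicitly disabled.
    # A missing key or a missing Enabled value means Schannel's default applies,
    # so it is reported as "not disabled" rather than assumed safe.
    $notDisabled = @()
    foreach ($name in $WeakCiphers) {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$CipherRoot\$name")
        if ($null -eq $key) { $notDisabled += $name; continue }
        $enabled = $key.GetValue('Enabled')
        $key.Close()
        if ($null -eq $enabled -or $enabled -ne 0) { $notDisabled += $name }
    }
    return $notDisabled
}

foreach ($cipher in $WeakCiphers) { Disable-WeakSchannelCipher -Name $cipher }

$remaining = Get-EnabledWeakCiphers
if ($remaining.Count -eq 0) {
    Write-Output 'All sub-128-bit Schannel ciphers are disabled; reboot for Schannel to apply the change.'
} else {
    Write-Output ('Still not disabled: ' + ($remaining -join ', '))
}
```

After the reboot, a client that can only offer weaker ciphers fails the handshake itself, which is the "Cannot find server or DNS Error" behavior the note above describes.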

Keywords: kberrmsg kbtshoot kbfirewall kbprb KB937293


© Microsoft Corporation. All rights reserved.