Microsoft KB Archive/331073

= Problems with HTTPS Requests When an ISA Server Computer Is Chained to an Upstream ISA Server Array =

Article ID: 331073

Article Last Modified on 6/14/2007

-

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2000 Standard Edition
 * Microsoft Internet Security and Acceleration Server 2000 Service Pack 1

-



This article was previously published under Q331073





SYMPTOMS
When you use a downstream Internet Security and Acceleration (ISA) Server computer that is chained to an upstream ISA Server array, Secure Sockets Layer (SSL) requests may not be successful, or authentication prompts may occur on the client. These problems appear only if all the following conditions are true:
 * The upstream array includes at least two member server nodes.
 * The upstream outbound access policy uses user-based or group-based protocol rules or site and content rules.
 * The upstream ISA Server computer or array is configured to use NTLM authentication for outgoing Web requests.
 * Ask unauthenticated users for identification is not selected on the outgoing Web request listener of the upstream ISA Server array. For more information about how to configure this setting, see the &quot;More Information&quot; section.
 * The routing rule on the downstream ISA Server computer is configured to route to the upstream array and has Automatically poll upstream server for array information enabled. (That is, the header that is sent in a request to the server to enable the CARP protocol and to permit the correct routing is enabled. This header is &quot;array.dll?Get.Info.v2&quot;.) For more information about how to configure this setting, see the &quot;More Information&quot; section.

This issue does not occur when Ask unauthenticated users for identification is set for outgoing Web requests on the upstream ISA Server computer or array. For more information about how to configure this setting, see the &quot;More Information&quot; section.

Note If you use the Automatically poll upstream server for array information setting as a workaround, you may experience another issue. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

813863 Automatic requests for upstream server information (Get.info.v2) do not succeed when authentication is required in ISA Server



CAUSE
When the downstream ISA Server computer forwards an HTTP request to the upstream array, it must authenticate through NTLM first. The downstream computer sends the first part of the NTLM authentication handshake to one node of the upstream ISA Server array, and the downstream computer sends the second part to the other node of the upstream ISA Server array. Because NTLM authentication must be established on a contiguous TCP (keep-alive) connection between the downstream ISA Server array and one single node of the upstream ISA Server array, authentication to the upstream ISA Server array does not succeed, and you notice the problems that are described in the &quot;Symptoms&quot; section.



RESOLUTION
A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hotfix.

To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:

http://go.microsoft.com/?linkid=6294451

Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Note You must install ISA Server Service Pack 1 before you install this hotfix.

  Date         Time   Version      Size    File name --  05-June-2003 10:35 3.0.1200.275 178,448 Mspadmin.exe 05-June-2003 10:35 3.0.1200.275 103,184 Msphlpr.dll 05-June-2003 10:34 3.0.1200.275 391,952 W3proxy.exe 05-June-2003 10:35 3.0.1200.275 299,280 Wspsrv.exe This fix also applies to the French, German, Spanish, and Japanese versions of ISA Server.



MORE INFORMATION
To configure Automatically poll upstream server for array information (Get.Info.V2) on the routing rule of the downstream ISA Server computer:
 * 1) Open the ISA Server Microsoft Management Console (MMC).
 * 2) Expand Servers and Arrays.
 * 3) Expand your array name or your server name.
 * 4) Expand Network Configuration.
 * 5) Expand Routing.
 * 6) Double-click the routing rule that is appropriate for routing to the upstream server or array.
 * 7) Click the Action tab.
 * 8) In the Routing them to a specified upstream server area, click Settings.
 * 9) Click to select or click to clear the Automatically poll upstream server for array configuration check box.

To configure Ask unauthenticated users for identification:
 * 1) Open the ISA Server MMC.
 * 2) Right-click the server or array name, and then click Properties.
 * 3) Click the Outgoing Web Requests tab.
 * 4) Click to select or click to clear the Ask unauthenticated Users for identification check box.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

Keywords: kbhotfixserver kbqfe kbisaserv2000presp2fix kbbug kbfix kbqfe KB331073

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.