Microsoft KB Archive/832168

= FIX: SecurID does not redirect to the requested page after a successful logon =

Article ID: 832168

Article Last Modified on 6/14/2007

-

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2000 Standard Edition
 * Microsoft Internet Security and Acceleration Server 2000 Service Pack 1

-





SYMPTOMS
When you use SecurID authentication to request a Web page that is published by a Web publishing rule in Microsoft ISA Server 2000, you are not redirected to the requested URL after you enter the correct credentials on the SecurID logon page. Instead, ISA Server responds with the SecurID logon page and prompts you to enter your SecurID credentials again.

This problem occurs if all the following conditions are true:
 * You have installed ISA Server Feature Pack 1 and SecurID authentication on your system, and you have enabled the SecurID authentication Webfilter.
 * You have two Web publishing rules. The initial Web page request is served by the first Web publishing rule. This rule has no SecurID authentication enabled. The page that is published by the first Web publishing rule links to another URL that is published by the second Web publishing rule. The second Web publishing rule has SecurID authentication enabled.
 * The second Web publishing rule processes the redirection. The second rule applies the same host name as the first Web publishing rule.

For more information about how to install ISA Server Feature Pack 1 and configure SecurID authentication, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=2f92b02c-ac49-44df-af6c-5be084b345f9&DisplayLang=en.

For more information about how to setup SecurID authentication in ISA Server 2000, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=2f92b02c-ac49-44df-af6c-5be084b345f9&DisplayLang=en.

The problem does not occur if the initial request is immediately processed by the second Web publishing rule. For example, if the client first requests http://www.example.com, the page that is published by the first Web publishing rule redirects to http://www.example.com/securefolder/default.html. The second Web publishing rule processes this request, and the request is denied. If the client first requests http://www.example.com/securefolder/default.html, this problem does not occur.



CAUSE
This is a problem in the SecurID filter in ISA Server 2000. This filter does not send the correct redirection URL in response to a successful SecurID logon.



Hotfix information
A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hotfix.

To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:

http://go.microsoft.com/?linkid=6294451

Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Prerequisites
ISA Server 2000 Service Pack 1 and ISA Server Feature Pack 1 are required to install this hotfix.

For additional information about how to obtain ISA Server SP1 and ISA Server Feature Pack 1, click the following article numbers to view the articles in the Microsoft Knowledge Base:

313139 How to obtain the latest Internet Security and Acceleration Server 2000 service pack

319380 ISA Server 2000 Feature Pack 1 overview

Hotfix replacement information
This hotfix does not replace any other hotfixes.

Restart requirement
You must restart your computer after installing the hotfix.   Date         Time   Version      Size  File name --  22-Feb-2004 17:02 3.0.1200.305 178,448 Mspadmin.exe 22-Feb-2004 17:02 3.0.1200.305 103,184 Msphlpr.dll 22-Feb-2004 17:01 3.0.1200.305 393,488 W3proxy.exe 22-Feb-2004 17:02 3.0.1200.305 299,280 Wspsrv.exe 22-Feb-2004 17:01 3.0.1200.305 81,680 Sdisa.dll The Hotfix applies to all ISA Server languages.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.



MORE INFORMATION
ISA Server 2000 implements RSA authentication as follows:
 * 1) If a client requests a Web site that is published by ISA Server, and SecurID is enabled on the Web publishing rule, the SecurID Web filter first responds with the SecurID logon page.
 * 2) After the client has successfully entered the SecurID credentials and submitted the page, the SecurID Web filter redirects to the page that was originally requested.

To enable or to disable the SecurID authentication Webfilter, follow these steps:
 * 1) In the ISA Microsoft Management Console (MMC), expand Servers and Arrays and the server name node.
 * 2) Expand Extensions, and then click Web Filters.
 * 3) Right-Click the Web Filter for RSA SecurID Webfilter.
 * 4) Click enable or disable.

To set SecurID authentication for your Web publishing rule, follow these steps:
 * 1) In the ISA MMC, expand Servers and Arrays and the server name node.
 * 2) Expand Access Policy, and then click Web Publishing Rules.
 * 3) Create a new Web Publishing Rule, or select an existing rule that you want to configure. Right-click the rule, and then click Properties.
 * 4) Click the RSA SecurID tab, and then click to select or to clear the Enable RSA Web Authentication Feature Set for this rule check box.

To troubleshoot this problem, use Microsoft Network Monitor to analyze the HTTP traffic. After the client submits the SecurID credentials, the HTTP response from the ISA Server may include a response that is similar to the following: HTTP: Response to Client; HTTP/1.1; Status Code = 200 - OK   HTTP: Protocol Version =HTTP/1.1 HTTP: Status Code = OK   HTTP: Reason =OK HTTP: Connection =close HTTP: Content-Length =733 HTTP: Refresh = 1; URL= Because the URL= field is empty, the client is not redirected to the original URL. After you install this hotfix, the response will look similar to the following: HTTP: Response to Client; HTTP/1.1; Status Code = 200 - OK   HTTP: Protocol Version =HTTP/1.1 HTTP: Status Code = OK   HTTP: Reason =OK HTTP: Connection =close HTTP: Content-Length =733 HTTP: Refresh = 1; URL=/securefolder/default.html

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

824684 How to install Network Monitor in Windows 2000

Keywords: kbqfe kbhotfixserver kbdownload kbisaserv2000presp2fix kbfix kbbug KB832168

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.