Microsoft KB Archive/894679

= Users who do not have the appropriate permissions can receive restricted content from ISA Server 2004 =

Article ID: 894679

Article Last Modified on 6/14/2007

-

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2004 Standard Edition

-



SYMPTOMS
After you enable the "Content requiring user authentication for retrieval" cache rule in Microsoft Internet Security and Acceleration (ISA) Server 2004, the ISA Server computer caches content that is requested by users who are permitted to retrieve that content. However, users who do not have permissions to access that particular content can still request and receive this content from the ISA Server computer.



CAUSE
By default, ISA Server 2004 does not cache content that is requested by authenticated users. However, if you enable the "Content requiring user authentication for retrieval" cache rule, ISA Server caches content that is requested by authenticated users. Then, ISA Server serves the cached content for all future requests without verifying access permissions.
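The following added example (illustrative code, not ISA Server's own implementation) models the cause described above with a toy forward-proxy cache: once an authorized user has populated the cache, a hit is returned without re-running the access rule unless the cache re-checks permissions on every hit. The users, URL, access rule and origin content are constructed for the example.

```python
# Added example, not ISA Server code: a toy proxy cache that models KB 894679.
# Users, URLs, the access rule and the origin content are constructed here.
from typing import Callable, Dict, Optional

class ProxyCache:
    def __init__(self, access_rule: Callable[[str, str], bool],
                 origin: Dict[str, str], recheck_on_hit: bool):
        self.access_rule = access_rule        # who may retrieve which URL
        self.origin = origin                  # constructed origin content
        self.recheck_on_hit = recheck_on_hit  # False models the pre-hotfix behaviour
        self.cache: Dict[str, str] = {}
        self.origin_fetches = 0

    def serve(self, user: str, url: str) -> Optional[str]:
        """Return the body for this user, or None when the request is denied."""
        if url in self.cache:
            # Pre-hotfix path: a cache hit is served to any requester, so a
            # user the access rule denies still receives the content after an
            # authorized user has populated the cache.
            if self.recheck_on_hit and not self.access_rule(user, url):
                return None
            return self.cache[url]
        if not self.access_rule(user, url):
            return None                       # denied and never fetched
        self.origin_fetches += 1
        body = self.origin[url]
        self.cache[url] = body                # content requiring authentication is cached
        return body

def access_rule(user: str, url: str) -> bool:
    """Constructed rule: only alice may read anything under /finance/."""
    return not url.startswith("/finance/") or user == "alice"

ORIGIN = {"/finance/report.html": "quarterly numbers"}  # constructed content

def demo(recheck_on_hit: bool):
    """alice (permitted) requests first and fills the cache; bob (denied) requests next."""
    proxy = ProxyCache(access_rule, ORIGIN, recheck_on_hit)
    first = proxy.serve("alice", "/finance/report.html")
    second = proxy.serve("bob", "/finance/report.html")
    return first, second, proxy.origin_fetches
```

With `recheck_on_hit=False` bob receives the cached report; with `recheck_on_hit=True` the same hit is denied, and in both cases the origin is contacted only once.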



Service pack information
To resolve this problem, obtain the ISA Server 2004 hotfix package. For more information about the ISA Server 2004 hotfix package, click the following article number to view the article in the Microsoft Knowledge Base:

921937 Description of the ISA Server 2004 hotfix package: July 6, 2006

Hotfix information
A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hotfix.

To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:

http://go.microsoft.com/?linkid=6294451

Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Prerequisites
You must have ISA Server 2004 Standard Edition Service Pack 1 (SP1) installed before you apply this hotfix.

Restart requirement
You do not have to restart the computer after you apply this hotfix.

Hotfix replacement information
This hotfix does not replace any other hotfixes.

File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

   Date         Time   Version        Size     File name
   -----------  -----  ------------   -------  ------------
   01-Apr-2005  17:20  4.0.2163.254   647,440  W3filter.dll



STATUS
Microsoft has confirmed that this is a bug in the Microsoft products that are listed in the "Applies to" section.



MORE INFORMATION
After you apply this hotfix, ISA Server may return an error. This error indicates that the page that you requested has expired. This behavior occurs if any one of the following conditions is true:
 * You configure the ISA Server computer to retrieve content from the cache, regardless of whether the content is still valid or not.
 * The client request specifies that expired content that is returned by the ISA Server is acceptable.

To resolve this issue, use one of the following methods:

 * Block the "max-stale" HTTP header field.
 * Configure the ISA Server computer to prevent it from retrieving expired cache content.

To block the "max-stale" HTTP header field, you must create a new signature for the "max-stale" HTTP header field on the Signature tab.

For more information about HTTP filtering in ISA Server 2004, visit the following Microsoft Web site:

http://www.microsoft.com/technet/isa/2004/plan/httpfiltering.mspx

Note The "max-stale" HTTP header field indicates that the client may accept a media stream that has exceeded its expiration time. If max-stale is assigned a value, the client may accept a response that has exceeded its expiration time by no more than the specified number of seconds. If no value is assigned to max-stale, the client may accept a stale response of any age. For example, if you create a value of 3600 for the "max-stale" HTTP header field, the client can accept data that has exceeded the expiration time by no more than one hour (3600 seconds).

To prevent the ISA Server computer from retrieving expired cache content, click the following option on the Contents Retrieval page in the New Cache Rule Wizard:

'''Only if a valid version of the object exists in cache. If no valid version exists, route the request to the server.'''
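The following added example (illustrative code, not ISA Server's own implementation) shows the two mitigations as checks a practitioner can reason about: parsing the max-stale directive out of a Cache-Control header, which is what a header signature would match on, and the freshness rule behind the "only if a valid version exists" option. Function names, the regular expression and the sample headers are assumptions made for this example.

```python
# Added example, not ISA Server code. Function names and sample headers are
# constructed for illustration.
import re
from typing import Dict, Optional, Union

# Matches a max-stale directive with an optional (possibly quoted) delta-seconds value.
MAX_STALE_RE = re.compile(r'(?:^|,)\s*max-stale(?:\s*=\s*"?(\d+)"?)?\s*(?=,|$)', re.I)

def parse_max_stale(cache_control: str) -> Optional[Union[int, str]]:
    """None if the directive is absent, "any" for a bare max-stale, else the seconds."""
    m = MAX_STALE_RE.search(cache_control)
    if not m:
        return None
    return int(m.group(1)) if m.group(1) is not None else "any"

def client_accepts_stale(cache_control: str, seconds_past_expiry: int) -> bool:
    """Whether the client's max-stale directive tolerates an object this far past expiry."""
    max_stale = parse_max_stale(cache_control)
    if max_stale is None:
        return seconds_past_expiry <= 0      # no max-stale: only fresh content
    if max_stale == "any":
        return True                          # bare max-stale: any age is acceptable
    return seconds_past_expiry <= max_stale  # e.g. max-stale=3600 tolerates one hour

def request_carries_max_stale(headers: Dict[str, str]) -> bool:
    """The condition a header signature for "max-stale" would match on."""
    return parse_max_stale(headers.get("Cache-Control", "")) is not None

def cache_retrieval(expires_at: int, now: int, valid_only: bool) -> str:
    """
    valid_only=True models "Only if a valid version of the object exists in cache.
    If no valid version exists, route the request to the server."
    valid_only=False models retrieving cached content regardless of validity.
    """
    if now <= expires_at:
        return "serve-from-cache"
    return "route-to-server" if valid_only else "serve-expired-from-cache"
```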



For more information about how to install ISA Server 2004 hotfixes and updates, click the following article number to view the article in the Microsoft Knowledge Base:

885957 How to install ISA Server hotfixes and updates

Keywords: kbfix kbbug kbhotfixserver KB894679

© Microsoft Corporation. All rights reserved.