Microsoft KB Archive/933869

= Applications that use an embedded Web browser program cannot access content on a Web site that you have published by using forms-based authentication in ISA Server 2006 =

Article ID: 933869

Article Last Modified on 5/30/2007

-

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2006 Standard Edition
 * Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition

-



SYMPTOMS
You configure forms-based authentication for a published Web site in Microsoft Internet Security and Acceleration (ISA) Server 2006. However, after you do this, applications that use an embedded Web browser program to access the Web site cannot access the published content successfully. You experience this problem when you use applications that use the InternetGetCookie method to retrieve cookies.

Note If you cannot determine whether a program uses the InternetGetCookie method to retrieve cookies, contact Microsoft Customer Support Services or contact the program vendor. For a complete list of Microsoft Customer Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support



CAUSE
This problem occurs because ISA Server 2006 sets the HTTPOnly attribute in the Set-Cookie header of the client cookie. A cookie that has this attribute set is known as an HTTP-only cookie.

ISA Server 2006 forms-based authentication uses a client cookie to maintain the authentication context of a user. This cookie is set after the user is authenticated successfully. When the cookie is set, ISA Server 2006 sets the HTTPOnly attribute in the Set-Cookie header of the client cookie. The HTTPOnly attribute marks the cookie as non-scriptable. This helps avoid any cross-site scripting issues that may occur. For more information about cross-site scripting issues, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/ms533046.aspx

An HTTP-only cookie is restricted with regard to how it can be used or accessed. Applications that use the InternetGetCookie method to retrieve an HTTP-only cookie are unsuccessful. For more information about this behavior, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/aa384710.aspx

When an application uses an embedded Web browser program that uses the InternetGetCookie method to retrieve cookies, the application cannot access the ISA Server 2006 forms-based authentication cookie. Therefore, the application cannot access the published Web content.

This problem is known to occur when you use the following applications:
 * Microsoft Windows Media Player
 * The Sun Java Runtime Environment (JRE), also known as the Java Virtual Machine (JVM)



RESOLUTION
A hotfix is available for computers that are running ISA Server 2006. To resolve this problem, install the hotfix that is described in the following Microsoft Knowledge Base article:

933718 Description of the Internet Security and Acceleration Server 2006 hotfix package that is dated March 21, 2007

After you enable the functionality that this hotfix provides, ISA Server 2006 does not set the HTTPOnly attribute on client cookies for connections on a particular Web listener. This action may increase the probability that you experience a cross-site scripting issue.
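The following added example is not part of the original article and is not Microsoft code. It models the behavior described under CAUSE and RESOLUTION: an HTTP-only cookie is still sent on HTTP requests but is withheld from script-level readers, and removing the attribute exposes it. The cookie names and values are constructed, and `CookieJar` and `jar_for` are hypothetical helpers.

```python
# Added example: models the script-facing cookie view described in this article.
# Cookie names and values are constructed, not ISA Server's real ones.

def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive: HTTPOnly == HttpOnly == httponly
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


class CookieJar:
    """Minimal jar that separates the HTTP view from the script/API view."""

    def __init__(self):
        self._cookies = {}  # name -> (value, http_only)

    def store(self, header_value):
        name, value, attrs = parse_set_cookie(header_value)
        self._cookies[name] = (value, "httponly" in attrs)

    def http_request_header(self):
        # The HTTP stack sends every cookie, HttpOnly or not.
        return "; ".join(f"{n}={v}" for n, (v, _) in self._cookies.items())

    def script_visible(self):
        # What a script-level reader (document.cookie, or an API that honours
        # HttpOnly the way the article describes) is allowed to return.
        return "; ".join(f"{n}={v}" for n, (v, h) in self._cookies.items() if not h)

    def audit(self):
        # Names of cookies exposed to script: review these after /Value:False.
        return sorted(n for n, (_, h) in self._cookies.items() if not h)


# Constructed responses: default listener vs. listener with HttpOnly disabled.
DEFAULT_LISTENER = ["fbaSession=abc123; path=/; HTTPOnly", "lang=en; path=/"]
HOTFIX_LISTENER = ["fbaSession=abc123; path=/", "lang=en; path=/"]

def jar_for(headers):
    jar = CookieJar()
    for h in headers:
        jar.store(h)
    return jar
```

Running `audit()` against the Set-Cookie headers captured from each published listener shows which listeners hand the authentication cookie to script after the setting is changed.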

Hotfix installation information
Important These steps may increase your security risk. These steps may also make the computer or the network more vulnerable to attack by malicious users or by malicious software such as viruses. We recommend the process that this article describes to enable programs to operate as they are designed to or to implement specific program capabilities. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this process in your particular environment. If you decide to implement this process, take any appropriate additional steps to help protect the system. We recommend that you use this process only if you really require this process.

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure. However, they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

After you install the hotfix, you must run a script to configure ISA Server 2006 not to set the HTTPOnly attribute for a specified Web listener. To do this, follow these steps:

1. Start a text editor, such as Notepad.
2. Paste the following code into the text editor.

    '
    ' Copyright (c) Microsoft Corporation. All rights reserved.
    ' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
    ' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
    ' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
    ' HEREBY PERMITTED.
    '

    ' This script determines whether ISA Server will set the HTTPOnly attribute on FBA cookies
    ' for a specified Web listener.
    '
    ' usage - to disable the setting of the HTTPOnly attribute on a specified Web listener
    ' cscript DisableHttpOnlyAuthCookies.vbs /WebListener: /Value:False
    '
    ' usage - to re-enable the setting of the HTTPOnly attribute on a specified Web listener
    ' cscript DisableHttpOnlyAuthCookies.vbs /WebListener: /Value:True
    '

    ' The Web listener name is required.
    If Not WScript.Arguments.Named.Exists("WebListener") Then
        WScript.Echo "WebListener not defined"
        WScript.Quit(1)
    End If

    Set fpcRoot = CreateObject("FPC.Root")
    Set fpcArray = fpcRoot.GetContainingArray
    Set fpcWebListener = fpcArray.RuleElements.WebListeners(WScript.Arguments.Named("WebListener"))
    Set fpcWebListenerVps = fpcWebListener.VendorParametersSets

    ' Look up the cookie authentication vendor parameters set; it may not exist yet.
    On Error Resume Next
    Set fpcCookieAuthVps = fpcWebListenerVps.Item("{29022EBA-B030-4839-9CA6-DD8875BC7B47}")
    If Err.number = 0 Then
        CookieAuthVpsExists = True
    Else
        CookieAuthVpsExists = False
    End If
    Err.Clear
    On Error GoTo 0

    ' Report the current setting.
    If Not CookieAuthVpsExists Then
        WScript.Echo "Cookie auth VPS settings not defined, HTTP only cookies are ON by default"
    Else
        WScript.Echo "HTTP only cookies: " & (fpcCookieAuthVps.Value("HttpOnlyCookie") = True)
    End If

    ' If /Value was supplied, create the set if needed, write the setting, and save the array.
    If WScript.Arguments.Named.Exists("Value") Then
        If Not CookieAuthVpsExists Then
            Set fpcCookieAuthVps = fpcWebListenerVps.Add("{29022EBA-B030-4839-9CA6-DD8875BC7B47}")
        End If

        fpcCookieAuthVps.Value("HttpOnlyCookie") = (StrComp(WScript.Arguments.Named("Value"), "True", 1) = 0)
        fpcArray.Save
        WScript.Echo "HTTP only cookies set to " & (fpcCookieAuthVps.Value("HttpOnlyCookie") = True)
    End If

3. Save the file as DisableHttpOnlyAuthCookies.vbs, and then exit the text editor.
4. Open a command prompt, and then move to the directory to which you saved the DisableHttpOnlyAuthCookies.vbs file.
5. Type the following command, and then press ENTER:

cscript DisableHttpOnlyAuthCookies.vbs /WebListener: /Value:False

In this command, type the name of the Web listener whose behavior you want to modify immediately after the /WebListener: switch.

Note To restore ISA Server 2006 to the default behavior in which the HTTPOnly attribute is set for forms-based authentication cookies, follow these steps:

1. Open a command prompt, and then move to the directory to which you saved the DisableHttpOnlyAuthCookies.vbs file.
2. Type the following command, and then press ENTER:

cscript DisableHttpOnlyAuthCookies.vbs /WebListener: /Value:True

In this command, type the name of the Web listener whose behavior you want to modify immediately after the /WebListener: switch.


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


MORE INFORMATION
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

Additional query words: cookieauth

Keywords: kberrmsg kbfirewall kbtshoot kbfix kbbug kbprb KB933869

-


© Microsoft Corporation. All rights reserved.