Microsoft KB Archive/927265

From BetaArchive Wiki
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Article ID: 927265

Article Last Modified on 12/4/2007



APPLIES TO

  • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
  • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
  • Microsoft Internet Security and Acceleration Server 2004 Standard Edition
  • Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition



SYMPTOMS

Consider the following scenario:

  • You configure an upstream Microsoft Internet Security and Acceleration (ISA) Server computer that requires authentication.
  • You configure a downstream ISA Server computer that does not require authentication.
  • Client computers that are connected to the downstream ISA Server computer are running Windows Internet Explorer 7.

In this scenario, the client computers cannot authenticate with the upstream ISA Server computer.

CAUSE

Client computers that are running Internet Explorer 7 obtain a Kerberos ticket that is valid for authentication with the downstream server. However, this Kerberos ticket is not validated by the authenticating upstream ISA Server computer.

Specifically, when the upstream ISA Server computer requests authentication, the client computer obtains a Kerberos ticket for the downstream server. This Kerberos ticket is valid for authentication with the downstream ISA Server computer. This ticket cannot be used to authenticate with the upstream ISA Server computer. When the Kerberos ticket is presented to the upstream ISA Server computer, the upstream ISA Server computer cannot validate the ticket. Therefore, authentication fails.

Notes

  • The downstream ISA Server computer is the proxy server with which the client computer is communicating.
  • Internet Explorer 7 includes support for Kerberos authentication against proxy servers.

NTLM authentication is the alternative authentication method for instances when Kerberos authentication fails. However, the client computer does not use NTLM authentication because the client computer has successfully obtained a Kerberos ticket for the proxy server.

RESOLUTION

Hotfix information

A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hotfix.

To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:

Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:

Prerequisites

The computer must be running ISA Server 2004 Service Pack 2 (SP2) to apply the ISA Server 2004 version of this hotfix.

Restart requirement

After you apply this hotfix, the hotfix will restart ISA Server services.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

ISA Server 2006
File name File version File size Date Time Platform
Linktranslation.dll 5.0.5720.154 247,136 25-Oct-2006 09:24 x86
Msfpc.dll 5.0.5720.154 549,216 25-Oct-2006 09:24 x86
Msfpccom.dll 5.0.5720.154 6,409,568 25-Oct-2006 09:24 x86
W3filter.dll 5.0.5720.154 890,208 25-Oct-2006 09:24 x86
ISA Server 2004, Enterprise Edition
File name File version File size Date Time Platform
Comphp.dll 4.0.3443.628 167,784 27-Oct-2006 14:45 x86
Complp.dll 4.0.3443.628 63,336 27-Oct-2006 14:45 x86
Cookieauthfilter.dll 4.0.3443.628 159,592 27-Oct-2006 14:45 x86
Linktranslation.dll 4.0.3443.628 123,752 27-Oct-2006 14:45 x86
Msfpc.dll 4.0.3443.628 377,192 27-Oct-2006 14:45 x86
Msfpccom.dll 4.0.3443.628 5,024,104 27-Oct-2006 14:45 x86
Msfpcsnp.dll 4.0.3443.628 4,656,488 27-Oct-2006 14:45 x86
Msfpcui.dll 4.0.3443.628 2,420,584 27-Oct-2006 14:45 x86
Mspadmin.exe 4.0.3443.628 282,984 27-Oct-2006 14:45 x86
Msphlpr.dll 4.0.3443.628 405,352 27-Oct-2006 14:45 x86
Mspmon.dll 4.0.3443.628 52,584 27-Oct-2006 14:45 x86
Mspmsg.dll 4.0.3443.628 254,312 27-Oct-2006 14:45 x86
Ratlib.dll 4.0.3443.628 40,808 27-Oct-2006 14:45 x86
Rpcfltr.dll 4.0.3443.628 130,920 27-Oct-2006 14:45 x86
Socksflt.dll 4.0.3443.628 95,592 27-Oct-2006 14:45 x86
W3filter.dll 4.0.3443.628 752,488 27-Oct-2006 14:45 x86
Wspsrv.exe 4.0.3443.628 1,067,368 27-Oct-2006 14:45 x86
ISA Server 2004, Standard Edition
File name File version File size Date Time Platform
Comphp.dll 4.0.2165.628 167,272 27-Oct-2006 14:35 x86
Complp.dll 4.0.2165.628 63,848 27-Oct-2006 14:35 x86
Cookieauthfilter.dll 4.0.2165.628 161,128 27-Oct-2006 14:35 x86
Msfpc.dll 4.0.2165.628 330,088 27-Oct-2006 14:35 x86
Msfpccom.dll 4.0.2165.628 3,543,400 27-Oct-2006 14:35 x86
Msfpcui.dll 4.0.2165.628 2,142,568 27-Oct-2006 14:35 x86
Ratlib.dll 4.0.2165.628 39,272 27-Oct-2006 14:35 x86
Msfpcsnp.dll 4.0.2165.628 3,574,632 27-Oct-2006 14:35 x86
Mspadmin.exe 4.0.2165.628 233,320 27-Oct-2006 14:35 x86
Msphlpr.dll 4.0.2165.628 375,656 27-Oct-2006 14:35 x86
Mspmon.dll 4.0.2165.628 52,584 27-Oct-2006 14:35 x86
Mspmsg.dll 4.0.2165.628 230,760 27-Oct-2006 14:35 x86
Rpcfltr.dll 4.0.2165.628 135,528 27-Oct-2006 14:35 x86
Socksflt.dll 4.0.2165.628 100,200 27-Oct-2006 14:35 x86
W3filter.dll 4.0.2165.628 736,616 27-Oct-2006 14:35 x86
Wspsrv.exe 4.0.2165.628 945,512 27-Oct-2006 14:35 x86
Linktranslation.dll 4.0.2165.628 124,776 27-Oct-2006 14:35 x86
Radiusauth.dll 4.0.2165.628 66,408 27-Oct-2006 14:35 x86

Post-hotfix installation information

After you apply this hotfix, you must run the following Microsoft Visual Basic script to configure the upstream ISA Server computer to return NTLM authentication headers only when Windows Integrated authentication is used. To run this script, follow these steps:

  1. Click Start, point to Programs, point to Accessories, and then click Notepad.
  2. Copy the following code, and then paste it into Notepad.

    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    '
    ' Copyright (c) Microsoft Corporation. All rights reserved.
    ' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
    ' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
    ' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
    ' HEREBY PERMITTED.
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    ' This script sets authentication schemes that ISA will return for Integrated authentication.
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    
    const USE_ONLY_NTLM_FOR_WINDOWS_AUTH_default = 0 ' Use Negotiate and Kerberos, too.
    const USE_ONLY_NTLM_FOR_WINDOWS_AUTH_Always  = 1
    
    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
    Const SE_VPS_NAME = "UseOnlyNTLMForWindowsAuth"
    Const SE_VPS_VALUE = 1
    
    Sub SetValue()
    
        ' Create the root object.
        Dim root  ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")
    
        'Declare the other objects that are needed.
        Dim array       ' An FPCArray object
        Dim VendorSets  ' An FPCVendorParametersSets collection
        Dim VendorSet   ' An FPCVendorParametersSet object
    
        ' Get references to the array object
        ' and to the network rules collection.
        Set array = root.GetContainingArray
        Set VendorSets = array.VendorParametersSets
    
        On Error Resume Next
        Set VendorSet = VendorSets.Item( SE_VPS_GUID )
    
        If Err.Number <> 0 Then
            Err.Clear
    
            ' Add the item.
            Set VendorSet = VendorSets.Add( SE_VPS_GUID )
            CheckError
            WScript.Echo "New VendorSet added... " & VendorSet.Name
    
        Else
            WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value(SE_VPS_NAME)
        End If
    
        if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
    
            Err.Clear
            VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
    
            If Err.Number <> 0 Then
                CheckError
            Else
                VendorSets.Save false, true
                CheckError
    
                If Err.Number = 0 Then
                    WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
                End If
            End If
        Else
            WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
        End If
    
    End Sub
    
    Sub CheckError()
    
        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If
    
    End Sub
    
    SetValue
  3. Save this Notepad file as UseOnlyNTLMforWindowsAuth.vbs.
  4. Double-click the .vbs file to run the script.

Note To revert to the default time-out value, change the SE_VPS_VALUE to 0, and then rerun the script.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

An additional problem may occur after you enable this hotfix on the upstream server. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

938465 Error message when you try to access Web sites through a downstream server after you enable hotfix 927265 on an upstream server that is running ISA Server 2004: "502 Proxy Error"




For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684Description of the standard terminology that is used to describe Microsoft software updates


Keywords: kbbug kbfix kbqfe kbpubtypekc kbexpertiseadvanced kbhotfixserver KB927265