Article ID: 821724 - View products that this article applies to.
Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/256986/ )Description of the Microsoft Windows registry
In a Web publishing scenario where Basic authentication is enabled on the Incoming Web Requests listener, Basic credentials may be sent over an external HTTP connection even though the Web publishing rule that processes the request is configured for SSL required. This problem may create a security issue because Basic credentials are Base64-encoded. If Basic credentials are sent over an HTTP connection, they may be read as clear text and decoded.
This problem may occur if all the following conditions are true:
Note RFC 2617 requires HTTP clients to select the strongest authentication scheme from all the options that are provided by a server or proxy. For example, Microsoft Internet Explorer complies with this requirement. Because this requirement cannot be guaranteed by other browsers, you may find that Basic authentication is selected, even when stronger authentication schemes are offered.
Note One common example of when this problem may occur is if external users request http://www.owaserver.com/exchange instead of https://www.owaserver.com/exchange.
This problem does not occur in the following situations:
When an incoming request is sent to a computer that is running ISA Server and authentication must occur on the Web publishing rule that processes the request, ISA Server first returns a "401 Unauthorized" response to use the authentication handshake with the client. This response occurs independent of the protocol (HTTP or HTTPS) that the client uses. After successful authentication occurs, ISA Server checks the properties of the appropriate Web publishing rule. If the rule is configured for SSL required, the request is denied with a "403" (12211) response. The security issue may occur at this point because the Basic credentials may already have been sent by using HTTP before the "403" response is sent.
To resolve this problem, apply security update MS05-034. To download this security update, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/ms05-034.mspxWarning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
This security update lets you control whether ISA Server requests Basic authentication for non-secure incoming HTTP Web requests. If you do want ISA Server to request Basic authentication on non-secure connections, add the following registry key:
By default, ISA Server will not request Basic authentication on on-secure connections when you apply this update. If you do want this behavior to occur, either delete this registry key, or set the value of the registry key to 0.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters\AllowAskBasicAuthOverNonSecureConnection : DWORD : 1
If you install this security update, ISA Server immediately sends a "403" response to the client instead of a "401" response when the following conditions are true:
To configure Basic authentication on the Incoming Web Requests listener, follow these steps:
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Article ID: 821724 - Last Review: December 3, 2007 - Revision: 5.10