Symptoms

When a Microsoft Forefront Threat Management Gateway (TMG) 2010 web proxy or web publishing client tries to authenticate to TMG but provides incorrect credentials, the TMG logs cannot be used to identify the source of the request. 

Cause

This issue occurs when an authentication attempt that is made to TMG fails. When this occurs, the request is handled as an anonymous request and will appear in the web proxy logs with the username logged as Anonymous.

The Security event logs on the TMG server will log an "Event ID 4265 Failed Logon attempt," include the domain and username, and state that the authentication attempt originated from the Firewall Service (wspsrv.exe). Because the originating request is logged in the web proxy logs as Anonymous, the TMG logs cannot be used to identify the request that caused the failed authentication attempt.

Where an account lockout occurs after several failed authentication attempts that are made by incoming web proxy or web publishing requests (for example, an ActiveSync device that has a user's old password saved), you cannot identify the source of that request from the TMG logs.

Resolution

To resolve this problem, install the service pack that is described in the following Microsoft Knowledge Base article:

2555840 Description of Service Pack 2 for Microsoft Forefront Threat Management Gateway 2010

By default, the change in behavior is not enabled, and the following script should be run to enable the new behavior. After you enable the new behavior, TMG will log the username that is associated with a failed logon attempt in the Username field as follows, instead of being logged as Anonymous:

domain\username (!)

The "(!)" that is appended to the username indicates that authentication was tried for this user for this request but that the authentication failed. The request will still be treated as Anonymous by TMG in all other aspects, such as rule processing.

To enable this functionality, follow these steps:

  1. Copy the following script into Notepad, and then save it by using the file name EnableFix.vbs:

    ' The array that contains this TMG server.
    Set curArray = CreateObject("FPC.Root").GetContainingArray()
    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
    Const SE_VPS_NAME = "LogUsernameForFailedAuthentication"
    Const SE_VPS_VALUE = 1

    Sub SetValue()

        ' Create the root object.
        Dim root ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")

        ' Declare the other objects needed.
        Dim array ' An FPCArray object
        Dim VendorSets ' An FPCVendorParametersSets collection
        Dim VendorSet ' An FPCVendorParametersSet object
        Dim saveError ' Error number returned by the Save call

        ' Obtain references to the array object
        ' and the vendor parameters sets collection.
        Set array = curArray
        Set VendorSets = array.VendorParametersSets

        ' Look up the vendor parameters set; an error means it does not exist yet.
        On Error Resume Next
        Set VendorSet = VendorSets.Item( SE_VPS_GUID )

        If Err.Number <> 0 Then
            Err.Clear

            ' Add the item
            Set VendorSet = VendorSets.Add( SE_VPS_GUID )
            CheckError
            WScript.Echo "New VendorSet added... " & VendorSet.Name

        Else
            WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
        End If

        ' Write the value only if it differs from the one already stored.
        If VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then

            Err.Clear
            VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

            If Err.Number <> 0 Then
                CheckError
            Else
                VendorSets.Save false, true
                ' CheckError clears Err, so keep the result of Save first.
                saveError = Err.Number
                CheckError

                If saveError = 0 Then
                    WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
                End If
            End If
        Else
            WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
        End If

    End Sub

    ' Report the pending error, if any, and clear it.
    Sub CheckError()

        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If

    End Sub

    SetValue

  2. Run the script on one of the TMG array members. The script change will take effect when the TMG configuration synchronizes. No Firewall service restart is necessary for the change to take effect.

  3. To revert the change and to return to the original behavior, locate the following line in the script:

    Const SE_VPS_VALUE = 1

  4. Change that line as follows:

    Const SE_VPS_VALUE = 0

  5. Save the script, and then run the script on one of the array members.
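
After the setting is enabled, the "(!)" suffix can be used to trace an account lockout back to the client that keeps sending the bad password. The following Python code is an added example, not part of the original article or of TMG. It assumes the web proxy log was exported as tab-delimited W3C text with a `#Fields:` header that contains `c-ip` and `cs-username` columns; the sample rows, account names, addresses and the threshold are constructed.

```python
from collections import Counter

MARKER = "(!)"  # TMG appends this to the username when authentication failed


def failed_auth_sources(log_text, ip_field="c-ip", user_field="cs-username"):
    """Count failed-authentication rows per (account, client IP).

    Columns are located through the '#Fields:' header, so the column order
    of the export does not matter. The field names are assumptions.
    """
    fields, hits = None, Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue  # skip comments, blank lines and rows seen before a header
        row = dict(zip(fields, line.split("\t")))
        user = row.get(user_field, "").strip()
        if user.endswith(MARKER):
            # Active Directory names are case-insensitive, so fold case.
            account = user[:-len(MARKER)].strip().lower()
            hits[(account, row.get(ip_field, "-"))] += 1
    return hits


def lockout_suspects(hits, threshold=3):
    """Return (account, client IP, count) for sources at or above threshold."""
    return [(a, ip, n) for (a, ip), n in hits.most_common() if n >= threshold]


def _row(ip, user, uri):
    return "\t".join([ip, user, "2011-10-04", "09:00:00", uri])


# Constructed sample log (not real data): one device retrying an old password.
SAMPLE_LOG = "\n".join(
    ["#Software: constructed sample",
     "#Fields: c-ip\tcs-username\tdate\ttime\tcs-uri"]
    + [_row("203.0.113.50", "CONTOSO\\bob (!)",
            "https://mail.contoso.example/Microsoft-Server-ActiveSync")] * 4
    + [_row("10.0.0.21", "CONTOSO\\alice", "http://example.com/"),
       _row("10.0.0.33", "contoso\\carol (!)", "http://example.com/"),
       _row("10.0.0.40", "anonymous", "http://example.com/")]
)

if __name__ == "__main__":
    for account, ip, count in lockout_suspects(failed_auth_sources(SAMPLE_LOG)):
        print(f"{account}\t{ip}\t{count} failed attempts")
```

Rows logged before the setting was enabled still show Anonymous and cannot be attributed this way.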

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

This new functionality is intended to support the identification of failed authentication attempts that are validated against Active Directory. The new functionality specifically supports the following authentication options:

  • Forward web proxy: NTLM authentication

  • Forward web proxy: Basic authentication

  • Web publishing: NTLM authentication

  • Web publishing: Basic authentication

  • Web publishing: Forms-based authentication with Active Directory

  • Web publishing: Forms-based authentication with LDAP

References

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates
