FIX: A client may be unsuccessful in accessing a Java SSO application published to the web in a Threat Management Gateway 2010 environment

Article ID: 2654016 - View products that this article applies to.
Expand all | Collapse all


Consider the following scenario:
  • You use Microsoft Forefront Threat Management Gateway 2010 to publish a Java single sign-on (SSO) application to the web.
  • You configure the web publishing rule to do Windows Challenge/Response (NTLM) delegation to the Java SSO application.
  • The Java SSO application relies on a JSESSIONID cookie that is set in the second leg of the NTLM handshake. The SSO application uses this cookie to handle the NTLM handshake.

In this scenario, a client may be unsuccessful in accessing the Java SSO application because the application does not successfully handle the NTLM delegation.


The NTLM delegation in Threat Management Gateway is typically a transparent process, and the client that accesses the site should not be aware that NTLM delegation is occurring on the back end between Threat Management Gateway and the web-published server. Because the NTLM handshake process is transparent to the client, the request is handled by a separate request object, and the cookies that are set are lost. This problem occurs because the Java SSO implementation relies on the JSESSIONID cookie to track the NTLM state and the Java SSO implementation does not successfully handle the NTLM handshake.


To resolve this issue, install the hotfix package that is described in the following Microsoft Knowledge Base article:
2649961 Rollup 1 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2
To enable this hotfix, follow these steps:
  1. Start Notepad. To do this, click Start, click Run, type notepad.exe in the Open box, and then click OK.
  2. Paste the following script to a new file in Notepad.
    set curArray = CreateObject("FPC.Root").GetContainingArray()
    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
    Const SE_VPS_NAME = "EnableNTLMHandshakeCookies"
    Const SE_VPS_VALUE = 1
    Sub SetValue()
        ' Create the root obect.
        Dim root  ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")
        'Declare the other objects needed.
        Dim array       ' An FPCArray object
        Dim VendorSets  ' An FPCVendorParametersSets collection
        Dim VendorSet   ' An FPCVendorParametersSet object
        ' Get references to the array object
        ' and the network rules collection.
        Set array = curArray 
        Set VendorSets = array.VendorParametersSets
        On Error Resume Next
        Set VendorSet = VendorSets.Item( SE_VPS_GUID )
        If Err.Number <> 0 Then
            ' Add the item
            Set VendorSet = VendorSets.Add( SE_VPS_GUID )
            WScript.Echo "New VendorSet added... " & VendorSet.Name
            WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value(SE_VPS_NAME)
        End If
        if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
            VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
            If Err.Number <> 0 Then
                VendorSets.Save false, true
                If Err.Number = 0 Then
                    WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
                End If
            End If
            WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
        End If
    End Sub
    Sub CheckError()
        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
        End If
    End Sub
  3. Save the file as a .vbs file. For example, save the file as EnableNTLMHandshakeCookies.vbs.
  4. On a Threat Management Gateway server, open a command prompt, and move to the location where you saved the EnableNTLMHandshakeCookies.vbs file that you saved in step 3. Type the following command, and then press Enter:
    Cscript.exe EnableNTLMHandshakeCookies.vbs
This hotfix enables Threat Management Gateway to handle cookies during the NTLM handshake process.

Note To change the functionality back to the default behavior, modify the following line in the script in step 2:
Const SE_VPS_VALUE = 1
Change the value from 1 to 0, and then run the script again.


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates


Article ID: 2654016 - Last Review: January 11, 2012 - Revision: 1.0
  • Microsoft Forefront Threat Management Gateway 2010 Enterprise
  • Microsoft Forefront Threat Management Gateway 2010 Standard
  • Microsoft Forefront Threat Management Gateway 2010 Service Pack 1
  • Microsoft Forefront Threat Management Gateway 2010 Service Pack 2
kbexpertiseinter kbbug kbsurveynew kbqfe kbfix KB2654016

Give Feedback


Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from