In a Web publishing scenario where Basic authentication is enabled on the Incoming Web Requests listener, Basic credentials may be sent over an external HTTP connection even though the Web publishing rule that processes the request is configured for SSL required. This problem may create a security issue because Basic credentials are Base64-encoded. If Basic credentials are sent over an HTTP connection, they may be read as clear text and decoded.

This problem may occur if all the following conditions are true:

•	Basic authentication is configured on the Incoming Web Requests listener.
•	The Web publishing rule is configured for SSL required because you want to permit only HTTPS traffic on this rule.
•	The Web publishing rule is configured for User authentication.
•	The initial client request is sent by using HTTP and the http://server.domain.tld format.

For more information about how to configure these settings, see the "More Information" section of this article.

Note RFC 2617 requires HTTP clients to select the strongest authentication scheme from all the options that are provided by a server or proxy. For example, Microsoft Internet Explorer complies with this requirement. Because this requirement cannot be guaranteed by other browsers, you may find that Basic authentication is selected, even when stronger authentication schemes are offered.

Note One common example of when this problem may occur is if external users request http://www.owaserver.com/exchange instead of https://www.owaserver.com/exchange.

This problem does not occur in the following situations:

•	You have not configured Basic authentication on the Incoming Web Requests listener.
•	You have multiple authentication methods enabled on the Incoming Web Requests listener, and the client authenticates by using NTLM or Digest authentication on the computer that is running Internet Security and Acceleration (ISA) Server. Although the authentication is also sent over HTTP, this problem does not occur because NTLM and Digest authentication cannot be easily decrypted.

Back to the top

When an incoming request is sent to a computer that is running ISA Server and authentication must occur on the Web publishing rule that processes the request, ISA Server first returns a "401 Unauthorized" response to use the authentication handshake with the client. This response occurs independent of the protocol (HTTP or HTTPS) that the client uses. After successful authentication occurs, ISA Server checks the properties of the appropriate Web publishing rule. If the rule is configured for SSL required, the request is denied with a "403" (12211) response. The security issue may occur at this point because the Basic credentials may already have been sent by using HTTP before the "403" response is sent.

Back to the top

To resolve this problem, apply security update MS05-034. To download this security update, visit the following Microsoft Web site:Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

This security update lets you control whether ISA Server requests Basic authentication for non-secure incoming HTTP Web requests. If you do want ISA Server to request Basic authentication on non-secure connections, add the following registry key: By default, ISA Server will not request Basic authentication on on-secure connections when you apply this update. If you do want this behavior to occur, either delete this registry key, or set the value of the registry key to 0.

If you install this security update, ISA Server immediately sends a "403" response to the client instead of a "401" response when the following conditions are true:

•	The registry key is either missing or set to 0.
•	The request is sent over HTTP.
•	Basic authentication is configured on the Incoming Web Requests listener.

Note If you install this security update, Basic authentication cannot be used for non-secure incoming Web requests, even if other Web publishing rules are configured to use Basic authentication. Because Basic authentication over HTTP is not a secure authentication method, we do not recommend that you use Basic authentication in HTTP-based Web publishing scenarios.

Back to the top

To configure Basic authentication on the Incoming Web Requests listener, follow these steps:

1.	In the ISA Server Microsoft Management Console (MMC), right-click the server or array, and then click Properties.
2.	Click the Incoming Web Requests tab, and then click Basic authentication.

To configure SSL required on the Web publishing rule, follow these steps:

1.	In the ISA Server MMC, expand Publishing, and then expand Web Publishing Rules.
2.	Right-click the rule that you want to configure, and then click Properties.
3.	Click the Bridging tab, and then click to select the Require SSL check box.

To configure the Web publishing rule for User authentication, follow these steps:

1.	In the ISA Server MMC, expand Publishing, and then expand Web Publishing Rules.
2.	Right-click the rule that you want to configure, and then click Properties.
3.	Click the Applies to tab, and then select the users who are permitted to access the Web publishing rules.

Back to the top

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Back to the top