FIX: SecurID does not redirect to the requested page after a successful logon

Hotfix Download Available
View and request hotfix downloads

View products that this article applies to.

SYMPTOMS

When you use SecurID authentication to request a Web page that is published by a Web publishing rule in Microsoft ISA Server 2000, you are not redirected to the requested URL after you enter the correct credentials on the SecurID logon page. Instead, ISA Server responds with the SecurID logon page and prompts you to enter your SecurID credentials again.

This problem occurs if all the following conditions are true:

You have installed ISA Server Feature Pack 1 and SecurID authentication on your system, and you have enabled the SecurID authentication Webfilter.
You have two Web publishing rules. The initial Web page request is served by the first Web publishing rule. This rule has no SecurID authentication enabled. The page that is published by the first Web publishing rule links to another URL that is published by the second Web publishing rule. The second Web publishing rule has SecurID authentication enabled.
The second Web publishing rule processes the redirection. The second rule applies the same host name as the first Web publishing rule.

For more information about how to install ISA Server Feature Pack 1 and configure SecurID authentication, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=2f92b02c-ac49-44df-af6c-5be084b345f9&DisplayLang=en. (http://www.microsoft.com/downloads/details.aspx?FamilyID=2f92b02c-ac49-44df-af6c-5be084b345f9&DisplayLang=en)

For more information about how to setup SecurID authentication in ISA Server 2000, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=2f92b02c-ac49-44df-af6c-5be084b345f9&DisplayLang=en. (http://download.microsoft.com/download/4/c/b/4cbe9a1f-8d97-4c71-b6b3-d967924981db/securID_readme.htm)

The problem does not occur if the initial request is immediately processed by the second Web publishing rule. For example, if the client first requests http://www.example.com, the page that is published by the first Web publishing rule redirects to http://www.example.com/securefolder/default.html. The second Web publishing rule processes this request, and the request is denied. If the client first requests http://www.example.com/securefolder/default.html, this problem does not occur.

Back to the top

CAUSE

This is a problem in the SecurID filter in ISA Server 2000. This filter does not send the correct redirection URL in response to a successful SecurID logon.

Back to the top

RESOLUTION

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support (http://support.microsoft.com/contactus/?ws=support)

Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Prerequisites

ISA Server 2000 Service Pack 1 and ISA Server Feature Pack 1 are required to install this hotfix.

For additional information about how to obtain ISA Server SP1 and ISA Server Feature Pack 1, click the following article numbers to view the articles in the Microsoft Knowledge Base:

313139 (http://support.microsoft.com/kb/313139/ ) How to obtain the latest Internet Security and Acceleration Server 2000 service pack

319380 (http://support.microsoft.com/kb/319380/ ) ISA Server 2000 Feature Pack 1 overview

Hotfix replacement information

This hotfix does not replace any other hotfixes.

Restart requirement

You must restart your computer after installing the hotfix.

   Date         Time   Version      Size  File name
   --------------------------------------------------
   22-Feb-2004 17:02 3.0.1200.305 178,448 Mspadmin.exe 
   22-Feb-2004 17:02 3.0.1200.305 103,184 Msphlpr.dll 
   22-Feb-2004 17:01 3.0.1200.305 393,488 W3proxy.exe 
   22-Feb-2004 17:02 3.0.1200.305 299,280 Wspsrv.exe
   22-Feb-2004 17:01 3.0.1200.305  81,680 Sdisa.dll

The Hotfix applies to all ISA Server languages.

Back to the top

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Back to the top

MORE INFORMATION

ISA Server 2000 implements RSA authentication as follows:

If a client requests a Web site that is published by ISA Server, and SecurID is enabled on the Web publishing rule, the SecurID Web filter first responds with the SecurID logon page.
After the client has successfully entered the SecurID credentials and submitted the page, the SecurID Web filter redirects to the page that was originally requested.

To enable or to disable the SecurID authentication Webfilter, follow these steps:

In the ISA Microsoft Management Console (MMC), expand Servers and Arrays and the server name node.
Expand Extensions, and then click Web Filters.
Right-Click the Web Filter for RSA SecurID Webfilter.
Click enable or disable.

To set SecurID authentication for your Web publishing rule, follow these steps:

In the ISA MMC, expand Servers and Arrays and the server name node.
Expand Access Policy, and then click Web Publishing Rules.
Create a new Web Publishing Rule, or select an existing rule that you want to configure. Right-click the rule, and then click Properties.
Click the RSA SecurID tab, and then click to select or to clear the Enable RSA Web Authentication Feature Set for this rule check box.

To troubleshoot this problem, use Microsoft Network Monitor to analyze the HTTP traffic. After the client submits the SecurID credentials, the HTTP response from the ISA Server may include a response that is similar to the following:

HTTP: Response to Client; HTTP/1.1; Status Code = 200 - OK
	HTTP: Protocol Version =HTTP/1.1
	HTTP: Status Code = OK
	HTTP: Reason =OK
	HTTP: Connection =close
	HTTP: Content-Length =733
	HTTP: Refresh = 1; URL=

Because the URL= field is empty, the client is not redirected to the original URL. After you install this hotfix, the response will look similar to the following:

HTTP: Response to Client; HTTP/1.1; Status Code = 200 - OK
	HTTP: Protocol Version =HTTP/1.1
	HTTP: Status Code = OK
	HTTP: Reason =OK
	HTTP: Connection =close
	HTTP: Content-Length =733
	HTTP: Refresh = 1; URL=/securefolder/default.html

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

824684 (http://support.microsoft.com/kb/824684/ ) How to install Network Monitor in Windows 2000

Back to the top