White spaces in URLs are not correctly encoded or decoded when you log on

When you use SecurID authentication to request a Web page that is published by a Web publishing rule in Microsoft ISA Server 2000, you may receive one of the following error messages:

• 404 (File not found)
  
  
  This error is returned if ISA Server hotfix 829893 is not installed.
  
  For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
  829893  (http://support.microsoft.com/kb/829893/ ) RSA SecurID cookie expires frequently, and clients are repeatedly prompted to authenticate
• 500 Internal Server error - Unspecified error (-2147467259)
  
  
  This error is returned if ISA Server hotfix 829893 is installed.

This problem occurs if the following conditions are true:

• You have installed ISA Server Feature Pack 1 and SecurID authentication on your computer, and you have enabled the SecurID authentication Web filter.
  
  For more information about how to install ISA Server Feature Pack 1 and configure SecurID authentication, visit the following Microsoft Web site:
  http://www.microsoft.com/downloads/details.aspx?FamilyID=2f92b02c-ac49-44df-af6c-5be084b345f9&DisplayLang=en (http://www.microsoft.com/downloads/details.aspx?FamilyID=2f92b02c-ac49-44df-af6c-5be084b345f9&DisplayLang=en)
  Additionally, see the "More Information" section for details about how to enable SecurID authentication in ISA Server.
• During the SecurID authentication process, you request a URL that includes white space, and ISA Server responds with the SecurID logon page. This page prompts you for authentication credentials. See the "More Information" section for examples of when this problem might occur.

This problem does not occur if the following conditions are true:

• During the SecurID authentication process, you request a URL that does not include white space.
• You request a URL that includes white space after the ISA Server SecurID logon has successfully authenticated your credentials and before the SecurID logon page prompts you to enter your credentials for re-authentication.

This is a problem in the SecurID Web filter in ISA Server 2000. If you request a URL during the SecureID authentication process, and the URL contains white space, the Web filter does not correctly encode or decode the white space.

To resolve this problem, obtain the latest service pack for ISA Server 2000.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

This problem was corrected in ISA 2000 Service Pack 2.

This problem may occur in the following circumstances:

• You publish an internal Outlook Web Access (OWA) Server by using ISA Server Web publishing.
• You enable SecurID authentication in the appropriate Web publishing rule.
• You configure a SecurID cookie time-out value in the SecurID settings of the Web publishing rule. (The default time-out value is 15 minutes.)
• You are successfully authenticated to the OWA site by the SecurID logon page.
• You open e-mail on the OWA page after the ISA Server RSA cookie time-out has passed, and ISA Server responds with the SecurID logon page that prompts you to re-authenticate.
• The e-mail that you open includes white space in the subject line. For example, if the subject line contains the "Test over Outlook" string, you may see a URL that is similar to the following after the browser has normalized the URL:
  
  http://www.OWA_Server.com/exchange/e-mail_user/Inbox/Test%20over%20Outlook.eml?Cmd=open
  
  (OWA_Server is your OWA Server name, and e-mail_user is your e-mail user name.)

ISA Server 2000 implements RSA authentication as follows:

1. If a client requests a Web site that is published by ISA Server, and SecurID is enabled on the Web publishing rule, the SecurID Web filter first responds with the SecurID logon page.
2. After the client has successfully entered the SecurID credentials and submitted the page, the SecurID Web filter redirects to the page that was originally requested.

To enable or to disable the SecurID authentication Web filter, follow these steps:

1. In the ISA Microsoft Management Console (MMC), expand Servers and Arrays and the server name node.
2. Expand Extensions, and then click Web Filters.
3. Click the Web Filter for RSA SecurID Web filter.
4. Right-click properties.
5. To enable the filter, click to select the Enable this filter check box. To disable the filter, click to clear the Enable this filter check box.

To set SecurID authentication for your Web publishing rule, follow these steps:

1. In the ISA Microsoft Management Console (MMC), expand Servers and Arrays and the server name node.
2. Expand Access Policy, and then click Web Publishing Rules.
3. Create a new Web publishing rule, or select an existing rule that you want to configure. Right-click the rule, and then click Properties.
4. Click the RSA SecurID tab, and then click to select or to clear the Enable RSA Web Authentication Feature Set for this rule check box.