Users who do not have the appropriate permissions can receive restricted content from ISA Server 2006 or from ISA Server 2004

Article ID: 894679

SYMPTOMS

After you enable the Content requiring user authentication for retrieval cache rule in Microsoft Internet Security and Acceleration (ISA) Server 2006 or in Microsoft Internet Security and Acceleration (ISA) Server 2004, ISA Server caches content that is requested by users who are permitted to retrieve that content. However, users who do not have permissions to access that particular content can still request and receive this content from ISA Server.

CAUSE

By default, ISA Server does not cache content that is returned in response to an authenticated request. If you enable the Content requiring user authentication for retrieval cache rule, ISA Server does cache such content. ISA Server then serves the cached copy for every later request for the same URL without verifying that the requesting user is permitted to access it, so the access check that the origin server performed for the first requester is not repeated for subsequent requesters.

RESOLUTION

Service pack information

To resolve this problem, obtain the latest ISA Server service pack (SP).

For more information about how to obtain the latest ISA Server 2006 Service Pack, click the following article number to view the article in the Microsoft Knowledge Base:
954258 How to obtain the latest Internet Security and Acceleration (ISA) Server 2006 service pack

For more information about how to obtain the latest ISA Server 2004 service pack, click the following article number to view the article in the Microsoft Knowledge Base:
891024 How to obtain the latest ISA Server 2004 service pack

STATUS

Microsoft has confirmed that this is a bug in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

After you apply this fix, ISA Server may return an error that indicates that the page that you requested has expired. This behavior occurs if either of the following conditions is true:
  • You configure the computer that is running ISA Server to retrieve content from the cache regardless of whether the cached content is still valid.
  • The client request specifies that expired content returned by ISA Server is acceptable (a Cache-Control request directive of "max-stale").
To resolve this issue, use one of the following methods:
  • Block the "max-stale" directive in client requests.

    To do this, create a new signature for "max-stale" on the Signatures tab of the HTTP filter (HTTP policy) for the rule. ISA Server then denies requests that carry this directive instead of attempting to serve expired cached content for them.

    For more information about HTTP filtering in ISA Server 2004, visit the following Microsoft Web site:
    http://technet.microsoft.com/en-us/library/cc302627.aspx
    Note "max-stale" is a Cache-Control directive that a client sends in a request. It indicates that the client will accept a response that has exceeded its expiration time. If "max-stale" is assigned a value, the client will accept a response that has exceeded its expiration time by no more than the specified number of seconds. If no value is assigned to "max-stale", the client will accept a stale response of any age. For example, a request that contains "Cache-Control: max-stale=3600" tells ISA Server that the client will accept content that has exceeded its expiration time by no more than one hour (3600 seconds).
  • Configure the computer that is running ISA Server to prevent it from retrieving expired cache content. To do this, click the following option on the Contents Retrieval page in the New Cache Rule Wizard:
    Only if a valid version of the object exists in cache. If no valid version exists, route the request to the server.
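The following Python model illustrates the behavior described in the "Cause" section and the post-fix interaction with "max-stale" and the cache retrieval setting. It is an added example, not code from this article or from ISA Server: the access list, the origin server, the 60-second lifetime, the sample URLs and the outcome names ("OK", "DENIED", "EXPIRED", "BLOCKED") are constructed stand-ins, and the model only mirrors the behavior that this article describes.

```python
"""Model of a forward cache that stores content returned to authenticated users.
Added example; the ACL, origin server, TTL, URLs and outcome names are constructed
assumptions, not ISA Server internals."""

from dataclasses import dataclass

# Constructed access list: URL -> users allowed to read it (None = anonymous user).
ACL = {
    "http://intranet.example/restricted.html": {"alice"},
    "http://intranet.example/public.html": {"alice", "bob", None},
}

RESTRICTED = "http://intranet.example/restricted.html"


def is_authorized(user, url):
    return user in ACL.get(url, set())


def fetch_origin(user, url):
    """Constructed stand-in for the upstream web server; it checks the ACL on every request."""
    if not is_authorized(user, url):
        return ("DENIED", b"")
    body = b"<html>secret</html>" if "restricted" in url else b"<html>hello</html>"
    return ("OK", body)


def parse_max_stale(cache_control):
    """Return None when the request has no max-stale directive, otherwise the number
    of seconds of staleness the client accepts (inf when max-stale has no value)."""
    if not cache_control:
        return None
    for directive in cache_control.split(","):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-stale":
            value = value.strip().strip('"')
            return float(value) if value.isdigit() else float("inf")
    return None


@dataclass
class CachedObject:
    body: bytes
    expires_at: float      # constructed absolute time in seconds
    requires_auth: bool    # the object was filled by an authenticated request


class ForwardCache:
    def __init__(self, check_auth_on_hit, serve_expired=False, block_max_stale=False, ttl=60.0):
        self.check_auth_on_hit = check_auth_on_hit  # False = pre-fix behavior, True = fixed
        self.serve_expired = serve_expired          # "retrieve from cache regardless of validity"
        self.block_max_stale = block_max_stale      # HTTP filter signature that denies max-stale
        self.ttl = ttl
        self.store = {}

    def get(self, user, url, cache_control=None, now=0.0):
        max_stale = parse_max_stale(cache_control)
        if self.block_max_stale and max_stale is not None:
            return ("BLOCKED", b"")                   # request denied by the HTTP filter
        obj = self.store.get(url)
        if obj is not None:
            if obj.requires_auth and self.check_auth_on_hit and not is_authorized(user, url):
                return ("DENIED", b"")                # fixed behavior: cache hit still checks access
            stale_by = now - obj.expires_at
            if stale_by <= 0:
                return ("OK", obj.body)               # fresh object, served from cache
            stale_ok = self.serve_expired or (max_stale is not None and stale_by <= max_stale)
            if stale_ok:
                if obj.requires_auth and self.check_auth_on_hit:
                    # Post-fix behavior from the article: the page is reported as expired
                    # rather than served stale without re-verification.
                    return ("EXPIRED", b"")
                return ("OK", obj.body)
        status, body = fetch_origin(user, url)        # otherwise route the request to the server
        if status == "OK":
            self.store[url] = CachedObject(body, now + self.ttl, requires_auth=user is not None)
        return (status, body)


def scenario_before_fix():
    cache = ForwardCache(check_auth_on_hit=False)
    cache.get("alice", RESTRICTED, now=0.0)           # authorized user fills the cache
    return cache.get("bob", RESTRICTED, now=1.0)       # bob is not in the ACL, yet gets the content


def scenario_after_fix():
    cache = ForwardCache(check_auth_on_hit=True)
    cache.get("alice", RESTRICTED, now=0.0)
    return cache.get("bob", RESTRICTED, now=1.0)


def scenario_stale(serve_expired=False, block_max_stale=False, cache_control=None):
    cache = ForwardCache(True, serve_expired=serve_expired, block_max_stale=block_max_stale)
    cache.get("alice", RESTRICTED, now=0.0)
    return cache.get("alice", RESTRICTED, cache_control=cache_control, now=100.0)  # past the TTL


if __name__ == "__main__":
    print("before fix, unauthorized user:   ", scenario_before_fix())
    print("after fix, unauthorized user:    ", scenario_after_fix())
    print("after fix, stale + max-stale:    ", scenario_stale(cache_control="max-stale"))
    print("after fix, stale, no max-stale:  ", scenario_stale())
    print("after fix, serve-expired policy: ", scenario_stale(serve_expired=True))
    print("after fix, max-stale blocked:    ", scenario_stale(block_max_stale=True, cache_control="max-stale=3600"))
```

The first two scenarios show the bug and the fix: before the fix a cache hit is served to anyone, after it the hit is subject to the same access decision as a fetch from the origin. The remaining scenarios show why the two workarounds above remove the "page has expired" error: with neither "max-stale" nor the "regardless of validity" setting in play, a stale hit is simply routed to the server, which re-checks access and refreshes the cache.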
For more information about how to install ISA Server 2004 hotfixes and updates, click the following article number to view the article in the Microsoft Knowledge Base:
885957 How to install ISA Server hotfixes and updates

Properties

Article ID: 894679 - Last Review: March 23, 2009 - Revision: 5.0
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
  • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
  • Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition
  • Microsoft Internet Security and Acceleration Server 2004 Standard Edition
Keywords: 
kbautohotfix kbfix kbbug kbhotfixserver KB894679
