Select the product you need help with

Authentication fails when client computers use Internet Explorer 7 to authenticate with an upstream ISA Server computer through a downstream ISA Server computer that does not require authentication

Article ID: 927265 - View products that this article applies to.

Hotfix Download Available

Expand all | Collapse all

SYMPTOMS

Consider the following scenario:

You configure an upstream Microsoft Internet Security and Acceleration (ISA) Server computer that requires authentication.
You configure a downstream ISA Server computer that does not require authentication.
Client computers that are connected to the downstream ISA Server computer are running Windows Internet Explorer 7.

In this scenario, the client computers cannot authenticate with the upstream ISA Server computer.

Back to the top | Give Feedback

Client computers that are running Internet Explorer 7 obtain a Kerberos ticket that is valid for authentication with the downstream server. However, this Kerberos ticket is not validated by the authenticating upstream ISA Server computer.

Specifically, when the upstream ISA Server computer requests authentication, the client computer obtains a Kerberos ticket for the downstream server. This Kerberos ticket is valid for authentication with the downstream ISA Server computer. This ticket cannot be used to authenticate with the upstream ISA Server computer. When the Kerberos ticket is presented to the upstream ISA Server computer, the upstream ISA Server computer cannot validate the ticket. Therefore, authentication fails.

Notes

The downstream ISA Server computer is the proxy server with which the client computer is communicating.
Internet Explorer 7 includes support for Kerberos authentication against proxy servers.

NTLM authentication is the alternative authentication method for instances when Kerberos authentication fails. However, the client computer does not use NTLM authentication because the client computer has successfully obtained a Kerberos ticket for the proxy server.

Back to the top | Give Feedback

RESOLUTION

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

(http://support.microsoft.com/contactus/?ws=support)

Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

The computer must be running ISA Server 2004 Service Pack 2 (SP2) to apply the ISA Server 2004 version of this hotfix.

Restart requirement

After you apply this hotfix, the hotfix will restart ISA Server services.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

ISA Server 2006

Collapse this tableExpand this table

File name	File version	File size	Date	Time	Platform
Linktranslation.dll	5.0.5720.154	247,136	25-Oct-2006	09:24	x86
Msfpc.dll	5.0.5720.154	549,216	25-Oct-2006	09:24	x86
Msfpccom.dll	5.0.5720.154	6,409,568	25-Oct-2006	09:24	x86
W3filter.dll	5.0.5720.154	890,208	25-Oct-2006	09:24	x86

ISA Server 2004, Enterprise Edition

Collapse this tableExpand this table

File name	File version	File size	Date	Time	Platform
Comphp.dll	4.0.3443.628	167,784	27-Oct-2006	14:45	x86
Complp.dll	4.0.3443.628	63,336	27-Oct-2006	14:45	x86
Cookieauthfilter.dll	4.0.3443.628	159,592	27-Oct-2006	14:45	x86
Linktranslation.dll	4.0.3443.628	123,752	27-Oct-2006	14:45	x86
Msfpc.dll	4.0.3443.628	377,192	27-Oct-2006	14:45	x86
Msfpccom.dll	4.0.3443.628	5,024,104	27-Oct-2006	14:45	x86
Msfpcsnp.dll	4.0.3443.628	4,656,488	27-Oct-2006	14:45	x86
Msfpcui.dll	4.0.3443.628	2,420,584	27-Oct-2006	14:45	x86
Mspadmin.exe	4.0.3443.628	282,984	27-Oct-2006	14:45	x86
Msphlpr.dll	4.0.3443.628	405,352	27-Oct-2006	14:45	x86
Mspmon.dll	4.0.3443.628	52,584	27-Oct-2006	14:45	x86
Mspmsg.dll	4.0.3443.628	254,312	27-Oct-2006	14:45	x86
Ratlib.dll	4.0.3443.628	40,808	27-Oct-2006	14:45	x86
Rpcfltr.dll	4.0.3443.628	130,920	27-Oct-2006	14:45	x86
Socksflt.dll	4.0.3443.628	95,592	27-Oct-2006	14:45	x86
W3filter.dll	4.0.3443.628	752,488	27-Oct-2006	14:45	x86
Wspsrv.exe	4.0.3443.628	1,067,368	27-Oct-2006	14:45	x86

ISA Server 2004, Standard Edition

Collapse this tableExpand this table

File name	File version	File size	Date	Time	Platform
Comphp.dll	4.0.2165.628	167,272	27-Oct-2006	14:35	x86
Complp.dll	4.0.2165.628	63,848	27-Oct-2006	14:35	x86
Cookieauthfilter.dll	4.0.2165.628	161,128	27-Oct-2006	14:35	x86
Msfpc.dll	4.0.2165.628	330,088	27-Oct-2006	14:35	x86
Msfpccom.dll	4.0.2165.628	3,543,400	27-Oct-2006	14:35	x86
Msfpcui.dll	4.0.2165.628	2,142,568	27-Oct-2006	14:35	x86
Ratlib.dll	4.0.2165.628	39,272	27-Oct-2006	14:35	x86
Msfpcsnp.dll	4.0.2165.628	3,574,632	27-Oct-2006	14:35	x86
Mspadmin.exe	4.0.2165.628	233,320	27-Oct-2006	14:35	x86
Msphlpr.dll	4.0.2165.628	375,656	27-Oct-2006	14:35	x86
Mspmon.dll	4.0.2165.628	52,584	27-Oct-2006	14:35	x86
Mspmsg.dll	4.0.2165.628	230,760	27-Oct-2006	14:35	x86
Rpcfltr.dll	4.0.2165.628	135,528	27-Oct-2006	14:35	x86
Socksflt.dll	4.0.2165.628	100,200	27-Oct-2006	14:35	x86
W3filter.dll	4.0.2165.628	736,616	27-Oct-2006	14:35	x86
Wspsrv.exe	4.0.2165.628	945,512	27-Oct-2006	14:35	x86
Linktranslation.dll	4.0.2165.628	124,776	27-Oct-2006	14:35	x86
Radiusauth.dll	4.0.2165.628	66,408	27-Oct-2006	14:35	x86

Post-hotfix installation information

After you apply this hotfix, you must configure the upstream ISA Server computer to return NTLM authentication headers only when Windows Integrated authentication is used.

Note This is a global setting for the ISA server. This script will change the authentication headers that are returned for both forward and reverse proxy requests (web proxy and web publishing listeners).

To have us configure the upstream ISA Server computer to return NTLM authentication headers when Windows Integrated authentication is used for you, go to the "Fix it for me" section. If you would rather fix this problem yourself, go to the "Let me fix it myself" section.

Fix it for me

To resolve this problem automatically, click the Fix this problem link, click Run in the File Download dialog box, and then follow the steps in the wizard.

Fix this problem
Microsoft Fix it 50482

Note this wizard may be in English only; however, the automatic fix also works for other language versions of Windows.

Note If you are not on the computer that has the problem, you can save the automatic fix to a flash drive or to a CD. Then, you can run this fix on the computer that has the problem.

Let me fix it myself

To configure the upstream ISA Server computer to return NTLM authentication headers when Windows Integrated authentication is used yourself, run the following Microsoft Visual Basic script, follow these steps:

Click Start, point to Programs, point to Accessories, and then click Notepad.

Copy the following code, and then paste it into Notepad.

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'
' Copyright (c) Microsoft Corporation. All rights reserved.
' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
' HEREBY PERMITTED.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' This script sets authentication schemes that ISA will return for Integrated authentication.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

const USE_ONLY_NTLM_FOR_WINDOWS_AUTH_default = 0 ' Use Negotiate and Kerberos, too.
const USE_ONLY_NTLM_FOR_WINDOWS_AUTH_Always  = 1

Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "UseOnlyNTLMForWindowsAuth"
Const SE_VPS_VALUE = 1

Sub SetValue()

    ' Create the root object.
    Dim root  ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    'Declare the other objects that are needed.
    Dim array       ' An FPCArray object
    Dim VendorSets  ' An FPCVendorParametersSets collection
    Dim VendorSet   ' An FPCVendorParametersSet object

    ' Get references to the array object
    ' and to the network rules collection.
    Set array = root.GetContainingArray
    Set VendorSets = array.VendorParametersSets

    On Error Resume Next
    Set VendorSet = VendorSets.Item( SE_VPS_GUID )

    If Err.Number <> 0 Then
        Err.Clear

        ' Add the item.
        Set VendorSet = VendorSets.Add( SE_VPS_GUID )
        CheckError
        WScript.Echo "New VendorSet added... " & VendorSet.Name

    Else
        WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value(SE_VPS_NAME)
    End If

    if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then

        Err.Clear
        VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

        If Err.Number <> 0 Then
            CheckError
        Else
            VendorSets.Save false, true
            CheckError

            If Err.Number = 0 Then
                WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
            End If
        End If
    Else
        WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
    End If

End Sub

Sub CheckError()

    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If

End Sub

SetValue

Save this Notepad file as UseOnlyNTLMforWindowsAuth.vbs.
Double-click the .vbs file to run the script.

Note To revert to the default authentication setting, change the SE_VPS_VALUE to 0, and then rerun the script.

Back to the top | Give Feedback

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Back to the top | Give Feedback

MORE INFORMATION

An additional problem may occur after you enable this hotfix on the upstream server. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

938465

(http://support.microsoft.com/kb/938465/ )

Error message when you try to access Web sites through a downstream server after you enable hotfix 927265 on an upstream server that is running ISA Server 2004: "502 Proxy Error"

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684

(http://support.microsoft.com/kb/824684/LN/ )

Description of the standard terminology that is used to describe Microsoft software updates

Back to the top | Give Feedback