Authentication fails when client computers use Internet Explorer 7 to authenticate with an upstream ISA Server computer through a downstream ISA Server computer that does not require authentication
Client computers that are running Internet Explorer 7 obtain a Kerberos ticket that is valid for authentication with the downstream server. However, this Kerberos ticket is not validated by the authenticating upstream ISA Server computer.
Specifically, when the upstream ISA Server computer requests authentication, the client computer obtains a Kerberos ticket for the downstream server. This Kerberos ticket is valid for authentication with the downstream ISA Server computer. This ticket cannot be used to authenticate with the upstream ISA Server computer. When the Kerberos ticket is presented to the upstream ISA Server computer, the upstream ISA Server computer cannot validate the ticket. Therefore, authentication fails.
Notes
•
The downstream ISA Server computer is the proxy server with which the client computer is communicating.
•
Internet Explorer 7 includes support for Kerberos authentication against proxy servers.
NTLM authentication is the alternative authentication method for instances when Kerberos authentication fails. However, the client computer does not use NTLM authentication because the client computer has successfully obtained a Kerberos ticket for the proxy server.
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
Prerequisites
The computer must be running ISA Server 2004 Service Pack 2 (SP2) to apply the ISA Server 2004 version of this hotfix.
Restart requirement
After you apply this hotfix, the hotfix will restart ISA Server services.
Hotfix replacement information
This hotfix does not replace any other hotfixes.
File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
ISA Server 2006
File name
File version
File size
Date
Time
Platform
Linktranslation.dll
5.0.5720.154
247,136
25-Oct-2006
09:24
x86
Msfpc.dll
5.0.5720.154
549,216
25-Oct-2006
09:24
x86
Msfpccom.dll
5.0.5720.154
6,409,568
25-Oct-2006
09:24
x86
W3filter.dll
5.0.5720.154
890,208
25-Oct-2006
09:24
x86
ISA Server 2004, Enterprise Edition
File name
File version
File size
Date
Time
Platform
Comphp.dll
4.0.3443.628
167,784
27-Oct-2006
14:45
x86
Complp.dll
4.0.3443.628
63,336
27-Oct-2006
14:45
x86
Cookieauthfilter.dll
4.0.3443.628
159,592
27-Oct-2006
14:45
x86
Linktranslation.dll
4.0.3443.628
123,752
27-Oct-2006
14:45
x86
Msfpc.dll
4.0.3443.628
377,192
27-Oct-2006
14:45
x86
Msfpccom.dll
4.0.3443.628
5,024,104
27-Oct-2006
14:45
x86
Msfpcsnp.dll
4.0.3443.628
4,656,488
27-Oct-2006
14:45
x86
Msfpcui.dll
4.0.3443.628
2,420,584
27-Oct-2006
14:45
x86
Mspadmin.exe
4.0.3443.628
282,984
27-Oct-2006
14:45
x86
Msphlpr.dll
4.0.3443.628
405,352
27-Oct-2006
14:45
x86
Mspmon.dll
4.0.3443.628
52,584
27-Oct-2006
14:45
x86
Mspmsg.dll
4.0.3443.628
254,312
27-Oct-2006
14:45
x86
Ratlib.dll
4.0.3443.628
40,808
27-Oct-2006
14:45
x86
Rpcfltr.dll
4.0.3443.628
130,920
27-Oct-2006
14:45
x86
Socksflt.dll
4.0.3443.628
95,592
27-Oct-2006
14:45
x86
W3filter.dll
4.0.3443.628
752,488
27-Oct-2006
14:45
x86
Wspsrv.exe
4.0.3443.628
1,067,368
27-Oct-2006
14:45
x86
ISA Server 2004, Standard Edition
File name
File version
File size
Date
Time
Platform
Comphp.dll
4.0.2165.628
167,272
27-Oct-2006
14:35
x86
Complp.dll
4.0.2165.628
63,848
27-Oct-2006
14:35
x86
Cookieauthfilter.dll
4.0.2165.628
161,128
27-Oct-2006
14:35
x86
Msfpc.dll
4.0.2165.628
330,088
27-Oct-2006
14:35
x86
Msfpccom.dll
4.0.2165.628
3,543,400
27-Oct-2006
14:35
x86
Msfpcui.dll
4.0.2165.628
2,142,568
27-Oct-2006
14:35
x86
Ratlib.dll
4.0.2165.628
39,272
27-Oct-2006
14:35
x86
Msfpcsnp.dll
4.0.2165.628
3,574,632
27-Oct-2006
14:35
x86
Mspadmin.exe
4.0.2165.628
233,320
27-Oct-2006
14:35
x86
Msphlpr.dll
4.0.2165.628
375,656
27-Oct-2006
14:35
x86
Mspmon.dll
4.0.2165.628
52,584
27-Oct-2006
14:35
x86
Mspmsg.dll
4.0.2165.628
230,760
27-Oct-2006
14:35
x86
Rpcfltr.dll
4.0.2165.628
135,528
27-Oct-2006
14:35
x86
Socksflt.dll
4.0.2165.628
100,200
27-Oct-2006
14:35
x86
W3filter.dll
4.0.2165.628
736,616
27-Oct-2006
14:35
x86
Wspsrv.exe
4.0.2165.628
945,512
27-Oct-2006
14:35
x86
Linktranslation.dll
4.0.2165.628
124,776
27-Oct-2006
14:35
x86
Radiusauth.dll
4.0.2165.628
66,408
27-Oct-2006
14:35
x86
Post-hotfix installation information
After you apply this hotfix, you must run the following Microsoft Visual Basic script to configure the upstream ISA Server computer to return NTLM authentication headers only when Windows Integrated authentication is used. To run this script, follow these steps:
1.
Click Start, point to Programs, point to Accessories, and then click Notepad.
2.
Copy the following code, and then paste it into Notepad.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'
' Copyright (c) Microsoft Corporation. All rights reserved.
' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
' HEREBY PERMITTED.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' This script sets authentication schemes that ISA will return for Integrated authentication.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
const USE_ONLY_NTLM_FOR_WINDOWS_AUTH_default = 0 ' Use Negotiate and Kerberos, too.
const USE_ONLY_NTLM_FOR_WINDOWS_AUTH_Always = 1
Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "UseOnlyNTLMForWindowsAuth"
Const SE_VPS_VALUE = 1
Sub SetValue()
' Create the root object.
Dim root ' The FPCLib.FPC root object
Set root = CreateObject("FPC.Root")
'Declare the other objects that are needed.
Dim array ' An FPCArray object
Dim VendorSets ' An FPCVendorParametersSets collection
Dim VendorSet ' An FPCVendorParametersSet object
' Get references to the array object
' and to the network rules collection.
Set array = root.GetContainingArray
Set VendorSets = array.VendorParametersSets
On Error Resume Next
Set VendorSet = VendorSets.Item( SE_VPS_GUID )
If Err.Number <> 0 Then
Err.Clear
' Add the item.
Set VendorSet = VendorSets.Add( SE_VPS_GUID )
CheckError
WScript.Echo "New VendorSet added... " & VendorSet.Name
Else
WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
End If
if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
Err.Clear
VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
If Err.Number <> 0 Then
CheckError
Else
VendorSets.Save false, true
CheckError
If Err.Number = 0 Then
WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
End If
End If
Else
WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
End If
End Sub
Sub CheckError()
If Err.Number <> 0 Then
WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
Err.Clear
End If
End Sub
SetValue
3.
Save this Notepad file as UseOnlyNTLMforWindowsAuth.vbs.
4.
Double-click the .vbs file to run the script.
Note To revert to the default time-out value, change the SE_VPS_VALUE to 0, and then rerun the script.
An additional problem may occur after you enable this hotfix on the upstream server.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
938465 (http://support.microsoft.com/kb/938465/)
Error message when you try to access Web sites through a downstream server after you enable hotfix 927265 on an upstream server that is running ISA Server 2004: "502 Proxy Error"
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 (http://support.microsoft.com/kb/824684/LN/)Description of the standard terminology that is used to describe Microsoft software updates
Need More Help? Contact a Support professional by Email, Online or Phone.
Customer Service For non-technical assistance with product purchases, subscriptions, online services, events, training courses, corporate sales, piracy issues, and more.
Newsgroups Pose a question to other users. Discussion groups and Forums about specific Microsoft products, technologies, and services.
Help and Support
Back to the top
