Applications that use an embedded Web browser program cannot access content on a Web site that you have published by using forms-based authentication in ISA Server 2006 or in Windows Essential Business Server 2008

Article ID: 933869 - View products that this article applies to.

SYMPTOMS

You configure forms-based authentication for a published Web site in Microsoft Internet Security and Acceleration (ISA) Server 2006 or in Windows Essential Business Server 2008. However, after you do this, applications that use an embedded Web browser program to access the Web site cannot access the published content successfully. You experience this problem when you use applications that use the InternetGetCookie method to retrieve cookies.

Note If you cannot determine whether a program uses the InternetGetCookie method to retrieve cookies, contact Microsoft Customer Support Services or contact the program vendor. For a complete list of Microsoft Customer Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support

CAUSE

This problem occurs because ISA Server 2006 or Windows Essential Business Server 2008 sets the HTTPOnly attribute in the Set-Cookie header of the client cookie. A cookie that has this attribute set is known as an HTTP-only cookie.

ISA Server 2006 forms-based authentication uses a client cookie to maintain the authentication context of a user. This cookie is set after the user is authenticated successfully. When the cookie is set, ISA Server 2006 sets the HTTPOnly attribute in the Set-Cookie header of the client cookie. The HTTPOnly attribute marks the cookie as non-scriptable. This helps avoid any cross-site scripting issues that may occur. For more information about cross-site scripting issues, visit the following Microsoft Web site:
http://msdn2.microsoft.com/en-us/library/ms533046.aspx
An HTTP-only cookie is restricted with regard to how it can be accessed: it is sent to the server on each request, but it is not exposed to client-side script or to script-oriented cookie APIs. Applications that use the InternetGetCookie method to retrieve an HTTP-only cookie are unsuccessful, because that method does not return cookies that have the HTTPOnly attribute. For more information about this behavior, visit the following Microsoft Web site:
http://msdn2.microsoft.com/en-us/library/aa384710.aspx
When an application uses an embedded Web browser program that uses the InternetGetCookie method to retrieve cookies, the application cannot access the forms-based authentication cookie in ISA Server 2006 or in Windows Essential Business Server 2008. Therefore, the application cannot access the published Web content.

This problem is known to occur when you use the following applications:
  • Microsoft Windows Media Player
  • The Sun Java Runtime Environment (JRE), also known as the Java Virtual Machine (JVM)
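The following Python script is an added example; it is not part of the Knowledge Base article and is not Microsoft code. It illustrates the cause described above from the defender's side: given the Set-Cookie headers of a captured post-logon response (a constructed sample is embedded, with made-up cookie names and values), it reports which cookies carry the HTTPOnly attribute and which ones a script-oriented retrieval such as InternetGetCookie would therefore not return. The same check can be run against a real capture before and after the HTTPOnly setting on a Web listener is changed, to confirm the listener behaves as intended.

```python
"""Audit Set-Cookie headers for the HTTPOnly attribute.

Added example, not from KB 933869. Cookie names, values and the sample
response below are constructed for illustration only.
"""
from http.cookies import SimpleCookie
from typing import Dict, List, Optional

# Constructed sample: the kind of response a forms-based authentication
# listener returns after a successful logon. "FbaAuth" stands in for the
# real authentication cookie name, which this example does not assume.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://published.example.test/\r\n"
    "Set-Cookie: FbaAuth=opaque-token-value; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: SessionPref=lang%3Den; Path=/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def set_cookie_headers_from_response(raw_response: str) -> List[str]:
    """Return the values of all Set-Cookie headers in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            headers.append(value.strip())
    return headers


def cookie_flags(set_cookie_headers: List[str]) -> Dict[str, Dict[str, bool]]:
    """Map each cookie name to its HttpOnly and Secure flags."""
    result: Dict[str, Dict[str, bool]] = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)                      # one header = one cookie + attributes
        for name, morsel in jar.items():
            # Morsel stores flag attributes as True when present, "" otherwise.
            result[name] = {
                "httponly": bool(morsel["httponly"]),
                "secure": bool(morsel["secure"]),
            }
    return result


def script_visible_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Names a script-oriented cookie API (e.g. InternetGetCookie) would return.

    Cookies marked HttpOnly are withheld from such APIs, which is exactly why
    an embedded-browser application cannot obtain the authentication cookie.
    """
    flags = cookie_flags(set_cookie_headers)
    return [name for name, f in flags.items() if not f["httponly"]]


def auth_cookie_is_httponly(set_cookie_headers: List[str],
                            auth_cookie_name: str) -> Optional[bool]:
    """True/False for the named cookie's HttpOnly flag, None if it is absent."""
    flags = cookie_flags(set_cookie_headers).get(auth_cookie_name)
    return None if flags is None else flags["httponly"]


SAMPLE_SET_COOKIE_HEADERS = set_cookie_headers_from_response(SAMPLE_RESPONSE)

if __name__ == "__main__":
    for name, f in cookie_flags(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{name}: HttpOnly={f['httponly']} Secure={f['secure']}")
    print("visible to script-based retrieval:",
          script_visible_cookies(SAMPLE_SET_COOKIE_HEADERS))
```

Run the script against headers pasted from a proxy trace of the logon response rather than a plain GET of the published site: the forms-based authentication cookie is only set after a successful logon, so the initial logon-form response will not contain it. A listener on which the HTTPOnly attribute has been disabled will show the authentication cookie in the "visible to script-based retrieval" list; that is the condition the hotfix enables and the one to review for cross-site scripting exposure.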

RESOLUTION

A hotfix is available for computers that are running ISA Server 2006 or Windows Essential Business Server 2008. To resolve this problem, install the hotfix that is described in the following Microsoft Knowledge Base article:
933718 Description of the Internet Security and Acceleration Server 2006 hotfix package that is dated March 21, 2007

After you enable the functionality that this hotfix provides, ISA Server 2006 or Windows Essential Business Server 2008 does not set the HTTPOnly attribute on client cookies for connections on a particular Web listener. Because a cookie without this attribute can be read by script running in the browser, this action may increase the probability that you experience a cross-site scripting issue on the Web sites that are published through that listener.

Hotfix installation information

Important These steps may increase your security risk. These steps may also make the computer or the network more vulnerable to attack by malicious users or by malicious software such as viruses. We recommend the process that this article describes to enable programs to operate as they are designed to or to implement specific program capabilities. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this process in your particular environment. If you decide to implement this process, take any appropriate additional steps to help protect the system. We recommend that you use this process only if you really require this process.

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure. However, they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

After you install the hotfix, you must run a script to configure ISA Server 2006 not to set the HTTPOnly attribute for a specified Web listener. To do this, follow these steps:
  1. Start a text editor, such as Notepad.
  2. Paste the following code into the text editor.
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    '
    ' Copyright (c) Microsoft Corporation. All rights reserved.
    ' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
    ' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
    ' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
    ' HEREBY PERMITTED.
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    ' This script determines whether ISA Server will set the HTTPOnly attribute on FBA cookies
    ' for a specified Web listener.
    '
    ' usage - to disable the setting of the HTTPOnly attribute on a specified Web listener
    ' cscript DisableHttpOnlyAuthCookies.vbs /WebListener:<nameOfWebListener> /Value:False
    '
    ' usage - to re-enable the setting of the HTTPOnly attribute on a specified Web listener
    ' cscript DisableHttpOnlyAuthCookies.vbs /WebListener:<nameOfWebListener> /Value:True
    '
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    
    If Not WScript.Arguments.Named.Exists("WebListener") Then
        WScript.Echo "WebListener not defined"
        WScript.Quit(1)
    End If
    
    Set fpcRoot = CreateObject("FPC.Root")
    Set fpcArray = fpcRoot.GetContainingArray()
    Set fpcWebListener = fpcArray.RuleElements.WebListeners(WScript.Arguments.Named("WebListener"))
    Set fpcWebListenerVps = fpcWebListener.VendorParametersSets
    
    On Error Resume Next
    Set fpcCookieAuthVps = fpcWebListenerVps.Item("{29022EBA-B030-4839-9CA6-DD8875BC7B47}")
    If Err.number = 0 Then
        CookieAuthVpsExists = True
    Else
        CookieAuthVpsExists = False
    End If
    Err.Clear
    On Error GoTo 0
    
    If Not CookieAuthVpsExists Then
        WScript.Echo "Cookie auth VPS settings not defined, HTTP only cookies are ON by default"
    Else
        WScript.Echo "HTTP only cookies: " & (fpcCookieAuthVps.Value("HttpOnlyCookie") = True)
    End If
    
    If WScript.Arguments.Named.Exists("Value") Then
        If Not CookieAuthVpsExists Then
            Set fpcCookieAuthVps = fpcWebListenerVps.Add("{29022EBA-B030-4839-9CA6-DD8875BC7B47}")
        End If
        fpcCookieAuthVps.Value("HttpOnlyCookie") = (StrComp(WScript.Arguments.Named("Value"), "True", 1) = 0)
        fpcArray.Save
        WScript.Echo "HTTP only cookies set to " & (fpcCookieAuthVps.Value("HttpOnlyCookie") = True)
    End If
    
  3. Save the file as DisableHttpOnlyAuthCookies.vbs, and then exit the text editor.
  4. Open a command prompt, and then move to the directory to which you saved the DisableHttpOnlyAuthCookies.vbs file.
  5. Type the following command, and then press ENTER:
    cscript DisableHttpOnlyAuthCookies.vbs /WebListener:NameofWebListener /Value:False
    In this command, replace NameofWebListener with the name of the Web listener whose behavior you want to modify.
Note To restore ISA Server 2006 or Windows Essential Business Server 2008 to the default behavior in which the HTTPOnly attribute is set for forms-based authentication cookies, follow these steps:
  1. Open a command prompt, and then move to the directory to which you saved the DisableHttpOnlyAuthCookies.vbs file.
  2. Type the following command, and then press ENTER:
    cscript DisableHttpOnlyAuthCookies.vbs /WebListener:NameofWebListener /Value:True
    In this command, replace NameofWebListener with the name of the Web listener whose behavior you want to modify.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

Properties

Article ID: 933869 - Last Review: May 30, 2007 - Revision: 1.3
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
  • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
  • Windows Essential Business Server 2008 Standard
  • Microsoft Forefront Threat Management Gateway, Medium Business Edition
Keywords: 
kberrmsg kbfirewall kbtshoot kbfix kbbug kbprb KB933869
