The authentication delegation in the existing Web publishing rules does not work after you upgrade ISA Server 2004 Enterprise Edition to ISA Server 2006 Enterprise Edition

Article ID: 935767

SYMPTOMS

You upgrade Microsoft Internet Security and Acceleration (ISA) Server 2004 Standard Edition to ISA Server 2004 Enterprise Edition and then to ISA Server 2006 Enterprise Edition. However, after you perform these two upgrades, authentication delegation does not work in the existing Web publishing rules. The Authentication Delegation property of the Web publishing rule displays the following messages:
  • No delegation, and client cannot authenticate directly.
  • No delegation, but client may authenticate directly.
Additionally, if you create a new Web listener, the Client Authentication Method list in the Web listener displays two extra entries as follows:
  • FBA with AD
  • SecurID
Even after you create the new Web listener, authentication delegation still does not work.

Note The same problem occurs if you manually import a backup copy of ISA Server 2004 Enterprise Edition after you upgrade ISA Server 2004 to ISA Server 2006.

CAUSE

This problem occurs because the import function of ISA Server 2006 incorrectly sets the Predefined property of the "FBA with AD" authentication scheme and of the SecurID authentication scheme to 0 (false). Both schemes are built in, so the property should be 1 (true).

WORKAROUND

To work around this problem, use either of the following methods.

Method 1

Edit the .xml file that you exported from ISA Server 2004 Enterprise Edition. To do this, follow these steps.

Note Perform this workaround before you import a backup copy of ISA Server 2004 Enterprise Edition.
  1. Open the .xml file in Notepad.
  2. Search for "SecurID." This text is located in a "<fpc4:AuthenticationScheme>" section that resembles the following.
    	<fpc4:Name dt:dt="string">SecurID</fpc4:Name>
    	<fpc4:Predefined dt:dt="boolean">0</fpc4:Predefined>
  3. Change the value of the "<fpc4:Predefined>" node from 0 to 1.
  4. Search for "OWA Forms-Based." This text is located in a "<fpc4:AuthenticationScheme>" section that resembles the following.
    	<fpc4:Name dt:dt="string">OWA Forms-Based</fpc4:Name>
    	<fpc4:Predefined dt:dt="boolean">0</fpc4:Predefined>
  5. Change the value of the "<fpc4:Predefined>" node from 0 to 1.
  6. Save the .xml file, and then exit Notepad.
  7. Import the .xml file into ISA Server 2006.
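The Method 1 edit is easy to get wrong by hand in a large export (there are two sections to find, and only those two should change). The following script, an added example that is not part of the Microsoft article and not a Microsoft tool, performs the same change programmatically and gives you a way to verify the file before you import it. The sample export embedded in it is constructed to resemble the fragments above; the namespace URIs it declares are assumptions, so the code matches elements by local name only and works with whatever URIs the real export declares.

```python
"""Set Predefined=1 on the SecurID and "OWA Forms-Based" (FBA with AD)
authentication schemes in an ISA Server 2004 export file, and report the
flags so the file can be checked before importing it into ISA Server 2006.

Added example, not Microsoft's code. Namespace URIs in SAMPLE_EXPORT are
assumed; matching is done on local names so the real URIs do not matter.
"""
import io
import sys
import xml.etree.ElementTree as ET

# Scheme names as they appear in <fpc4:Name> (from the article).
PREDEFINED_SCHEMES = {"SecurID", "OWA Forms-Based"}

# Constructed sample resembling the article's fragments; URIs are assumptions.
SAMPLE_EXPORT = """<?xml version="1.0"?>
<fpc4:Root xmlns:fpc4="urn:example:fpc4" xmlns:dt="urn:example:dt">
  <fpc4:AuthenticationSchemes>
    <fpc4:AuthenticationScheme>
      <fpc4:Name dt:dt="string">SecurID</fpc4:Name>
      <fpc4:Predefined dt:dt="boolean">0</fpc4:Predefined>
    </fpc4:AuthenticationScheme>
    <fpc4:AuthenticationScheme>
      <fpc4:Name dt:dt="string">OWA Forms-Based</fpc4:Name>
      <fpc4:Predefined dt:dt="boolean">0</fpc4:Predefined>
    </fpc4:AuthenticationScheme>
    <fpc4:AuthenticationScheme>
      <fpc4:Name dt:dt="string">Custom RADIUS</fpc4:Name>
      <fpc4:Predefined dt:dt="boolean">0</fpc4:Predefined>
    </fpc4:AuthenticationScheme>
  </fpc4:AuthenticationSchemes>
</fpc4:Root>
"""


def _local(tag):
    """Strip the '{uri}' part of an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    """First direct child whose local name is `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return child
    return None


def _keep_prefixes(xml_text):
    """Re-register the input's own prefixes (fpc4, dt) so the output keeps them
    instead of ElementTree's generated ns0/ns1 names."""
    for _, (prefix, uri) in ET.iterparse(io.StringIO(xml_text), events=("start-ns",)):
        if prefix:
            ET.register_namespace(prefix, uri)


def predefined_flags(xml_text):
    """Map scheme name -> Predefined text ("0"/"1"); use it to verify a file."""
    flags = {}
    for scheme in ET.fromstring(xml_text).iter():
        if _local(scheme.tag) != "AuthenticationScheme":
            continue
        name, pre = _child(scheme, "Name"), _child(scheme, "Predefined")
        if name is not None and pre is not None:
            flags[name.text] = (pre.text or "").strip()
    return flags


def fix_predefined(xml_text):
    """Return (fixed_xml, changed_names). Only the two built-in schemes are
    touched; any custom scheme keeps whatever value it had."""
    _keep_prefixes(xml_text)
    root = ET.fromstring(xml_text)
    changed = []
    for scheme in root.iter():
        if _local(scheme.tag) != "AuthenticationScheme":
            continue
        name, pre = _child(scheme, "Name"), _child(scheme, "Predefined")
        if name is None or pre is None:
            continue
        if name.text in PREDEFINED_SCHEMES and (pre.text or "").strip() != "1":
            pre.text = "1"
            changed.append(name.text)
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    # Usage: python fix_isa_export.py export.xml > fixed.xml (path is yours);
    # with no argument the constructed sample is processed.
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    fixed, changed = fix_predefined(src)
    print('<?xml version="1.0"?>')
    print(fixed)
    print("changed:", changed, "flags now:", predefined_flags(fixed), file=sys.stderr)
```

Run `predefined_flags` on the exported file first: if both "SecurID" and "OWA Forms-Based" already report "1", the file does not need Method 1. After the fix, confirm the two schemes read "1" and that no other scheme changed before importing.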

Method 2

Edit the Active Directory Application Mode (ADAM) instance that is used by ISA Server 2006 Enterprise Edition. To do this, follow these steps.

Note You may perform this workaround regardless of whether you have imported a backup copy of ISA Server 2004 Enterprise Edition.
  1. Click Start, point to All Programs, point to ADAM, and then click ADAM ADSI Edit.
  2. In the console tree, right-click ADAM ADSI Edit, and then click Connect to.
  3. In the Connection Settings dialog box, type any name in the Connection Name box. For example, type ISA Configurations.
  4. In the Server name box, type the name or the IP address of the configuration storage server that ISA Server 2006 uses.
  5. Type 2171 in the Port box.
  6. Click to select the Distinguished name (DN) or naming context option, and then type CN=FPC2 in the Distinguished name (DN) or naming context box.
  7. Click OK.
  8. In the console tree, click the connection that you named in step 3, and then locate the following object:
    CN={AuthSchemeGUID},CN=AuthenticationSchemes,CN=RuleElements,CN={ArrayGUID},CN=Arrays,CN=Array-Root,CN=FPC2
    Note The {ArrayGUID} placeholder represents the GUID that corresponds to the server array. The {AuthSchemeGUID} placeholder represents the GUID that corresponds to the "FBA with AD" authentication scheme or to the SecurID authentication scheme; there is one object for each scheme, and you must repeat steps 8 through 12 for both. The {AuthSchemeGUID} object that you locate should have an msFPCName attribute of "FBA with AD" or of "SecurID".
  9. Right-click the object that you located in step 8, and then click Properties.
  10. In the Attributes list, select the msFPCPredefined attribute, and then click Edit.
  11. Click to select True for the Value option, and then click OK.
  12. Click OK to exit the Properties dialog box.
  13. In the console tree, right-click the connection that you named in step 3, and then click Update Schema Now.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

The "FBA with AD" authentication scheme is a predefined authentication scheme that enables forms-based (cookie) authentication by using the Active Directory directory service. The SecurID authentication scheme is a predefined authentication scheme that enables forms-based authentication by using RSA SecurID authentication.

For more information, visit the following Microsoft Web site:
http://msdn2.microsoft.com/en-us/library/ms812581.aspx

Properties

Article ID: 935767 - Last Review: July 31, 2007 - Revision: 1.3
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
Keywords: kbtshoot kbexpertiseinter kbprb KB935767
