Invalid authentication requests in ISA Server 2006 may be sent to the Radius OTP server

Article translations Article translations
Article ID: 938966 - View products that this article applies to.
Expand all | Collapse all

On This Page

SYMPTOMS

Microsoft Internet Security and Acceleration (ISA) Server 2006 may be configured for Forms-Based authentication together with Radius One Time Passwords (Radius OTP). In this situation, invalid authentication requests may be sent to the Radius OTP server. This behavior may cause the Radius OTP server to lock out the user account if the Radius OTP server is configured to lock out accounts after several failed authentication attempts.

CAUSE

This problem may occur if the following conditions are true:
  • A Forms-Based authentication request is received. This request does not have a valid authentication cookie, and it has a User-Agent request header that is not known to support Forms-Based authentication.
  • The ISA Server 2006 fallback authentication feature responds with a request for Basic authentication.
When the client sends the request to ISA Server by using Basic credentials, ISA Server tries to validate these credentials against the Radius OTP server. Because these credentials are Windows credentials, the Radius OTP server cannot process them. Therefore, authentication fails. If many of these requests are sent in a short time, this may cause the Radius OTP server to lock out the user account.

RESOLUTION

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

You must have ISA Server 2006 installed to install this hotfix

Restart requirement

Hotfix replacement information

The hotfix installation program restarts the Microsoft ISA Firewall service.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Collapse this tableExpand this table
File nameFile versionFile sizeDateTime
Authdflt.dll5.0.5720.169157,61626-Jun-200723:11
Comphp.dll5.0.5720.169183,21626-Jun-200723:11
Complp.dll5.0.5720.16974,67226-Jun-200723:11
Cookieauthfilter.dll5.0.5720.169394,16026-Jun-200723:11
msfpc.dll5.0.5720.169551,85626-Jun-200723:11
msfpccom.dll5.0.5720.1696,412,72026-Jun-200723:11
msfpcui.dll5.0.5720.1692,812,84826-Jun-200723:11
ratlib.dll5.0.5720.16953,16826-Jun-200723:11
msfpcsnp.dll5.0.5720.1695,859,76026-Jun-200723:11
socksflt.dll5.0.5720.169110,51226-Jun-200723:11
w3filter.dll5.0.5720.169894,38426-Jun-200723:11
w3prefch.exe5.0.5720.169174,51226-Jun-200723:11
wspsrv.exe5.0.5720.1691,214,89626-Jun-200723:11
Httpfilter.dll5.0.5720.169157,61626-Jun-200723:11
Linktranslation.dll5.0.5720.169250,28826-Jun-200723:11
Wploadbalancer.dll5.0.5720.169101,80826-Jun-200723:11

Post-hotfix installation information

After you install the hotfix, you must run a Microsoft Visual Basic script to resolve the problem that is described in the "Symptoms" section. This script configures ISA Server 2006 to perform the following actions:
  • Deny requests from clients that are not known to support Forms-Based authentication when Radius OTP is being used for authentication.
  • Deny a request that uses Basic credentials without trying to validate the credentials against the OTP server.
To run this script, follow these steps after you install this hotfix:
  1. Start Notepad.
  2. Copy the following code, and then paste it into Notepad:
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    '
    ' Copyright (c) Microsoft Corporation. All rights reserved.
    ' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
    ' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
    ' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
    ' HEREBY PERMITTED.
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    	
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    ' This script sets whether ISA will disable Basic authentication fallback when 
    ' ISA Forms-Based authentication with Radius OTP is being used and when the client is not 
    ' known to support Forms-Based authentication.
    '
    '
    ' usage - to disable Basic authentication fallback when Radius OTP authentication is being used
    ' cscript DisableBasicFallbackForOtp.vbs 
    '
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
    Const SE_VPS_NAME = "DisableBasicFallbackForOtp"
    Const SE_VPS_VALUE = true
    
    Sub SetValue()
    
        ' Create the root object.
        Dim root  ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")
    
        'Declare the other objects needed.
        Dim array       ' An FPCArray object
        Dim VendorSets  ' An FPCVendorParametersSets collection
        Dim VendorSet   ' An FPCVendorParametersSet object
    
        ' Get references to the array object
        ' and to the network rules collection.
        Set array = root.GetContainingArray
        Set VendorSets = array.VendorParametersSets
    
        On Error Resume Next
        Set VendorSet = VendorSets.Item( SE_VPS_GUID )
    
        If Err.Number <> 0 Then
            Err.Clear
    
            ' Add the item.
            Set VendorSet = VendorSets.Add( SE_VPS_GUID )
            CheckError
            WScript.Echo "New VendorSet added... " & VendorSet.Name
    
        Else
            WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value(SE_VPS_NAME)
        End If
    
        if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
    
            Err.Clear
            VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
    
            If Err.Number <> 0 Then
                CheckError
            Else
                VendorSets.Save false, true
                CheckError
    
                If Err.Number = 0 Then
                    WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
                End If
            End If
        Else
            WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
        End If
    
    End Sub
    
    Sub CheckError()
    
        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If
    
    End Sub
    
    SetValue
    
    
  3. Save the script as "DisableBasicFallbackForOtp.vbs."
  4. Open a command prompt in the location in which the script is saved, type the following command, and then press ENTER:
    cscript DisableBasicFallbackForOtp.vbs
Notes
  • To revert to the default setting in which fallback to Basic authentication is used for ISA Forms-Based authentication together with Radius OTP, edit the script to revise "Const SE_VPS_VALUE = true" to "Const SE_VPS_VALUE = false."
  • Save the script, and then rerun it.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Properties

Article ID: 938966 - Last Review: October 8, 2011 - Revision: 2.0
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
  • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
Keywords: 
kbautohotfix kbexpertiseadvanced kbHotfixServer kbqfe kbfix kbbug KB938966

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com