In ISA Server 2006, you cannot set a session time-out for private computers in a Web listener that has the RSA SecurID authentication method configured

Article translations Article translations
Article ID: 941162 - View products that this article applies to.
Expand all | Collapse all

On This Page

SYMPTOMS

In Microsoft Internet Security and Acceleration (ISA) Server 2006, you cannot set a session time-out for private computers in a Web listener that has the RSA SecurID authentication method configured.

If the Collect additional delegation credentials in the form check box is not selected in Authentication tab of the Web listener properties, the Timeout for private computers box is disabled in the Advanced Form Options dialog box.

If the Collect additional delegation credentials in the form check box is selected in Authentication tab of the Web listener properties, the Timeout for private computers box is enabled in the Advanced Form Options dialog box. However, the RSA credentials always time out according to the value in the Timeout for public computers box, regardless of the value in the Timeout for private computers box.

CAUSE

By default, ISA Server 2006 does not support a time-out setting for private computers when RSA SecurID authentication is used.

RESOLUTION

To resolve this problem, apply the hotfix package that is described in the following Microsoft Knowledge Base article:
943215 Description of the ISA Server 2006 hotfix package: October 7, 2007
Notes
  • After you apply this hotfix, you can set a session time-out both for private computers and for public computers. The fix for this problem applies only when you use the default form that ISA Server provides.
  • The hotfix replaces the Usr_pcode.htm file with an updated file version. The Usr_pcode.htm file resides in the following folder:
    <ISA_Install_Dir>\CookieAuthTemplates\ISA\HTML
    The <ISA_Install_Dir> placeholder represents the location where ISA Server 2006 is installed. If you have customized the Usr_pcode.htm file, the hotfix does not replace the file. Therefore, the RSA SecurID form does not display the options to specify whether the client computer is a public computer or a private computer. In this situation, you have to restore the original Usr_pcode.htm file, apply the hotfix, and then recustomize the Usr_pcode.htm file.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

The logon form that is used for SecureID authentication is also used for Radius OTP. However, the code for Radius OTP was not changed to support private or public computers. Therefore, when ISA authenticates Radius OTP based requests, it always considers only the public time-out. The browser on client side will persist the user name when "private computer" is selected with Radius OTP. However, private time-out will not be used.

Reverting this hotfix

After you install the hotfix rollup package 943215, you can revert the behavior that is introduced in the current hotfix. After the hotfix reversion, the ISA Server Management console will still allow you to specify a time-out for private computers. The RSA SecurID form will still display the options to specify whether the client computer is a public computer or a private computer. The settings for private computers will have no effect.

To restore ISA Server 2006 to the pre-hotfix state, follow these steps:
  1. Start Notepad.
  2. Copy and then paste the following text into Notepad.
    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
    Const SE_VPS_NAME = "RevertHotfix941162"
    Const SE_VPS_VALUE = true
    
    Sub SetValue()
    
        ' Create the root obect.
        Dim root  ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")
    
        'Declare the other objects needed.
        Dim array       ' An FPCArray object
        Dim VendorSets  ' An FPCVendorParametersSets collection
        Dim VendorSet   ' An FPCVendorParametersSet object
    
        ' Get references to the array object
        ' and the network rules collection.
        Set array = root.GetContainingArray
        Set VendorSets = array.VendorParametersSets
    
        On Error Resume Next
        Set VendorSet = VendorSets.Item( SE_VPS_GUID )
    
        If Err.Number <> 0 Then
            Err.Clear
    
            ' Add the item
            Set VendorSet = VendorSets.Add( SE_VPS_GUID )
            CheckError
            WScript.Echo "New VendorSet added... " & VendorSet.Name
    
        Else
            WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value(SE_VPS_NAME)
        End If
    
        if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
    
            Err.Clear
            VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
    
            If Err.Number <> 0 Then
                CheckError
            Else
                VendorSets.Save false, true
                CheckError
    
                If Err.Number = 0 Then
                    WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
                End If
            End If
        Else
            WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
        End If
    
    End Sub
    
    Sub CheckError()
    
        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If
    
    End Sub
    
    SetValue
    
    Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure. However, they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.
  3. Save the file as a Microsoft Visual Basic script file by using the .vbs file name extension. For example, use the following name to save the file:
    RevertHotfix941162.vbs
  4. Start a command prompt, move to where you saved the RevertHotfix941162.vbs file, and then run the following command:
    cscript RevertHotfix941162.vbs

Properties

Article ID: 941162 - Last Review: May 21, 2010 - Revision: 2.0
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
  • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
Keywords: 
kbexpertiseinter kbqfe KB941162

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com