When you use ISA Server 2006 to publish a Web server, and authentication delegation is enabled, some Web content may not be displayed correctly when a user accesses the published Web server

Article ID: 951508

SYMPTOMS

Consider the following scenario:
  • You use Microsoft Internet Security and Acceleration (ISA) Server 2006 to publish a Web server.
  • In the Web publishing rule, authentication delegation is enabled and is configured to use one of the following authentication delegation methods:
    • NTLM
    • Negotiate (Kerberos/NTLM)
    • Kerberos constrained delegation
  • A user tries to access the published Web server.
In this scenario, some content may not be displayed correctly in the user's Web browser.

For example, this problem may occur when the following conditions are true:
  • The published Web server is an Internet Information Services (IIS) server.
  • A Web site that is served by one IIS application pool references another Web site that is served by another application pool. These Web sites both require authentication.
If you troubleshoot this problem, you may discover that ISA Server authenticates the session with the Web server when the user accesses the first site. However, assume that the user makes a second request to the second site, and ISA Server sends this request over the session that is already authenticated with the Web server. Because each application pool must authenticate user requests for these sites, the Web server returns an "HTTP 401 authentication required" response.

CAUSE

When ISA Server receives the HTTP 401 status from the Web server, ISA Server returns an "HTTP 302 Redirect" response to the client. This instructs the client to resubmit the request to a different URL, which is the original URL with a tag appended to it. For example, the request to http://domain/test.htm may be redirected to the following appended URL:
http://domain/test.htm&authResendNNN
The "HTTP 302 Redirect" response includes a "Connection: Close" header. Therefore, the client will send the redirected request to ISA over a new session.

When the redirected request reaches ISA Server, the authentication delegation filter identifies the tag and then extracts the original URL. The delegation filter then opens a new authenticated session with the Web server and sends the original URL over this session.

In this scenario, the following problems may occur:
  • If the Web server returns a Cache header to enable response caching, the browser caches the tagged URL instead of the original URL. However, when the browser later tries to refresh the Web site, it uses the original URL.
  • When the browser refreshes the Web site, it makes a conditional request. For example, the request may include conditional headers, such as If-Modified-Since and If-None-Match. The Web server may respond with an "HTTP 304 (Not Modified)" status. However, if the browser has not cached a tagged URL, it does not display anything when HTTP 304 is returned.
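
The two problems above leave a recognizable trace in request logs, which can be used to confirm that a site is affected before the hotfix is applied. The following Python sketch is an added example, not Microsoft code: the (client, URL, status) record layout and the sample records are constructed and are not the ISA Server log schema, and reading NNN in the tag as decimal digits is an assumption.

```python
import re
from collections import defaultdict

# The article shows the tag as "&authResendNNN". Treating NNN as decimal
# digits at the end of the URL is an assumption made for this example.
TAG_RE = re.compile(r"&authResend\d+$")

def split_tag(url):
    """Return (original_url, was_tagged) for a logged request URL."""
    m = TAG_RE.search(url)
    return (url[:m.start()], True) if m else (url, False)

def find_affected(records):
    """records: (client, url, status) tuples in time order.
    Returns {original_url: {"body_under_tag": n, "blank_304": n}}."""
    findings = defaultdict(lambda: {"body_under_tag": 0, "blank_304": 0})
    got_body = set()  # (client, tagged_url) pairs that received a full body
    for client, url, status in records:
        original, tagged = split_tag(url)
        if not tagged:
            continue  # untagged requests are not part of the redirect path
        if status == 200:
            # First problem: the body is delivered (and may be cached)
            # under the tagged URL instead of the original URL.
            got_body.add((client, url))
            findings[original]["body_under_tag"] += 1
        elif status == 304 and (client, url) not in got_body:
            # Second problem: 304 for a tagged URL the client holds no
            # body for, so the browser has nothing to display.
            findings[original]["blank_304"] += 1
    return dict(findings)

# Constructed sample records (not real ISA Server log output).
SAMPLE = [
    ("10.0.0.5", "http://domain/test.htm", 302),
    ("10.0.0.5", "http://domain/test.htm&authResend101", 200),
    ("10.0.0.7", "http://domain/logo.gif", 302),
    ("10.0.0.7", "http://domain/logo.gif&authResend102", 304),
    ("10.0.0.7", "http://domain/index.htm", 200),
]

if __name__ == "__main__":
    for url, counts in find_affected(SAMPLE).items():
        print(url, counts)
```

A nonzero blank_304 count for a URL matches the blank-content symptom; a nonzero body_under_tag count marks content that the browser may have cached under the tagged URL.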

RESOLUTION

To resolve this problem, apply the hotfix package that is described in the following Microsoft Knowledge Base article:
951510 Description of the ISA Server 2006 hotfix package: April 9, 2008

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Properties

Article ID: 951508 - Last Review: May 20, 2008 - Revision: 1.1
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
  • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
Keywords: kbqfe kbexpertiseinter KB951508
