Help and Support

Article ID: 951509 - Last Review: May 5, 2008 - Revision: 1.1

Users cannot access a Web site that is published in ISA Server 2006 if the Web site accepts only the SPNEGO authentication package

View products that this article applies to.
Expand all | Collapse all

SYMPTOMS

Consider the following scenario:
  • You publish a Web site in Microsoft Internet Security and Acceleration (ISA) Server 2006.
  • In the Web publishing rule, you configure ISA Server to use Kerberos Constrained Delegation (KCD) to delegate user credentials to the published Web site.
  • The Web site that you publish accepts only the Simple And Protected Negotiate (SPNEGO) authentication package.
When a user tries to access the published Web site in this scenario, the following error code is returned:
The page cannot be displayed
Error Code: 401 Unauthorized
Back to the top

CAUSE

By default, when an ISA Server Web Publishing rule is configured to use KCD, ISA Server uses the Kerberos version 5 authentication package to create a Negotiate authentication HTTP request. If the Web site accepts only the SPNEGO package, access is rejected.
Back to the top

RESOLUTION

To resolve this problem, follow these steps:
  1. Apply the hotfix package that is described in the following Microsoft Knowledge Base article:
    951510  (http://support.microsoft.com/kb/951510/ ) Description of the ISA Server 2006 hotfix package: April 9, 2008
  2. Start Notepad.
  3. Copy the following code, and then paste it into Notepad:
    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "EnableKcdWithSPNego"
Const SE_VPS_VALUE = true

Sub SetValue()

    ' Create the root object.
    Dim root  ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    'Declare the other objects that are needed.
    Dim array       ' An FPCArray object
    Dim VendorSets  ' An FPCVendorParametersSets collection
    Dim VendorSet   ' An FPCVendorParametersSet object

    ' Get references to the array object
    ' and to the network rules collection.
    Set array = root.GetContainingArray
    Set VendorSets = array.VendorParametersSets

    On Error Resume Next
    Set VendorSet = VendorSets.Item( SE_VPS_GUID )

    If Err.Number <> 0 Then
        Err.Clear

        ' Add the item.
        Set VendorSet = VendorSets.Add( SE_VPS_GUID )
        CheckError
        WScript.Echo "New VendorSet added... " & VendorSet.Name

    Else
        WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value(SE_VPS_NAME)
    End If

    if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then

        Err.Clear
        VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

        If Err.Number <> 0 Then
            CheckError
        Else
            VendorSets.Save false, true
            CheckError

            If Err.Number = 0 Then
                WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
            End If
        End If
    Else
        WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
    End If

End Sub

Sub CheckError()

    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If

End Sub

SetValue
    Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure. However, they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.
  4. Save the file as a Microsoft Visual Basic script file by using the .vbs file name extension when you save the file. For example, use the following name to save the file:
    EnableSPNEGO.vbs
  5. Open a command prompt, change directories to where you saved the EnableSPNEGO.vbs file, and then run the following command:
    cscript EnableSPNEGO.vbs
Back to the top

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Back to the top

WORKAROUND

If the Web Listener can be configured to use either Basic authentication or Forms-Based authentication together with any of the following validation methods, you can configure the Web publishing rule to use Negotiate (Kerberos/NTLM) authentication to delegate credentials:
  • Windows
  • LDAP
  • RADIUS (not RADIUS OTP)
In this situation, ISA Server sends the authentication by using the SPNEGO package. If you use this workaround, the request to the published server will resemble the second example that is presented in the "More information" section.
Back to the top

MORE INFORMATION

If you examine the HTTP GET request that ISA Server sends to the Web server, you may capture the following data:
/////
Authorization: Negotiate YIIGpwYJKoZIhvcSAQICAQBuggaWMIIGkqADAgEFoQMCAQ6iBwMFAAAAAACjggXKYYIFxjCCBcKgAwIBBaETGxFFTUVBLkxPUkVBTC5JTlRSQaIsMCqgAwIBAqEjMCEbBEhUVFAbGWZyZGdyaHJkc2FwMDQubG9yZWFsLndhbnOjggV2MIIFcqADAgEDoQMCAQaiggVkBIIFYDMpi/3cMT
GSS-API Generic Security Service Application Program Interface
OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5) ----> Kerberos V5
krb5_blob: 01006E82069630820692A003020105A10302010EA2070305...
/////
After you enable this hotfix in compliance with the procedure in the "Resolution" section, the HTTP GET request should resemble the following:
////
Hypertext Transfer Protocol
    GET /sec_form/ HTTP/1.1\r\n
    Connection: Keep-Alive\r\n
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/ms
    Accept-Encoding: identity\r\n
    Accept-Language: fr-FR\r\n
    Authorization: Negotiate YIIHJQYGKwYBBQUCoIIHGTCCBxWgGDAWBgkqhkiC9xIBAgIGCSqGSIb3EgECAqKCBvcEggbzYIIG7wYJKoZIhvcSAQICAQBuggbeMIIG2qADAgEFoQMCAQ6iBwMFACAAAACjggYKYYIGBjCCBgKgAwIBBaETGxFFTUVBLkxPUkVBTC5JTlRSQaIsMCqgAwIBAqEjMCEbBEhUVFAbGWZyZG
        GSS-API Generic Security Service Application Program Interface
            OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)  à  SPNEGO

////
Back to the top
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
  • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
Back to the top
Keywords: 
kbqfe kbexpertiseinter KB951509
Back to the top

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations