Article ID: 951509 - View products that this article applies to.
Consider the following scenario:
The page cannot be displayed
Error Code: 401 Unauthorized
By default, when an ISA Server Web Publishing rule is configured to use KCD, ISA Server uses the Kerberos version 5 authentication package to create a Negotiate authentication HTTP request. If the Web site accepts only the SPNEGO package, access is rejected.
To resolve this problem, follow these steps:
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
If the Web Listener can be configured to use either Basic authentication or Forms-Based authentication together with any of the following validation methods, you can configure the Web publishing rule to use Negotiate (Kerberos/NTLM) authentication to delegate credentials:
If you examine the HTTP GET request that ISA Server sends to the Web server, you may capture the following data:
After you enable this hotfix in compliance with the procedure in the "Resolution" section, the HTTP GET request should resemble the following:
///// Authorization: Negotiate YIIGpwYJKoZIhvcSAQICAQBuggaWMIIGkqADAgEFoQMCAQ6iBwMFAAAAAACjggXKYYIFxjCCBcKgAwIBBaETGxFFTUVBLkxPUkVBTC5JTlRSQaIsMCqgAwIBAqEjMCEbBEhUVFAbGWZyZGdyaHJkc2FwMDQubG9yZWFsLndhbnOjggV2MIIFcqADAgEDoQMCAQaiggVkBIIFYDMpi/3cMT GSS-API Generic Security Service Application Program Interface OID: 1.2.840.1135184.108.40.206 (KRB5 - Kerberos 5) ----> Kerberos V5 krb5_blob: 01006E82069630820692A003020105A10302010EA2070305... /////
//// Hypertext Transfer Protocol GET /sec_form/ HTTP/1.1\r\n Connection: Keep-Alive\r\n Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/ms Accept-Encoding: identity\r\n Accept-Language: fr-FR\r\n Authorization: Negotiate YIIHJQYGKwYBBQUCoIIHGTCCBxWgGDAWBgkqhkiC9xIBAgIGCSqGSIb3EgECAqKCBvcEggbzYIIG7wYJKoZIhvcSAQICAQBuggbeMIIG2qADAgEFoQMCAQ6iBwMFACAAAACjggYKYYIGBjCCBgKgAwIBBaETGxFFTUVBLkxPUkVBTC5JTlRSQaIsMCqgAwIBAqEjMCEbBEhUVFAbGWZyZG GSS-API Generic Security Service Application Program Interface OID: 220.127.116.11.5.5.2 (SPNEGO - Simple Protected Negotiation) à SPNEGO ////