FIX: ISA Server 2006 may be overloaded with authorization attempts after you apply hotfix 955113

Article translations Article translations
Article ID: 956922 - View products that this article applies to.
Expand all | Collapse all

SYMPTOMS

Consider the following scenario:
  • You use Microsoft Internet Security and Acceleration (ISA) Server 2006 and enable VPN Client access.
  • The ISA Server 2006 computer is a member server of an Active Directory forest that has a one-way trust to another forest in which the VPN user accounts exist.
  • You have configured all rules that allow traffic from the VPN clients to other networks without any authentication.
  • You have applied hotfix 955113 to enable the traffic from those VPN clients.
In this scenario, the traffic from the VPN clients is forwarded correctly. However, ISA Server may be overloaded with authorization attempts.

CAUSE

Before ISA Server checks the policy rules to determine whether traffic is allowed, it tries to create an authorization context for the client. When the client is from another forest that has a one-way trust, ISA Server cannot create that context. Therefore, ISA Server repeatedly tries to create the context for every new session. Depending on the number of sessions from the VPN clients, these attempts may overload ISA Server and cause packets to be dropped.

RESOLUTION

To resolve this problem, follow these steps:
  1. Apply the hotfix that is mentioned in the following Microsoft Knowledge Base article:
    956925 Description of the ISA Server 2006 hotfix package: August 20, 2008
  2. Start Notepad, and then copy the following script into a Notepad file.
    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
    Const SE_VPS_NAME = "EnableAuthZNULLContextCaching"
    Const SE_VPS_VALUE = true
    
    Sub SetValue()
    
        ' Create the root obect.
        Dim root  ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")
    
        'Declare the other objects needed.
        Dim array       ' An FPCArray object
        Dim VendorSets  ' An FPCVendorParametersSets collection
        Dim VendorSet   ' An FPCVendorParametersSet object
    
        ' Get references to the array object
        ' and the network rules collection.
        Set array = root.GetContainingArray
        Set VendorSets = array.VendorParametersSets
    
        On Error Resume Next
        Set VendorSet = VendorSets.Item( SE_VPS_GUID )
    
        If Err.Number <> 0 Then
            Err.Clear
    
            ' Add the item
            Set VendorSet = VendorSets.Add( SE_VPS_GUID )
            CheckError
            WScript.Echo "New VendorSet added... " & VendorSet.Name
    
        Else
            WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value(SE_VPS_NAME)
        End If
    
        if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
    
            Err.Clear
            VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
    
            If Err.Number <> 0 Then
                CheckError
            Else
                VendorSets.Save false, true
                CheckError
    
                If Err.Number = 0 Then
                    WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
                End If
            End If
        Else
            WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
        End If
    
    End Sub
    
    Sub CheckError()
    
        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If
    
    End Sub
    
    SetValue
    
  3. Save the file as a Microsoft Visual Basic script file by using the .vbs file name extension. For example, save the file by using the following name:
    EnableAuthZNULLContextCaching.vbs
  4. Copy the .vbs file to the computer that is running ISA Server 2006, and then double-click the file.
After you apply these steps, ISA Server 2006 caches the negative responses from the AuthZ API and only tries to create the security context one time for each user.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

REFERENCES

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Properties

Article ID: 956922 - Last Review: November 11, 2008 - Revision: 1.0
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2006 Service Pack 1, when used with:
    • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
    • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
Keywords: 
kbqfe kbexpertiseinter kbfix KB956922

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com