FIX: A VPN client that uses RADIUS authentication may not log on to the internal network when the User Mapping option is enabled in ISA Server 2006

Consider the following scenario:

• A virtual private network (VPN) client tries to connect to an internal network across Microsoft Internet Security and Acceleration (ISA) Server 2006.
• The VPN client uses Remote Authentication Dial-In User Service (RADIUS) authentication.
• The VPN client specifies the credential in a user principal name (UPN) format (userName@FullyQualifiedDomainName).
• The User Mapping option is enabled in ISA Server 2006.

In this scenario, the VPN client may not log on to the internal network.

Note The User Mapping option is used to map VPN clients from non-Windows namespaces, such as RADIUS or Extensible Authentication Protocol (EAP) authenticated users, to the Windows namespace.

This problem occurs because ISA Server 2006 does not recognize that the RADIUS user name is a UPN name format and incorrectly adds the domain name in front of the user name. When the computer that is running ISA Server tries to perform the User Mapping later, it cannot find the user because the user name format is invalid.

To resolve this problem, apply the hotfix that is mentioned in the following Microsoft Knowledge Base article:

To work around this problem, the VPN users can specify their credentials in a Security Accounts Manager (SAM) name format (DomainName\UserName). This will allow ISA Server to appropriately parse the credentials and perform the user mapping.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base: