FIX: A VPN client that uses RADIUS authentication may not log on to the internal network when the User Mapping option is enabled in ISA Server 2006

Article ID: 956923

SYMPTOMS

Consider the following scenario:
  • A virtual private network (VPN) client tries to connect to an internal network across Microsoft Internet Security and Acceleration (ISA) Server 2006.
  • The VPN client uses Remote Authentication Dial-In User Service (RADIUS) authentication.
  • The VPN client specifies its credentials in user principal name (UPN) format (userName@FullyQualifiedDomainName).
  • The User Mapping option is enabled in ISA Server 2006.
In this scenario, the VPN client may not log on to the internal network.

Note The User Mapping option is used to map VPN clients from non-Windows namespaces, such as RADIUS or Extensible Authentication Protocol (EAP) authenticated users, to the Windows namespace.

CAUSE

This problem occurs because ISA Server 2006 does not recognize that the RADIUS user name is in UPN format and incorrectly adds the domain name in front of the user name. When the computer that is running ISA Server later tries to perform the User Mapping, it cannot find the user because the user name format is invalid.

RESOLUTION

To resolve this problem, apply the hotfix that is mentioned in the following Microsoft Knowledge Base article:
956925 Description of the ISA Server 2006 hotfix package: August 20, 2008

WORKAROUND

To work around this problem, VPN users can specify their credentials in Security Accounts Manager (SAM) name format (DomainName\UserName). This allows ISA Server to parse the credentials correctly and perform the user mapping.
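
The following added example (not ISA Server code and not from Microsoft) models the parsing fault described under CAUSE and the name format used in the WORKAROUND, next to a format-aware normalization that leaves UPN and SAM names unchanged. The function names, the regular expressions, the sample domain CONTOSO and the exact shape of the malformed name are assumptions made for illustration.

```python
# Added illustration; not ISA Server code. All names and sample values are constructed.
import re

DEFAULT_DOMAIN = "CONTOSO"  # constructed sample domain name

# DomainName\UserName (SAM) and userName@FullyQualifiedDomainName (UPN)
_SAM = re.compile(r'^[^\\/@]+\\[^\\/@]+$')
_UPN = re.compile(r'^[^\\/@]+@[^\\/@]+\.[^\\/@]+$')


def classify(name):
    """Return 'sam', 'upn', 'bare' or 'invalid' for a logon name."""
    if _SAM.match(name):
        return "sam"
    if _UPN.match(name):
        return "upn"
    if name and not re.search(r'[\\/@]', name):
        return "bare"
    return "invalid"


def faulty_normalize(name, domain=DEFAULT_DOMAIN):
    """Model of the fault: only SAM names are recognized, so a UPN
    gets the domain name added in front of it."""
    if classify(name) == "sam":
        return name
    return f"{domain}\\{name}"


def normalize(name, domain=DEFAULT_DOMAIN):
    """Format-aware version: SAM and UPN names pass through unchanged;
    only a bare user name is qualified with the default domain."""
    kind = classify(name)
    if kind in ("sam", "upn"):
        return name
    if kind == "bare":
        return f"{domain}\\{name}"
    raise ValueError(f"unrecognized logon name format: {name!r}")


def mappable(name):
    """User mapping can only look up a well-formed SAM or UPN name."""
    return classify(name) in ("sam", "upn")
```

With the constructed input `alice@corp.example.com`, `faulty_normalize` yields a hybrid name that is neither SAM nor UPN, which is why the later lookup fails, while the SAM form `CONTOSO\alice` passes through both functions unchanged.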

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Properties

Article ID: 956923 - Last Review: November 11, 2008 - Revision: 1.0
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2006 Service Pack 1, when used with:
    • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
    • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
Keywords: 
kbexpertiseinter kbfix kbqfe KB956923
