ISA Server 2006 sends back an HTTP 502 error if invalid credentials are provided to an FBA Web listener

Article ID: 958952 - View products that this article applies to.
Expand all | Collapse all

SYMPTOMS

Consider the following scenario:
  • You have a Web server that is published by using Microsoft Internet Security and Acceleration (ISA) Server 2006 with Service Pack 1 (SP1).
  • A Web listener is configured to authenticate by using Forms Based Authentication (FBA).
  • A non-browser client tries to access the Web server. However, it provides an incorrect credential.
In this scenario, the client receives an HTTP 502 error. The client also does not access the Web server. The expected behavior is that the client should receive an HTTP 401 error and be prompted to provide a valid credential.

For example, the following two kinds of clients may encounter this problem under certain conditions:
  • ActiveSync client
    After you change the user password on a computer, an Activesync client tries to use the original password to authenticate. The client will receive an HTTP 502 error from ISA Server, and the client is never prompted to provide new credentials.
  • Outlook Anywhere client that uses the Autodiscovery feature
    By default, Outlook Autodiscovery tries to authenticate by using the Simple Mail Transfer Protocol (SMTP) address of the user first. If this SMTP address does not match the user's user principal name (UPN), ISA Server does not authenticate the client and sends back an HTTP 502 error instead of an HTTP 401 error.
Back to the top | Give Feedback

CAUSE

In the scenario that is described in the "Symptoms" section, ISA Server 2006 falls back to use basic authentication for the non-browser client, such as ActiveSync or Outlook Anywhere Autodiscovery. This problem occurs because ISA 2006 SP1 incorrectly handles the authentication message when FBA switches to basic authentication and the wrong credential is provided by client.
Back to the top | Give Feedback

RESOLUTION

To resolve this problem, apply the hotfix that is mentioned in the following Microsoft Knowledge Base article:
959357
(http://support.microsoft.com/kb/959357/ )
Description of the ISA Server 2006 hotfix package: October 29, 2008
Back to the top | Give Feedback

WORKAROUND

To work around this problem, set up a dedicated Web listener for the ActiveSync client or for the Outlook Anywhere client, and then configure the Web listener by using basic authentication instead of FBA.
Back to the top | Give Feedback

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Back to the top | Give Feedback

REFERENCES

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
956192
(http://support.microsoft.com/kb/956192/ )
An Outlook Anywhere client continually uses the wrong credentials every time that it tries to authenticate itself on an Exchange server after you install ISA Server 2006 Service Pack 1
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684
(http://support.microsoft.com/kb/824684/ )
Description of the standard terminology that is used to describe Microsoft software updates
Back to the top | Give Feedback

Properties

Article ID: 958952 - Last Review: February 26, 2009 - Revision: 1.0
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2006 Service Pack 1, when used with:
    • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
    • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
Keywords: 
kbexpertiseinter kbqfe kbfix kbsurveynew KB958952
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top