Credentials that are provided to ISA Server are sent in an unprotected form


INTRODUCTION


Under specific circumstances, Microsoft ISA Server will request Basic authentication or Forms-based authentication over an HTTP connection. If the client application responds to this authentication request, the user credentials are passed to ISA Server in Base64-encoded form (Basic) or in plain text (FBA). Because Base64 encoding is reversible and is not encryption, the credentials that are provided to ISA Server are sent in an unprotected form in both cases. This problem does not occur when Integrated or Digest authentication is used, because those authentication methods send credentials in a protected form.

Note ISA Server 2000 Web publishing listeners do not support forms-based authentication.

More Information


This scenario occurs when either of the following two conditions is true.

Condition 1

Condition 1 occurs when the ISA Server administrator wants to support HTTPS requests together with one of the following configurations:
  • Rejection of HTTP-based requests
  • Automatic redirection to an HTTPS request by using a custom ISA Server error page (12217R.htm)

    Note ISA Server Help discusses how to create custom error pages.


In Condition 1, the Web listener has the following settings:
  • On the Preferences tab, Enable HTTP is selected.
  • On the Preferences tab, Basic or OWA Forms-Based authentication is selected. The Require all users to authenticate option is not selected.
Additionally, a Web publishing rule exists with the following settings:
  • Allow is selected on the Action tab.
  • The Authentication option on the Action tab includes Basic or OWA Forms-Based authentication.
  • On the Traffic tab, HTTP is listed in the This rule applies to traffic of the following protocols box.
  • On the Listener tab, a Web listener is configured as described in this section.
  • On the Users tab, the This rule applies to requests from the following user sets box contains any combination of the following users:
    • All Authenticated Users
    • Any specific user or user group

Condition 2

Condition 2 typically occurs when the ISA Server administrator does not understand the implications of using clear-text authentication over HTTP. In this case, a Web listener has the following settings:
  • On the Preferences tab, Enable HTTP is selected.
  • On the Preferences tab, Basic or OWA Forms-Based authentication is selected. The Require all users to authenticate option is also selected.

Workaround


ISA Server 2000

Because no ISA Server 2000 workaround exists for this issue, an ISA Server 2000 update has been created. For more information, visit the following Microsoft Web site:

ISA Server 2004

  1. Open the ISA Management console.
  2. Click Firewall Policy.
  3. In the Task pane, click the Toolbox tab, and then expand the Web Listeners node.
  4. If appropriate, modify each Web Listener entry as described in the "Web listener configuration" section.
  5. If appropriate, modify each Web Publishing rule entry as described in the "Web publishing rule configuration" section.
  6. When you are finished, click Apply to commit the changes to ISA Server policy storage.

Web listener configuration

  1. For each Web listener that is found under the Web Listeners node, follow these steps:
    1. Right-click the listener, and then click Properties.
    2. Click the Preferences tab.
    3. If the Enable HTTP and Enable HTTPS options are both selected, click Authentication.
    4. If either of the Basic or OWA Forms-Based options is selected, go to step 2.
  2. Create a new listener. To do this, follow these steps:
    1. Right-click the listener, and then click Copy.
    2. Right-click the listener, and then click Paste.
    3. Rename the new listener. For example, type Old_Name_HTTP.
    4. Rename the original listener. For example, type Old_Name_HTTPS.

  3. Modify the Old_Name_HTTP listener as follows:
    1. Right-click the listener, and then click Properties.
    2. Click the Preferences tab.
    3. Click to clear the Enable SSL check box.
    4. Click the Authentication button.
    5. Click to clear the Basic or OWA Forms-Based option.
    6. Click Apply, and then click OK to close the dialog box.

  4. Modify the Old_Name_HTTPS listener as follows:
    1. Right-click the listener, and then click Properties.
    2. Click the Preferences tab.
    3. Click to clear the Enable HTTP check box.
    4. Click Apply, and then click OK to close the dialog box.

  5. Repeat for each remaining Web listener.

Web publishing rule configuration

  1. For each Web publishing rule, follow these steps:
    1. Right-click the rule, and then click Properties.
    2. Click the Listener tab.
    3. If the Listener properties settings match the settings that are described in the "Condition 1" or "Condition 2" sections, go to step 2.
  2. Follow these steps to split the rule into separate rules:
    1. Right-click the rule, and then click Copy.
    2. Right-click the rule again, and then click Paste. (This action puts the new rule before the old rule.)
    3. Rename the new rule. For example, type Old_Name_HTTP.
    4. Rename the old rule. For example, type Old_Name_HTTPS.
  3. Modify the Old_Name_HTTP rule as follows:
    1. Right-click the rule, and then click Properties.
    2. Click the Listener tab.
    3. Click the appropriate Old_Name_HTTP listener.
    4. Click the Authentication button.
    5. Click to clear the Basic or OWA Forms-Based check box.
    6. Click the Users tab.
    7. If the list contains All Authenticated Users or specific users and groups, empty the list by repeatedly clicking Remove.
    8. Click Add, click All Users, and then click Add.
    9. Click to clear the Forward Basic authentication credentials (Basic delegation) check box.
    10. Click Apply, and then click OK to close the dialog box.
  4. Modify the Old_Name_HTTPS rule as follows:
    1. Right-click the rule, and then click Properties.
    2. Click the Listener tab.
    3. Click the appropriate Old_Name_HTTPS listener.
    4. Click the Authentication button.
    5. Click to select Basic or OWA Forms-Based authentication as appropriate.
    6. Click the Users tab.
    7. If the list contains All Authenticated Users or specific users and groups, go to step 5.
    8. Click Add, click All Users, and then click Add.
    9. Click to select the Forward Basic authentication credentials (Basic delegation) check box.
    10. Click Apply, and then click OK to close the dialog box.
  5. Repeat steps 2 through 4 for each Web publishing rule.
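To make the two conditions and the listener/rule split concrete, the following is an added Python example; it is not part of this article and does not use any ISA Server API. Listeners and rules are modelled as plain dictionaries whose keys (enable_http, enable_ssl, authentication, require_all_users_to_authenticate, users, basic_delegation) are assumptions named after the options in the article. find_conditions reports which listeners match Condition 1 or Condition 2, and remediate applies the Old_Name_HTTP / Old_Name_HTTPS split from the "Web listener configuration" and "Web publishing rule configuration" sections, after which the audit reports nothing.

```python
"""Audit hypothetical ISA Server Web listener and Web publishing rule settings
for Condition 1 and Condition 2, then apply the listener/rule split from the
workaround. Constructed example: the dict field names are assumptions that
mirror the option names in the article, not an ISA Server API."""

CLEAR_TEXT_AUTH = {"Basic", "OWA Forms-Based"}  # schemes that expose credentials over HTTP


def listener_offers_clear_text_auth(listener):
    """HTTP is enabled and the listener may ask for Basic or FBA credentials."""
    return listener["enable_http"] and bool(CLEAR_TEXT_AUTH & set(listener["authentication"]))


def rule_forces_authentication(rule):
    """The rule's user set is not just 'All Users', so clients must present credentials."""
    return bool(set(rule["users"]) - {"All Users"})


def find_conditions(listeners, rules):
    """Return (condition number, listener name, rule name or None) for each match."""
    findings = []
    for lst in listeners:
        if not listener_offers_clear_text_auth(lst):
            continue
        if lst["require_all_users_to_authenticate"]:
            findings.append((2, lst["name"], None))  # Condition 2: listener alone forces it
            continue
        for rule in rules:  # Condition 1: an allow rule bound to this listener forces auth over HTTP
            if (rule["listener"] == lst["name"]
                    and rule["action"] == "Allow"
                    and CLEAR_TEXT_AUTH & set(rule["authentication"])
                    and "HTTP" in rule["protocols"]
                    and rule_forces_authentication(rule)):
                findings.append((1, lst["name"], rule["name"]))
    return findings


def split_listener(listener):
    """'Web listener configuration': an HTTP copy with SSL and clear-text auth
    removed, and an HTTPS copy with HTTP disabled."""
    http_copy = dict(listener, name=listener["name"] + "_HTTP", enable_ssl=False,
                     authentication=[a for a in listener["authentication"] if a not in CLEAR_TEXT_AUTH])
    https_copy = dict(listener, name=listener["name"] + "_HTTPS", enable_http=False)
    return http_copy, https_copy


def split_rule(rule):
    """'Web publishing rule configuration': the HTTP rule allows All Users with no
    clear-text auth and no Basic delegation; the HTTPS rule keeps the credentials."""
    http_copy = dict(rule, name=rule["name"] + "_HTTP", listener=rule["listener"] + "_HTTP",
                     authentication=[a for a in rule["authentication"] if a not in CLEAR_TEXT_AUTH],
                     users=["All Users"], basic_delegation=False)
    https_copy = dict(rule, name=rule["name"] + "_HTTPS", listener=rule["listener"] + "_HTTPS",
                      basic_delegation=True)
    return http_copy, https_copy


def remediate(listeners, rules):
    """Split every flagged listener and every rule bound to it; other objects are kept as-is."""
    flagged = {name for _, name, _ in find_conditions(listeners, rules)}
    new_listeners, new_rules = [], []
    for lst in listeners:
        new_listeners.extend(split_listener(lst) if lst["name"] in flagged else [lst])
    for rule in rules:
        new_rules.extend(split_rule(rule) if rule["listener"] in flagged else [rule])
    return new_listeners, new_rules


# Constructed sample policy: one listener matching each condition in the article.
SAMPLE_LISTENERS = [
    {"name": "OWA", "enable_http": True, "enable_ssl": True,
     "authentication": ["Basic", "Integrated"], "require_all_users_to_authenticate": False},
    {"name": "Intranet", "enable_http": True, "enable_ssl": True,
     "authentication": ["OWA Forms-Based"], "require_all_users_to_authenticate": True},
]
SAMPLE_RULES = [
    {"name": "Publish OWA", "action": "Allow", "listener": "OWA", "authentication": ["Basic"],
     "protocols": ["HTTP", "HTTPS"], "users": ["All Authenticated Users"], "basic_delegation": True},
    {"name": "Publish Intranet", "action": "Allow", "listener": "Intranet",
     "authentication": ["OWA Forms-Based"], "protocols": ["HTTP", "HTTPS"],
     "users": ["All Users"], "basic_delegation": False},
]

if __name__ == "__main__":
    for cond, lst_name, rule_name in find_conditions(SAMPLE_LISTENERS, SAMPLE_RULES):
        print(f"Condition {cond}: listener {lst_name!r}" + (f", rule {rule_name!r}" if rule_name else ""))
    fixed_listeners, fixed_rules = remediate(SAMPLE_LISTENERS, SAMPLE_RULES)
    print("findings after split:", find_conditions(fixed_listeners, fixed_rules))  # []
```

Running the script reports Condition 1 for the OWA listener (its allow rule forces All Authenticated Users to present Basic credentials over HTTP) and Condition 2 for the Intranet listener (Require all users to authenticate with forms-based authentication), and after remediate has split both listeners and their rules the audit finds nothing, because the only listeners that still accept HTTP no longer offer Basic or OWA Forms-Based authentication.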