When you use ISA Server 2006 to publish a Web server, and authentication delegation is enabled, some Web content may not be displayed correctly when a user accesses the published Web server

This article has been archived. It is offered "as is" and will no longer be updated.
Consider the following scenario:
  • You use Microsoft Internet Security and Acceleration (ISA) Server 2006 to publish a Web server.
  • In the Web publishing rule, authentication delegation is enabled and is configured to use one of the following authentication delegation methods:
    • NTLM
    • Negotiate (Kerberos/NTLM)
    • Kerberos constrained delegation
  • A user tries to access the published Web server.
In this scenario, some content may not be displayed correctly in the user's Web browser.

For example, this problem may occur when the following conditions are true:
  • The published Web server is an Internet Information Services (IIS) server.
  • A Web site that is served by one IIS application pool references another Web site that is served by another application pool. These Web sites both require authentication.
If you troubleshoot this problem, you may discover that ISA Server authenticates the session with the Web server when the user accesses the first site. When the user then makes a request to the second site, ISA Server sends this request over the session that is already authenticated with the Web server. Because each application pool authenticates user requests for its own site, the Web server returns an "HTTP 401 authentication required" response for this second request.
When ISA Server receives the HTTP 401 status from the Web server, ISA Server returns an "HTTP 302 Redirect" response to the client. This instructs the client to resubmit the request to a different URL. The different URL points to the original URL but with a tag appended onto it. For example, the request to http://domain/test.htm may be redirected to the following appended URL:
The "HTTP 302 Redirect" response includes a "Connection: Close" header. Therefore, the client will send the redirected request to ISA over a new session.

When the redirected request reaches ISA Server, the authentication delegation filter recognizes the tag and extracts the original URL. The delegation filter then opens a new authenticated session with the Web server and sends the original URL over that session.

In this scenario, the following problems may occur:
  • If the Web server returns a Cache header to enable response caching, the browser caches the response under the tagged URL instead of the original URL. However, when the browser later tries to refresh the Web site, it uses the original URL.
  • When the browser refreshes the Web site, it makes a conditional request. For example, the request may include conditional headers such as If-Modified-Since and If-None-Match. The Web server may respond with an "HTTP 304 (Not modified)" status. However, if the browser has not cached a tagged URL, it does not display anything when HTTP 304 is returned.
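The exchange described above, as an added example that is not part of the Knowledge Base article or of ISA Server itself: a small Python model of two IIS application pools, the delegation filter's tag-and-redirect behaviour, and a browser cache keyed by URL, showing why a refresh of the original URL ends in an HTTP 304 with nothing to display. The tag string, session ids and ETag value are constructed placeholders, and the way the browser keeps a validator for the URL it navigated to while caching the body under the tagged URL is an assumption used to model the refresh the article describes.

```python
TAG = "?isatag=CONSTRUCTED"   # stands in for the tag ISA appends to the URL (constructed)

class AppPool:
    """One IIS application pool; each pool authenticates sessions on its own."""
    def __init__(self, name):
        self.name, self.sessions = name, set()
    def handle(self, session, headers):
        if session not in self.sessions:
            return 401, {}, None                      # this pool has not authenticated the session
        if headers.get("If-None-Match") == "v1":
            return 304, {}, None                      # conditional request: not modified
        return 200, {"ETag": "v1", "Cache-Control": "max-age=3600"}, f"<html>{self.name}</html>"

class IsaServer:
    """Delegation filter: reuses one backend session; tags the URL and redirects on 401."""
    def __init__(self, sites):
        self.sites, self.session, self.count = sites, None, 0
    def new_session(self, pool):
        self.count += 1
        self.session = f"sess{self.count}"
        pool.sessions.add(self.session)               # delegated credentials authenticate it
        return self.session
    def handle(self, url, headers):
        if url.endswith(TAG):                         # redirected request: recover original URL
            url = url[: -len(TAG)]
            self.new_session(self.sites[url])         # open a fresh authenticated session
        pool = self.sites[url]
        session = self.session or self.new_session(pool)
        status, hdrs, body = pool.handle(session, headers)
        if status == 401:                             # session was authenticated with another pool
            return 302, {"Location": url + TAG, "Connection": "Close"}, None
        return status, hdrs, body

class Browser:
    """Caches bodies under the URL that answered, but refreshes the URL it navigated to
    using that page's validator (assumed model of the refresh the article describes)."""
    def __init__(self, isa):
        self.isa, self.cache, self.validators = isa, {}, {}
    def get(self, url, refresh=False):
        headers = {"If-None-Match": self.validators[url]} if refresh and url in self.validators else {}
        status, hdrs, body = self.isa.handle(url, headers)
        if status == 302:                             # Connection: Close -> new request to tagged URL
            body = self.get(hdrs["Location"])
            self.validators[url] = self.validators.get(hdrs["Location"])
            return body
        if status == 304:
            return self.cache.get(url)                # None: nothing cached under the original URL
        if "Cache-Control" in hdrs:
            self.cache[url], self.validators[url] = body, hdrs["ETag"]
        return body
```

Visiting the first site, then the second, then refreshing the second site reproduces the sequence: the second visit is answered through the tagged redirect and cached under the tagged URL, and the refresh of the original URL gets a 304 for which the cache holds no body.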
To resolve this problem, apply the hotfix package that is described in the following Microsoft Knowledge Base article:
951510 Description of the ISA Server 2006 hotfix package: April 9, 2008
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
More information
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates