You are currently offline, waiting for your internet to reconnect

ISA Server 2006 sends back an HTTP 502 error if invalid credentials are provided to an FBA Web listener

This article has been archived. It is offered "as is" and will no longer be updated.
Consider the following scenario:
  • You have a Web server that is published by using Microsoft Internet Security and Acceleration (ISA) Server 2006 with Service Pack 1 (SP1).
  • A Web listener is configured to authenticate by using Forms Based Authentication (FBA).
  • A non-browser client tries to access the Web server. However, it provides an incorrect credential.
In this scenario, the client receives an HTTP 502 error. The client also does not access the Web server. The expected behavior is that the client should receive an HTTP 401 error and be prompted to provide a valid credential.

For example, the following two kinds of clients may encounter this problem under certain conditions:
  • ActiveSync client
    After you change the user password on a computer, an Activesync client tries to use the original password to authenticate. The client will receive an HTTP 502 error from ISA Server, and the client is never prompted to provide new credentials.
  • Outlook Anywhere client that uses the Autodiscovery feature
    By default, Outlook Autodiscovery tries to authenticate by using the Simple Mail Transfer Protocol (SMTP) address of the user first. If this SMTP address does not match the user's user principal name (UPN), ISA Server does not authenticate the client and sends back an HTTP 502 error instead of an HTTP 401 error.
In the scenario that is described in the "Symptoms" section, ISA Server 2006 falls back to use basic authentication for the non-browser client, such as ActiveSync or Outlook Anywhere Autodiscovery. This problem occurs because ISA 2006 SP1 incorrectly handles the authentication message when FBA switches to basic authentication and the wrong credential is provided by client.
To resolve this problem, apply the hotfix that is mentioned in the following Microsoft Knowledge Base article:
959357 Description of the ISA Server 2006 hotfix package: October 29, 2008
To work around this problem, set up a dedicated Web listener for the ActiveSync client or for the Outlook Anywhere client, and then configure the Web listener by using basic authentication instead of FBA.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
956192 An Outlook Anywhere client continually uses the wrong credentials every time that it tries to authenticate itself on an Exchange server after you install ISA Server 2006 Service Pack 1
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Article ID: 958952 - Last Review: 01/15/2015 19:17:41 - Revision: 2.0

Microsoft Internet Security and Acceleration Server 2006 Service Pack 1

  • kbnosurvey kbarchive kbexpertiseinter kbqfe kbfix kbsurveynew KB958952