
Symptoms

A Microsoft Forefront Threat Management Gateway (TMG) 2010 Forms-based authentication cookie is only valid on the array member that generated the cookie.

If a client request that contains an authentication cookie from one array member is sent to a different array member, the client is asked to reauthenticate. This behavior may occur when a node is taken offline, or when the client source IP address changes between requests in a way that affects which array member handles the incoming request. The client IP address can change during a browsing session when clients access the Internet over a 3G connection.

Cause

TMG uses a set of server-specific encryption keys to generate the Forms-based authentication cookie. These keys change periodically and are not shared between array members. Therefore, an authentication cookie that one array member issues cannot be used on another array member.

Resolution

TMG Service Pack 2 adds support for sharing the Forms-based authentication cookie across array members by allowing the cookie encryption keys to be shared between them. To support sharing cookie encryption keys, the array members must be domain-joined; this does not work for workgroup-based array members.

To resolve this problem, install the service pack that is described in the following Microsoft Knowledge Base article:

2555840 Description of Service Pack 2 for Microsoft Forefront Threat Management Gateway 2010

To enable Forms-based authentication cookie sharing across array members, follow these steps after you install TMG Service Pack 2:

  1. Copy the following script into Notepad, and save it with the file name EnableFix.vbs:

    Set curArray = CreateObject("FPC.Root").GetContainingArray()

    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
    Const SE_VPS_NAME = "EnableSharedCookie"
    Const SE_VPS_VALUE = 1

    Sub SetValue()

        ' Create the root object.
        Dim root ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")

        ' Declare the other objects needed.
        Dim array ' An FPCArray object
        Dim VendorSets ' An FPCVendorParametersSets collection
        Dim VendorSet ' An FPCVendorParametersSet object

        ' Get references to the array object
        ' and its vendor parameter sets collection.
        Set array = curArray
        Set VendorSets = array.VendorParametersSets

        On Error Resume Next
        Set VendorSet = VendorSets.Item( SE_VPS_GUID )

        If Err.Number <> 0 Then
            Err.Clear

            ' The parameter set does not exist yet; add it.
            Set VendorSet = VendorSets.Add( SE_VPS_GUID )
            CheckError
            WScript.Echo "New VendorSet added... " & VendorSet.Name

        Else
            WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
        End If

        If VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then

            Err.Clear
            VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

            If Err.Number <> 0 Then
                CheckError
            Else
                ' Persist the change to the array configuration.
                VendorSets.Save false, true
                CheckError

                If Err.Number = 0 Then
                    WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
                End If
            End If
        Else
            WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
        End If

    End Sub

    Sub CheckError()

        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If

    End Sub

    SetValue
  2. Run the script on one of the TMG array members.

  3. Restart the Firewall Service on all array members for the change to take effect.

To revert the change and return to default behavior, follow these steps:

  1. Locate the following line in the script:

    Const SE_VPS_VALUE = 1 
  2. Change the line that you identified in step 1 to the following:

    Const SE_VPS_VALUE = 0 
  3. Save the script, run this script on one of the array members, and then restart the Firewall Service on all array members.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

As noted earlier, for the cookie sharing to work, the TMG Array members must be domain-joined. This condition is required to support the sharing of cookie encryption keys between array members.

You should be aware that the Published server logoff URL functionality does not work across array members. For the Published server logoff URL functionality to work, a specific application URL is configured as the logoff URL. When the user requests this URL, the TMG server moves the user's cookie into a tombstone list. Therefore, if a client re-presents that cookie, it is interpreted as invalid.

This new functionality does not share the tombstone list across array members. After the logoff URL is used, the cookie is moved to the tombstone list only on the array member that handled the logoff request; a different array member, which has not tombstoned the cookie, can still accept it.
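
To make the cause and the tombstone caveat concrete, the following small Python model is added for this page; it is not TMG code and does not reproduce TMG's real cookie format or key handling. Each modeled array member validates cookies with its own key unless one shared key is supplied (standing in for the SP2 shared-key configuration), and its tombstone list stays local to the member that processed the logoff URL.

```python
import hmac
import hashlib
import secrets


class ArrayMember:
    """Toy model of one TMG array member's FBA cookie handling (constructed; not TMG's real format)."""

    def __init__(self, name, cookie_key=None):
        self.name = name
        # Pre-SP2: each member has its own key. Passing one key to every member models SP2 key sharing.
        self.cookie_key = cookie_key if cookie_key is not None else secrets.token_bytes(32)
        self.tombstones = set()  # logged-off cookies; kept per member, never shared

    def issue_cookie(self, user):
        payload = f"{user}:{secrets.token_hex(8)}".encode()
        tag = hmac.new(self.cookie_key, payload, hashlib.sha256).hexdigest()
        return payload.hex() + "." + tag

    def accept_cookie(self, cookie):
        """True only if the MAC verifies under this member's key and the cookie is not tombstoned here."""
        try:
            payload_hex, tag = cookie.split(".", 1)
            payload = bytes.fromhex(payload_hex)
        except ValueError:
            return False
        expected = hmac.new(self.cookie_key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False  # key mismatch: this member would ask the client to reauthenticate
        return cookie not in self.tombstones

    def logoff(self, cookie):
        """Published-server logoff URL: tombstone the cookie on this member only."""
        self.tombstones.add(cookie)


def per_server_keys_scenario():
    """Default per-server keys: a cookie issued by TMG1 is rejected by TMG2."""
    a, b = ArrayMember("TMG1"), ArrayMember("TMG2")
    cookie = a.issue_cookie("alice")
    return a.accept_cookie(cookie), b.accept_cookie(cookie)  # (True, False)


def shared_key_scenario():
    """Shared key: TMG2 accepts TMG1's cookie, but a logoff handled by TMG1 is invisible to TMG2."""
    shared = secrets.token_bytes(32)
    a, b = ArrayMember("TMG1", shared), ArrayMember("TMG2", shared)
    cookie = a.issue_cookie("alice")
    accepted_by_b = b.accept_cookie(cookie)
    a.logoff(cookie)
    return accepted_by_b, a.accept_cookie(cookie), b.accept_cookie(cookie)  # (True, False, True)
```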

References

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates
