Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. FIX: Users are prompted to authenticate when the ReturnAuthRequiredIfAuthUserDenied property is set to True, and users are denied access by an "All Users" rule in a Forefront Threat Management Gateway 2010 environment

FIX: Users are prompted to authenticate when the ReturnAuthRequiredIfAuthUserDenied property is set to True, and users are denied access by an "All Users" rule in a Forefront Threat Management Gateway 2010 environment

Symptoms

When Microsoft Forefront Threat Management Gateway (TMG) 2010 denies a request for an authenticated user, the user receives a "502" error message to inform the user that he or she is denied access. Additionally, the user is not prompted to provide alternative credentials.

The ReturnAuthRequiredIfAuthUserDenied property can be set so that when an authenticated user is denied by the TMG policy, the user receives a "407 Proxy Authentication Required" message. This allows for the user to provide alternative credentials.

For more information about the ReturnAuthRequiredIfAuthUserDenied property, visit the following Microsoft Developer Network (MSDN) website:
ReturnAuthRequiredIfAuthUserDenied Property of the IFPCWebListenerProperties Interface
If an administrator creates a deny rule that applies to all users and sets the ReturnAuthRequiredIfAuthUserDenied property to True, a user who is denied by such a rule receives a "407 Proxy Authentication Required" message. This behavior occurs even though all users would be denied by this rule. This behavior may not be desired and could lead to unnecessary authentication prompts.

↑ Back to the top

Cause

This behavior is by design. But this behavior may not be the desired behavior because an All Users deny rule blocks all users. Additionally, the prompts for alternative credentials does not resolve this issue.

↑ Back to the top

Resolution

To resolve this issue, install the software update that is described in the following Microsoft Knowledge Base article:
2517957 Software Update 1 Rollup 4 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 1
After you apply this software update, run the script that is provided in the "More Information" section on one of the TMG array members to set the SkipReauthWhenNonDefaultRule property to True.

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

More Information

This software update introduces a new property, SkipReauthWhenNonDefaultRule. This property provides new behavior. For example, consider the following scenarios.
Scenario 1

An administrator creates an All Users rule that denies access to an authenticated user, and the ReturnAuthRequiredIfAuthUserDenied property is set to True. In this scenario, if the SkipReauthWhenNonDefaultRule property is set to True, the user receives a "502" error message and is not prompted to provide alternative credentials.
Scenario 2

The default rule is applied, and the rule denies the request. Also, the ReturnAuthRequiredIfAuthUserDenied property is set to True. In this scenario, the user receives the "407 Proxy Authentication Required" message as expected.
After you apply this software update, run the following script on one of the TMG array members to set the SkipReauthWhenNonDefaultRule property to True. The default setting for the SkipReauthWhenNonDefaultRule property is False.

Note This script will only change the behavior when the ReturnAuthRequiredIfAuthUserDenied property is also set to True.

Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "SkipReauthWhenNonDefaultRule"
Const SE_VPS_VALUE = true

Sub SetValue()

' Create the root obect.
Dim root ' The FPCLib.FPC root object
Set root = CreateObject("FPC.Root")

'Declare the other objects needed.
Dim array ' An FPCArray object
Dim VendorSets ' An FPCVendorParametersSets collection
Dim VendorSet ' An FPCVendorParametersSet object

' Get references to the array object
' and the network rules collection.
Set array = root.GetContainingArray
Set VendorSets = array.VendorParametersSets

On Error Resume Next
Set VendorSet = VendorSets.Item( SE_VPS_GUID )

If Err.Number <> 0 Then
Err.Clear

' Add the item
Set VendorSet = VendorSets.Add( SE_VPS_GUID )
CheckError
WScript.Echo "New VendorSet added... " & VendorSet.Name

Else
WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
End If

if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then

Err.Clear
VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

If Err.Number <> 0 Then
CheckError
Else
VendorSets.Save false, true
CheckError

If Err.Number = 0 Then
WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
End If
End If
Else
WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
End If

End Sub

Sub CheckError()

If Err.Number <> 0 Then
WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
Err.Clear
End If

End Sub

SetValue
Note To revert to the default behavior, follow these steps:
  1. Locate the following line in the script: 
    Const SE_VPS_VALUE = true
  2. Change the line in the script to the following:
    Const SE_VPS_VALUE = false
  3. Save the script, and rerun this script on one of the TMG Array members.

↑ Back to the top

References

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

↑ Back to the top

Keywords: kbexpertiseinter, kbbug, kbsurveynew, kbqfe, kbfix, kb

↑ Back to the top

Article Info
Article ID : 2518670
Revision : 1
Created on : 1/7/2017
Published on : 6/15/2011
Exists online : False
Views : 110