Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

�HTTP 401 Unauthorized� error message when you send an HTTP TRACE command to a Web server that is published by either ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition


View products that this article applies to.

Symptoms

When you send an HTTP TRACE command to a Web server that is published by Microsoft Internet Security and Acceleration (ISA) Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition, you receive the following error message:
HTTP 401 Unauthorized

↑ Back to the top


Cause

This behavior occurs because ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition has disabled the HTTP TRACE functionality to prevent a remote attacker from accessing sensitive information, such as authentication information, that is available in the HTTP headers. This behavior was introduced in ISA Server 2004 Service Pack 2 (SP2).

Note This behavior applies to the versions of ISA Server and Microsoft Forefront Threat Management Gateway, Medium Business Edition that are listed in the �Applies to� section

↑ Back to the top


Workaround

To work around this behavior, you can enable the HTTP TRACE functionality for all Web publishing rules. To do this, follow these steps.

Note Use the one of the workaround methods according to the version of ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition that you are running.

Warning If you enable HTTP TRACE functionality, you increase the security risk to the computer.

For Microsoft Forefront Threat Management Gateway, Medium Business Edition, ISA Server 2006, and ISA Server 2006 SP1, Standard and Enterprise editions

The FPCWebPublishingProperties.DenyTraceRequests COM property is included in ISA Server 2006. This property gets or sets a boolean value that indicates whether the Web proxy will deny TRACE requests to the published server.

For more information about the FPCWebPublishingProperties COM property, visit the following Microsoft Web site:

By default, the Boolean value is set to True. You must set the value to "False" to allow TRACE requests to access the published server.

For ISA Server 2004 SP2 and ISA Server 2004 SP3, Standard and Enterprise editions

You can enable the HTTP TRACE functionality for all Web publishing rules. To do this, follow these steps:
  1. Paste the following into a text editor, such as Notepad:
    -----------------
    
    ' This script adds a new VendorParametersSets under the array root.
    ' add a new VendorParametersSet and add a value called "AllowTRACEForPublishing" set to 1.
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    
    Sub AddAllowTRACEForPublishing()
    
        ' Create the root obect.
        Dim root  ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")
    
        'Declare the other objects needed.
        Dim array       ' An FPCArray object
        Dim VendorSets  ' An FPCVendorParametersSets collection
        Dim VendorSet   ' An FPCVendorParametersSet object
    
        ' Get references to the array object
        ' and the network rules collection.
        Set array = root.GetContainingArray
        Set VendorSets = array.VendorParametersSets
    
        On Error Resume Next
        Set VendorSet = VendorSets.Item( "{143F5698-103B-12D4-FF34-1F34767DEabc}" )
    
        If Err.Number <> 0 Then
            Err.Clear
    
            ' Add the item
            Set VendorSet = VendorSets.Add( "{143F5698-103B-12D4-FF34-1F34767DEabc}" )
            CheckError
            WScript.Echo "New VendorSet added... " & VendorSet.Name
    
        Else
            WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value("AllowTRACEForPublishing")
        End If
    
        if VendorSet.Value("AllowTRACEForPublishing") <> 1 Then
    
            Err.Clear
            VendorSet.Value("AllowTRACEForPublishing") = 1
    
            If Err.Number <> 0 Then
                CheckError
            Else
                VendorSets.Save false, true
                CheckError
    
                If Err.Number = 0 Then
                    WScript.Echo "Done, saved!"
                End If
            End If
        Else
            WScript.Echo "Done, no change!"
        End If
    
    End Sub
    
    Sub CheckError()
    
        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If
    
    End Sub
    
    AddAllowTRACEForPublishing
    
    ==============================
    
  2. Save the file by using the following file name: "AllowISATrace.vbs."
  3. Type the following command at a command prompt to run the script.
    cscript.exe  AllowISATrace.vbs
    Note You must run this script from the same location at which you saved the script in step 2.

↑ Back to the top


Keywords: kbtshoot, kbprb, KB914532

↑ Back to the top

Article Info
Article ID : 914532
Revision : 5
Created on : 12/4/2007
Published on : 12/4/2007
Exists online : False
Views : 423