Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. �HTTP 401 Unauthorized� error message when you send an HTTP TRACE command to a Web server that is published by either ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition

�HTTP 401 Unauthorized� error message when you send an HTTP TRACE command to a Web server that is published by either ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition

View products that this article applies to.

Symptoms

When you send an HTTP TRACE command to a Web server that is published by Microsoft Internet Security and Acceleration (ISA) Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition, you receive the following error message:
HTTP 401 Unauthorized

↑ Back to the top

Cause

This behavior occurs because ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition has disabled the HTTP TRACE functionality to prevent a remote attacker from accessing sensitive information, such as authentication information, that is available in the HTTP headers. This behavior was introduced in ISA Server 2004 Service Pack 2 (SP2).

Note This behavior applies to the versions of ISA Server and Microsoft Forefront Threat Management Gateway, Medium Business Edition that are listed in the �Applies to� section

↑ Back to the top

Workaround

To work around this behavior, you can enable the HTTP TRACE functionality for all Web publishing rules. To do this, follow these steps.

Note Use the one of the workaround methods according to the version of ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition that you are running.

Warning If you enable HTTP TRACE functionality, you increase the security risk to the computer.

For Microsoft Forefront Threat Management Gateway, Medium Business Edition, ISA Server 2006, and ISA Server 2006 SP1, Standard and Enterprise editions

The FPCWebPublishingProperties.DenyTraceRequests COM property is included in ISA Server 2006. This property gets or sets a boolean value that indicates whether the Web proxy will deny TRACE requests to the published server.

For more information about the FPCWebPublishingProperties COM property, visit the following Microsoft Web site:
http://msdn.microsoft.com/en-us/library/ms826278.aspx


By default, the Boolean value is set to True. You must set the value to "False" to allow TRACE requests to access the published server.

For ISA Server 2004 SP2 and ISA Server 2004 SP3, Standard and Enterprise editions

You can enable the HTTP TRACE functionality for all Web publishing rules. To do this, follow these steps:
  1. Paste the following into a text editor, such as Notepad:
    -----------------

' This script adds a new VendorParametersSets under the array root.
' add a new VendorParametersSet and add a value called "AllowTRACEForPublishing" set to 1.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Sub AddAllowTRACEForPublishing()

    ' Create the root obect.
    Dim root  ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    'Declare the other objects needed.
    Dim array       ' An FPCArray object
    Dim VendorSets  ' An FPCVendorParametersSets collection
    Dim VendorSet   ' An FPCVendorParametersSet object

    ' Get references to the array object
    ' and the network rules collection.
    Set array = root.GetContainingArray
    Set VendorSets = array.VendorParametersSets

    On Error Resume Next
    Set VendorSet = VendorSets.Item( "{143F5698-103B-12D4-FF34-1F34767DEabc}" )

    If Err.Number <> 0 Then
        Err.Clear

        ' Add the item
        Set VendorSet = VendorSets.Add( "{143F5698-103B-12D4-FF34-1F34767DEabc}" )
        CheckError
        WScript.Echo "New VendorSet added... " & VendorSet.Name

    Else
        WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value("AllowTRACEForPublishing")
    End If

    if VendorSet.Value("AllowTRACEForPublishing") <> 1 Then

        Err.Clear
        VendorSet.Value("AllowTRACEForPublishing") = 1

        If Err.Number <> 0 Then
            CheckError
        Else
            VendorSets.Save false, true
            CheckError

            If Err.Number = 0 Then
                WScript.Echo "Done, saved!"
            End If
        End If
    Else
        WScript.Echo "Done, no change!"
    End If

End Sub

Sub CheckError()

    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If

End Sub

AddAllowTRACEForPublishing

==============================
  2. Save the file by using the following file name: "AllowISATrace.vbs."
  3. Type the following command at a command prompt to run the script. 
    cscript.exe  AllowISATrace.vbs
    Note You must run this script from the same location at which you saved the script in step 2.

↑ Back to the top

Keywords: kbtshoot, kbprb, KB914532

↑ Back to the top

Article Info
Article ID : 914532
Revision : 5
Created on : 12/4/2007
Published on : 12/4/2007
Exists online : False
Views : 481