
Client requests to access a published Web site are blocked when you configure ISA Server 2006 to use pass-through authentication to access a published Web server



Symptoms

You configure a computer that is running Microsoft Internet Security and Acceleration (ISA) Server 2006 to use pass-through authentication to access a published Web server. After you do this, all client requests to access the published Web site are blocked. Additionally, you may receive an error message that resembles the following:
Error Code: 403 Forbidden. ISA Server is configured to block HTTP requests that require authentication. (12250)
Notes
  • You experience this issue when you use the No delegation, but client may authenticate directly (pass-through) authentication method.
  • This issue may occur even if the ISA Server 2006 computer publishes a site that requires no authentication.



Cause

This issue may occur if the following conditions are true:
  • The Allow client authentication over HTTP check box in the Web listener's Advanced Authentication Options dialog box is not selected.
  • The Web listener is not enabled to listen for Secure Sockets Layer (SSL) requests.



Workaround

To work around this issue, use one of the following methods.

Method 1

Use HTTPS to access the published Web site after you configure the Web listener to listen for SSL requests. To do this, follow these steps:
  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
  2. Expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.
  3. On the Toolbox tab, click Network Objects.
  4. Expand Web Listeners, and then click the Web listener that you want to configure.
  5. In the toolbox task pane, click Edit.
  6. On the Preferences tab, click to select the Enable SSL check box.
  7. In the SSL port box, type the port number on which ISA Server listens for SSL requests.
  8. Click Select to select a certificate to use for SSL requests.
  9. Click Apply, and then click OK.

Note To access Firewall Policy in ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.

Method 2

Warning This workaround may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

Click to select the Allow client authentication over HTTP check box. To do this, follow these steps:
  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
  2. Right-click the Web site publishing rule that you want to change, and then click Properties.
  3. Click the Listener tab, click Properties, click the Authentication tab, and then click Advanced.
  4. Under Client Configuration Settings, click to select the Allow client authentication over HTTP check box.
  5. Click OK to close Advanced Authentication Options.
  6. Click OK two times.
Note Method 2 is less secure because client credentials are sent in plain text format (not encrypted) to the ISA Server computer.
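
To confirm which publishing rules are returning error 12250 before and after you apply either method, you can tally the denials in the ISA Server Web proxy log. The following Python script is an added example, not part of the original Microsoft article. It assumes the log is in W3C extended format with a tab-separated "#Fields:" header, and that the result code is recorded in the sc-status field. The sample log lines, addresses, host names and rule names are constructed.

```python
from collections import Counter
from urllib.parse import urlsplit

# Result code taken from the error message quoted in this article.
BLOCKED_AUTH = "12250"

# Constructed sample, not real log data. Assumed layout: W3C extended format,
# tab-separated values, result code in the sc-status column.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Security and Acceleration Server",
    "#Fields: date\ttime\tc-ip\tcs-uri\tsc-status\trule",
    "2006-09-26\t10:01:02\t192.0.2.10\thttp://www.example.test/\t12250\tPublish Example",
    "2006-09-26\t10:01:09\t192.0.2.11\thttp://www.example.test/a\t12250\tPublish Example",
    "2006-09-26\t10:02:30\t192.0.2.10\thttp://www.example.test/b\t12250\tPublish Example",
    "2006-09-26\t10:05:00\t192.0.2.10\thttps://www.example.test/\t200\tPublish Example",
    "2006-09-26\t10:05:41\t192.0.2.12\thttp://intranet.example.test/\t200\tPublish Intranet",
    "2006-09-26\t10:06:00\t192.0.2.12",  # truncated row, skipped by the parser
])


def parse_w3c(text):
    """Yield one dict per data row, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            # Field names contain no spaces, so any whitespace separates them.
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            # Values such as rule names may contain spaces: split on tabs only.
            values = line.split("\t")
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def blocked_auth_requests(text):
    """Count 12250 denials per (publishing rule, URL scheme)."""
    counts = Counter()
    for row in parse_w3c(text):
        if row.get("sc-status") == BLOCKED_AUTH:
            scheme = urlsplit(row["cs-uri"]).scheme
            counts[(row["rule"], scheme)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (rule, scheme), n in sorted(blocked_auth_requests(SAMPLE_LOG).items()):
        print(f"{rule}: {n} request(s) blocked with {BLOCKED_AUTH} over {scheme}")
```

After Method 1 is in place, requests to the rule should appear with the https scheme and no 12250 entries.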



Keywords: KB924374, kbtshoot, kberrmsg, kbprb


Article Info
Article ID : 924374
Revision : 3
Created on : 9/26/2006
Published on : 9/26/2006