Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. ISA Server 2006 or Windows Essential Business Server 2008 cannot delegate authentication to a back-end server from a published Web server

ISA Server 2006 or Windows Essential Business Server 2008 cannot delegate authentication to a back-end server from a published Web server

View products that this article applies to.

Symptoms

Consider the following scenario:
  • You have a Web server that requires Integrated Windows authentication.
  • A back-end server authenticates the Web server by using Integrated Windows authentication. The back-end server can be a computer that is running Microsoft SQL Server, a file server, or another Web server.
  • You publish the Web server in Microsoft Internet Security and Acceleration (ISA) Server 2006 or in Windows Essential Business Server 2008.
  • In the Web listener, you set the authentication method to HTTP Authentication, and then you click to select the Basic check box. Or, you set the authentication method to HTML Form Authentication.
  • In the Web publishing rule, you set the Authentication Delegation settings to use the Negotiate (Kerberos/NTLM) authentication method.
In this scenario, the authentication between the Web server and the back-end server fails. ISA Server 2006 or Windows Essential Business Server 2008 cannot delegate authentication to a back-end server from a published Web server. Depending on the Web server configuration, the client user may see the following different symptoms:
  • If the Web server is configured to return a custom error page, the client user sees this error page.
  • If you apply HTML form authentication as the authentication method, the client user receives the following error message:
    You do not have the permissions required to access this Web site. Please contact the Web site administrator.
    Then, the client user is redirected to the logon form.
  • If you apply Basic authentication as the authentication method, the client user is repeatedly prompted for user credentials. If the client user closes the dialog box that contains the prompt, the user receives the following error message:
    You do not have permission to view this directory or page due to the access control list (ACL) that is configured for this resource on the Web server.
    HTTP Error 401.3 - Unauthorized: Access is denied due to an ACL set on the requested resource.

↑ Back to the top

Cause

When ISA Server or Windows Essential Business Server 2008 performs Negotiate (Kerberos/NTLM) delegation, ISA Server or Windows Essential Business Server 2008 requests a Kerberos ticket that cannot be delegated. Then, ISA Server or Windows Essential Business Server 2008 uses the ticket to authenticate the published Web server. The published Web server cannot use the ticket to authenticate the back-end server because the ticket cannot be delegated.

↑ Back to the top

Resolution

To resolve this problem, follow these steps:
  1. Apply the hotfix package that is described in the following Microsoft Knowledge Base article:
    934587 Description of the ISA Server 2006 hotfix package: March 30, 2007
  2. Start Notepad.
  3. Copy and then paste the following text into Notepad. 
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'
' Copyright (c) Microsoft Corporation. All rights reserved.
' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
' HEREBY PERMITTED.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' This script sets authentication schemes that ISA will return for Integrated authentication.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "NegotiateDelegationContextReqFlags"
Const SE_VPS_VALUE = 1

Sub SetValue()

    ' Create the root object.
    Dim root  ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    'Declare the other objects that are needed.
    Dim array       ' An FPCArray object
    Dim VendorSets  ' An FPCVendorParametersSets collection
    Dim VendorSet   ' An FPCVendorParametersSet object

    ' Get references to the array object
    ' and to the network rules collection.
    Set array = root.GetContainingArray
    Set VendorSets = array.VendorParametersSets

    On Error Resume Next
    Set VendorSet = VendorSets.Item( SE_VPS_GUID )

    If Err.Number <> 0 Then
        Err.Clear

        ' Add the item.
        Set VendorSet = VendorSets.Add( SE_VPS_GUID )
        CheckError
        WScript.Echo "New VendorSet added... " & VendorSet.Name

    Else
        WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value(SE_VPS_NAME)
    End If

    if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then

        Err.Clear
        VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

        If Err.Number <> 0 Then
            CheckError
        Else
            VendorSets.Save false, true
            CheckError

            If Err.Number = 0 Then
                WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
            End If
        End If
    Else
        WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
    End If

End Sub

Sub CheckError()

    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If

End Sub

SetValue
  4. Save the text file as KB934583.vbs, and then copy the file to the computer that is running ISA Server 2006 or Windows Essential Business Server 2008.
  5. Double-click the KB934583.vbs file that you saved in step 4.

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

Keywords: KB934583, kbexpertiseinter, kbprb, kbtshoot

↑ Back to the top

Article Info
Article ID : 934583
Revision : 4
Created on : 10/31/2007
Published on : 10/31/2007
Exists online : False
Views : 424