
The authentication delegation in the existing Web publishing rules does not work after you upgrade ISA Server 2004 Enterprise Edition to ISA Server 2006 Enterprise Edition



Symptoms

You upgrade Microsoft Internet Security and Acceleration (ISA) Server 2004 Standard Edition to ISA Server 2004 Enterprise Edition, and then upgrade to ISA Server 2006 Enterprise Edition. After these two upgrades, authentication delegation no longer works in the existing Web publishing rules. The Authentication Delegation property of each affected Web publishing rule displays one of the following messages:
No delegation, and client cannot authenticate directly.
No delegation, but client may authenticate directly.
Additionally, if you create a new Web listener, the Client Authentication Method list in the Web listener displays two extra entries:
  • FBA with AD
  • SecurID
Authentication delegation still does not work even after you create the new Web listener.

Note The same problem occurs if you manually import a backup copy of ISA Server 2004 Enterprise Edition after you upgrade ISA Server 2004 to ISA Server 2006.



Cause

This problem occurs because the import function of ISA Server 2006 incorrectly sets the Predefined property of the "FBA with AD" authentication scheme and of the SecurID authentication scheme to 0 (false). Both are built-in, predefined schemes and must have this property set to 1 (true).



Workaround

To work around this problem, use either of the following methods.

Method 1

Edit the .xml file that you exported from ISA Server 2004 Enterprise Edition. To do this, follow these steps.

Note Perform this workaround before you import a backup copy of ISA Server 2004 Enterprise Edition. Edit a copy of the exported file so that the original remains intact, and change only the two schemes named below; leave the Predefined value of any custom authentication schemes unchanged.
  1. Open the .xml file in Notepad.
  2. Search for "SecurID." This text is located in a "<fpc4:AuthenticationScheme>" section that resembles the following.
    	<fpc4:Name dt:dt="string">SecurID</fpc4:Name>
    	<fpc4:Predefined dt:dt="boolean">0</fpc4:Predefined>
  3. Change the value of the "<fpc4:Predefined>" node from 0 to 1.
  4. Search for "OWA Forms-Based." This text is located in a "<fpc4:AuthenticationScheme>" section that resembles the following.
    	<fpc4:Name dt:dt="string">OWA Forms-Based</fpc4:Name>
    	<fpc4:Predefined dt:dt="boolean">0</fpc4:Predefined>
  5. Change the value of the "<fpc4:Predefined>" node from 0 to 1.
  6. Save the .xml file, and then exit Notepad.
  7. Import the .xml file into ISA Server 2006.
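The following Python script is an added example, not part of the KB article, that performs the Method 1 edit in a repeatable way: it walks every AuthenticationScheme element in the export, sets Predefined to 1 only for the SecurID and OWA Forms-Based schemes, and leaves custom schemes untouched. The sample export embedded in the script is constructed for the example, and the fpc4 and dt namespace URIs in it are assumed; the script re-registers whatever prefixes the real file declares, so the output keeps the fpc4:/dt: prefixes that ISA Server expects.

```python
"""Automate Method 1: set Predefined=1 on the SecurID and OWA Forms-Based
authentication schemes in an ISA Server 2004 EE export before importing it
into ISA Server 2006. Standard library only (example code, not Microsoft's)."""
import sys
import xml.etree.ElementTree as ET
from io import StringIO

# Scheme names the KB article says must be predefined. Custom schemes are
# deliberately left alone; only the built-in ones are affected by the bug.
TARGET_SCHEMES = frozenset({"SecurID", "OWA Forms-Based"})

# Constructed sample export. The namespace URIs are ASSUMED for the sake of a
# runnable example; a real export declares its own and they are reused as-is.
SAMPLE_EXPORT = """<fpc4:Root xmlns:fpc4="http://microsoft.com/isa/config-4"
           xmlns:dt="urn:schemas-microsoft-com:datatypes">
  <fpc4:AuthenticationSchemes>
    <fpc4:AuthenticationScheme>
      <fpc4:Name dt:dt="string">SecurID</fpc4:Name>
      <fpc4:Predefined dt:dt="boolean">0</fpc4:Predefined>
    </fpc4:AuthenticationScheme>
    <fpc4:AuthenticationScheme>
      <fpc4:Name dt:dt="string">OWA Forms-Based</fpc4:Name>
      <fpc4:Predefined dt:dt="boolean">0</fpc4:Predefined>
    </fpc4:AuthenticationScheme>
    <fpc4:AuthenticationScheme>
      <fpc4:Name dt:dt="string">My Custom RADIUS</fpc4:Name>
      <fpc4:Predefined dt:dt="boolean">0</fpc4:Predefined>
    </fpc4:AuthenticationScheme>
  </fpc4:AuthenticationSchemes>
</fpc4:Root>
"""


def _local(tag):
    """Return an element tag without its {namespace} part."""
    return tag.rsplit("}", 1)[-1]


def patch_predefined(xml_text, targets=TARGET_SCHEMES):
    """Return (patched_xml, names_changed).

    Every <AuthenticationScheme> whose <Name> is in `targets` gets its
    <Predefined> text set to "1". Prefixes declared in the input are
    registered first so serialization keeps them instead of emitting ns0:.
    """
    for _event, (prefix, uri) in ET.iterparse(StringIO(xml_text), events=("start-ns",)):
        ET.register_namespace(prefix, uri)
    root = ET.fromstring(xml_text)
    changed = []
    for scheme in root.iter():
        if _local(scheme.tag) != "AuthenticationScheme":
            continue
        fields = {_local(child.tag): child for child in scheme}
        name, predefined = fields.get("Name"), fields.get("Predefined")
        if name is None or predefined is None or name.text not in targets:
            continue  # malformed entry or a custom scheme: do not touch it
        if predefined.text != "1":
            predefined.text = "1"
            changed.append(name.text)
    return ET.tostring(root, encoding="unicode"), changed


def patch_file(src_path, dst_path):
    """Patch an export on disk, writing to a new file so the original survives.
    Assumes a UTF-8 text export; adjust the encoding if your file differs."""
    with open(src_path, encoding="utf-8") as fh:
        patched, changed = patch_predefined(fh.read())
    with open(dst_path, "w", encoding="utf-8") as fh:
        fh.write(patched)
    return changed


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print("patched schemes:", patch_file(sys.argv[1], sys.argv[2]))
    else:
        out, names = patch_predefined(SAMPLE_EXPORT)
        print("patched schemes:", names)
        print(out)
```

Run it as `python patch_export.py isa2004-export.xml isa2004-export-fixed.xml` and import the fixed file into ISA Server 2006; running it with no arguments patches the embedded sample and prints the result. The returned list of changed names is worth checking before import: it should contain exactly the two built-in schemes, and a second run on the patched file should report nothing changed.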

Method 2

Edit the Active Directory Application Mode (ADAM) instance that is used by ISA Server 2006 Enterprise Edition. To do this, follow these steps.

Note You may perform this workaround regardless of whether you have imported a backup copy of ISA Server 2004 Enterprise Edition.
  1. Click Start, point to All Programs, point to ADAM, and then click ADAM ADSI Edit.
  2. In the console tree, right-click ADAM ADSI Edit, and then click Connect to.
  3. In the Connection Settings dialog box, type any name in the Connection Name box. For example, type ISA Configurations.
  4. In the Server name box, type the name or the IP address of the configuration storage server that ISA Server 2006 uses.
  5. Type 2171 in the Port box.
  6. Click to select the Distinguished name (DN) or naming context option, and then type CN=FPC2 in the Distinguished name (DN) or naming context box.
  7. Click OK.
  8. In the console tree, click the connection that you named in step 3, and then locate the following object:
    CN={AuthSchemeGUID},CN=AuthenticationSchemes,CN=RuleElements,CN={ArrayGUID},CN=Arrays,CN=Array-Root,CN=FPC2
    Note The {ArrayGUID} placeholder represents the GUID that corresponds to the server array. The {AuthSchemeGUID} placeholder represents the GUID that corresponds to the "FBA with AD" authentication scheme or to the SecurID authentication scheme. The object that you locate should have an msFPCName attribute of "FBA with AD" or of SecurID. There is one object for each scheme; perform steps 9 through 12 on both objects.
  9. Right-click the object that you located in step 8, and then click Properties.
  10. In the Attributes list, select the msFPCPredefined attribute, and then click Edit.
  11. Click to select True for the Value option, and then click OK.
  12. Click OK to exit the Properties dialog box.
  13. In the console tree, right-click the connection that you named in step 3, and then click Update Schema Now.



Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.



More information

The "FBA with AD" authentication scheme is a predefined authentication scheme that enables forms-based (cookie) authentication by using the Active Directory directory service. The SecurID authentication scheme is a predefined authentication scheme that enables forms-based authentication by using RSA SecurID authentication.

For more information, visit the following Microsoft Web site:



Keywords: KB935767, kbprb, kbexpertiseinter, kbtshoot


Article Info
Article ID : 935767
Revision : 4
Created on : 7/31/2007
Published on : 7/31/2007
Exists online : False
Views : 310