Article ID: 937293 - Last Review: December 4, 2007 - Revision: 1.4

ISA Server 2006, ISA Server 2004, Microsoft Forefront Threat Management Gateway, Medium Business Edition, and Windows Essential Business Server 2008 do not reject weakly encrypted authentication requests for access to an SSL Web site


SYMPTOMS

In Microsoft Internet Security and Acceleration (ISA) Server 2006, in ISA Server 2004, in Microsoft Forefront Threat Management Gateway, Medium Business Edition, or in Windows Essential Business Server 2008, you configure a Web publishing rule that has the following characteristics:
  • The Web listener accepts HTTPS traffic.
  • The Web publishing rule or the Web listener requires that all users be authenticated.
  • The authentication method does not itself encrypt the credentials; it relies on the SSL tunnel to protect them. The following authentication methods all send credentials this way:
    • Basic
    • HTML Forms
    • RADIUS
    • Lightweight Directory Access Protocol (LDAP)
  • The Require 128-bit encryption for HTTPS traffic check box is selected on the Traffic tab of the Web publishing rule.
In this case, if a client negotiates encryption that is weaker than 128-bit encryption when it connects to the Secure Sockets Layer (SSL) Web site, ISA Server accepts the connection attempt and then prompts for the credentials to access the Web site. You expect ISA Server to reject the connection attempt before it prompts for credentials, because the connection does not use 128-bit encryption.

CAUSE

This issue occurs because of the order in which ISA Server 2006, ISA Server 2004, Microsoft Forefront Threat Management Gateway, Medium Business Edition, and Windows Essential Business Server 2008 process SSL requests. ISA Server performs the user authentication operation first, and only then verifies the strength of the encrypted connection. The credentials are therefore already submitted over the weak connection by the time the encryption-strength check rejects it.

Therefore, if you try to connect to the SSL Web site by using encryption that is weaker than 128-bit encryption, the following behavior occurs when ISA Server processes the SSL request:
  1. ISA Server prompts you for credentials, and the credentials are submitted over the weakly encrypted connection.
  2. After you are authenticated successfully, ISA Server verifies the encryption strength of the client connection.
  3. Because the client connection uses encryption that is weaker than ISA Server requires, ISA Server rejects the connection, and you receive the following error message:
    Error Code: 403 Forbidden.
    The page requires 128-bit encryption, an enhanced security mechanism. To view the page contents, use a browser that supports this enhanced encryption. (12212)

WORKAROUND

To work around this issue, disable all ciphers that have encryption that is weaker than 128-bit encryption in Schannel on the ISA Server computer. With the weak ciphers disabled, the SSL handshake itself fails for a client that offers only weak ciphers, so no connection is established and ISA Server never prompts for credentials. The Require 128-bit encryption for HTTPS traffic check box on its own does not give this protection, because the check runs after authentication. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
245030  (http://support.microsoft.com/kb/245030/ ) How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll
Note After you restrict all encryption mechanisms that are weaker than 128-bit encryption, you will no longer receive the "Error Code: 403 Forbidden" error message. Instead, if you try to connect to the Web site by using encryption that is weaker than 128-bit encryption, the SSL handshake fails and you receive the following error message in the browser:
Cannot find server or DNS Error
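The following script applies the Schannel cipher restriction that KB 245030 describes and then reads back the resulting state. It is an added example, not part of this article or of ISA Server itself. It assumes that it is run elevated on the ISA Server or TMG computer with Windows PowerShell 2.0 or later available (PowerShell is not installed by default on Windows Server 2003), and that the cipher sub-key names are the ones KB 245030 lists; the function names Disable-SchannelCipher and Get-SchannelCipherState are this example's own.

```powershell
# Added example: disable Schannel ciphers weaker than 128-bit and read back the state.
# Assumes an elevated PowerShell 2.0+ session on the ISA Server / TMG computer.
# Schannel reads these keys at startup, so the server must be restarted afterwards.

$CiphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

# Cipher sub-key names from KB 245030 that are weaker than 128-bit.
# A DWORD value "Enabled" = 0 under the sub-key turns the cipher off.
$WeakCiphers = @(
    'NULL',          # no encryption at all
    'DES 56/56',
    'RC2 40/128',
    'RC2 56/128',
    'RC4 40/128',
    'RC4 56/128',
    'RC4 64/128'
)

function Disable-SchannelCipher {
    param([Parameter(Mandatory = $true)][string] $Name)

    # The cipher names contain a forward slash ("RC4 40/128"). The PowerShell
    # registry provider treats "/" as a path separator and would create a nested
    # key "RC4 40\128", so the .NET RegistryKey API is used instead.
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($CiphersPath, $true)
    if ($null -eq $root) {
        $root = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($CiphersPath)
    }
    $key = $root.CreateSubKey($Name)
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
    $root.Close()
}

function Get-SchannelCipherState {
    # Lists every cipher sub-key present and whether it is explicitly disabled.
    # A cipher with no sub-key, or a sub-key without "Enabled", uses Schannel's
    # built-in default, which is enabled.
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($CiphersPath, $false)
    if ($null -eq $root) { return @() }
    foreach ($name in $root.GetSubKeyNames()) {
        $key = $root.OpenSubKey($name)
        $enabled = $key.GetValue('Enabled')
        $state = if ($null -eq $enabled) { 'default (enabled)' }
                 elseif ($enabled -eq 0) { 'disabled' }
                 else { 'enabled' }
        $key.Close()
        New-Object PSObject -Property @{ Cipher = $name; State = $state }
    }
    $root.Close()
}

foreach ($cipher in $WeakCiphers) {
    Disable-SchannelCipher -Name $cipher
    Write-Host "Disabled Schannel cipher: $cipher"
}

Get-SchannelCipherState | Sort-Object Cipher | Format-Table Cipher, State -AutoSize
Write-Host 'Restart the server so that Schannel picks up the new cipher settings.'
```

The setting is computer-wide: it restricts every Schannel consumer on the host, not only the ISA Server Web listener, so verify that other SSL services on the computer tolerate it. To roll a cipher back to the default, delete its sub-key under the Ciphers key (or set Enabled to 0xffffffff, as KB 245030 describes) and restart again.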

APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
  • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
  • Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition
  • Microsoft Internet Security and Acceleration Server 2004 Standard Edition
  • Windows Essential Business Server 2008 Standard
  • Microsoft Forefront Threat Management Gateway, Medium Business Edition
Keywords: 
kberrmsg kbfirewall kbtshoot kbprb KB937293