Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. POST requests that do not have a POST body may be sent to a Web server that is published in ISA Server 2006

POST requests that do not have a POST body may be sent to a Web server that is published in ISA Server 2006

View products that this article applies to.

Symptoms

Consider the following scenario:
  • You publish a Web server in Microsoft Internet Security and Acceleration (ISA) Server 2006.
  • The ISA Server Web listener is configured to use Windows Integrated NTLM authentication.
  • A user uses Windows Internet Explorer to access the Web server.
In this scenario, POST requests that do not have a POST body may be sent to the published Web server. This problem may cause unexpected Web-access behavior.

↑ Back to the top

Cause

When Internet Explorer sends a POST request to a Web site that uses NTLM authentication, Internet Explorer reauthenticates with the Web server for each POST request. The POST body is not sent to the Web server in the first authentication handshake.

If Internet Explorer sends a POST request that requires reauthentication on a TCP connection that has already been authenticated, ISA Server continues to use the current authentication context instead of reauthenticating the client. In this situation, the POST request that does not have a POST body is sent to the published Web server.

↑ Back to the top

Resolution

To resolve this problem, follow these steps:
  1. Apply the hotfix package that is described in the following Microsoft Knowledge Base article:
    942639 Description of the ISA Server 2006 hotfix package: September 24, 2007
  2. Start Notepad.
  3. Copy the following code, and then paste it into Notepad.

    Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure. However, they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements. 
    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "EnablePOSTReauthentication"
Const SE_VPS_VALUE = true

Sub SetValue()

    ' Create the root object.
    Dim root  ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    'Declare the other objects needed.
    Dim array       ' An FPCArray object
    Dim VendorSets  ' An FPCVendorParametersSets collection
    Dim VendorSet   ' An FPCVendorParametersSet object

    ' Get references to the array object
    ' and to the network rules collection.
    Set array = root.GetContainingArray
    Set VendorSets = array.VendorParametersSets

    On Error Resume Next
    Set VendorSet = VendorSets.Item( SE_VPS_GUID )

    If Err.Number <> 0 Then
        Err.Clear

        ' Add the item.
        Set VendorSet = VendorSets.Add( SE_VPS_GUID )
        CheckError
        WScript.Echo "New VendorSet added... " & VendorSet.Name

    Else
        WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value(SE_VPS_NAME)
    End If

    if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then

        Err.Clear
        VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

        If Err.Number <> 0 Then
            CheckError
        Else
            VendorSets.Save false, true
            CheckError

            If Err.Number = 0 Then
                WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
            End If
        End If
    Else
        WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
    End If

End Sub

Sub CheckError()

    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If

End Sub

SetValue
  4. Save the file as a Microsoft Visual Basic script file by using the .vbs file name extension. For example, use the following name to save the file:
    EnablePOSTReauthentication.vbs
  5. Start a command prompt, change to the location at which you saved the EnablePOSTReauthentication.vbs file, and then run the following command:
    cscript EnablePOSTReauthentication.vbs
Note To revert to the default setting, edit the script by changing "Const SE_VPS_VALUE = true" to "Const SE_VPS_VALUE = false." Save the script, and then run it again.

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

Keywords: KB942638, kbexpertiseinter, kbqfe

↑ Back to the top

Article Info
Article ID : 942638
Revision : 2
Created on : 10/19/2007
Published on : 10/19/2007
Exists online : False
Views : 419