Error message when an application connects to a Web listener that is published by using ISA Server 2004 or by using ISA Server 2006: "Error Code: 403 Forbidden The page requires 128-bit encryption, an enhanced security mechanism"

Consider the following scenario:

• In Microsoft Internet Security and Acceleration (ISA) Server 2004 or in ISA Server 2006, you configure a Web listener to accept Secure Sockets Layer (SSL) connections.
• You configure the Web Publishing rule as "Require 128-bit encryption for HTTPS traffic."
• The client application connects to the Web listener by using 40-bit encryption.

In this scenario, the client is authenticated, and then you receive the following error message from the ISA server:

This issue occurs because the ISA Server rules engine evaluates authentication requirements before it evaluates encryption level requirements.

To work around this issue, disable any algorithm that has a cipher strength that is lower than 128 bits at the operating system level on the ISA server. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
Note After you change the encryption settings by using the method that is mentioned in Microsoft Knowledge Base article 245030, a client that does not use 128-bit encryption will not receive the error message that is mentioned in the "Symptoms" section. Instead, the client will encounter a generic failure of the SSL connection.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.