A request fails from a VPN client if the user who is dialed in belongs to a remote domain that has a one-way trust in ISA Server 2006


Symptoms

Consider the following scenario:
  • You are running Microsoft Internet Security and Acceleration (ISA) Server 2006, and you enable VPN client access.
  • The ISA Server 2006-based computer is a member server of an Active Directory forest that has a one-way trust to another forest in which the VPN user accounts exist.
  • You have configured all rules that allow for traffic from the VPN clients to other networks, and these rules are configured without any authentication.
In this scenario, you may notice that ISA Server blocks traffic to internal network resources and that ISA Server denies access to other networks. If the VPN clients try to access an internal WSUS server, ISA Server may return an "HTTP 500" error.


Cause

This problem occurs because the ISA Server uses different methods for authentication and for the authorization verification. In this particular case, ISA Server still tries to create a security context by using the Authz.dll component. These calls fail with an "Access Denied" error code if you do not configure a two-level trust between the forests.


Resolution

To resolve this problem, apply the hotfix rollup package that is described in the following Microsoft Knowledge Base article:
955151 Description of the ISA Server 2006 hotfix package: July 6, 2008

Post-hotfix installation information

After you apply this hotfix, you must run the following Microsoft Visual Basic script to enable the hotfix.

Note: You must run the script on the server where you have installed the hotfix. For ISA Server 2006 Enterprise Edition, you must do this on the Array Server and not on the Configuration Storage Server (CSS) if the CSS is installed on a separate server.
  1. Click Start, point to Programs, point to Accessories, and then click Notepad.
  2. Copy the following code, and then paste the code into the Notepad file.
    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
    Const SE_VPS_NAME = "AnonymousIfUserContextFailed"
    Const SE_VPS_VALUE = true
    
    Sub SetValue()
    
        ' Create the root object.
        Dim root  ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")
    
        'Declare the other objects needed.
        Dim array       ' An FPCArray object
        Dim VendorSets  ' An FPCVendorParametersSets collection
        Dim VendorSet   ' An FPCVendorParametersSet object
    
        ' Get references to the array object
        ' and the vendor parameters sets collection.
        Set array = root.GetContainingArray
        Set VendorSets = array.VendorParametersSets
    
        On Error Resume Next
        Set VendorSet = VendorSets.Item( SE_VPS_GUID )
    
        If Err.Number <> 0 Then
            Err.Clear
    
            ' Add the item.
            Set VendorSet = VendorSets.Add( SE_VPS_GUID )
            CheckError
            WScript.Echo "New VendorSet added... " & VendorSet.Name
    
        Else
            WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value(SE_VPS_NAME)
        End If
    
        if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
    
            Err.Clear
            VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
    
            If Err.Number <> 0 Then
                CheckError
            Else
                VendorSets.Save false, true
    
                ' CheckError clears Err, so test the result of Save before calling it.
                If Err.Number <> 0 Then
                    CheckError
                Else
                    WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
                End If
            End If
        Else
            WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
        End If
    
    End Sub
    
    Sub CheckError()
    
        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If
    
    End Sub
    
    SetValue
    
  3. Save this file as AnonymousIfUserContextFailed.vbs.
  4. To run the script, double-click the .vbs file that you saved in step 3.
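
A read-only check that can be run after step 4 to confirm that the setting was saved. This is an added example, not part of the original Microsoft article. It uses only the FPC objects, GUID and parameter name that appear in the script above; the exit codes and the run command in the comments are this example's own choices.

```vbscript
' Added example: reports whether AnonymousIfUserContextFailed is enabled.
' Makes no changes. Suggested run: cscript //nologo <file>.vbs
' Exit codes (this example's convention): 0 = enabled, 1 = not enabled, 2 = read error.
Option Explicit

Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"  ' from the KB script
Const SE_VPS_NAME = "AnonymousIfUserContextFailed"            ' from the KB script

WScript.Quit CheckValue()

Function CheckValue()
    Dim root, isaArray, paramSets, paramSet, current, enabled

    CheckValue = 2
    On Error Resume Next

    ' Same object path as the KB script: root -> containing array -> vendor sets.
    Set root = CreateObject("FPC.Root")
    Set isaArray = root.GetContainingArray
    Set paramSets = isaArray.VendorParametersSets
    If Err.Number <> 0 Then
        WScript.Echo "Cannot read ISA configuration: 0x" & Hex(Err.Number) & " " & Err.Description
        Exit Function
    End If

    ' The KB script creates this set if it is missing, so absence means "not enabled".
    Set paramSet = paramSets.Item(SE_VPS_GUID)
    If Err.Number <> 0 Then
        Err.Clear
        WScript.Echo "Vendor parameters set " & SE_VPS_GUID & " not found: not enabled."
        CheckValue = 1
        Exit Function
    End If

    ' Convert defensively: a missing or non-Boolean value counts as not enabled.
    enabled = False
    current = paramSet.Value(SE_VPS_NAME)
    enabled = CBool(current)
    Err.Clear

    If enabled Then
        WScript.Echo SE_VPS_NAME & " is enabled."
        CheckValue = 0
    Else
        WScript.Echo SE_VPS_NAME & " is not enabled."
        CheckValue = 1
    End If
End Function
```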


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


Keywords: KB955113, kbqfe, kbexpertiseadvanced

Article Info
Article ID : 955113
Revision : 2
Created on : 9/11/2008
Published on : 9/11/2008