
ISA Server 2006 sends back an HTTP 502 error if invalid credentials are provided to an FBA Web listener



Symptoms

Consider the following scenario:
  • You have a Web server that is published by using Microsoft Internet Security and Acceleration (ISA) Server 2006 with Service Pack 1 (SP1).
  • A Web listener is configured to authenticate by using Forms Based Authentication (FBA).
  • A non-browser client tries to access the Web server. However, it provides an incorrect credential.
In this scenario, the client receives an HTTP 502 error. The client also does not access the Web server. The expected behavior is that the client should receive an HTTP 401 error and be prompted to provide a valid credential.

For example, the following two kinds of clients may encounter this problem under certain conditions:
  • ActiveSync client
    After you change the user password on a computer, an ActiveSync client tries to use the original password to authenticate. The client will receive an HTTP 502 error from ISA Server, and the client is never prompted to provide new credentials.
  • Outlook Anywhere client that uses the Autodiscovery feature
    By default, Outlook Autodiscovery tries to authenticate by using the Simple Mail Transfer Protocol (SMTP) address of the user first. If this SMTP address does not match the user's user principal name (UPN), ISA Server does not authenticate the client and sends back an HTTP 502 error instead of an HTTP 401 error.



Cause

In the scenario that is described in the "Symptoms" section, ISA Server 2006 falls back to basic authentication for the non-browser client, such as ActiveSync or Outlook Anywhere Autodiscovery. This problem occurs because ISA Server 2006 SP1 incorrectly handles the authentication message when FBA switches to basic authentication and the client provides the wrong credential.
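
A check for the behavior described above, as an added example that is not part of the original Microsoft article: it classifies the reply to a request that carried wrong basic credentials as the expected HTTP 401 challenge or the HTTP 502 symptom. The function names, the probe account name, the User-Agent string and the sample responses are assumptions constructed for illustration.

```python
import base64
import http.client

def parse_response(raw):
    """Split a captured raw HTTP response into (status, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = [tuple(part.strip() for part in line.split(":", 1))
               for line in lines if ":" in line]
    return status, headers

def classify(status, headers):
    """Classify the reply to a request that carried wrong Basic credentials."""
    schemes = {value.split(None, 1)[0].lower() for name, value in headers
               if name.lower() == "www-authenticate" and value.strip()}
    if status == 401 and "basic" in schemes:
        return "expected"           # client is challenged and can prompt again
    if status == 401:
        return "401-without-basic"  # challenged, but no Basic scheme offered
    if status == 502:
        return "symptom"            # the behavior this article describes
    return "other"

def probe(host, path="/", user="kb958952-check", password="invalid"):
    """Send one request with deliberately wrong Basic credentials (assumed names)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    conn = http.client.HTTPSConnection(host, timeout=10)
    try:
        conn.request("GET", path, headers={
            "Authorization": "Basic " + token,
            "User-Agent": "kb958952-check/1.0",  # hypothetical non-browser agent
        })
        resp = conn.getresponse()
        return classify(resp.status, resp.getheaders())
    finally:
        conn.close()

# Constructed sample responses (not captured from a real ISA Server).
SAMPLE_AFFECTED = b"HTTP/1.1 502 Proxy Error\r\nContent-Length: 0\r\n\r\n"
SAMPLE_FIXED = (b"HTTP/1.1 401 Unauthorized\r\n"
                b'WWW-Authenticate: Basic realm="example"\r\n'
                b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for name, raw in (("affected", SAMPLE_AFFECTED), ("fixed", SAMPLE_FIXED)):
        print(name, classify(*parse_response(raw)))
```

Calling probe() against your own published listener before and after applying the hotfix shows whether the reply changes from "symptom" to "expected".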



Resolution

To resolve this problem, apply the hotfix that is mentioned in the following Microsoft Knowledge Base article:
959357 Description of the ISA Server 2006 hotfix package: October 29, 2008



Workaround

To work around this problem, set up a dedicated Web listener for the ActiveSync client or for the Outlook Anywhere client, and then configure the Web listener by using basic authentication instead of FBA.



Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.



References

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
956192 An Outlook Anywhere client continually uses the wrong credentials every time that it tries to authenticate itself on an Exchange server after you install ISA Server 2006 Service Pack 1
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates



Keywords: KB958952, kbsurveynew, kbfix, kbqfe, kbexpertiseinter


Article Info
Article ID : 958952
Revision : 1
Created on : 2/26/2009
Published on : 2/26/2009
Exists online : False