
"ISA Server failed to load the firewall policy configuration" error in ISA Server 2006



Symptoms

Consider the following scenario:
  • You configure a firewall policy rule in Internet Security and Acceleration (ISA) Server 2006. An Active Directory user authentication is required in this firewall policy rule.
  • You add many entries to the User Sets list on the User tab in this rule. Each entry contains many individual Active Directory users and several Active Directory groups.
  • You try to change the configuration of the rule. For example, you try to add a user to the User Set list on the User tab.
In this scenario, you cannot apply the changes. Additionally, you receive the following error message:
Event Type: Error
Event Source: Microsoft Firewall
Event ID: 14019
Description:
ISA Server failed to load the firewall policy configuration. The failure occurred while loading the policy rule "policy rule name here".

Data:
0000: 80070057



Cause

ISA Server collects all the Windows security elements that are on the Users tab. Then, ISA Server puts these security elements into a single security descriptor. However, Windows has a size limit for a discretionary access control list (DACL). The maximum size of a DACL is 0xFFFF (65535 bytes). Each access control entry (ACE) in a DACL has a size of about 0x24 (36 bytes). Therefore, Windows returns the error that is described in the "Symptoms" section to the ISA Management Microsoft Management Console (MMC) snap-in when the list that is in this security descriptor exceeds the size limit.

For example, assume that the number of entries in the User Sets list for an access rule is more than 100 and that each entry contains many individual Active Directory users. Additionally, assume that the total number of access control entries in the security descriptor is 1821 after ISA Server merges all the users and groups in the User Sets list into a single security descriptor. In this scenario, the DACL size (1821*36 + 8) is greater than the maximum size limit of 65535 bytes. Therefore, ISA Server 2006 cannot synchronize the configuration, and you receive the error message.

Note
  • The scenario that is used in this example does not follow Windows access control best practices. Therefore, we do not recommend it.
  • The DACL header size is 8 bytes.



Workaround

To work around this issue, use one of the following methods:
  • Use nested users and groups.
  • In an ISA Server 2006 policy rule, make sure that you have only a few Active Directory users and groups in the User Sets list.
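As an added example that is not part of the KB article, the following Python models the size arithmetic from the "Cause" section (8-byte ACL header, 36 bytes per ACE, 65535-byte limit) and compares a flat User Sets list against the nested-group workaround. The per-ACE size is derived from the Windows binary SID layout; the one-ACE-per-distinct-principal merge in count_merged_aces is an assumption, as are the constructed User Sets.

```python
# Added example, not code from the KB article: model the DACL that ISA Server
# builds from a rule's User Sets and check it against the Windows ACL size limit.

MAX_ACL_SIZE = 0xFFFF      # AclSize is a 16-bit field, so an ACL tops out at 65535 bytes
ACL_HEADER_SIZE = 8        # ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2
ACE_FIXED_SIZE = 8         # ACE_HEADER (4 bytes) + ACCESS_MASK (4 bytes), before the SID

def sid_size(sub_authority_count):
    """Binary SID size: 8-byte header plus 4 bytes per sub-authority."""
    return 8 + 4 * sub_authority_count

def ace_size(sub_authority_count=5):
    """Size of one ACCESS_ALLOWED_ACE. A domain user or group SID
    (S-1-5-21-a-b-c-RID) has five sub-authorities, which gives the
    36-byte (0x24) per-ACE figure quoted in the article."""
    return ACE_FIXED_SIZE + sid_size(sub_authority_count)

def dacl_size(ace_count, sub_authority_count=5):
    """Total DACL size for ace_count ACEs of the same SID shape."""
    return ACL_HEADER_SIZE + ace_count * ace_size(sub_authority_count)

def fits_in_dacl(ace_count, sub_authority_count=5):
    """True when a DACL with this many ACEs can be built at all."""
    return dacl_size(ace_count, sub_authority_count) <= MAX_ACL_SIZE

def max_ace_count(sub_authority_count=5):
    """Largest number of same-shaped ACEs that still fit under the limit."""
    return (MAX_ACL_SIZE - ACL_HEADER_SIZE) // ace_size(sub_authority_count)

def count_merged_aces(user_sets):
    """ACEs needed after merging every User Set into one security descriptor.
    Assumption (not stated in the article): each distinct user or group SID
    becomes exactly one ACE, so a principal listed in several sets counts once."""
    principals = set()
    for members in user_sets.values():
        principals.update(members)
    return len(principals)

if __name__ == "__main__":
    # The article's example: 1821 ACEs of 36 bytes each plus the 8-byte header.
    print(dacl_size(1821), fits_in_dacl(1821))    # 65564 False
    print(max_ace_count())                         # 1820
    # Constructed User Sets: 120 sets of 16 individual users vs. one nested group per set.
    flat = {f"set{i}": {f"user{i}_{j}" for j in range(16)} for i in range(120)}
    nested = {f"set{i}": {f"group{i}"} for i in range(120)}
    print(count_merged_aces(flat), fits_in_dacl(count_merged_aces(flat)))      # 1920 False
    print(count_merged_aces(nested), fits_in_dacl(count_merged_aces(nested)))  # 120 True
```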



References

For more information about nested groups, visit the following Microsoft Web site:
For more information about Active Directory users, computers, and groups, visit the following Microsoft Web site:
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates



Keywords: KB981745, kbqfe, kbsurveynew, kbfix, kbexpertiseinter


Article Info
Article ID : 981745
Revision : 2
Created on : 4/19/2010
Published on : 4/19/2010
Exists online : False
Views : 298