FIX: SecurID does not redirect to the requested page after a successful logon (832168)


The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2000
  • Microsoft Internet Security and Acceleration Server 2000 SP1

SYMPTOMS

When you use SecurID authentication to request a Web page that is published by a Web publishing rule in Microsoft ISA Server 2000, you are not redirected to the requested URL after you enter the correct credentials on the SecurID logon page. Instead, ISA Server responds with the SecurID logon page and prompts you to enter your SecurID credentials again.

This problem occurs if all the following conditions are true:
  • You have installed ISA Server Feature Pack 1 and SecurID authentication on your system, and you have enabled the SecurID authentication Webfilter.
  • You have two Web publishing rules. The initial Web page request is served by the first Web publishing rule. This rule has no SecurID authentication enabled. The page that is published by the first Web publishing rule links to another URL that is published by the second Web publishing rule. The second Web publishing rule has SecurID authentication enabled.
  • The second Web publishing rule processes the redirection. The second rule applies the same host name as the first Web publishing rule.

For more information about how to install ISA Server Feature Pack 1 and configure SecurID authentication, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=2f92b02c-ac49-44df-af6c-5be084b345f9&DisplayLang=en.

For more information about how to setup SecurID authentication in ISA Server 2000, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=2f92b02c-ac49-44df-af6c-5be084b345f9&DisplayLang=en.

The problem does not occur if the initial request is immediately processed by the second Web publishing rule. For example, if the client first requests http://www.example.com, the page that is published by the first Web publishing rule redirects to http://www.example.com/securefolder/default.html. The second Web publishing rule processes this request, and the request is denied. If the client first requests http://www.example.com/securefolder/default.html, this problem does not occur.

CAUSE

This is a problem in the SecurID filter in ISA Server 2000. This filter does not send the correct redirection URL in response to a successful SecurID logon.

RESOLUTION

Hotfix information

A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Only apply it to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Internet Security and Acceleration Server 2000 service pack that contains this hotfix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Prerequisites

ISA Server 2000 Service Pack 1 and ISA Server Feature Pack 1 are required to install this hotfix.

For additional information about how to obtain ISA Server SP1 and ISA Server Feature Pack 1, click the following article numbers to view the articles in the Microsoft Knowledge Base:

313139 How to obtain the latest Internet Security and Acceleration Server 2000 service pack

319380 ISA Server 2000 Feature Pack 1 overview

Hotfix replacement information

This hotfix does not replace any other hotfixes.

Restart requirement

You must restart your computer after installing the hotfix.
   Date         Time   Version      Size  File name
   --------------------------------------------------
   22-Feb-2004 17:02 3.0.1200.305 178,448 Mspadmin.exe 
   22-Feb-2004 17:02 3.0.1200.305 103,184 Msphlpr.dll 
   22-Feb-2004 17:01 3.0.1200.305 393,488 W3proxy.exe 
   22-Feb-2004 17:02 3.0.1200.305 299,280 Wspsrv.exe
   22-Feb-2004 17:01 3.0.1200.305  81,680 Sdisa.dll
The Hotfix applies to all ISA Server languages.


STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION


ISA Server 2000 implements RSA authentication as follows:
  1. If a client requests a Web site that is published by ISA Server, and SecurID is enabled on the Web publishing rule, the SecurID Web filter first responds with the SecurID logon page.
  2. After the client has successfully entered the SecurID credentials and submitted the page, the SecurID Web filter redirects to the page that was originally requested.


To enable or to disable the SecurID authentication Webfilter, follow these steps:
  1. In the ISA Microsoft Management Console (MMC), expand Servers and Arrays and the server name node.
  2. Expand Extensions, and then click Web Filters.
  3. Right-Click the Web Filter for RSA SecurID Webfilter.
  4. Click enable or disable.

To set SecurID authentication for your Web publishing rule, follow these steps:
  1. In the ISA MMC, expand Servers and Arrays and the server name node.
  2. Expand Access Policy, and then click Web Publishing Rules.
  3. Create a new Web Publishing Rule, or select an existing rule that you want to configure. Right-click the rule, and then click Properties.
  4. Click the RSA SecurID tab, and then click to select or to clear the Enable RSA Web Authentication Feature Set for this rule check box.


To troubleshoot this problem, use Microsoft Network Monitor to analyze the HTTP traffic. After the client submits the SecurID credentials, the HTTP response from the ISA Server may include a response that is similar to the following: 
HTTP: Response to Client; HTTP/1.1; Status Code = 200 - OK
	HTTP: Protocol Version =HTTP/1.1
	HTTP: Status Code = OK
	HTTP: Reason =OK
	HTTP: Connection =close
	HTTP: Content-Length =733
	HTTP: Refresh = 1; URL=
Because the URL= field is empty, the client is not redirected to the original URL. After you install this hotfix, the response will look similar to the following:
HTTP: Response to Client; HTTP/1.1; Status Code = 200 - OK
	HTTP: Protocol Version =HTTP/1.1
	HTTP: Status Code = OK
	HTTP: Reason =OK
	HTTP: Connection =close
	HTTP: Content-Length =733
	HTTP: Refresh = 1; URL=/securefolder/default.html

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

824684 How to install Network Monitor in Windows 2000

Modification Type:MajorLast Reviewed:4/7/2006
Keywords:kbQFE KBHotfixServer kbdownload kbISAServ2000preSP2fix kbfix kbbug KB832168
©2004 Microsoft Corporation. All rights reserved.