Error message when you send an HTTP TRACE command to a Web server that is published by an ISA Server 2004 SP2-based computer: "HTTP 401 Unauthorized" (914532)


The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 2, when used with:
    • Microsoft Internet Security and Acceleration Server 2004, Enterprise Edition
  • Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 2, when used with:
    • Microsoft Internet Security and Acceleration Server 2004, Standard Edition

SYMPTOMS

When you send an HTTP TRACE command to a Web server that is published by a Microsoft Internet Security and Acceleration (ISA) Server 2004 Service Pack 2 (SP2)-based computer, you receive the following error message.
HTTP 401 Unauthorized

CAUSE

This behavior occurs because ISA Server 2004 SP2 disables the HTTP TRACE functionality to prevent a remote attacker from accessing sensitive information, such as authentication information, that is available in the HTTP headers.

WORKAROUND

To work around this behavior, you can enable the HTTP TRACE functionality for all Web publishing rules. To do this, follow these steps.

Warning If you enable HTTP TRACE functionality, you increase the security risk to the computer.
  1. Paste the following code into a text editor such as Notepad:

    -----------------

' This script adds a new VendorParametersSets under the array root.
' add a new VendorParametersSet and add a value called "AllowTRACEForPublishing" set to 1.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Sub AddAllowTRACEForPublishing()

    ' Create the root obect.
    Dim root  ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    'Declare the other objects needed.
    Dim array       ' An FPCArray object
    Dim VendorSets  ' An FPCVendorParametersSets collection
    Dim VendorSet   ' An FPCVendorParametersSet object

    ' Get references to the array object
    ' and the network rules collection.
    Set array = root.GetContainingArray
    Set VendorSets = array.VendorParametersSets

    On Error Resume Next
    Set VendorSet = VendorSets.Item( "{143F5698-103B-12D4-FF34-1F34767DEabc}" )

    If Err.Number <> 0 Then
        Err.Clear

        ' Add the item
        Set VendorSet = VendorSets.Add( "{143F5698-103B-12D4-FF34-1F34767DEabc}" )
        CheckError
        WScript.Echo "New VendorSet added... " & VendorSet.Name

    Else
        WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value("AllowTRACEForPublishing")
    End If

    if VendorSet.Value("AllowTRACEForPublishing") <> 1 Then

        Err.Clear
        VendorSet.Value("AllowTRACEForPublishing") = 1

        If Err.Number <> 0 Then
            CheckError
        Else
            VendorSets.Save false, true
            CheckError

            If Err.Number = 0 Then
                WScript.Echo "Done, saved!"
            End If
        End If
    Else
        WScript.Echo "Done, no change!"
    End If

End Sub

Sub CheckError()

    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If

End Sub

AddAllowTRACEForPublishing

==============================

  2. Save the file by using the following file name: "AllowISATrace.vbs."
  3. Type the following command at a command prompt to run the script:

    cscript.exe AllowISATrace.vbs

    Note You must run this script from the same location at which you saved the script in step 2.
Modification Type:MajorLast Reviewed:4/13/2006
Keywords:kbtshoot kbprb KB914532 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.