Understanding duplicate authentication prompts when publishing MOSS with ISA 2006 using FBA

When you publish your MOSS/SharePoint server with ISA 2006 using ISA Form Based Authentication (FBA), your users may complain about duplicate authentication prompts. This typically happens when they open Office documents from the site.

This behavior is explained by how ISA Server authenticates clients when you use ISA FBA.

After the user logs on through the form, ISA Server generates a cookie that authenticates subsequent web requests and sends it to the client. For improved security the default cookie setting is 'never use persistent cookies' (screenshot below). With this configuration, however, the cookie sent to the client is held in memory and can only be used by the process that received it.

When the user clicks a link on your MOSS/SharePoint page to open an Office document, the client automatically starts the application associated with the file extension in a new process.

This new process then sends its own request for the hyperlink from the MOSS/SharePoint page in order to access and open the file.

As mentioned above, the cookie the client uses to authenticate each request may only be used by the process that received it. The process that sends the request to the ISA server therefore cannot use this cookie, so the request arrives at the ISA server without it. ISA Server cannot associate this request with the connection on which the authentication cookie was issued and consequently prompts the user to authenticate again.

The only way to change this behavior in this scenario is to change the cookie type ISA Server uses to authenticate the client to 'persistent'.
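The cookie type the listener issues is visible on the client in the Set-Cookie header: a session cookie carries no lifetime, a persistent one carries Expires or Max-Age. The following script, an added check that is not part of the original post, classifies a captured Set-Cookie value accordingly and flags missing Secure/HttpOnly attributes; the cookie name and value used in the samples are constructed placeholders, not ISA's real cookie name.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
@dataclass
class CookieInfo:
    name: str
    persistent: bool
    secure: bool
    httponly: bool
    notes: list = field(default_factory=list)

def classify_set_cookie(header, now=None):
    """Classify one Set-Cookie header value: persistent (Expires or Max-Age still in
    the future) versus session-only (no lifetime, or a lifetime already elapsed)."""
    now = now or datetime.now(timezone.utc)
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    expires, max_age, secure, httponly = None, None, False, False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "expires":
            try:
                expires = parsedate_to_datetime(value)
            except (TypeError, ValueError):
                continue  # unparsable date: treat the attribute as absent
            if expires.tzinfo is None:  # "-0000" dates come back naive
                expires = expires.replace(tzinfo=timezone.utc)
        elif key == "max-age" and value.lstrip("-").isdigit():
            max_age = int(value)
        elif key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
    # Max-Age takes precedence over Expires when both are present (RFC 6265)
    persistent = max_age > 0 if max_age is not None else bool(expires and expires > now)
    info = CookieInfo(name, persistent, secure, httponly)
    if persistent:
        info.notes.append("persistent: written to disk, shared by every cookie-aware process")
    else:
        info.notes.append("session: held only by the receiving process; a new process is prompted again")
    if not secure:
        info.notes.append("missing Secure attribute: cookie may be sent over plain HTTP")
    if not httponly:
        info.notes.append("missing HttpOnly attribute: cookie readable by page script")
    return info

# Constructed sample headers (placeholder cookie name and value, not real ISA output)
SESSION_COOKIE = "FBAcookie=EXAMPLE; path=/; secure; HttpOnly"
PERSISTENT_COOKIE = "FBAcookie=EXAMPLE; expires=Wed, 01 Jan 2031 00:00:00 GMT; path=/; secure"
```

Run it against the Set-Cookie header returned after a form logon; a result of "session" confirms the listener is still issuing in-memory cookies that a second process cannot present.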

Before changing this setting you should understand the following security issues related to persistent cookies:

  • A malicious attacker who obtains a persistent cookie may be able to perform a brute force attack to obtain user credentials from the cookie.
  • On a public computer, if the user does not log off, the session cookie can be used by the next user to access published sites. This threat can be mitigated by not enabling persistent cookies for public computers or by adding authentication features like one time passwords.
  • Spyware may be able to access the cookie as well.

To change the cookie behavior, open the Web Listener used by the MOSS/SharePoint publishing rule, navigate to the 'Forms' tab and select 'Advanced...'.

[Screenshot: the 'Advanced...' dialog of the Web Listener's Forms tab, showing the cookie setting]

If you decide that you have to use persistent cookies, we recommend using the 'Only on private computers' setting and asking your users not to select the 'private computer' option on computers that do not meet your company policy.

After changing this setting to use persistent cookies, every cookie-aware application on the client PC can access the cookie and use it to authenticate to the ISA server. You should therefore no longer see duplicate authentication prompts caused by this cookie type.

However, we have heard from customers who still see duplicate authentication prompts even though ISA is configured to use persistent cookies, when their users access MOSS/SharePoint from Windows Vista or Windows 7. This issue is described in detail in KB932118.

To resolve these duplicate authentication prompts, add the published MOSS/SharePoint site to the Trusted Sites zone and make sure that Protected Mode is disabled for the Trusted Sites zone.

Author

Philipp Sand
Microsoft CSS Forefront Security Edge Team

Technical Reviewer

Thomas Detzner

Escalation Engineer - Microsoft CSS Forefront Edge Team