ISA 2004 does 502s rather than 407s if you're already authenticated

  • Article

Update: Also works for ISA 2006 and TMG.

There were a couple of newsgroup questions on ISA 2004 authentication that prompted me to go digging through the SDK.

Edit: A little more background so this makes more sense: When an HTTP request is submitted by a client (also called a "user agent", because not all user agents are browsers), it's submitted anonymously in the first instance. The proxy will then work out whether the client is allowed to do whatever it is asking to do anonymously, and if not, sends the client an HTTP 407 message and proxy-authenticate headers that indicate supported authentication methods (eg, "407 - Who Are You? I speak NTLM and fluent Dutch..."). Then, this connection is authenticated and the user gets whatever the user's permissions are.

A little background: possibly as a side-effect of the way rules were processed in ISA 2000, the default behaviour for the Web Proxy was that if access were denied and the user was already authenticated, the user would be prompted for alternate credentials (because ISA 2000 responded with another "407 Proxy Authentication Required", rather than a 502 "get bent").

With ISA 2004, if a user has already authenticated and has been denied access by a rule, ISA 2004 returns a 502 Bad Gateway, and IE doesn't ask again. So, we have the opposite of the old behaviour.

For ISA 2000, the behaviour was made optional with the ReturnDeniedIfAuthenticated setting (see https://support.microsoft.com/?id=297324), included in SP1 and beyond. In ISA 2004, there's a scripty method of getting to the setting, which is in the example below.

The script sets this for ISA 2004, in a Proxy scenario - it applies to a listener associated with a Network object rather than an externally defined Web listener (an interesting distinction, but one I'm going to leave well alone for now).

As I mentioned in my newsgroup post, you might need to double-check your rule ordering assumptions after doing this.

The usual disclaimers apply - in short, don't sue me, it's your fault. Back up your configuration before playing.

ISA2004-neverdeny.vbs

' Standard Disclaimer:

' This script is purely for example purposes

' and should not be used by anyone, ever.

' It's designed for use with CSCRIPT, not WSCRIPT. So don't just double-click it unless you

' really enjoy being bombarded with dialog boxen.

' TristanK

TheOnlyOneOfInterest = "Internal" ' we want to reset the internal network listener

setting = True ' True = Enabled, False = Disabled (default)

found = 0

set root = CreateObject("FPC.Root")

set firewall = root.GetContainingArray

set networks = firewall.NetworkConfiguration.Networks

for each network in networks

      'Wscript.echo network.name

      if TheOnlyOneOfInterest = network.name then

            found = found + 1

            Wscript.echo "Found network: " + network.name

            network.WebListenerProperties.ReturnAuthRequiredIfAuthUserDenied = setting

            ' this is pure bumf- feel free to comment it out if you don't want to be prompted

            ' the Wscript.stdin.readline line requires the latest version of the VBScript/WSH components

            Wscript.echo "Property Set - press Enter to Save the change."

            Wscript.stdin.readline

            Wscript.echo "Please wait..."

            ' Commit the configuration change

            network.WebListenerProperties.Save

      end if

next

if found = 0 then

      Wscript.echo "Target network was not found."

else

      Wscript.echo "Done."

end if