
Archive for the ‘ISA 2006’ Category

TMG 2010 – FBA, troubleshooting the change password feature

When we publish OWA, or any other web service, through TMG and want to make use of FBA, we have the option to change our password through the FBA web form. However, this step is not always as straightforward as it seems, and there are some possible pitfalls in the configuration on the TMG or on the DC.

One error you might see in a case of an issue in the configuration is the following generic error:

image

In this article we want to provide some guidance on how to troubleshoot these problems and also on how to identify specific issues that can prevent the FBA password change from working as it should.

Of course, the first thing to do when you see the error message is to check whether the “complexity requirements” are really met and whether the user who sees the error is the only one affected by the issue.

Hence, if we do meet the complexity requirements, we should check the following steps (from http://technet.microsoft.com/en-us/library/cc984426.aspx):

(Note that both Active Directory and an LDAP server use the LDAP protocol for communication)

· The connection to the LDAP server or Active Directory on the domain controller must be over secure LDAP (LDAPS). To use a secure LDAP connection, a server certificate must be installed on the domain controller. The common name on the certificate must match the fully qualified domain name (FQDN) that you specify for the authentication server.

· The Forefront TMG computer must have the root certificate of the certification authority (CA) that issues the server certificate in the Trusted Root Certification Authorities store for the local computer.

· When using LDAP authentication, you must create an LDAP server set containing the LDAP servers that will be used to authenticate users. Configure the following settings for the LDAP server set:

o Enable connecting to the LDAP server over a secure connection.

o Specify an FQDN for the LDAP server name. Ensure that the FQDN matches the common name specified on the server certificate installed on the LDAP server (domain controller).

o Disable querying of the global catalog (GC).

o Specify the domain in which user accounts can be identified and specify the details of an account that will be used to bind to the LDAP server and to query the credentials of logged-on users.

o An account is required to bind to the authentication server and verify user name and password status. In the case of domain authentication, this must be a domain account with privileges to make changes to Active Directory.

We must also check whether the http://support.microsoft.com/kb/957859 hotfix has already been installed (it is included in TMG RTM) and whether you need to run the script provided in that article.

The article “Configuring and Troubleshooting the Password Change Feature in ISA 2006” is also a very good place to continue troubleshooting.

If the above steps are fine we should move forward in our analysis and, as a first thing, check whether the “root certificate” we are using to establish the LDAPS connection is trusted everywhere (on the TMGs and on the DCs).

If this is the case but we are still not able to get it working, we have to move forward in our analysis and check for any possible error in the ISA/TMG tracing. Due to the very detailed information found in the tracing, this can only be analyzed by Microsoft personnel.

Recently I was working on a case where the above steps didn’t resolve the issue. In this article I want to share how we resolved it; in my case it was caused by a permission error in AD.

When analyzing the TMG tracing we found that TMG tried to gather the account properties and failed:

Info:CUserAccountTask:  User: domain\user, Operation: 1, Error code: 6, Internal (ADSI) error: HRESULT=8000500D

Where the error 8000500D is translated as:

# for hex 0x8000500d / decimal -2147463155
E_ADS_PROPERTY_NOT_FOUND

You can also use the TMG diagnostic logging to verify whether you are facing this issue. More information on how to use diagnostic logging can be found here.

When you filter for the specific connection, you should be able to see the error code 2147463155 in the logging. You can of course also just filter for the error code itself after collecting the diagnostic logging:

image

In this case it is a good idea to have a look at the permissions of the user account whose password cannot be changed. It is necessary to grant the permission to read the attribute UserAccountTask to every account that should be able to change its password via ISA/TMG.

This attribute is used to gather information about the password, for example whether it is expired or whether it meets the complexity requirements.

This can be accomplished simply by adding the “Authenticated Users” group on the Security tab in AD if it is missing, as in the following screenshot, with the following permissions enabled, as on our default Windows Server 2008 R2 installation:

Read, Read account restrictions, Read exchange information, Read exchange personal information, Read general information, Read Group membership, Read logon information, Read personal information, Read phone and mail options, Read private information, Read public information, Read remote access information, Read RTCPropertySet, Read RTCUserProvisioningPropertySet, Read RTCUserSearchPropertySet, Read Terminal Server license Server, Read web information, Special permissions.

image

Of course we can perform the same action directly in the “Active Directory Users and Computers” console (it is the same thing).
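As an added check that is not part of the original post or of any Microsoft tool, the following PowerShell script (PowerShell 2.0 ships with Windows Server 2008 R2, so it runs on the TMG server) verifies the LDAPS requirements listed above and then probes whether the bind account can read a test user's account-restriction attributes, which is the kind of read that fails with E_ADS_PROPERTY_NOT_FOUND in the case described. The DC FQDN, search base, bind account and test user are assumed placeholders, and the simple (Basic) bind type is an assumption to adjust to your LDAP server set.

```powershell
# Added example, not from the original post: run on the TMG server from an elevated
# PowerShell prompt. Checks the LDAPS prerequisites listed above and then probes the
# read that fails with E_ADS_PROPERTY_NOT_FOUND when the bind account lacks permissions.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$DcFqdn     = 'dc01.contoso.local'      # assumed: FQDN exactly as entered in the LDAP server set
$SearchBase = 'DC=contoso,DC=local'     # assumed: naming context that holds the user accounts
$TestUser   = 'jdoe'                    # assumed: sAMAccountName of a user who gets the error
$BindCred   = Get-Credential 'CONTOSO\svc-tmg-ldap'   # assumed: bind account of the LDAP server set
$script:CertOk = $false

function Test-LdapsCertificate {
    # The certificate's CN must match the FQDN TMG connects to, and the chain must
    # build up to a CA in this computer's Trusted Root Certification Authorities store.
    param($RawCert)
    $cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RawCert)
    $cn      = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    Write-Host ("Certificate CN '{0}' matches FQDN '{1}': {2}" -f $cn, $DcFqdn, ($cn -eq $DcFqdn))
    Write-Host ("Chain builds to a trusted root: {0}" -f $chainOk)
    foreach ($s in $chain.ChainStatus) { Write-Host ("  chain problem: {0}" -f $s.Status) }
    $script:CertOk = $chainOk -and ($cn -eq $DcFqdn)
    return $true   # keep going so the bind and permission probes below still run
}

function Test-TmgLdapsPrerequisites {
    param([string]$Fqdn, [string]$Base, [System.Management.Automation.PSCredential]$Cred, [string]$User)

    $id  = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Fqdn, 636)
    $con = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $con.SessionOptions.SecureSocketLayer = $true          # LDAPS, as the server set requires
    $con.SessionOptions.ProtocolVersion   = 3
    $con.SessionOptions.VerifyServerCertificate = { param($c, $raw) Test-LdapsCertificate $raw }
    $con.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind, protected by TLS
    $con.Credential = $Cred.GetNetworkCredential()

    try   { $con.Bind() }
    catch { Write-Host ("Bind as {0} failed: {1}" -f $Cred.UserName, $_.Exception.Message); return $false }
    Write-Host ("Bind as {0} over LDAPS: OK" -f $Cred.UserName)

    # Probe the permission problem: the bind account must be able to read the user's
    # account-restriction attributes that decide whether a password is expired or changeable.
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest
    $req.DistinguishedName = $Base
    $req.Filter = "(sAMAccountName=$User)"
    $req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    [void]$req.Attributes.AddRange([string[]]@('pwdLastSet', 'userAccountControl', 'accountExpires'))

    $resp = $con.SendRequest($req)
    if ($resp.Entries.Count -eq 0) { Write-Host "User '$User' not found under $Base"; return $false }
    $entry  = $resp.Entries[0]
    $readOk = $true
    foreach ($a in 'pwdLastSet', 'userAccountControl', 'accountExpires') {
        if ($entry.Attributes.Contains($a)) {
            Write-Host ("  {0,-18} = {1}" -f $a, $entry.Attributes[$a][0])
        } else {
            # Object found but attribute not returned: the bind account cannot read it.
            Write-Host ("  {0,-18} NOT READABLE (matches the E_ADS_PROPERTY_NOT_FOUND symptom)" -f $a)
            $readOk = $false
        }
    }
    return ($script:CertOk -and $readOk)
}

$result = Test-TmgLdapsPrerequisites -Fqdn $DcFqdn -Base $SearchBase -Cred $BindCred -User $TestUser
Write-Host ("All FBA password-change prerequisites satisfied: {0}" -f $result)
```

A certificate whose CN differs from the FQDN, a chain that does not build, a failed bind, or an attribute that comes back unreadable each points to one of the checklist items above.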

The above guidelines should help in troubleshooting some of the most common issues with FBA when we want to implement the password change feature.
See you next time!

 

Author
Andrea Vescovo
Support Engineer
Microsoft CSS Forefront Edge Team

Technical Reviewer
Philipp Sand
Support Escalation Engineer
Microsoft CSS Forefront Edge Team

Categories: authentication, ISA, ISA 2006, ISA Server, TMG

X-flash-version header can prevent ISA/TMG from compressing contents

December 30th, 2011

 

In this blog post I want to discuss a solution which we provided to one of our customers.

The problem concerned a published web site where specific Flash content was not being compressed by TMG/ISA as expected.

The first thing that is important to mention is that it is usually not necessary to compress Flash content. My customer needed to compress the content because the client accessing the data was connected via a slow satellite link. When analyzing the ISAInfo (http://www.isatools.org/tools/isainfo.zip) output generated by the TMG BPA (http://www.microsoft.com/download/en/details.aspx?id=17730), we could see that ISA/TMG skips compression for the following content:

Compression Settings
  HTTP headers exempt from compression
    x-flash-version:
  User-Agents exempt from compression
    *BITS*

Hence if we want to compress this kind of content we need to “force” ISA/TMG to do it.

Please be aware that with the following changes I want to demonstrate what you can do by modifying COM properties through scripting in ISA/TMG. Be aware that all changes you perform through scripts bypass all the logic verifiers that are implemented in the UI. Always make a backup of your configuration before performing any changes with a script. Microsoft cannot guarantee that problems resulting from incorrect use of these scripts can be solved! Even though this solution was applied successfully by my customer and tested for a while in his specific environment, it is something Microsoft didn’t test extensively, and hence implementing the solution is at your own risk!

Let’s have a look at the traces to better understand what we are talking about.

The following is a network trace taken before applying our script to modify the compression settings of our ISA-TMG machine:

Allowed www.contoso.com access (test) x.x.x.x Remote Client x.x.x.x 3000 www.contoso.com POST 200

POST /xmlservice/RemoteFramework/http/update HTTP/1.1
Referer: app:/core.html
Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, text/css, image/png, image/jpeg, image/gif;q=0.8, application/x-shockwave-flash, video/mp4;q=0.9, flv-application/octet-stream;q=0.8, video/x-flv;q=0.7, audio/mp4, application/futuresplash, */*;q=0.5
x-flash-version: 10,3,181,34
Content-Type: text/xml
Content-Length: 110
Accept-Encoding: gzip,deflate
User-Agent: Test Remote Client
Host: www.contoso.com
Connection: Keep-Alive
Cache-Control: no-cache

<update xmlns="test:remoteframework" id="{c095c364-ec83-4cf8-b79b-83601bd1e78e}" version="2011.1.0.22" />

As we can see the response is NOT compressed:

HTTP/1.1 200 OK
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-type:text/xml;charset=UTF-8

<?xml version="1.0" encoding="UTF-8"?>
<model xmlns="test:remoteframework"><meta><class up="6EDB::2"><attribute up="6EDB::6" type="text" /><attribute up="6EDB::7" type="pointer" /><attribute up="6EDB::75" type="pointer" /><attribute up="6EDB::65" type="pointer" /><attribute up="6EDB::76" type="boolean" /></class><class up="6EDB::1"><attribute up="6EDB::3
….
<object up="91E4C2::6"><value attribute="46A5D6::262">(PAS) rapport</value></object><object up="91E4C2::8"><value attribute="46A5D6::262">(PAS) # en &#8364;</value></object></class><class up="46A5D6::117" /><class up="46A5D6::116" /><class up="46A5D6::118" /><class up="46A5D6::121" /><class up="46A5D6::122" /></data></model>
0

To change the compression behavior, we had to remove the x-flash-version entry from the list of incompressible content in the configuration. As there’s no UI option for this we had to perform these steps by directly modifying the COM properties. Afterwards TMG/ISA did compress the content as requested by the customer.

In the following I want to describe in detail how we can interact with the COM properties.

We can start from the following URL: http://msdn.microsoft.com/en-us/library/ff824938(v=VS.85).aspx

With the following VBScript we can verify which headers are included in the TMG list of non-compressible content:

' Create the root object.
Dim root ' The FPCLib.FPC root object
Set root = CreateObject("FPC.Root")

' Declare the other objects needed.
Dim isaArray ' An FPCArray object
Dim httpHeaders ' An FPCHTTPHeaders collection
Dim httpHeader ' A String

' Get references to the array object
' and the HTTP headers collection.
Set isaArray = root.GetContainingArray()
With isaArray.ArrayPolicy.WebProxy.HTTPCompressionConfiguration
    Set httpHeaders = .UnsupportedHeaders
End With

' Display the unsupported HTTP headers.
For Each httpHeader In httpHeaders
    WScript.Echo httpHeader
Next

WScript.Echo "done!"

For more information, the following link describes the TMG Administration object model:

http://msdn.microsoft.com/en-us/library/ff824018(v=VS.85).aspx

This article gives us an idea of which methods and properties are supported by the FPCHTTPHeaders collection object:

http://msdn.microsoft.com/en-us/library/ff824942(v=VS.85).aspx

At this point we can write the following script to remove the x-flash-version entry:

' Create the root object.
Dim root ' The FPCLib.FPC root object
Set root = CreateObject("FPC.Root")

' Declare the other objects needed.
Dim isaArray ' An FPCArray object
Dim httpHeaders ' An FPCHTTPHeaders collection

' Get references to the array object
' and the HTTP headers collection.
Set isaArray = root.GetContainingArray()
With isaArray.ArrayPolicy.WebProxy.HTTPCompressionConfiguration
    Set httpHeaders = .UnsupportedHeaders
End With

' Remove the entry at position 1 (x-flash-version: was the only entry
' listed under "HTTP headers exempt from compression" in our case)
' and save the change to the configuration.
httpHeaders.Remove(1)
httpHeaders.Save()

WScript.Echo "done!"

And just in case you want to re-add the header type, you can use this script:

' Create the root object.
Dim root ' The FPCLib.FPC root object
Set root = CreateObject("FPC.Root")

' Declare the other objects needed.
Dim isaArray ' An FPCArray object
Dim httpHeaders ' An FPCHTTPHeaders collection

' Get references to the array object
' and the HTTP headers collection.
Set isaArray = root.GetContainingArray()
With isaArray.ArrayPolicy.WebProxy.HTTPCompressionConfiguration
    Set httpHeaders = .UnsupportedHeaders
End With

' Re-add the entry exactly as ISAInfo lists it (note the trailing colon)
' and save the change to the configuration.
httpHeaders.Add("x-flash-version:")
httpHeaders.Save()

WScript.Echo "done!"
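The scripts above address the entry by its position (Remove(1)), which is fine when x-flash-version: is the only entry. As an added example that is not from the original post, the following PowerShell script drives the same FPC COM object model from the TMG/ISA server, looks up the entry's position in the collection by name before removing it, and shows the list before and after; it assumes the collection is enumerated in the same 1-based order that Remove(1) uses.

```powershell
# Added example, not from the original post: same FPC COM object model as the VBScript
# above, driven from PowerShell on the TMG/ISA server. Export a backup of the array
# configuration from the console before running it, as the post advises.
$HeaderToRemove = 'x-flash-version:'   # entry exactly as listed under "HTTP headers exempt from compression"

function Get-ExemptHeaders {
    # Returns the FPCHTTPHeaders collection of headers that disable compression.
    $root  = New-Object -ComObject 'FPC.Root'
    $array = $root.GetContainingArray()
    return $array.ArrayPolicy.WebProxy.HTTPCompressionConfiguration.UnsupportedHeaders
}

function Show-ExemptHeaders($headers) {
    $i = 0
    foreach ($h in $headers) { $i++; Write-Host ("  [{0}] {1}" -f $i, $h) }
    if ($i -eq 0) { Write-Host '  (none)' }
}

function Remove-ExemptHeader([string]$Name) {
    $headers = Get-ExemptHeaders
    Write-Host 'Headers exempt from compression before:'
    Show-ExemptHeaders $headers

    # Find the 1-based position (assumed to match what Remove(1) in the post addresses)
    # instead of assuming the entry is first. PowerShell's -eq is case-insensitive.
    $index = 0; $found = 0
    foreach ($h in $headers) {
        $index++
        if ($h -eq $Name) { $found = $index; break }
    }
    if ($found -eq 0) { Write-Host "'$Name' is not in the list; nothing to do."; return $false }

    $headers.Remove($found)
    $headers.Save()          # commits the change to the stored configuration, as in the VBScript

    Write-Host 'Headers exempt from compression after:'
    Show-ExemptHeaders (Get-ExemptHeaders)
    return $true
}

function Add-ExemptHeader([string]$Name) {
    # Reverse step, equivalent to the third script in the post.
    $headers = Get-ExemptHeaders
    $headers.Add($Name)
    $headers.Save()
}

Remove-ExemptHeader $HeaderToRemove
```

Run Add-ExemptHeader 'x-flash-version:' to restore the default exemption.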

At this point, as we can see from the test below, the content is correctly compressed by ISA/TMG even though the client application still inserts the x-flash-version header in its requests:

Host: www.contoso.com \r\n

POST /xmlservice/RemoteFramework/http/update HTTP/1.1
Referer: app:/core.html
Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, text/css, image/png, image/jpeg, image/gif;q=0.8, application/x-shockwave-flash, video/mp4;q=0.9, flv-application/octet-stream;q=0.8, video/x-flv;q=0.7, audio/mp4, application/futuresplash, */*;q=0.5
x-flash-version: 10,3,181,34
Content-Type: text/xml
Content-Length: 110
Accept-Encoding: gzip,deflate
User-Agent: Remote Client
Host: www.contoso.com
Connection: Keep-Alive
Cache-Control: no-cache

As we can see the response this time is compressed:

HTTP/1.1 200 OK
Connection: Keep-Alive
Content-length:56138
Content-type:text/xml;charset=UTF-8
Content-Encoding:gzip
Vary: Accept-Encoding


Author
Andrea Vescovo
Support Engineer
Microsoft CSS Forefront Edge Team

Technical Reviewer
Philipp Sand
Support Escalation Engineer
Microsoft CSS Forefront Edge Team

Categories: compression, ISA 2006, TMG


Random authentication prompts while accessing internet through ISA Server followed by ISA Server becoming unresponsive

January 13th, 2011

Introduction

Consider a scenario where users behind ISA Server (on the internal network) start to receive random prompts for authentication while trying to access the Internet using ISA Server as a proxy. The authentication prompt persists even after entering the credentials. To resolve the issue it is necessary to restart the Firewall service.

Although you have probably heard or read about this scenario many times, the goal of this post is to give you a compiled version of the action plan and of what to look for while analyzing the data.

Data Collection

Start by following the plan from this post (basics section); along with that, make sure that the binding order is also correct, i.e. the internal NIC is higher in the order than the external one. A wrong binding order can cause issues such as the one mentioned here. In addition to the data gathering specified previously, also collect the following data:

1. Use the ISA Data Packager while reproducing the issue.
2. Enable Netlogon logging on the ISA server nodes using the command nltest /dbflag:0x2080ffff at the command prompt, as per KB109626.
3. Set the performance counters as specified in this post.

Data analysis

When you start reviewing the perfmon data, check the counter ISA Server Firewall Packet Engine\Backlogged Packets. You will notice a trend similar to the perfmon screenshot shown in this post. This can happen due to a name resolution issue, as explained in this TechNet article.

The next data to analyze is netlogon.log, which can also be done using the same approach as in the following post. In other words, look for the following pattern:

08/21 12:00:00 [DOMAIN] Contoso: Domain thread started
08/21 12:00:00 [DOMAIN] Contoso: Domain thread started doing API timeout
08/21 12:00:00 [SESSION] Contoso: Contoso: NlTimeoutApiClientSession: Unbind from server \\ab-cd.Contoso.local (TCP) 0.

From the above data we can conclude that the domain controller with which ISA Server had the secure channel established did not respond in a timely manner, which triggered the NlTimeoutApiClientSession entry in the Netlogon logging. After that, ISA Server resets the secure channel and tries to establish a secure channel with another DC.
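To turn the pattern above into a quick check over a whole netlogon.log, here is an added PowerShell example that is not from the original post: it parses the API-timeout and NlTimeoutApiClientSession unbind entries, then reports per DC how many unbinds occurred and when, so the DC that stopped answering and the moment the secure channel moved to another DC stand out. The sample lines are constructed in the format of the excerpt above.

```powershell
# Added example, not from the original post: scans netlogon.log lines for the pattern
# shown above (domain thread API timeout followed by NlTimeoutApiClientSession unbind)
# and summarizes which DC stopped answering and when.
function Get-NetlogonTimeouts {
    param([string[]]$Lines)
    # Netlogon log lines start with "MM/DD HH:MM:SS [CATEGORY] ..." (no year).
    $apiTimeout = '^(?<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[DOMAIN\] (?<dom>\S+): Domain thread started doing API timeout'
    $unbind     = '^(?<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[SESSION\] .*NlTimeoutApiClientSession: Unbind from server (?<dc>\\\\\S+) \((?<proto>\w+)\) (?<code>\d+)'
    $events = @()
    foreach ($line in $Lines) {
        if ($line -match $apiTimeout) {
            $events += New-Object PSObject -Property @{ Time = $matches.ts; Kind = 'ApiTimeout'; Server = $matches.dom }
        } elseif ($line -match $unbind) {
            $events += New-Object PSObject -Property @{ Time = $matches.ts; Kind = 'Unbind'; Server = $matches.dc }
        }
    }
    return ,$events
}

function Get-UnresponsiveDcSummary {
    param([string[]]$Lines)
    $events   = @(Get-NetlogonTimeouts -Lines $Lines)
    $timeouts = @($events | Where-Object { $_.Kind -eq 'ApiTimeout' })
    $unbinds  = @($events | Where-Object { $_.Kind -eq 'Unbind' })
    Write-Host ("API timeouts: {0}, secure-channel unbinds: {1}" -f $timeouts.Count, $unbinds.Count)
    # One row per DC: the server with the most unbinds is the one that stopped answering;
    # a later unbind from a different DC shows that the secure channel moved on.
    $unbinds | Group-Object Server | ForEach-Object {
        $times = @($_.Group | ForEach-Object { $_.Time })
        New-Object PSObject -Property @{ DC = $_.Name; Unbinds = $_.Count; First = $times[0]; Last = $times[-1] }
    } | Sort-Object Unbinds -Descending
}

# Constructed sample in the format of the post's excerpt. For a real run use:
#   Get-UnresponsiveDcSummary -Lines (Get-Content "$env:windir\debug\netlogon.log")
$sampleText = @'
08/21 12:00:00 [DOMAIN] Contoso: Domain thread started
08/21 12:00:00 [DOMAIN] Contoso: Domain thread started doing API timeout
08/21 12:00:00 [SESSION] Contoso: Contoso: NlTimeoutApiClientSession: Unbind from server \\ab-cd.Contoso.local (TCP) 0.
08/21 12:00:45 [DOMAIN] Contoso: Domain thread started doing API timeout
08/21 12:00:45 [SESSION] Contoso: Contoso: NlTimeoutApiClientSession: Unbind from server \\ab-cd.Contoso.local (TCP) 0.
08/21 12:03:10 [DOMAIN] Contoso: Domain thread started doing API timeout
08/21 12:03:10 [SESSION] Contoso: Contoso: NlTimeoutApiClientSession: Unbind from server \\ef-gh.Contoso.local (TCP) 0.
'@
$sample = $sampleText -split "`r?`n"

Get-UnresponsiveDcSummary -Lines $sample | Format-Table DC, Unbinds, First, Last -AutoSize
```

On the constructed sample the summary shows two unbinds from \\ab-cd.Contoso.local followed by one from \\ef-gh.Contoso.local, i.e. the first DC timed out and the secure channel was re-established with the second.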

Resolution for this Particular Case

In this particular case the clients were using WPAD (automatic detection), which by default returns the IP address of the ISA Server rather than its name. This forced the clients to use NTLM authentication rather than Kerberos (supported in IE7 or higher).

Note: The advantages to use Kerberos instead of NTLM are documented in this article.

In order to force WPAD to return the FQDN instead of the IP address we ran the script described in this post. After running the script, all the web proxy clients using WPAD started getting the FQDN of the ISA server nodes and using Kerberos for authentication, which streamlined the authentication traffic and decreased the number of authentication requests.

Author
Suraj Singh
Security Support Engineer
Microsoft CSS Forefront Security Edge Team

Technical Reviewer
Yuri Diogenes
Sr Security Support Escalation Engineer
Microsoft CSS Forefront Security Edge Team