I have today discovered an issue with ISA 2006 SP1 using forms based authentication to log into MOSS 2007.
The issue is that if you log into MOSS successfully (using the ISA form) and, let's say, you accidentally select ‘Sign in as Different User’, then realise you didn’t actually want to log out and log back in as the same user, you experience an issue where ISA replies with ‘Access Denied’. However, if you strip the URL and enter it without the ISA string, it will log you straight back in without prompting. I don’t see this as a security issue; however, it could be misleading for users.
I have tested this issue with ISA joined to the domain and with ISA in its own workgroup using LDAPS, and both have the same behaviour.
I’m in the process of raising this with Microsoft and will post the update here...
MS have confirmed they can reproduce the error I am experiencing; however, I need to produce a business case as to why it should be fixed.
Ongoing... Will keep you posted.
Having spent many an hour working with Microsoft providing various diagnostic logs, the issue has been identified and a hotfix is currently being produced. I will post the link once the hotfix has been published.
Microsoft have sent me the hotfix for testing and I can confirm it fixes the issue. It still takes three attempts to log on; however, this is SharePoint functionality (feature :)) and not ISA related.
The KB for the article / hotfix is KB973737 and can now be downloaded from here.