Error accessing uncompiled pages using ISA Server 2006 SP1

Question

We are in the processing of configuring a portal to use ISA Server as our front end security provider.
So we are using ISA Server 2006 SP1.

Unfortunately when we access .net applications through ISA Server, the first time they are accessed.
i.e. They are not compiled yet, the following error appears:
Error Code: 500 Internal Server Error. The parameter is incorrect. (87)

In the ISA Monitoring logs, this shows:

Failed Connection Attempt
Log type: Web Proxy (Reverse)
Status: 87 The parameter is incorrect.

Once the application is compiled, the error never appears.
Does anyone know how to resolve this, so the site works correctly the first time?

Some additional information:

• The websites accessed are running on windows server 2008 64 bit - standard edition, and occurs for Sharepoint as well as standard .net websites.
• ISA Server is running on Windows server 2003 R2 SP2 Standard eidtion
• The firewall on the windows server 2008 box allows all access. (To rule this out.)
• Nothing odd appears in the IIS logs or firewall logs.

Answer 1

You could pre-complie the web site. That's more of a work around.

Have you tried clearing out compilation output directory for ASP.NET? You might have some conflict there.

%SystemRoot%\Microsoft.NET\Framework\versionNumber\Temporary ASP.NET Files

Answer 2

This problem was caused by the Authentication Delegation value in ISA Server being set to NTLM while IIS was setup to accept Windows Authentication. This combination appears to be a problem in my environment.

Changing it to basic authentication, or any other valid combination works correctly, thus I'm going with a different authentication delegation setting.

Answer 3

I had the same problem today (ISA 2006/sp1 publishing SharePoint via ISA HTML Form Auth, passing through NTLM auth) and spent several hours debugging it. You are right, it's the neccessity to compile the page that triggers it and only an IISRESET causes the problem; App pool recycling does not. Basic authentication works, but NTLM does not. Read on for the fix.

If you look in your IIS log, you'll see that there is something odd there, namely a 401 reply from IIS for the particular HTTP request with a little hint:

... GET /auth.aspx - 80 - ... Mozilla/4.0+(compatible;...) 401 1 2148074254 734

Note the error code 2148074254 ( 0x8009030e SEC_E_NO_CREDENTIALS ). In a regular challenge/response exchange this should be "5."

This led me down some more winding debugging paths and eventually I discovered the problem is down to IIS 7's kernel-mode authentication being enabled by default. If you turn it off:

%windir%\system32\inetsrv\appcmd set config -section:windowsAuthentication -useKernelMode:false

...the problem goes away. There's enough information in this post for anyone to dig up the technical reasons for this, so I'll not bother regurgitating it here.

-Oisin