Configuring ISA 2006 cookies / SSO problem

  • Question

  • Is it possible to control the 'Set-Cookie' response that ISA sends back to clients logging on to a site published via a web listener?  I have a web listener that is used to publish a number of websites.  One site is the root of our namespace and is used by Exchange OWA; the others are subdomains of this domain (obviously these are not the actual domain names):


    https://domain.com

    https://sharepoint.domain.com

    https://mysite.domain.com

    The problem we have is that if a Firefox or Safari client logs on to domain.com and then goes to sharepoint.domain.com, they have to reauthenticate.  If they log on to sharepoint.domain.com and then go to domain.com they don't have to reauthenticate.  IE clients are OK whichever site they log on to first.  The problem seems to be the way ISA presents the cookie.  The domain for the cookie is set to 'domain.com'.  If you log on to the site using the URL https://domain.com this is the Set-Cookie response:


    Set-Cookie: COOKIE=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT

    If you log on to a site using a subdomain, i.e. https://sharepoint.domain.com, this is the Set-Cookie response:


    Set-Cookie: COOKIE=; Domain=.domain.com; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT

    The 'Domain=.domain.com' field is the crucial one, for Firefox and Safari anyway.  Without it they mark the cookie as being host-only, rather than domain, and will not send it when logging on to a subdomain.  When it is there they will pass it to sibling sites or the parent site.  IE doesn't care and will use the cookie whether the field is there or not.

    I had thought this was just the way ISA worked; there is no configuration option in the GUI that I can find.  But I saw this article: http://support.microsoft.com/kb/940242, which talks about setting the 'domain=.domain.com' field to deal with a cookie load-balancing problem.  It didn't work, but then it isn't addressing quite the problem we are having.  Has anyone used the SDK to set cookie properties?

    Thanks

    Daryl


    Thursday, February 10, 2011 3:05 PM
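The behaviour Daryl describes is the RFC 6265 host-only vs. domain cookie distinction. The following is an added illustration, not code from the thread or from ISA: it models the storage and matching rules a standards-conforming browser (Firefox, Safari) applies and replays the two logon orders from the question. The cookie values are constructed and the expiry attribute is ignored.

```python
"""Model RFC 6265 cookie domain handling for the ISA SSO scenario above.
Constructed example; the cookie value 'abc' is made up."""


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header (with or without the 'Set-Cookie:' prefix)
    into the cookie name and a dict of lower-cased attribute names."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "attrs": attrs}


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def store_cookie(set_cookie: str, request_host: str) -> dict:
    """RFC 6265 5.3: no Domain attribute -> host-only cookie bound to the
    responding host; Domain present -> leading dot dropped, cookie applies
    to that domain and all of its subdomains."""
    cookie = parse_set_cookie(set_cookie)
    request_host = request_host.lower()
    domain = cookie["attrs"].get("domain", "").lower().lstrip(".")
    if not domain:
        return {"name": cookie["name"], "domain": request_host, "host_only": True}
    if not domain_matches(request_host, domain):
        raise ValueError(f"{request_host} may not set a cookie for {domain}")
    return {"name": cookie["name"], "domain": domain, "host_only": False}


def cookie_sent_to(cookie: dict, request_host: str) -> bool:
    """RFC 6265 5.4: host-only cookies need an exact host match; domain
    cookies go to the domain and every subdomain (parents and siblings)."""
    request_host = request_host.lower()
    if cookie["host_only"]:
        return request_host == cookie["domain"]
    return domain_matches(request_host, cookie["domain"])


def sso_works(first_host: str, set_cookie: str, second_host: str) -> bool:
    """Log on at first_host (which returns set_cookie), then browse to
    second_host. True means the browser presents the cookie, i.e. no
    reauthentication is needed."""
    return cookie_sent_to(store_cookie(set_cookie, first_host), second_host)
```

The model also shows the trade-off of the requested fix: once the root site emits `Domain=.domain.com`, the SSO cookie is presented to every host under domain.com, so each published subdomain site receives it.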

Answers

  • Daryl,

    I have researched this and there is not a current way to do this with the default configuration. You may be able to do this by creating a custom web filter.  If you would like to have the default behavior changed, then you would have to open a support case and we could pursue it from there.

    Thanks,


    Brennan Crowe
    • Marked as answer by Daryl T Friday, April 15, 2011 8:28 AM
    Tuesday, April 12, 2011 2:19 PM

All replies

  • Did you try to use the SSO domain setting on the listener? This is exactly what it should do.

    Thanks,


    Alex Zvansky TMG Product Group
    Thursday, February 10, 2011 3:34 PM
  • Hi Alex,

    Yes, the SSO domain setting is there and SSO is working in most circumstances.  For IE clients there is no problem.  It is just the scenario in which a Firefox or Safari client logs on to the root website (i.e. the one that corresponds to the SSO domain settings) and then goes to a subdomain; SSO then doesn't work.  You can see from the HTTP headers that ISA is presenting the cookie differently if you log on to the root site or a sub-site, see above.  I'm fairly sure this is the cause of the problem.  You can see in Firefox that it has marked the cookie as 'host' if you have logged on to the root site and as 'domain' if you log on to a subsite.  My question is whether there is any way to force ISA to include the 'domain=....' bit in the cookie when you log on to the root site.

    Thanks

    Daryl

    Thursday, February 10, 2011 3:58 PM
  • Hi Brennan,

    Thanks for looking into this.  At least I know I'm not just missing something.

    Daryl

    Friday, April 15, 2011 8:27 AM