MS09-031: ISA Server 2006 FBA and RADIUS OTP Bulletin

Passing along some information regarding a vulnerability in the ISA firewall that exists when you use FBA and RADIUS One Time Passwords (OTP).

If you have a Web Publishing Rule that meets the following specs:

  • The Web listener is configured for forms-based authentication (FBA) using RADIUS One-Time Passwords (OTP).
  • The Web Publishing Rule delegates using Kerberos Constrained Delegation (KCD).
  • ISA is configured to allow fallback to HTTP-Basic authentication.

Then you need to get your head up and apply the MS09-031 update.

For more information, check out Jim Harrison’s article over at:



Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer

Prowess Consulting

PROWESS CONSULTING | Microsoft Forefront Security Specialist
MVP — Forefront Edge Security (ISA/TMG/IAG)
