Passing along some information regarding a vulnerability in the ISA firewall that exists when you use FBA and RADIUS One Time Passwords (OTP).
If you have a Web Publishing Rule that meets the following specs:
- The Web listener is configured for forms-based authentication (FBA) using RADIUS One-Time Passwords (OTP)
- The web publishing rule delegates using Kerberos Constrained Delegation (KCD)
- ISA is configured to allow fallback to HTTP-Basic authentication.
then you need to apply the MS09-031 update.
For more information, see Jim Harrison's article at:
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer