Hi, I have a website published with ISA 2006. The web listener requires all users to authenticate with a client certificate in Active Directory. The remote clients are successfully authenticated and can get access to the website. After working for some time, which varies from 5 seconds to about a minute, authentication is suddenly lost. This happens during a page load, and can happen right while images are loading, so that half of the images on the page are loaded and half are not. After that the user is no longer authenticated, and when he tries to switch to another page of the website, he gets an error:

Error Code: 500 Internal Server Error. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

For several seconds before this message everything works fine and the user is authenticated in the ISA logs, but suddenly he becomes anonymous and is denied connection. Any suggestions are appreciated!
(ISA Server 2006, SP1 on W2003 SP1; Domain controller - W2003 R2 SP2, Web server - W2003 R2 SP2, .NET FW 3.5, calling a WCF service on W2003 R2 SP2 via netTcp)
An update. If I switch to unsafe HTML Forms authentication over plain HTTP with no security, it works fine: the client does not get unauthenticated in an observable period of time (5-10 minutes of work, no problems). I move forward and enable SSL, but do not require client certificates, with HTML Forms Authentication still on. Again, here the clients can work without problems. The next step is that I enable the option "Require SSL client certificate". Here is where the problems start. I get a slightly different error message:

Error Code: 403 Forbidden. The page requires a client certificate as part of the authentication process. If you are using a smart card, you will need to insert your smart card to select an appropriate certificate. Otherwise, contact your server administrator. (12213)

The eToken is still inserted; I did not remove it as the message suggests. ISA offers an option for customizing the SSL client certificate timeout, which is 300 seconds or 5 minutes by default. I played with it, and even disabled this timeout. Apparently, this option has nothing to do with the problem. It looks like the client certificate is being cached and validated on every request, so that only valid users get access. But somehow this cache is cleared and not updated.

I am not sure whether it is important, but the website has a lot of design features, i.e. small images, building a rich environment. This leads to a very large number of requests to the web server on every page load (about a hundred images per page, though not large in size). If it is important, is it possible to increase the number of available requests to a web server (per second, maybe, or in total)?