To configure settings for forms-based authentication
1. In the console tree of ISA Server Management, click Firewall Policy.
2. On the Toolbox tab, click Network Objects.
3. Expand Web Listeners and double-click the applicable Web listener to open its properties.
4. On the Forms tab, click Advanced.
5. Under Cookie Settings, you can provide a name for the cookie that ISA Server provides to the client after forms-based authentication has succeeded. From the drop-down list you can select whether the cookies are persistent (continue to exist on the client after the session ends) on all computers, only on private computers, or never.
6. Under Client Security Settings, select one of the following:
   - Treat as maximum idle time, to set a time-out based on the amount of time that the client is idle.
   - Treat as maximum session duration, to set a time-out based on the session length.
   Then provide time-outs for public and private computers, which will be used to establish the maximum idle time or maximum session length.
   Select Log off when the user leaves site if you want the user to be automatically logged off when they navigate away from the site to which they have logged on.
Notes
- For more information about authentication in ISA Server, see Authentication Concepts in ISA Server 2006 at the Microsoft ISA Server TechCenter Web site (http://www.microsoft.com).
- To open ISA Server Management, click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
- For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.
- For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.
Important
- When a session reaches the time-out threshold, clients are required to log on to the session again using their user credentials.
- When you configure a time-out for forms-based authentication, we recommend that the time-out be shorter than that imposed by the published server. If the published server times out before ISA Server, the user may mistakenly think that the session has ended, while the ISA Server session remains open until it is actively closed by the user or timed out by ISA Server as configured on the form setting. This could allow attackers to use the still-open session.
- Use persistent cookies to allow opening documents from Microsoft Windows SharePoint Services without the need to reauthenticate.
- Note the following security issues related to persistent cookies:
  - A malicious attacker who obtains a persistent cookie may be able to perform a brute force attack to obtain user credentials from the cookie.
  - On a public computer, if the user does not log off, the session cookie can be used by the next user to access published sites. This threat can be mitigated by not enabling persistent cookies for public computers.
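The two time-out modes (maximum idle time versus maximum session duration) and the two cautions above (keep the ISA Server time-out shorter than the published server's, and avoid persistent cookies on public computers) can be modelled in a small review script. This is an added example, not ISA Server code; the settings class, its field names and the minute unit are assumptions standing in for the Forms > Advanced dialog, and the sample configurations are constructed.

```python
from dataclasses import dataclass

# Constructed model of the Forms > Advanced settings described above;
# the field names are assumptions, not ISA Server's own object model.
@dataclass
class FormsAuthSettings:
    idle_mode: bool           # True: "maximum idle time"; False: "maximum session duration"
    public_timeout: int       # applied to public computers (minutes, unit assumed)
    private_timeout: int      # applied to private computers (minutes, unit assumed)
    persistent_cookies: str   # "never", "private" or "all", as in the drop-down list


def session_expired(s: FormsAuthSettings, public: bool,
                    login_at: int, last_activity_at: int, now: int) -> bool:
    """Decide whether a forms-based session has reached its time-out threshold.

    Times are minutes since an arbitrary epoch. In idle mode only the gap
    since the last request counts; in duration mode the clock starts at logon.
    """
    limit = s.public_timeout if public else s.private_timeout
    elapsed = (now - last_activity_at) if s.idle_mode else (now - login_at)
    return elapsed > limit


def review_settings(s: FormsAuthSettings, published_server_timeout: int) -> list:
    """Return the weaknesses the Important section warns about, as short strings."""
    findings = []
    # The ISA time-out must be shorter than the published server's, otherwise the
    # ISA session can outlive the back-end one and stay usable after the user
    # believes it ended.
    for label, limit in (("public", s.public_timeout), ("private", s.private_timeout)):
        if limit >= published_server_timeout:
            findings.append(f"{label} time-out {limit} >= published server "
                            f"time-out {published_server_timeout}")
    # Persistent cookies on public computers let the next user reuse the session.
    if s.persistent_cookies == "all":
        findings.append("persistent cookies enabled on public computers")
    return findings


# Constructed samples: the weak configuration beside the corrected one.
WEAK = FormsAuthSettings(idle_mode=True, public_timeout=60, private_timeout=120,
                         persistent_cookies="all")
HARDENED = FormsAuthSettings(idle_mode=True, public_timeout=10, private_timeout=20,
                             persistent_cookies="private")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, review_settings(cfg, published_server_timeout=30))
```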