ISA Server 2006 RTM, Supportability Update, and Service Pack 1 installations that are configured as follows:
- The Web listener is configured for forms-based authentication (FBA) using RADIUS One-Time Passwords (OTP)
- The Web publishing rule delegates using Kerberos Constrained Delegation (KCD)
- ISA is configured to allow fallback to HTTP-Basic authentication
If you do not use RADIUS OTP with KCD, or you have disabled HTTP-Basic fallback for RADIUS OTP, you are not subject to this vulnerability.
Non-Affected Products
- ISA Server 2000
- ISA Server 2004
- Forefront TMG