“The token supplied to the function is invalid” alert was logged on Forefront TMG 2010 RTM doing Outbound HTTPS Inspection when a user tried to access a secure web site behind it

I’ve noticed on a customer’s Forefront TMG 2010 RTM machine that the “The token supplied to the function is invalid” alert was logged, probably when someone tried to access a secure web site while Outbound HTTPS Inspection was enabled on TMG.

I went myself to the address found on that alert in my lab, and the same alert was raised:

[Screenshot: tmg_failed_http_501_resp_1]

My request has failed:

[Screenshot: tmg_failed_http_501_resp_2]

I took a Wireshark capture and saw that the web site responded to TMG’s Client Hello message with an HTML web page containing a 501 Method Not Implemented message (!).

The TLS 1.0 RFC says something like: “After sending the client hello message, the client waits for a server hello message. Any other handshake message returned by the server except for a hello request is treated as a fatal error.”
In this case the client was TMG (due to the Outbound HTTPS Inspection), and it received an unrecognized (more correctly said, invalid) message from the server.
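When triaging this alert from a packet capture, the first bytes the server sent after the Client Hello settle the question. The following is an added example, not part of the original post: a small Python classifier that tells a TLS record apart from a plaintext HTTP or HTML reply. The function name and the sample byte strings are constructed for illustration.

```python
import struct

# TLS record content types (RFC 2246, section 6.2.1)
RECORD_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# Handshake types a client tolerates while waiting for the server hello (RFC 2246, 7.4)
ACCEPTABLE_HANDSHAKE = {0: "hello_request", 2: "server_hello"}


def classify_first_reply(data: bytes) -> dict:
    """Classify the first bytes a server returns after a TLS Client Hello."""
    text = data.lstrip().lower()
    if text.startswith(b"http/"):
        # Plaintext HTTP status line on a port where TLS was expected
        status = data.lstrip().split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"kind": "plaintext_http", "detail": status, "fatal": True}
    if text.startswith((b"<!doctype", b"<html")):
        # Bare HTML body without a status line
        return {"kind": "plaintext_html", "detail": "", "fatal": True}
    if len(data) < 6:
        return {"kind": "truncated", "detail": data.hex(), "fatal": True}
    rtype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if rtype not in RECORD_TYPES or major != 3:
        return {"kind": "not_tls", "detail": data[:8].hex(), "fatal": True}
    if rtype == 21 and len(data) >= 7:
        level, desc = data[5], data[6]  # alert level 2 means fatal
        return {"kind": "alert", "detail": f"level={level} description={desc}", "fatal": level == 2}
    if rtype == 22:
        hs = data[5]  # first byte of the handshake message is its type
        name = ACCEPTABLE_HANDSHAKE.get(hs, f"unexpected_handshake_{hs}")
        return {"kind": name, "detail": f"record version {major}.{minor}, {length} bytes",
                "fatal": hs not in ACCEPTABLE_HANDSHAKE}
    return {"kind": RECORD_TYPES[rtype], "detail": "unexpected record type", "fatal": True}


# Constructed sample replies (not taken from the capture described in the post)
HTTP_501 = (b"HTTP/1.1 501 Method Not Implemented\r\nContent-Type: text/html\r\n\r\n"
            b"<html><body><h1>Method Not Implemented</h1></body></html>")
SERVER_HELLO = bytes([22, 3, 1, 0, 74, 2, 0, 0, 70, 3, 1])  # record + handshake header only
FATAL_ALERT = bytes([21, 3, 1, 0, 2, 2, 40])                # fatal handshake_failure

if __name__ == "__main__":
    for sample in (HTTP_501, SERVER_HELLO, FATAL_ALERT):
        print(classify_first_reply(sample))
```
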

If we dig a little deeper (Google search), we will see that this domain does not exist anymore (apparently it expired some time ago), and used to accept SSL/TLS connections (the public SSL Database available on SSL Labs still has a record with a grade for it).
I’ve noticed the log on the customer’s TMG machine and went to investigate this issue. Turns out I was chasing ghosts.

If the client behind TMG was a web proxy client, it might have displayed the error message returned to it by TMG (not all browsers seem capable of displaying these messages):

[Screenshot: tmg_failed_http_501_resp_3]
