Re: ISA 2004 SSL Bridging and Client Certificate Authentication



Your issue is that ISA can't forward client certificates to the web server,
so you need to uncheck Client Certificate Required on the IIS side, and just
leave it at Integrated Windows Authentication. This is by design to ensure
the integrity of the certificates. So instead what you need to do is employ
Kerberos Constrained Delegation (KCD). You'll find many articles on both
Microsoft and www.isaserver.org about setting this up. KCD will enable you
to pass the user's credential from the ISA server to the internal web server
using Kerberos, which should log the user on to the web server using the
credential passed to the ISA server via the client certificate initially
provided by the user.

Miguel

"AspectIT" <AspectIT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:CE9ADB6E-A151-4B8D-971A-EBBDE846E424@xxxxxxxxxxxxxxxx
Hi Guys and Gals

This is the setup.

Windows SBS2003 Premium SP2 with ISA 2004 SP2 two Nics

Internal Card 10.0.0.1
External Card 10.0.10.1 - Connected to Router (All ports added to Rules on router)

This is what we are trying to achieve:

We are trying to set up PDAs to communicate with a website on the SBS Server
which uses SSL Secure channel communications over an alternative SSL port of
2121. Along with this is the need to use client certificates. The SSL certs
are from a 3rd party and the server has their root CA installed and the
Certificate for the secure communications installed on the ISA Computer store
and on the website itself.

We have set up a Secure Web publishing rule using Bridging HTTPS to HTTPS
using port 2121 and created a new listener to listen on SSL port 2121, HTTP
disabled, and added the Server certificate for the SSL communications onto
the listener, and without the client certificate authentication we have the
secure communications working fine, no problems.

The problem we're having is with Client certificate authentication. We have
enabled the Website on IIS6 on the SBS box to require Client Certificates and
added a Trust list using the ROOT CA from the 3rd Party. They have also given
us a PFX Cert with Public Key to import on remote users' Devices and also for
anywhere else needed such as the ISA Rules.

We have added the client certificate to the Personal Store of the Microsoft
Firewall Service so it appears in the Bridging tab in ISA2004, and we have
selected Use a certificate to authenticate to the SSL Web Server, and
selected the Client Cert which is on the remote users' device and which they
will be prompted to use. Then we proceeded to edit the listener and take off
Integrated Auth and add SSL Certificate Only and select Always Authenticate.

Basically ISA doesn't seem to be forwarding the Client Certificates to the
website in the way it should and is giving a 401 error to the end user in IE.
Upon inspection of the IIS logs the Website is receiving a 403.7 error
which is Client Cert required. The user is getting the Client Certificate
Prompt when connecting but then they get this error:

Error Code: 401 Unauthorized. The server requires authorization to fulfill
the request. Access to the Web server is denied. Contact the server
administrator. (12209)

Looking at the ISA logs we get the following:

User:


Denied Connection LTE-SBS01 20/10/2009 11:07:04
Log type: Web Proxy (Reverse)
Status: 12229 The server requires authorization to fulfill the request.
Access to the Web server is denied. Contact the server administrator.
Rule:
Source: ( X.X.X.X:0)
Destination: ( 10.0.10.1:2121)
Request: GET http://pda.XXXXXX.com/
Filter information: Req ID: 1ea71f6f
Protocol: https
User: anonymous
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0;
Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR
3.5.30729; AskTB5.5)
Object source: Processing time: 63
Cache info: 0x0 MIME type:


We have tried the Website internally and the Client certificates worked as
they should, proving it isn't the certificates; it looks like ISA isn't
forwarding the Client certificates on. Also on the ISA logs it says the
destination is 10.0.10.1 which is the external card. Shouldn't this be
10.0.0.1 which is the internal Card?

Can you help? If you need any more info regarding the setup please let me know.

Thanks
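The KCD setup Miguel recommends, as an added example that is not from this thread: the ISA computer account is constrained to delegate only to the published site's HTTP SPN, with protocol transition enabled because the user only ever presents a certificate to ISA and never a Kerberos ticket, and IIS is switched back to SSL without a required client certificate plus Integrated Windows Authentication. It assumes the RSAT ActiveDirectory module on the machine where it runs, the host name LTE-SBS01 from the log above, and placeholder values for the published site name and the IIS site id (1).

```powershell
# Added example, not from the original thread. Placeholders: pda.example.com
# (published site), W3SVC/1 (IIS site id). LTE-SBS01 comes from the ISA log.
# Assumes the RSAT ActiveDirectory module; on SBS 2003 itself the same
# settings live on the computer account's Delegation tab in AD Users and Computers.
Import-Module ActiveDirectory

$isaHost  = 'LTE-SBS01'        # computer account of the ISA server
$webHost  = 'LTE-SBS01'        # IIS box hosting the published site (same box on SBS)
$siteFqdn = 'pda.example.com'  # placeholder public name of the published site

# 1. The published site needs an HTTP SPN that ISA can request a ticket for.
#    setspn -S registers it only if it is not already claimed by another account.
setspn -S "http/$siteFqdn" $webHost
setspn -S "http/$webHost"  $webHost

# 2. Constrain the ISA computer account to delegate to exactly that service
#    (msDS-AllowedToDelegateTo) and allow protocol transition
#    (TrustedToAuthForDelegation): ISA authenticated the user with a client
#    certificate, so it must obtain a Kerberos service ticket on the user's behalf.
$isa = Get-ADComputer $isaHost
Set-ADComputer $isa -Add @{ 'msDS-AllowedToDelegateTo' = @("http/$siteFqdn", "http/$webHost") }
Set-ADAccountControl $isa -TrustedToAuthForDelegation $true

# 3. Verify what the directory now says before touching the publishing rule.
Get-ADComputer $isaHost -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation,
        @{ n = 'DelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }

# 4. IIS 6 side (run on the SBS box): keep SSL required (AccessSSL = 8) but drop
#    AccessSSLRequireCert (64), which is what produces the 403.7 when ISA cannot
#    pass the certificate on, and leave Integrated Windows Auth (AuthFlags = 4)
#    as the only authentication method so the delegated Kerberos ticket is accepted.
$adsutil = 'C:\Inetpub\AdminScripts\adsutil.vbs'
cscript //nologo $adsutil SET W3SVC/1/Root/AccessSSLFlags 8
cscript //nologo $adsutil SET W3SVC/1/Root/AuthFlags 4
```

After this, the ISA listener authenticates the user by certificate and the publishing rule is set to delegate with Kerberos constrained delegation to the SPN registered in step 1; the IIS log should then stop showing 403.7 and the ISA log should show the mapped user instead of anonymous.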