Re: ISA 2004 SSL Bridging and Client Certificate Authentication

Your issue is that ISA can't forward client certificates to the web server,
so you need to uncheck Client Certificate Required on the IIS side, and just
leave it at Integrated Windows Authentication. This is by design to ensure
the integrity of the certificates. So instead what you need to do is employ
Kerberos Constrained Delegation (KCD). You'll find many articles on both
Microsoft and about setting this up. KCD will enable you
to pass the user's credential from the ISA server to the internal web server
using Kerberos, which should log the user on to the web server using the
credential passed to the ISA server via the client certificate initially
provided by the user.
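The KCD setup described above, as an added example that is not part of the original reply: it registers constrained delegation for the ISA computer account to the published site's HTTP service and enables protocol transition, which is needed because the client authenticates to ISA with a certificate rather than a Kerberos ticket. The account name ISA01, the SPN HTTP/intranet.corp.example and the domain are placeholders; it assumes the ActiveDirectory PowerShell module and domain admin rights.

```powershell
# Added example, not from the thread: configure Kerberos Constrained Delegation
# so the ISA computer account can obtain a Kerberos ticket for the published
# web site on behalf of a user it authenticated by client certificate.
# Placeholders: ISA computer account ISA01, target SPN HTTP/intranet.corp.example.
Import-Module ActiveDirectory

$isaName   = 'ISA01'
$targetSpn = 'HTTP/intranet.corp.example'

# 1. Check the target SPN is registered on exactly one account (the IIS app pool
#    identity or the web server's computer account). A missing or duplicate SPN
#    makes delegation fail silently with a 401 at the client.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$targetSpn)" `
                          -Properties servicePrincipalName)
if ($holders.Count -ne 1) {
    throw "Expected exactly one account holding $targetSpn, found $($holders.Count)"
}
Write-Host "SPN $targetSpn is held by $($holders[0].Name)"

# 2. Constrained delegation: list only the one service the ISA server must reach.
#    (Unconstrained delegation would let the account impersonate users to any service.)
Set-ADComputer -Identity $isaName -Add @{ 'msDS-AllowedToDelegateTo' = $targetSpn }

# 3. Protocol transition ("use any authentication protocol"): the user never
#    presents a Kerberos ticket to ISA, so ISA must be allowed to request one
#    on the user's behalf (S4U2Self) after validating the client certificate.
Set-ADAccountControl -Identity $isaName -TrustedToAuthForDelegation $true

# 4. Read the settings back so the change can be verified and recorded.
Get-ADComputer -Identity $isaName `
    -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
```

The certificate-to-account mapping on the ISA side and the web server's own Kerberos settings still have to be configured separately; this script only covers the delegation rights in Active Directory.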


"AspectIT" <AspectIT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
Hi Guys and Gals

This is the setup.

Windows SBS2003 Premium SP2 with ISA 2004 SP2 two NICs

Internal Card
External Card - Connected to Router (All ports added to Rules on

This is what we are trying to achieve:

We are trying to setup PDAs to communicate with a website on the SBS
which uses SSL Secure channel communications over an alternative SSL port
2121. Along with this is the need to use client certificates, the SSL
have are from a 3rd party and the server has their root CA installed and
Certificate for the secure communications installed on the ISA Computer
and on the website itself.

We have setup a Secure Web publishing rule using Bridging HTTPS to HTTPS
using port 2121 and created a new listener to listen on SSL port 2121,
disabled, and added the Server certificate for the SSL communications onto
the listener, and without the client certificates authentication we have
secure communications working fine no problems.

The problem we're having is with Client certificate authentication, we have
enabled the Website on IIS6 on the SBS box to require Client Certificates,
added a Trust list using the ROOT CA from the 3rd Party, they have also
us a PFX Cert with Public Key to import on remote users Devices and also
anywhere else needed such as the ISA Rules.

We have added the client certificate to the Personal Store of the
Firewall Service so it appears in the Bridging tab in ISA2004, and we have
selected Use a certificate to authenticate to the SSL Web Server, and
selected the Client Cert which is on the remote users device and what they
will be prompted to use. Then we proceeded to edit the listener and take
Integrated Auth and add SSL Certificate Only and select Always

Basically ISA doesn't seem to be forwarding the Client Certificates to the
website in the way it should and is giving a 401 error to the end user in
Upon inspection of the IIS logs the Website is receiving a 403.7 error
which is Client Cert required. The user is getting the Client Certificate
Prompt when connecting but then they get this error:

Error Code: 401 Unauthorized. The server requires authorization to fulfill
the request. Access to the Web server is denied. Contact the server
administrator. (12209)

Looking at the ISA logs we get the following:


Denied Connection LTE-SBS01 20/10/2009 11:07:04
Log type: Web Proxy (Reverse)
Status: 12229 The server requires authorization to fulfill the request.
Access to the Web server is denied. Contact the server administrator.
Source: ( X.X.X.X:0)
Destination: (
Request: GET
Filter information: Req ID: 1ea71f6f
Protocol: https
User: anonymous
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0;
Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR
3.5.30729; AskTB5.5)
Object source: Processing time: 63
Cache info: 0x0 MIME type:

We have tried the Website internally and the Client certificates worked as
they should, proving it isn't the certificates, it looks like ISA isn't
forwarding the Client certificates on. Also on the ISA logs it says the
destination is which is the external card, shouldn't this be which is the internal Card?

Can you help, if you need any more info regarding the setup please let me