How do I require a client certificate when publishing a Web server?



Hi,

We have an internal web server (not running IIS) that we want to publish to the Internet. We have ISA Server 2004 in our DMZ. The ISA Server is not part of a domain. We have software assurance on the server and are planning to upgrade to 2006.

We only want people on trusted computers to be able to connect to the internal web server from outside. So, we would like to authenticate them with client certificates.

I have been testing with ISA 2006. ISA 2006 has the advantage that it allows us to only authenticate client certificates that we issue.

However, I can't seem to get it working. If I set authentication on the SSL listener to SSL Client Certificate Authentication, the client is prompted for the certificate and then gets the error: "Error Code: 401 Unauthorized. The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. (12209)"

If I set authentication to HTML Form Authentication with Authentication Validation Method set to Windows (Active Directory) and require SSL Client Certificate in Advanced Authentication Preferences, I get prompted for a certificate, receive the login form and then get the error: "Error Code: 403 Forbidden. Authentication failed. The client certificate used to establish an SSL connection with the ISA Server computer does not match the user credentials that you entered. (12253)" On the plus side, a machine without a certificate can't get to the login screen at all. The problem is that a machine with a certificate can't get past the login screen. I know the username and password I type are correct, because I get a different error if I type an incorrect password.

If I set the Authentication Validation Method to LDAP (Active Directory) I don't get prompted for a certificate. I can log in using AD credentials from both the PC with a certificate and the one without. Obviously, this isn't what we want.

I have tried using an Enterprise CA within the domain and a standalone CA that's not part of the domain.

So, does anyone know how I can publish a web server and configure ISA to require a client certificate?

Regards,

Bill
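The policy Bill is after ("only authenticate client certificates that we issue", and a machine without a certificate gets nowhere) is a property of the TLS listener, independent of the product in front of the web server. The following is an added example, not code from the post or from ISA Server: it uses Go's TLS stack as a stand-in for the listener to show what RequireAndVerifyClientCert with a trust store containing only our own CA does. It builds two constructed CAs ("Our Internal CA" and "Some Other CA"), issues a server certificate and two client certificates, then tries three connections: a client holding a certificate from our CA, a client holding a certificate from the foreign CA, and a client with no certificate. Only the first should succeed. All names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
	"time"
)

var serialCounter int64 // constructed serial numbers, unique within this process

// issue creates a certificate signed by parent; with parent == nil it is self-signed (a CA root).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(atomic.AddInt64(&serialCounter, 1)),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // httptest listens on 127.0.0.1
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// newServer starts an HTTPS listener that accepts a client only if its certificate
// chains to ourCA. Nothing else is trusted, which is the "only certificates we issue" rule.
func newServer(ourCA, serverCert *x509.Certificate, serverKey *ecdsa.PrivateKey) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(ourCA)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The TLS layer has already verified the chain; the handler only sees authenticated clients.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{serverCert.Raw}, PrivateKey: serverKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no cert, or an unverifiable cert, fails the handshake
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	}
	srv.StartTLS()
	return srv
}

// connect makes one request, presenting clientCert if non-nil, and returns the body or an error.
func connect(url string, serverCA, clientCert *x509.Certificate, clientKey *ecdsa.PrivateKey) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(serverCA)
	cfg := &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{clientCert.Raw}, PrivateKey: clientKey}}
	}
	tr := &http.Transport{TLSClientConfig: cfg}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr, Timeout: 5 * time.Second}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Result records which of the three client cases the listener let through.
type Result struct {
	OurCertAccepted, ForeignCertAccepted, NoCertAccepted bool
	Greeting                                             string
}

// RunScenario builds the two CAs and the three clients and exercises the listener.
func RunScenario() Result {
	ourCA, ourCAKey := issue("Our Internal CA", true, nil, nil)
	foreignCA, foreignCAKey := issue("Some Other CA", true, nil, nil)
	serverCert, serverKey := issue("published-web-server", false, ourCA, ourCAKey)
	trusted, trustedKey := issue("trusted-laptop", false, ourCA, ourCAKey)
	stranger, strangerKey := issue("stranger-laptop", false, foreignCA, foreignCAKey)

	srv := newServer(ourCA, serverCert, serverKey)
	defer srv.Close()

	var r Result
	body, err := connect(srv.URL, ourCA, trusted, trustedKey)
	r.OurCertAccepted, r.Greeting = err == nil, body
	_, err = connect(srv.URL, ourCA, stranger, strangerKey)
	r.ForeignCertAccepted = err == nil
	_, err = connect(srv.URL, ourCA, nil, nil)
	r.NoCertAccepted = err == nil
	return r
}

func main() {
	r := RunScenario()
	fmt.Printf("our CA's certificate accepted: %v (%q)\n", r.OurCertAccepted, r.Greeting)
	fmt.Printf("foreign CA's certificate accepted: %v\n", r.ForeignCertAccepted)
	fmt.Printf("no client certificate accepted: %v\n", r.NoCertAccepted)
}
```

The point of the example is the trust store: the listener's ClientCAs pool holds only our own CA, so a perfectly valid certificate from any other issuer is rejected at the handshake, and so is a client that presents nothing. Mapping the verified certificate to a directory account (the step that produces ISA's 12253 error when it fails) is a separate, second check that happens after this one; in the example the handler simply reads the verified subject from the connection.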