Re: How do I require a client certificate when publishing a Web se
- From: Radovan Vojtek <RadovanVojtek@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 7 Nov 2006 04:57:02 -0800
Hi Nathan,
I've exactly the same problem as Bill - ISA returns Error 401 and the HTTP
request does not arrive at the internal IIS.
I've noticed that in the "Choose certificate" dialog there is a bad name of the
certificate (there is "Users" instead of the correct user name). However, on the
ISA server, there is the correct name of the certificate in the dialog.
The CA certificate is in "Trusted root" on the ISA and on the client
machine, the CRL is accessible from both as well.
I've no idea what's the issue...
--
R.V.
"Nathan B [MSFT]" wrote:
I can think of two possible issues: A name mismatch between the user and the
certificate, or a trust issue on the ISA Server - missing root certificate
or ISA Server is not configured to trust the certificate (on the Client
Certificate Trust List tab on the Web listener).
--
Nathan Bigman
ISA Server Product Team
Please do not send email directly to this alias. This alias is for newsgroup
purposes only.
This posting is provided "AS IS" with no warranties, and confers no rights.
"Bill" <bill.nospam@xxxxxxxxxx> wrote in message
news:u0j4CeX1GHA.4976@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
We have an internal web server (not running IIS) that we want to publish
to the Internet. We have ISA Server 2004 in our DMZ. The ISA Server is not
part of a domain. We have software assurance on the server and are
planning to upgrade to 2006.
We only want people on trusted computers to be able to connect to the
internal web server from outside. So, we would like to authenticate them
with client certificates.
I have been testing with ISA 2006. ISA 2006 has the advantage that it
allows us to only authenticate client certificates that we issue.
However, I can't seem to get it working. If I set authentication on the
SSL listener to SSL Client Certificate Authentication, the client is
prompted for the certificate and then gets the error: "Error Code: 401
Unauthorized. The server requires authorization to fulfill the request.
Access to the Web server is denied. Contact the server administrator.
(12209)"
If I set authentication to HTML Form Authentication with Authentication
Validation Method set to Windows (Active Directory) and require SSL Client
Certificate in Advanced Authentication Preferences, I get prompted for a
certificate, receive the login form and then get the error: Error Code:
403 Forbidden. Authentication failed. The client certificate used to
establish an SSL connection with the ISA Server computer does not match
the user credentials that you entered. (12253) On the plus side, a machine
without a certificate can't get to the login screen at all. The problem is
that a machine with a certificate can't get past the login screen. I
know the username and password I type are correct, because I get a
different error if I type an incorrect password.
If I set the Authentication Validation Method to LDAP (Active Directory) I
don't get prompted for a certificate. I can login using AD credentials
from both the PC with a certificate and the one without. Obviously,
this isn't what we want.
I have tried using an Enterprise CA within the domain and a standalone CA
that's not part of the domain.
So, does anyone know how I can publish a web server and configure ISA to
require a client certificate?
Regards,
Bill