Welcome to ISAserver.org
Client Certificate Authentication with Symbian S60 3.0
Client Certificate Authentication with Symbian S60 3.0 - 22.Nov.2007 10:58:01 PM
BBooth
Hi all, long time reader, first time poster..

I'm currently setting up an ISA 2004 published OMA/active-sync solution for my company. I can get everything to work fine with standard FBA or Basic authentication, however being the security people that we are these days, I'm required to set up two-factor authentication. The option we've chosen, and currently the only likely one (if anyone can suggest another option please let me know!), is to first require a client certificate followed by basic authentication containing their username and password. The Client certificate authentication is handled via the ISA server and then the OWA server is requesting basic authentication.

Currently I've tested on a desktop machine running Windows XP and IE7, a Palm Treo, which runs Windows Mobile 5, and a Nokia 6120 Classic which runs Symbian S60 3rd edition. The desktop PC and the Palm Treo both work fine with the two factor authentication, but the Nokia fails when the certificate is requested. It attempts to access the page, and I can see it on the ISA log, but then it seems to time out with "Web: Unable to perform operation". I can disable the client certificate requirement and everything works fine on the Nokia.

I found a comment at a blog on a Nokia site that states that IIS 6 and Symbian S60 do not get along when certificate authentication is used until a setting in the IIS metabase is changed.

---Extract from site---
This was happening because IIS 5.1 and 6.0 as default starts with normal handshake and then they send "hello request" to start another handshake that includes asking client certificate. This is not supported by S60 3.0. But It is possible to configure IIS 6.0 so that it won't send hello request. This can be configured by adding the following link to Metabase.xml
SSLAlwaysNegocClientCert="TRUE"
----

What I'm wondering (as you'll see by my comment at the bottom of the linked page) is, is there a similar problem with ISA and the S60 browser? Is there a similar setting on ISA that I can "enable"? Or can anyone suggest more troubleshooting I could attempt? I realise there's an ISA2006 problem with a misspelled agent string relating to Symbian however I'm running ISA 2004.

Any help would be GREATLY appreciated as it's driving me insane... Oh, and suggesting we purchase all Palm Treos instead of the Nokias doesn't count

Regards,
Brendon
< Message edited by BBooth -- 22.Nov.2007 11:03:41 PM >
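The extract quoted in the post above distinguishes a server that asks for the client certificate in the first handshake from one that asks later through a second handshake. As an added example (not part of the original thread), this Python sketch reads the server's first plaintext TLS 1.2-or-earlier handshake flight, as taken from a packet capture, and reports which of the two it is. The function names and the sample flights are constructed for illustration, and the message bodies are placeholder zero bytes.

```python
# Added example: classify a server's first (plaintext) TLS <=1.2 handshake flight.
import struct

HANDSHAKE_RECORD = 22  # TLS record content type "handshake"
MSG_NAMES = {0: "hello_request", 2: "server_hello", 11: "certificate",
             12: "server_key_exchange", 13: "certificate_request",
             14: "server_hello_done"}

def handshake_types(stream: bytes) -> list:
    """Return the names of the handshake messages carried in a run of TLS records."""
    payload, pos = b"", 0
    while pos + 5 <= len(stream):
        rtype, _version, length = struct.unpack("!BHH", stream[pos:pos + 5])
        body = stream[pos + 5:pos + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record")
        if rtype == HANDSHAKE_RECORD:
            payload += body  # a handshake message may span several records
        pos += 5 + length
    names, pos = [], 0
    while pos + 4 <= len(payload):
        mlen = int.from_bytes(payload[pos + 1:pos + 4], "big")
        names.append(MSG_NAMES.get(payload[pos], f"type_{payload[pos]}"))
        pos += 4 + mlen
    return names

def client_cert_mode(first_flight: bytes) -> str:
    """Say whether the server asked for a client certificate up front."""
    names = handshake_types(first_flight)
    if "server_hello_done" not in names:
        return "incomplete"
    if "certificate_request" in names:
        return "requested-in-initial-handshake"
    # No CertificateRequest here: a later demand for a client certificate
    # needs a second handshake, which the server starts with HelloRequest.
    return "not-requested-initially"

def msg(mtype: int, body: bytes = b"\x00" * 8) -> bytes:
    """Build one handshake message with a placeholder body (constructed data)."""
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def record(payload: bytes) -> bytes:
    """Wrap a payload in a TLS 1.0 handshake record header (constructed data)."""
    return struct.pack("!BHH", HANDSHAKE_RECORD, 0x0301, len(payload)) + payload

# Constructed sample flights, not captured traffic.
RENEGOTIATING = record(msg(2) + msg(11)) + record(msg(14, b""))
UPFRONT = record(msg(2) + msg(11) + msg(13) + msg(14, b""))
```

A first flight that classifies as "not-requested-initially" on a listener that still requires client certificates matches the behaviour the extract says S60 3.0 does not support.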
RE: Client Certificate Authentication with Symbian S60 3.0 - 28.Nov.2007 7:07:20 PM
BBooth
Well I've FINALLY got things working to a satisfactory level. So I thought I'd post my findings so far in case anyone else experiences the same troubles.

So to start off, this problem ultimately belonged in the Nokia forums, but since I've started it here I might as well post my reply. The Nokia 6120 Classic is a nice phone, and for standard users this phone is great. But for anything tricky, such as using certificates for authentication, they seem to be lacking some functionality. I say this because we purchased a Nokia E51 to test with (in case it was just the 6120) and it worked really well basically straight away. The E and N series phones are slated as Business models so I can only assume that they have slightly different operation specs, despite being the same operating system version and feature pack. So it's a little bit of a shame we've already purchased a number of 6120s.

So, long story short, the problems I experienced with the 6120 were: Unable to browse a website published via ISA 2004 with certificate authentication required. I managed to get the phone to prompt me about which certificate to use (by selecting "Require All Users to Authenticate" on the listener), however after entering the key store password 3 times it just timed out. This key store password cannot be removed as far as I could see. If you have a private key for a certificate, the password needs to be set and used every time the certificate is used.

On the E51, there are more Certificate Stores. Namely the device certificate store, which allows a certificate to be installed and its private key. This does not require a key store password to be entered every time it's accessed, and since this setup is to be used for Active-sync, this is a good thing.

So ultimately I've had everything set up the way I've wanted for months now, it's just the damn 6120 isn't really compatible.

Anyway, thanks to all those who read this post. And if anyone else has similar issues... good luck! Feel free to post here and I'll come see if I can help out..

Cheers,
Brendon