Client authentication via SSL certificate
Client authentication via SSL certificate - 23.Nov.2005 10:30:38 PM
DaveG
Posts: 19
Joined: 23.Nov.2005
From: NH/USA
Status: offline

Hi,

First of all, is this even possible???

What I'm trying to achieve: I would like to be able to authenticate the users at the ISA gateway, before they can even reach the secured web site.

I used the Secure Web Publishing wizard to publish an internal IIS (6.0) web site. Using SSL-to-SSL bridging, I have imported the web server certificate on the ISA listener. I have set up an internal standalone Certification Authority and imported the root CA certificate on both the IIS and the ISA.

I would like to use that same PKI to issue SSL certificates to the external users. I would like to allow only users that have received a certificate from this internal CA to connect to the ISA, then to the web site. I also need this to be transparent to the users once they have installed their client certificate.

I have checked the box for SSL certificate in the Authentication methods of the listener but, if I force all users to authenticate, no one can connect, and obviously if I don't force all users to authenticate, everyone can connect, even those without any certificates.

Is this technically feasible with ISA 2004 (on W2k3SP1), and if so, any help/directions to achieve this would be helpful. (I'm a newb with ISA, IIS & PKI) but I'm a fast learner ;-) at least I hope.

Any help would be appreciated. Thanks in advance.

Dave.

RE: Client authentication via SSL certificate - 23.Nov.2005 11:01:18 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Dave,

you can use client certificates (or smartcards) to authenticate against the ISA Web Listener. However, in this case ISA can *not* forward the credentials to the internal web server because ISA has no access to the private key of the client certificate. Therefore, either a second authentication process should be started by the internal web server to authenticate the individual user, or ISA itself can authenticate as a client with a client certificate to the internal web server. It should be obvious that in the latter case all external users will be known as the user assigned to the ISA itself.

HTH,
Stefaan

RE: Client authentication via SSL certificate - 23.Nov.2005 11:12:07 PM
DaveG
Posts: 19
Joined: 23.Nov.2005
From: NH/USA
Status: offline

Hi Spousele,

Thanks for the quick reply. I understand the ISA would not be able to pass the client certificates, but this would not be necessary if I can have them validated at the ISA instead of the IIS.

Could you provide me some direction on how to validate the client certificates on the ISA box? This is the part where I'm totally stuck. I would need to validate that the client has indeed received a certificate issued by my internal CA. I have no idea how this can be done and have not found any resources on the web discussing this specific topic.

Dave

RE: Client authentication via SSL certificate - 23.Nov.2005 11:36:49 PM
DaveG
Posts: 19
Joined: 23.Nov.2005
From: NH/USA
Status: offline
Thanks a lot, I've printed the article and will go over it this WE. HTH2 ;-) Dave.
RE: Client authentication via SSL certificate - 28.Nov.2005 6:12:14 AM
DaveG
Posts: 19
Joined: 23.Nov.2005
From: NH/USA
Status: offline

Hi,

Although I now managed to get the client prompted to use its certificate, it still gets an access denied from the ??? (ISA or IIS). Here's what the browser returns:

Error Code: 401 Unauthorized. The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. (12209)

Any idea what this means, where it comes from, and how to resolve it?

Thanks in advance.

Dave.

RE: Client authentication via SSL certificate - 17.Oct.2007 1:30:21 PM
iliko
Posts: 23
Joined: 23.May.2002
Status: offline

I am facing the same issue. My ISA is on the DMZ with no access to the internal CA. What should I do?
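
Added example, not written by any poster in this thread and not ISA Server configuration: the check asked about above (was this client certificate issued by my internal CA?) carried out with the OpenSSL command line. The CA names, user names and temporary paths are constructed test values.

```shell
#!/usr/bin/env bash
# Added example. Every name, subject and path here is a constructed test value.
set -eu
WORK=$(mktemp -d)

# Minimal OpenSSL config so the run does not depend on the system openssl.cnf.
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF

# make_ca NAME: create a self-signed root CA (NAME.key, NAME.pem) in $WORK.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/pki.cnf" \
    -extensions v3_ca -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_client CA CN: issue a client-auth certificate CN.pem signed by CA.
issue_client() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/pki.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -days 30 \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/pki.cnf" -extensions v3_client -out "$WORK/$2.pem" 2>/dev/null
}

# issued_by CA CN: succeed if CN.pem chains to CA.pem and permits client auth.
# Only the CA's public certificate is read here, never its private key.
issued_by() {
  openssl verify -CAfile "$WORK/$1.pem" -purpose sslclient "$WORK/$2.pem" >/dev/null 2>&1
}

make_ca internal-ca            # the CA the gateway trusts
make_ca other-ca               # an unrelated CA the gateway does not trust
issue_client internal-ca alice
issue_client other-ca outsider

for user in alice outsider; do
  if issued_by internal-ca "$user"; then echo "$user: accepted"
  else echo "$user: rejected"; fi
done
```

Chain validation of this kind needs only the CA's public certificate on the verifying host; checking revocation additionally requires that host to be able to fetch the CA's CRL.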