Client certificate authentication fails

Client certificate authentication fails - 31.Aug.2004 4:41:00 PM   
Howto

Posts: 17
Joined: 8.Nov.2001
When trying to connect to a site with SSL certificate authentication, I get the following error in Internet Explorer:

Error Code: 500 Internal server error. The certificate is revoked. (although the client cert is still valid)

In the application log on the ISA server I see the following message:

The client certificate was revoked due to an invalid or missing Certificate Revocation List (CRL). The CRL may have expired and ISA Server was unable to download a valid CRL. Verify that the CRL download system policy configuration group is enabled and that there is connectivity to the CRL Distribution Points (CDPs).

Setup:

Web listener on 10.10.10.1 (SSL cert authentication).
Web publishing rule info:
Name: Cert auth; Action: Allow; From: Anywhere; To: my.internalsite.net; Traffic: HTTPS; Listener: 10.10.10.1; Public name: my.publicname.net; Path: /*; Bridging: Redirect to SSL; Users: All users

I have 2 CDPs defined: an LDAP path and an HTTP path (to my.crl.net).

I can connect to the site with a user cert when switching off verification of client certs. I can also access the "my.crl.net" site when logged on to the ISA server.
Post #: 1
RE: Client certificate authentication fails - 1.Sep.2004 5:57:00 PM   
tshinder

Posts: 47663
Joined: 10.Jan.2001
From: Texas
Hi Howto,

I've seen this and it's a CA issue, not an ISA firewall issue. You might try restarting the CA server.

HTH,
Tom

(in reply to Howto)
Post #: 2
RE: Client certificate authentication fails - 2.Sep.2004 11:50:00 AM   
mdagoreau

Posts: 3
Joined: 26.Aug.2004
Hi Howto,

Check that your ISA server can access the CRL, which must be published on your CA via web. To check this, get the CRL link in the details panel of your server certificate, open IE on the ISA server and enter the URL.

If it doesn't work, check in your system policies if you authorized ISA to get CRLs. Check the name resolution too, since the URL published might be the private one.

Matthieu

(in reply to Howto)
Post #: 3
RE: Client certificate authentication fails - 2.Sep.2004 3:33:00 PM   
Howto

Posts: 17
Joined: 8.Nov.2001
Hi mdagoreau,

I can access the CRL from ISA server and in the system policy CRL checks have been enabled.

Note: I can use VPN EAP (which also uses cert authentication).

Tom,

Restarting the CA had no effect. Might it have something to do with the fact that the CRL is published on another server than the CA itself?

(in reply to Howto)
Post #: 4
RE: Client certificate authentication fails - 18.Oct.2004 7:54:00 AM   
tshinder

Posts: 47663
Joined: 10.Jan.2001
From: Texas
Hi Howto,

The ISA firewall will check based on the URL on the certificate. So as long as that URL is valid, that shouldn't be a problem.

HTH,
Tom

(in reply to Howto)
Post #: 5
RE: Client certificate authentication fails - 9.Nov.2004 2:58:00 PM   
Howto

Posts: 17
Joined: 8.Nov.2001
Hi Tom,

I've received a fix from Microsoft. Apparently there is a problem with wspsrv.exe:

If you don't have a CDP extension included in the ROOT certificate, this causes problems with the way ISA Server calls the CryptoAPI, leading to the "The certificate is revoked" error.

(in reply to Howto)
Post #: 6
RE: Client certificate authentication fails - 8.Dec.2004 5:02:00 PM   
RuiFiske

Posts: 92
Joined: 8.Dec.2004
From: London
I am having a very similar issue with an RSA Keon CA. Even if I put the certificates in the Trusted Root store of the ISA server (not good practice, but as a test), if checking the CRL is required then the certificate is rejected because the "CRL is invalid".

Did you ever resolve the issue, HowTo?

Are there extensions in Microsoft's CA certificates that are not present by default in other PKI CA certificates, that need to be added, such as the subjectKeyIdentifier?

Any advice would be much appreciated.

(in reply to Howto)
Post #: 7
RE: Client certificate authentication fails - 12.Jan.2005 2:50:00 PM   
RuiFiske

Posts: 92
Joined: 8.Dec.2004
From: London
I have managed to resolve this issue. As HowTo said, Microsoft (paradoxically) expects the Root CA's certificate to have a CDP. Once this has been done, then the entire certificate chain will be validated.

So it's all working fine with remote CRLs and CRL checking.

I now need to work out how to have strong authentication in an ISA chain, so there'll be another post soon!

(in reply to Howto)
Post #: 8
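A diagnostic that exercises the two checks the replies above describe (Matthieu's CRL reachability and name resolution from the ISA host, and the missing CDP extension on the root CA certificate that Howto and RuiFiske found to be the cause), as an added example that is not code from the thread, from Microsoft or from ISA Server. It assumes the client certificate is exported to C:\temp\clientcert.cer and that PowerShell is available on the host; ISA 2004 predates PowerShell, so this is a present-day check rather than one the posters ran.

```powershell
# Added diagnostic, not code from the thread. Assumes the client certificate has been
# exported to the path below (DER or Base64 .cer). Run it on the ISA host itself so that
# name resolution and CRL download happen from the firewall's own network position.
param([string]$CertPath = 'C:\temp\clientcert.cer')   # assumed path

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode      = 'Online'        # download CRLs, as ISA does
$chain.ChainPolicy.RevocationFlag      = 'EntireChain'
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15

$built = $chain.Build($cert)
"Chain builds with online revocation checking: $built"
foreach ($s in $chain.ChainStatus) { "  chain status: $($s.Status) - $($s.StatusInformation)" }

$rootWithoutCdp = $false
foreach ($el in $chain.ChainElements) {
    $c    = $el.Certificate
    $cdp  = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # CRL Distribution Points
    $text = if ($cdp) { $cdp.Format($false) } else { '' }
    $urls = [regex]::Matches($text, 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
    $self = ($c.Subject -eq $c.Issuer)
    if ($self -and -not $cdp) { $rootWithoutCdp = $true }

    [pscustomobject]@{
        Subject    = $c.Subject
        SelfSigned = $self
        HasCDP     = [bool]$cdp
        CDPs       = ($urls -join '; ')
        Status     = (($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', ')
    }

    # Matthieu's point: every CDP host must resolve from the ISA box, and to the right address
    foreach ($url in $urls) {
        $cdpHost = ([uri]$url).DnsSafeHost
        if (-not $cdpHost) { continue }             # ldap:/// CDPs carry no host name
        try   { "    $cdpHost -> $(([System.Net.Dns]::GetHostAddresses($cdpHost) | ForEach-Object { $_.IPAddressToString }) -join ', ')" }
        catch { "    $cdpHost does not resolve: $($_.Exception.Message)" }
    }
}

if ($rootWithoutCdp) {
    'WARNING: the self-signed root carries no CDP extension; the thread reports ISA 2004 rejecting client certs as revoked in exactly this case.'
}
```

The built-in `certutil -verify -urlfetch C:\temp\clientcert.cer` performs the same chain walk and CRL fetch and prints which URL fails, which is useful when the failing download is an LDAP CDP this script only lists.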
