Clients blocked as "Anonymous"
Clients blocked as "Anonymous" - 6.Dec.2005 4:12:26 PM
DaveG
Posts: 19
Joined: 23.Nov.2005
From: NH/USA
Status: offline
Hello, Believe it or not, I'm still trying to have clients authenticate via SSL certificates. Unfortunately, I'm not very successful at it. Until now, all client connection attempts end up blocked as anonymous connection attempts. The client has been issued a certificate from an internal CA (stand-alone). I've used this same CA to issue a user certificate to the ISA Administrator account, added the client certificate to the Administrator personal store as well as the computer store and even the Firewall service store. None of these actions seem to help in the client authentication. I've configured the listener to require authentication for all users, and checked the box for SSL certificate authentication only. The client does get prompted to choose a certificate while trying to connect to the published secure site, but then it receives an error 401: Unauthorized. The ISA logs a denied connection to anonymous user. What am I missing here??? Any suggestions? Thanks in advance. Dave.
RE: Clients blocked as "Anonymous" - 6.Dec.2005 9:09:32 PM
DaveG
Posts: 19
Joined: 23.Nov.2005
From: NH/USA
Status: offline
Hi Stefaan, I already did use that very good article you referred me to before. Unfortunately, my production (thus test) environment is rather different from the case described in the article. In other words, my ISA (Std ed.) is a stand-alone server, as is my PKI setup. Because I must issue certificates to clients outside of my network, I did not want to add them in AD (good or bad?). If you tell me that this (AD + Enterprise CA) is the only way to achieve client certificate authentication, then that is a different story and I might be able to work toward that. But if it is feasible with a stand-alone setup, I'd rather do it like that to make the least changes to my production environment. Thanks for your help. Dave.
RE: Clients blocked as "Anonymous" - 6.Dec.2005 9:14:17 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Dave, I've just tried it on an OWA publishing rule: client cert to the OWA listener and basic auth to the OWA web server. It works out of the box, though I used an AD integrated CA. HTH, Stefaan
RE: Clients blocked as "Anonymous" - 7.Dec.2005 1:38:08 AM
DaveG
Posts: 19
Joined: 23.Nov.2005
From: NH/USA
Status: offline
I'm going to rebuild my lab environment and the ISA server from scratch and try once more. If that still doesn't work, I'll move the ISA to AD domain and try with an Enterprise CA. We'll see. Wish me luck ;-) Dave.
RE: Clients blocked as "Anonymous" - 7.Dec.2005 2:09:29 AM
tshinder
Posts: 47663
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Dave, You'll need to join the ISA firewall to the domain in order for this to work. There is no security issue here as long as you correctly configure the ISA firewall and don't allow connections to the Local Host Network from untrusted hosts. HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Clients blocked as "Anonymous" - 9.Feb.2006 3:41:05 AM
dragoonn
Posts: 5
Joined: 9.Feb.2006
Status: offline
Hello DaveG, Just wondering how you are getting on with the client authentication certificate, as I have struck the exact same problem: I have the standalone ISA using the server certificate, enabled SSL bridging (https -> http), and it works with other kinds of authentication methods (digest, basic etc). When I choose to use the client certificate on the client machine, the browser returns an unauthorised user message, and the ISA log shows the client as anonymous. In an OWA scenario the client certificate needs to be authenticated against a domain controller, but I too prefer using a standalone CA. Now how do I control the client authentication process? Do I need to install the client certificate on the ISA server somewhere? Any help will be much appreciated!!!
RE: Clients blocked as "Anonymous" - 16.Feb.2006 2:09:29 AM
DaveG
Posts: 19
Joined: 23.Nov.2005
From: NH/USA
Status: offline
Hi Dragoonn, In the end, after trying all possible scenarios, including adding a RADIUS server (useless in this case), I finally decided to go ahead and create a new separate domain for the ISA. It will be a member of a new domain, therefore there will be an additional DC, which will act as the CA at the same time. After enough testing, I'm confident that this will meet my needs. I do wish it were easier, but apparently it's not. So, that's my final solution. Good luck. Dave.