• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Discussion about article Configuring ISA Firewalls (ISA 2006 RC) to Support User Certificate Auth

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 General ] >> Exchange Publishing >> Discussion about article Configuring ISA Firewalls (ISA 2006 RC) to Support User Certificate Auth Page: [1] 2   next >   >>
Login
Message << Older Topic   Newer Topic >>
Discussion about article Configuring ISA Firewalls (ISA... - 11.Jul.2006 8:59:20 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the article on Configuring ISA Firewalls (ISA 2006 RC) to Support User Certificate Authentication using Constrained Delegation (Part 1) at http://www.isaserver.org/tutorials/Configuring-ISA-Firewalls-ISA-2006-RC-Support-User-Certificate-Authentication-using-Constrained-Delegation-Part1.html

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Post #: 1
RE: Discussion about article Configuring ISA Firewalls ... - 18.Jul.2006 6:36:00 PM   
davedowson2

 

Posts: 2
Joined: 15.May2006
Status: offline
Hi Tom,

I must say, this is a great article - I knew that constrained delegation was a part of 2006 - and the article shows exactly how to use it.

I have a question regarding one of the assumptions in part-1 of the article.... The domain must set at the Windows Server 2003 Functional Level

I have a large domain structure (120 domain controllers in 5 domains) and am in the process of upgrading all 2000 DCs to 2003 - but am not their yet ... 4 domains are 2000 mode and one is 2003 functional level (this 2003 domain has the front end servers in). However I want to take advantage of certs to prevent non-managed machines from attempting to connect to the front end servers.

Is there anything I can do to take advantage of "user-certificates" to lock out non-managed machines? i.e. how steadfast is the assumption of the domain been in 2003 functional? (I realise this may be an AD question and not ISA - Sorry!)

Thanks

Dave






(in reply to tshinder)
Post #: 2
RE: Discussion about article Configuring ISA Firewalls ... - 19.Jul.2006 10:42:15 AM   
denizyalcin

 

Posts: 122
Joined: 19.Jan.2005
From: Turkey
Status: offline
Hi Mr. Shinder,

The title has a typo : "Eack-end".

(in reply to davedowson2)
Post #: 3
RE: Discussion about article Configuring ISA Firewalls ... - 19.Jul.2006 4:36:59 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Deniz,

Thanks! Fixed.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to denizyalcin)
Post #: 4
RE: Discussion about article Configuring ISA Firewalls ... - 19.Jul.2006 5:31:31 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: davedowson2

Hi Tom,

I must say, this is a great article - I knew that constrained delegation was a part of 2006 - and the article shows exactly how to use it.

I have a question regarding one of the assumptions in part-1 of the article.... The domain must set at the Windows Server 2003 Functional Level

I have a large domain structure (120 domain controllers in 5 domains) and am in the process of upgrading all 2000 DCs to 2003 - but am not their yet ... 4 domains are 2000 mode and one is 2003 functional level (this 2003 domain has the front end servers in). However I want to take advantage of certs to prevent non-managed machines from attempting to connect to the front end servers.

Is there anything I can do to take advantage of "user-certificates" to lock out non-managed machines? i.e. how steadfast is the assumption of the domain been in 2003 functional? (I realise this may be an AD question and not ISA - Sorry!)

Thanks

Dave








Hi Dave,

Thanks for the kind words about the article!

Yes, you will need to use Windows 2003 functional level for KCD to work :*(

However, you will be able to use User Certificates to control what devices can connect. Read on to part 2 that was published this week to see how!

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to davedowson2)
Post #: 5
RE: Discussion about article Configuring ISA Firewalls ... - 21.Aug.2006 8:26:20 AM   
SGGHET

 

Posts: 6
Joined: 21.Aug.2006
Status: offline
Great article! It helped me alot bringing OWA to life with user certificates.
Now I still have a problem:
I set the configuration like you described it in Part II (Figures 23, 24 and 25).
ISA2006 asks me for the user certificate and then brings me to the HTML Form. I then enter my user credentials (domain\user) and my passwort.
After submitting the login page, it takes a long time when nothing happens and then I get the following error:

"Error Code: 500 Internal Server Error. The number of HTTP requests per minute exceeded the configured limit. Contact the server administrator. (12219)"

What could be wrong? All other configurations you described do work except this one which I need most.

I hope you can tell me what this error means and how i can avoid it.

Thx.
Tom
[SGGHET]

(in reply to tshinder)
Post #: 6
RE: Discussion about article Configuring ISA Firewalls ... - 21.Aug.2006 12:35:25 PM   
SGGHET

 

Posts: 6
Joined: 21.Aug.2006
Status: offline
OK this was a "Too many http requests per minute" issue. I have added my network to the exception list.
Now after I entered my user credentials the status in my browser stays at "Opening https://owa.m-s.ch/CookieAuth.dll?Logon" and nothing happens...

(in reply to SGGHET)
Post #: 7
RE: Discussion about article Configuring ISA Firewalls ... - 21.Aug.2006 4:24:06 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tom,

Are you using the FE/BE configuration as discussed in the article?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to SGGHET)
Post #: 8
RE: Discussion about article Configuring ISA Firewalls ... - 21.Aug.2006 4:32:19 PM   
SGGHET

 

Posts: 6
Joined: 21.Aug.2006
Status: offline
Yep. It's the exact configuration as you described it.
Everything works fine except the HTML Form Authentication. It does not matter if with or without user certificates.
The funny thing is: When I enter wrong user credentials or a false password, It recognises it and gives me the login form again with the error message.
But if I enter the correct credentials with the correct password it looks like it loops through the logon process. I get masses of https login events in the monitor window.

(in reply to tshinder)
Post #: 9
RE: Discussion about article Configuring ISA Firewalls ... - 21.Aug.2006 4:35:23 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tom,

It could be that the BE Exchange Server isn't configured correctly, or maybe the Kerberos delegations weren't set up right? There a hundreds of moving parts here and a single error will whack it.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to SGGHET)
Post #: 10
RE: Discussion about article Configuring ISA Firewalls ... - 22.Aug.2006 1:42:58 PM   
SGGHET

 

Posts: 6
Joined: 21.Aug.2006
Status: offline
I have checked the Delegation from ISA2006 -> FE -> BE. It looks OK.
What are the requirements on the FE or BE so that the HTML Authentication Form works?

Do I have to configure the IIS of the FE (and BE) in a different way? -> Authentication?

Any help is appreciated.

Tom

(in reply to tshinder)
Post #: 11
RE: Discussion about article Configuring ISA Firewalls ... - 23.Aug.2006 4:25:33 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tom,

I did have to change the authentication support on the FE and BE Exchange Servers, so as to support Integrated authentication. I think I mentioned that in the article, since I had to point out that this isn't official supported by the Exchange product group (yet).

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to SGGHET)
Post #: 12
RE: Discussion about article Configuring ISA Firewalls ... - 23.Aug.2006 8:58:15 AM   
SGGHET

 

Posts: 6
Joined: 21.Aug.2006
Status: offline
Tom

I have change the "Document Security" in the IIS on the FE and BE to support integrated security.
It's funny that if I enter the wrong user credentials in the HTML Form, an error appears immediately. But if I enter the correct credentials it stays at loading...
I also already checked ISA Monitor. Maybe I should check the whole network traffic between the ISA, FE and BE and have a look what is going on during this hanging after logon.

Tom

(in reply to tshinder)
Post #: 13
RE: Discussion about article Configuring ISA Firewalls ... - 23.Aug.2006 10:32:38 AM   
kks

 

Posts: 5
Joined: 23.Aug.2006
Status: offline
Hello Tom,

You state that "With KCD, you donít have to bind that [user] certificate to the user account."

I'm still a bit puzzled about which component in this scenario actually makes the mapping from certificate to user account?

I realize that with KCD you eliminate the need for re-authenticating at the Exchange server, but how does it simplify the initial process of authenticating the user at the ISA firewall?

I've been trying to set up OWA with user certificates (currently running Exchange with back-end servers only), but without proper name mappings in AD users are unable to authenticate (with or without KCD).

Regards,
Krisse

(in reply to SGGHET)
Post #: 14
RE: Discussion about article Configuring ISA Firewalls ... - 23.Aug.2006 2:48:43 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: SGGHET

Tom

I have change the "Document Security" in the IIS on the FE and BE to support integrated security.
It's funny that if I enter the wrong user credentials in the HTML Form, an error appears immediately. But if I enter the correct credentials it stays at loading...
I also already checked ISA Monitor. Maybe I should check the whole network traffic between the ISA, FE and BE and have a look what is going on during this hanging after logon.

Tom


Hi Tom,

When I was troubleshooting the design (you don't think I get these to work the first time, do you? I often takes me 10+ tries to get some of these things to work, and then I have to got back and do all the steps again and record my actions!) I found the Event Viewer logs were very helpful on the ISA firewall, and the FE and the BE Exchange Servers.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to SGGHET)
Post #: 15
RE: Discussion about article Configuring ISA Firewalls ... - 23.Aug.2006 2:50:15 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: kks

Hello Tom,

You state that "With KCD, you don't have to bind that [user] certificate to the user account."

I'm still a bit puzzled about which component in this scenario actually makes the mapping from certificate to user account?

I realize that with KCD you eliminate the need for re-authenticating at the Exchange server, but how does it simplify the initial process of authenticating the user at the ISA firewall?

I've been trying to set up OWA with user certificates (currently running Exchange with back-end servers only), but without proper name mappings in AD users are unable to authenticate (with or without KCD).

Regards,
Krisse



Hi Krisse,

That's the beauty of KCD -- you don't need to perform the user certificate mapping you had to do with ISA 2004 (which didn't support KCD).

The key is that the servers are trusted for delegation.

HTH,
Tom 

_____________________________

Thomas W Shinder, M.D.

(in reply to kks)
Post #: 16
RE: Discussion about article Configuring ISA Firewalls ... - 23.Aug.2006 3:06:41 PM   
SGGHET

 

Posts: 6
Joined: 21.Aug.2006
Status: offline
quote:

ORIGINAL: tshinder

quote:

ORIGINAL: kks

Hello Tom,

You state that "With KCD, you don't have to bind that [user] certificate to the user account."

I'm still a bit puzzled about which component in this scenario actually makes the mapping from certificate to user account?

I realize that with KCD you eliminate the need for re-authenticating at the Exchange server, but how does it simplify the initial process of authenticating the user at the ISA firewall?

I've been trying to set up OWA with user certificates (currently running Exchange with back-end servers only), but without proper name mappings in AD users are unable to authenticate (with or without KCD).

Regards,
Krisse



Hi Krisse,

That's the beauty of KCD -- you don't need to perform the user certificate mapping you had to do with ISA 2004 (which didn't support KCD).

The key is that the servers are trusted for delegation.

HTH,
Tom 


Could you please tell me what you both talking about? Do you mean the function where ISA2006 compares the user in the certificate and the user entered in the HTML Authentication form?
You mean the function in the policy rule under the tab "Traffic" -> "Require SSL client certificates", right?
In the listener, under "authentication" there is an authentication method "SSL Client Certificate Authentication" and under "Advanced" there is also an option "Require SLL client certificates".
I am getting more and more confused. 
What is the difference between these three options?

At the moment, I have activated "SSL Client Certificate Authentication" as the authentication method with KCD. When a user connects, he first has to select his certificate (CA is restricted) and then the OWA logon form appears.


Is it possible to directly logon to OWA only with the certificate?

Thank you very much for taking the time to answer my questions.
Tom

(in reply to tshinder)
Post #: 17
RE: Discussion about article Configuring ISA Firewalls ... - 23.Aug.2006 3:20:36 PM   
kks

 

Posts: 5
Joined: 23.Aug.2006
Status: offline
Hello Tom,

Thanks for replying.

However, I still don't understand how the ISA firewall can forward credentials if it doesn't somehow authenticate the user itself first.

At present, if I don't explicitly map the user certificate to its corresponding account in AD,the ISA firewall is unable to validate any requests made using that certificate and defaults to anonymous access (which is correctly denied as unauthenticated). I don't see how KCD can simplify the process of mapping certificates to accounts.

What am I missing here?

Regards,
Krisse

(in reply to tshinder)
Post #: 18
RE: Discussion about article Configuring ISA Firewalls ... - 23.Aug.2006 3:27:26 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Krisse,

The ISA firewall DOES authenticate the user.

http://www.microsoft.com/technet/prodtechnol/isa/2006/authentication.mspx

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to kks)
Post #: 19
RE: Discussion about article Configuring ISA Firewalls ... - 23.Aug.2006 3:36:22 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: SGGHET

quote:

ORIGINAL: tshinder

quote:

ORIGINAL: kks

Hello Tom,

You state that "With KCD, you don't have to bind that [user] certificate to the user account."

I'm still a bit puzzled about which component in this scenario actually makes the mapping from certificate to user account?

I realize that with KCD you eliminate the need for re-authenticating at the Exchange server, but how does it simplify the initial process of authenticating the user at the ISA firewall?

I've been trying to set up OWA with user certificates (currently running Exchange with back-end servers only), but without proper name mappings in AD users are unable to authenticate (with or without KCD).

Regards,
Krisse



Hi Krisse,

That's the beauty of KCD -- you don't need to perform the user certificate mapping you had to do with ISA 2004 (which didn't support KCD).

The key is that the servers are trusted for delegation.

HTH,
Tom 


Could you please tell me what you both talking about? Do you mean the function where ISA2006 compares the user in the certificate and the user entered in the HTML Authentication form?
You mean the function in the policy rule under the tab "Traffic" -> "Require SSL client certificates", right?
In the listener, under "authentication" there is an authentication method "SSL Client Certificate Authentication" and under "Advanced" there is also an option "Require SLL client certificates".
I am getting more and more confused. 
What is the difference between these three options?

At the moment, I have activated "SSL Client Certificate Authentication" as the authentication method with KCD. When a user connects, he first has to select his certificate (CA is restricted) and then the OWA logon form appears.


Is it possible to directly logon to OWA only with the certificate?

Thank you very much for taking the time to answer my questions.
Tom


Hi Tom,

The user certificate is used to authenticate with the ISA firewall. The OWA form shouldn't appear. However, you can require a user certificate if you want along with FBA.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to SGGHET)
Post #: 20

Page:   [1] 2   next >   >> << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 General ] >> Exchange Publishing >> Discussion about article Configuring ISA Firewalls (ISA 2006 RC) to Support User Certificate Auth Page: [1] 2   next >   >>
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts