Welcome to ISAserver.org
LDAP and SSL client certificate together
LDAP and SSL client certificate together - 6.May2008 5:30:37 AM
tijlhaghebaert
Posts: 9
Joined: 6.May2008
Hello, we are working on a web application (ASP.NET) for a company. In the network's domain there is a web server with IIS and a server with Active Directory. We have an ISA Server 2006 in the DMZ. Now we want to reach the web application with authentication. When we use LDAP only, it works perfectly: it checks the account in our internal Active Directory. Our purpose is to use a second device, and that's the Belgian eID card. These cards have certificates on them. So we chose form-based authentication via LDAP and marked the option "Require SSL client certificate". When we check this, the browser doesn't ask to choose a certificate and goes directly to the login form. When we use the account's user name and password, we can log on directly. When we choose Windows AD instead of LDAP, it does ask to choose a specific certificate. Does anyone know a solution for this problem? Or maybe another way to combine the two methods? We already tried to put client certificate authentication on IIS, but I think the ISA server can't pass the certificate to that web server. Hope to hear something soon.
_____________________________
Grtz Tyler
RE: LDAP and SSL client certificate together - 6.May2008 10:21:34 AM
IanC
Posts: 233
Joined: 11.Jul.2007
From: UK
I'm afraid two-factor authentication is not supported when ISA is in a workgroup. Ian
_____________________________
Ian Currie http://www.curriecomputing.com
RE: LDAP and SSL client certificate together - 7.May2008 2:08:54 AM
tijlhaghebaert
Posts: 9
Joined: 6.May2008
So what we are trying to do is impossible? Isn't it possible with client certificate authentication on IIS? Is there a way to pass the client certificates to the internal web server? Grtz
_____________________________
Grtz Tyler
RE: LDAP and SSL client certificate together - 7.May2008 6:36:34 AM
IanC
Posts: 233
Joined: 11.Jul.2007
From: UK
ISA can't pass certificates it receives from clients to the Web server. The standard way to handle this is to implement Kerberos Constrained Delegation. This enables ISA to accept a client certificate and then impersonate the client in order to authenticate (Windows integrated) to the Web server. However, the ISA server needs to use the Active Directory validation method (not LDAP), so it needs to be joined to your domain. Ian
_____________________________
Ian Currie http://www.curriecomputing.com
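The delegation Ian describes has an Active Directory side that the ISA console does not configure for you: the ISA computer account must be allowed to delegate to the published IIS host's SPN, and, because the user authenticated to ISA with a certificate rather than with Kerberos, it must also be allowed to use protocol transition (S4U2Self). The script below is an added example written for this thread, not code from ISA Server or from the posters. It assumes the ActiveDirectory PowerShell module (RSAT), a domain-joined ISA computer account named ISA01, and a published IIS host web01.domain.local whose application pool runs as Network Service, so the HTTP SPN belongs on the WEB01 computer account; all three names are hypothetical.

```powershell
# Added example (not from the thread). Assumed, hypothetical names:
#   ISA01              - ISA Server 2006 computer account, joined to the domain
#   WEB01 / web01.domain.local - internal IIS host published by ISA, app pool = Network Service
Import-Module ActiveDirectory

$isaAccount = 'ISA01'
$webAccount = 'WEB01'
$spn        = 'HTTP/web01.domain.local'

# 1. IIS must be reachable under a Kerberos SPN; without it ISA cannot obtain a
#    service ticket for the Web server and falls back to nothing useful.
setspn -A $spn $webAccount

# 2. Constrain ISA01 to that single SPN (msDS-AllowedToDelegateTo) and allow protocol
#    transition (TRUSTED_TO_AUTH_FOR_DELEGATION, "use any authentication protocol"):
#    the client proved its identity to ISA with a certificate/form, not a Kerberos
#    ticket, so ISA must be able to request a ticket on the user's behalf via S4U.
Set-ADComputer -Identity $isaAccount -Add @{'msDS-AllowedToDelegateTo' = $spn}
Get-ADComputer -Identity $isaAccount | Set-ADAccountControl -TrustedToAuthForDelegation $true

function Test-IsaDelegation {
    # What a reviewer should check afterwards: exactly the intended SPN(s), protocol
    # transition enabled, and *unconstrained* delegation (TRUSTED_FOR_DELEGATION) off.
    # Unconstrained delegation would let a compromised ISA impersonate users to any service.
    param([string]$ComputerName, [string[]]$ExpectedSpn)
    $c   = Get-ADComputer -Identity $ComputerName -Properties 'msDS-AllowedToDelegateTo', userAccountControl
    $uac = [int]$c.userAccountControl
    $allowed = @($c.'msDS-AllowedToDelegateTo')
    [pscustomobject]@{
        Computer            = $c.Name
        AllowedToDelegateTo = $allowed
        OnlyExpectedSpns    = -not (Compare-Object $allowed $ExpectedSpn)
        ProtocolTransition  = ($uac -band 0x1000000) -ne 0   # TRUSTED_TO_AUTH_FOR_DELEGATION
        Unconstrained       = ($uac -band 0x80000) -ne 0     # TRUSTED_FOR_DELEGATION, must be $false
    }
}

Test-IsaDelegation -ComputerName $isaAccount -ExpectedSpn $spn
```

On the ISA side this pairs with the publishing rule's Authentication Delegation tab set to Kerberos constrained delegation with the same SPN, and a listener that validates against Windows (Active Directory). Keeping the computer account constrained to one SPN is the least-privilege property that makes this design acceptable in a DMZ: even with full control of the ISA box, an attacker can only obtain tickets for the published Web server.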
RE: LDAP and SSL client certificate together - 7.May2008 9:12:17 AM
tijlhaghebaert
Posts: 9
Joined: 6.May2008
Thanks for your info, Ian. We did put the ISA server in our domain. Now everything works fine, but that brings us to the next question. The website is an ASP.NET page. Now we have to do a query in a database. This isn't the problem, but we've got to check on the login name. So we have to get the username that was used to authenticate on ISA. Grtz, Tyler
_____________________________
Grtz Tyler
RE: LDAP and SSL client certificate together - 7.May2008 9:40:03 AM
IanC
Posts: 233
Joined: 11.Jul.2007
From: UK
Grtz, If the user was able to authenticate with IIS as integrated, would your app work? Ian
_____________________________
Ian Currie http://www.curriecomputing.com
RE: LDAP and SSL client certificate together - 7.May2008 9:56:21 AM
tijlhaghebaert
Posts: 9
Joined: 6.May2008
Hmm, I don't know what you mean, but I'll give an explanation of my setup: 3 Windows 2003 servers in 1 domain. They each have a different function:
- ISA Server 2006
- Active Directory
- IIS 6.0 with web application
So when a user goes to a specific link he has to authenticate himself on the ISA. First of all a client certificate is asked for. We used the eID card to do this. Then it asks for a username and password. ISA checks this in the Active Directory. The client certificate is mapped to the user account in the Active Directory. After the authentication we have to go to the website on IIS. We want to personalize this page, so we have to know which user is logged on. We also have a database with the user info and his rights etc. So we just want to know who has logged on. Hope this is a bit clear. Thx, Tyler
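The mapping of the card's certificate to the AD account that Tyler mentions is an altSecurityIdentities value of the form X509:&lt;I&gt;issuer-DN&lt;S&gt;subject-DN. The one detail that silently breaks it is DN order: Windows and .NET display a DN most-specific first (CN=..., O=..., C=BE), while AD expects the mapping in LDAP order, root first, with no spaces after the commas. The script below is an added example written for this thread, not code from the posters or from Microsoft. It assumes the ActiveDirectory module and a hypothetical user account named tyler; the DNs are constructed and deliberately contain a quoted comma to show why a naive split on "," is not enough.

```powershell
# Added example (not from the thread). Builds the altSecurityIdentities mapping for a
# client certificate and attaches it to an AD user. User name and DNs are constructed.
Import-Module ActiveDirectory

function Split-Rdn {
    # Split a DN string into its RDN components, honouring quoted values (O="Foo, Inc.")
    # and backslash escapes, which a plain -split ',' would cut in the wrong place.
    param([string]$Dn)
    $parts = New-Object System.Collections.Generic.List[string]
    $sb = New-Object System.Text.StringBuilder
    $inQuotes = $false
    for ($i = 0; $i -lt $Dn.Length; $i++) {
        $c = $Dn[$i]
        if ($c -eq '\' -and $i + 1 -lt $Dn.Length) {   # keep escape and escaped char as-is
            [void]$sb.Append($c).Append($Dn[++$i]); continue
        }
        if ($c -eq '"') { $inQuotes = -not $inQuotes }
        if ($c -eq ',' -and -not $inQuotes) {
            $parts.Add($sb.ToString().Trim()); [void]$sb.Clear(); continue
        }
        [void]$sb.Append($c)
    }
    if ($sb.Length -gt 0) { $parts.Add($sb.ToString().Trim()) }
    return ,$parts.ToArray()
}

function ConvertTo-LdapOrder {
    # Display order (CN first) -> LDAP order (root first), joined without spaces,
    # which is the form AD compares against the presented certificate.
    param([string]$DisplayOrderDn)
    $rdns = @(Split-Rdn $DisplayOrderDn)
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

function New-AltSecurityIdentity {
    param([string]$IssuerDn, [string]$SubjectDn)
    return 'X509:<I>{0}<S>{1}' -f (ConvertTo-LdapOrder $IssuerDn), (ConvertTo-LdapOrder $SubjectDn)
}

# With a certificate exported from the card you would take $cert.Issuer and $cert.Subject
# from a System.Security.Cryptography.X509Certificates.X509Certificate2 object; here the
# DNs are constructed so the script runs without a card reader.
$mapping = New-AltSecurityIdentity `
    -IssuerDn  'CN=Example Citizen CA, O="Example, Inc.", C=BE' `
    -SubjectDn 'CN=Tyler Example, O=Example, C=BE'

# altSecurityIdentities is multi-valued; -Add appends rather than overwriting other mappings.
Set-ADUser -Identity tyler -Add @{altSecurityIdentities = $mapping}

# Verify what AD now holds for the account.
(Get-ADUser -Identity tyler -Properties altSecurityIdentities).altSecurityIdentities
```

Two things to check when the mapping is in place but ISA still rejects the card: the issuer CA chain must be trusted on the ISA server itself (that is where the TLS handshake and the certificate-to-account lookup happen), and the issuer and subject strings must match the certificate byte for byte after reordering, so compare the stored value against the output of the function above rather than retyping it.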
RE: LDAP and SSL client certificate together - 7.May2008 12:14:16 PM
IanC
Posts: 233
Joined: 11.Jul.2007
From: UK
Yes, that does help, thanks. Because you are using forms as well as certificates, you don't need to bother with KCD. Simply configure your Web site to require authentication and set the appropriate delegation method on the Authentication Delegation tab for the publishing rule. Ian
_____________________________
Ian Currie http://www.curriecomputing.com