Welcome to ISAserver.org


OWA mapping client certificates

OWA mapping client certificates - 19.Jul.2006 11:46:11 PM   
keithupson
Worked great yesterday (and the day before that, and the day before that...), under SBS 2003 Standard.
 
So naturally, we upgraded to SBS Premium, and ISA 2004.  ;)
 
I'm "this" close to getting my head wrapped around the issue, thanks to this site, and I apologize for having to ask.
 
Dual homed server, only OWA is published to the outside world.  Client certificates are required, and are mapped to user accounts.
 
Now when outside users use the same url that worked yesterday, they get "The page requires a client certificate" error.
 
ISA 2004 was set up via CEICW and the ISA defaults were kept for the OWA publishing rule that was created.
 
Inside, locally, OWA still works (and still prompts for a personal certificate to use), but externally (where it is needed) there is never even a prompt for the personal cert - it just goes straight to "The page requires a client certificate."
 
I'm sorry, I know I should provide more details, but I'm a little groggy so I must be leaving things out that you'll need to help.  Or to openly mock me.  :-D
 
Mmmmm... sleep...
 
Thanks,
Keith
RE: OWA mapping client certificates - 22.Jul.2006 4:35:47 AM   
garconer
Keith,

You need to provide us with more information.

- DNS
- IIS
- Network Topology.

Tks

Garcone

(in reply to keithupson)
RE: OWA mapping client certificates - 22.Jul.2006 5:33:19 PM   
keithupson
Thank you, Garcone -

The SBS2003 box is 'all in one' - the cable modem connects directly to NIC1 (External), NIC2 (Internal) connects to an 8 port switch into which our four workstation computers connect.

SBS handles DHCP and DNS for the four internal workstations. IIS 6 has the standard SBS sites, default and sharepoint and the configuration sites, all of which work fine.

Only OWA has been made deliberately accessible to the outside world, using CEICW, with client certificates required and mapped to user accounts. Under SBS2003 standard, this worked just as expected.

Since installing SBS Premium, specifically ISA 2004 using its default settings via CEICW for publishing OWA to remote clients, OWA is not available to remote clients. Instead, only the error "The page requires a client certificate" appears.

OWA is still accessible internally, and asks for a personal certificate just like it always did, and just like intended. Which makes sense, since internal machines don't go through the ISA 2004 OWA publishing rule (right?). It seems to me, then, that something about the OWA publishing rule in ISA 2004 is not configured correctly. I have been through the publishing rule and the listener probably 1,000 times, and have exhausted my capacity to figure out what to do differently.

When I change “require client certificate” to “accept client certificate” and disable “map to user account” in the directory security properties of IIS for /exchange, the remote client can connect to OWA as expected.

The objective is to be able to map the client certificates to user accounts with ISA 2004 installed, just like we did pre-ISA 2004.

Thank you for your time,
Keith

(in reply to garconer)
RE: OWA mapping client certificates - 23.Jul.2006 9:59:47 PM   
garconer
Let's try to get it working over HTTP only. If it works, then I will guide you through all the steps to get it working over HTTPS.

1. Disable HTTP Form Authentication on Exchange System Manager (ESM -> Protocols -> HTTP)
2. Disable SSL on IIS (Default Web Site, Exchange and ExchWeb)
3. Create a new web publishing rule to publish OWA via HTTP only.
4. From outside, try to get connected to OWA using HTTP:// and the published FQDN
5. From inside, try to get connected to OWA using HTTP://<servername>/exchange

Tell me what works.

Garcone

- Have you enabled the HTTPS port on your OWA Listener? If n

(in reply to keithupson)
RE: OWA mapping client certificates - 23.Jul.2006 11:27:54 PM   
keithupson
Thank you, Garcone, but it currently works using https. It only stops working when I require client certificates in the directory security properties of IIS for /exchange, and map them to user accounts.

(in reply to garconer)
RE: OWA mapping client certificates - 25.Jul.2006 1:21:17 AM   
Jim Harrison
You can't use client cert auth on web sites that are accessed via web publishing rules; period.
Check the ISA logs to see what ISA thinks of your attempts to access this site.

_____________________________

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG

(in reply to keithupson)
RE: OWA mapping client certificates - 25.Jul.2006 1:34:30 AM   
keithupson
quote:

ORIGINAL: Jim Harrison

You can't use client cert auth on web sites that are accessed via web publishing rules; period.


Thanks, Jim!

Keith

(in reply to Jim Harrison)
RE: OWA mapping client certificates - 25.Jul.2006 2:08:15 AM   
tshinder
quote:

ORIGINAL: Jim Harrison

You can't use client cert auth on web sites that are accessed via web publishing rules; period.
Check the ISA logs to see what ISA thinks of your attempts to access this site.


Sure you can. That's why the ISA firewall's Web Publishing Rule allows you to configure it to provide a User Certificate to the published Web site!

Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to Jim Harrison)
RE: OWA mapping client certificates - 25.Jul.2006 2:19:28 AM   
keithupson
Hey, thanks Dr. S - now I'm REALLY confused.

I've tweaked the publishing rule to require 128 bit encryption, the listener
authenticates via certificate, and port 80 is deselected.

We also changed “require client certificate” to “accept client certificate”
and left “map to user account” selected in the directory security properties
of IIS for /exchange. Remote clients can again connect to OWA as expected:
they are prompted for a user certificate to use, then they do so and are then
forwarded to the FBA logon page for OWA and are able to log on.

So: since the ISA publishing rule requires SSL, the listener authenticates
via certificate, and this works with client cert mapping enabled in IIS so
long as client certs are set to "accept" instead of "require" in IIS, is all of
this by design? Has ISA 2004 taken over the role of requiring the client
certificate for IIS, and once provided, passes the user on to IIS?

Or is there a way to still require client certificates in the Directory
Security tab in IIS for "/exchange" with ISA's publishing rule?

Or should I just go quietly?

Thank you,
Keith

(in reply to tshinder)
RE: OWA mapping client certificates - 25.Jul.2006 2:36:50 AM   
Jim Harrison

..now, Tom - you're just going to confuse the poor boy.
Yes, you can configure the web publishing rule to offer up a client auth cert to the web site, but it will have nothing whatsoever to do with the client cert offered to the ISA by the external client...

Poor Keith - he didn't see Tom's "winky", but then maybe he's not "that way"...


_____________________________

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG

(in reply to tshinder)
RE: OWA mapping client certificates - 25.Jul.2006 2:55:09 AM   
keithupson
I saw it, that's why I added the

Spot on about the confused, though - no way to hide that!

(in reply to Jim Harrison)
RE: OWA mapping client certificates - 26.Jul.2006 4:09:03 PM   
tshinder
Hi Keith,

LOL!

As Jim said, you can't have the ISA firewall pass the User Certificate to the back-end Web site. However, you can enable User Certificate authentication on the Web listener. Of course, you'll need to reauth with the Web site UNLESS you're using ISA 2006, which does Kerberos Constrained Delegation!

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to keithupson)
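As an added illustration (not code from this thread, nor from ISA or IIS), a small Python model of the two TLS sessions Jim and Tom describe: the external user's certificate terminates at the ISA Web listener, and the only client certificate IIS can ever see is one configured on the publishing rule itself. All certificate subjects and outcomes are constructed for the model.

```python
# Added illustration, not code from the thread or from ISA/IIS: a model of the
# two TLS sessions that exist when ISA publishes OWA. All names are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class BackendHop:
    """The TLS session ISA opens to IIS. The only client certificate that can
    appear on it is one configured on the publishing rule itself."""
    client_cert_subject: Optional[str]

def web_listener(user_cert: Optional[str], require_user_cert: bool) -> bool:
    """ISA Web listener: the external user's certificate terminates here.
    Returns True if the listener lets the request through."""
    return user_cert is not None or not require_user_cert

def iis_exchange(hop: BackendHop, cert_mode: str, map_to_account: bool) -> str:
    """Directory Security on /exchange: cert_mode is 'require' or 'accept'."""
    if cert_mode == "require" and hop.client_cert_subject is None:
        return "403.7 The page requires a client certificate"
    if hop.client_cert_subject is not None and map_to_account:
        # Whatever account this certificate is mapped to is who IIS logs on.
        return f"mapped to account of {hop.client_cert_subject}"
    return "FBA logon page"  # user re-authenticates with a password

def publish_owa(user_cert: Optional[str], listener_requires_cert: bool,
                rule_cert: Optional[str], iis_cert_mode: str,
                map_to_account: bool) -> Tuple[str, str]:
    """Return (stage that decided, outcome) for one external request."""
    if not web_listener(user_cert, listener_requires_cert):
        return ("listener", "rejected: no user certificate presented")
    # The user's certificate is NOT carried onto the second hop.
    return ("iis", iis_exchange(BackendHop(rule_cert), iis_cert_mode, map_to_account))

if __name__ == "__main__":
    # Keith's broken state: CEICW defaults on ISA, IIS set to require + map.
    print(publish_owa("CN=keith", False, None, "require", True))
    # His working state: listener authenticates the cert, IIS only accepts it.
    print(publish_owa("CN=keith", True, None, "accept", True))
    # Jim's point: a rule certificate plus mapping makes IIS map ISA's identity.
    print(publish_owa("CN=keith", True, "CN=isa-rule-cert", "require", True))
```

The third case is the one to watch: once IIS no longer sees the user's certificate, the listener becomes the enforcement point, and mapping a rule certificate would log every proxied request on as whichever account that one certificate is mapped to.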
RE: OWA mapping client certificates - 26.Jul.2006 4:20:16 PM   
keithupson
Thank you, very much!

Don't you think that "Kerberos Constrained Delegation" would be a great name for a rock band? KCD for short. I call dibs. :D

Keith

(in reply to tshinder)