Welcome to ISAserver.org
Problems using Client Certificates through ISA proxy
Problems using Client Certificates through ISA proxy - 13.Oct.2006 5:44:43 AM
patos
Hi!

I'm trying to access a web portal using SSL and a client certificate. This normally works just fine, but when I'm using an ISA2004 as a proxy for the client, the authentication request where I must choose what certificate to use keeps popping up. After I once again choose my certificate, the page continues to load. If I then try to navigate within the site, the authentication pops up almost every time I click something.

I did some sniffing, and the ISA reports some SSL tunnel denied when these errors appear, but also some SSL tunnel allowed. (I guess that's why the authentication screen reappears.)

The web portal I'm trying to access is supposed to use certificates as a pre-authentication only (it's behind an ISA 2004 and published as a secure website), but the webpage itself does not require any client certificate.

As I said earlier, the problem only shows when behind an ISA 2004 proxy with my client. If I bypass it, everything works fine. Is there any setting to "keep-alive" the connection through the proxy, so I don't have to reauthenticate all the time? Is there an IE setting or something?

Regards
Patric
RE: Problems using Client Certificates through ISA proxy - 16.Oct.2006 5:32:51 PM
patos
Never mind, found out what the problem was.

The site was published with a DNS round robin host name (i.e. www.site.com pointed to two different IPs). Each IP pointed to an ISA2004 Std ed that published the site. The ISA servers each had a unique certificate, even though they had the same info in them (name, company and so on).

When trying to access directly from a client, the DNS cache of the client held on to a specific resolved IP, making a non-proxy client use the same ISA server for each request, not requiring more authentications. When accessing the site through a proxy, the proxy chose ISA server 1 for the first request, and then, when clicking anything, used the other ISA, just as defined by the DNS host record (round robin). This resulted in a re-authentication request each time towards the two different certificates.

In short, exporting a certificate and installing the same identical certificate on both ISA servers solved the problem. The client recognized the certificate and automatically authenticated towards the ISA servers.
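
A check for the condition described in the post above, as an added example that is not part of the original thread: resolve every address behind a round-robin name, fetch the server certificate from each one, and compare SHA-256 fingerprints. All function names are hypothetical, and the sample data uses documentation-range IPs with placeholder bytes standing in for DER certificates.

```python
import hashlib
import socket
import ssl
import sys
from collections import defaultdict


def resolve_all(hostname, port=443):
    """Return every IPv4 address the round-robin name resolves to."""
    infos = socket.getaddrinfo(hostname, port, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def fetch_der(ip, hostname, port=443, timeout=5.0):
    """Connect to one specific IP (SNI = hostname) and return its certificate as DER."""
    ctx = ssl.create_default_context()
    # Inspection only: we want the certificate bytes even if it would not validate.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert(binary_form=True)


def group_by_fingerprint(der_by_ip):
    """Map SHA-256 fingerprint -> list of IPs presenting that exact certificate."""
    groups = defaultdict(list)
    for ip, der in sorted(der_by_ip.items()):
        groups[hashlib.sha256(der).hexdigest()].append(ip)
    return dict(groups)


def mismatched(der_by_ip):
    """True when the servers behind one name present different certificates."""
    return len(group_by_fingerprint(der_by_ip)) > 1


# Constructed sample: two separately issued certificates with the same subject
# (the situation in the post), then one certificate installed on both servers.
SAMPLE_BEFORE = {"192.0.2.10": b"cert-issued-for-isa-1", "192.0.2.11": b"cert-issued-for-isa-2"}
SAMPLE_AFTER = {"192.0.2.10": b"cert-issued-for-isa-1", "192.0.2.11": b"cert-issued-for-isa-1"}

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else None
    data = {ip: fetch_der(ip, host) for ip in resolve_all(host)} if host else SAMPLE_BEFORE
    for fp, ips in group_by_fingerprint(data).items():
        print(fp[:16], ips)
    print("MISMATCH" if mismatched(data) else "consistent")
```

Run with a host name as the only argument to check a live name; with no argument it reports on the constructed sample.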