Publishing Web Sites using Client Certificate Authentication
Publishing Web Sites using Client Certificate Authentic... - 29.Oct.2002 4:41:00 PM
tshinder
Posts: 47663
Joined: 10.Jan.2001
From: Texas
Status: offline
This topic is dedicated to the "Publishing Web Sites using Client Certificate Authentication" article.
Thanks! Tom [ October 29, 2002, 04:43 PM: Message edited by: tshinder ]
RE: Publishing Web Sites using Client Certificate Authe... - 12.Mar.2003 11:50:00 AM
sonia
Posts: 2
Joined: 12.Mar.2003
From: Madrid
Status: offline
Hi Thomas,
In this article, is ISA integrated in AD?
How must I select the authentication if ISA is installed in a workgroup?
Thanks in advance. Best regards, Sonia.
RE: Publishing Web Sites using Client Certificate Authe... - 12.Mar.2003 1:39:00 PM
tshinder
Posts: 47663
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Sonia,
AD is required for client certificate mapping.
HTH, Tom
RE: Publishing Web Sites using Client Certificate Authe... - 12.Mar.2003 5:25:00 PM
whisperedlies
Posts: 189
Joined: 7.Jun.2002
From: Ohio
Status: offline
Thomas,
It would seem one would be unable to map certificates unless the CA being used is an enterprise CA. Does this sound correct? If not, how would one map a certificate, when the CA services being used are not enterprise CAs?
Mike
RE: Publishing Web Sites using Client Certificate Authe... - 2.Jun.2003 2:27:00 AM
invinceble13
Posts: 56
Joined: 21.Aug.2001
Status: offline
Hi to all, just wondering if anyone got a true PKI solution to work, especially with smartcards. My scenario is we have an application that we want to publish and we want to secure it using PKI, so we need to do it using SSL. Well, I can't seem to get the server (ISA) to pass the certificate that the client has. Does anybody have their certificates running properly? If so, please message me.
Thanks!
RE: Publishing Web Sites using Client Certificate Authe... - 31.Jul.2003 8:48:00 PM
Barryh
Posts: 44
Joined: 20.Mar.2002
From: Kirkland, WA
Status: offline
Hi Tom, surprised there are not more posts on this topic!
I have this working but my question is about exporting personal certificates.
This works fine for laptop users who are able to request a certificate on our network, and then take their laptops on the road. But how do home PC users get a certificate? I tried exporting my personal cert so that I could copy it via diskette to my home PC. It would not allow me to export it with the private key, and when I imported it via IE, it does not show up, even though the import was "successful."
I would rather not publish our cert website to the Internet either. I must be missing something rather simple here, but have not yet figured it out.
Thanks, Barry [ July 31, 2003, 08:48 PM: Message edited by: Barryh ]
RE: Publishing Web Sites using Client Certificate Authe... - 6.Sep.2003 4:54:00 PM
Guest
Hi, I published OWA using a server certificate issued by an internal stand-alone Certification Authority. It's working fine. Then I followed the article "Publishing Web Sites using Client Certificate Authentication" to make my ISA server require a client certificate before establishing a connection. It's also working fine. The problem is how my company employees could manage to install the client certificate on their home machines. Is it safe to publish my internal CA web page on the Internet so they can request a certificate themselves? Is there a way I could generate a client certificate myself, export it to a floppy disk and install it on the client machine? Thanks
RE: Publishing Web Sites using Client Certificate Authe... - 6.Sep.2003 7:22:00 PM
tshinder
Posts: 47663
Joined: 10.Jan.2001
From: Texas
Status: offline
quote: Originally posted by Mike G.: Thomas,
It would seem one would be unable to map certificates unless the CA being used is an enterprise CA. Does this sound correct? If not, how would one map a certificate, when the CA services being used are not enterprise CAs?
Mike
Hi Mike,
I don't believe it makes a difference, since you just map the certificate to an account, but I can't say for sure. There are a lot of advantages to using an enterprise CA, so unless you have a compelling reason not to use an enterprise CA, I would use one.
HTH, Tom
RE: Publishing Web Sites using Client Certificate Authe... - 6.Sep.2003 7:24:00 PM
tshinder
Posts: 47663
Joined: 10.Jan.2001
From: Texas
Status: offline
quote: Originally posted by invinceble13: Hi to all, just wondering if anyone got a true PKI solution to work, especially with smartcards. My scenario is we have an application that we want to publish and we want to secure it using PKI, so we need to do it using SSL. Well, I can't seem to get the server (ISA) to pass the certificate that the client has. Does anybody have their certificates running properly? If so, please message me.
Thanks!
Hi Vince,
What's not "true" about client certificate authentication? We use it in a number of shops, and it works great!
HTH, Tom
RE: Publishing Web Sites using Client Certificate Authe... - 6.Sep.2003 7:26:00 PM
tshinder
Posts: 47663
Joined: 10.Jan.2001
From: Texas
Status: offline
quote: Originally posted by Barryh: Hi Tom, surprised there are not more posts on this topic!
I have this working but my question is about exporting personal certificates.
This works fine for laptop users who are able to request a certificate on our network, and then take their laptops on the road. But how do home PC users get a certificate? I tried exporting my personal cert so that I could copy it via diskette to my home PC. It would not allow me to export it with the private key, and when I imported it via IE, it does not show up, even though the import was "successful."
I would rather not publish our cert website to the Internet either. I must be missing something rather simple here, but have not yet figured it out.
Thanks, Barry
Hi Barry,
Remember that PKI is a *security* solution, not an *easy access* solution. Therefore, you need to have the machines with user certificates under your tight administrative control. Home machines filled with worms, viruses, trojans and keyloggers aren't in that category.
HTH, Tom
RE: Publishing Web Sites using Client Certificate Authe... - 6.Sep.2003 7:28:00 PM
tshinder
Posts: 47663
Joined: 10.Jan.2001
From: Texas
Status: offline
quote: Originally posted by <Marcos>: Hi, I published OWA using a server certificate issued by an internal stand-alone Certification Authority. It's working fine. Then I followed the article "Publishing Web Sites using Client Certificate Authentication" to make my ISA server require a client certificate before establishing a connection. It's also working fine. The problem is how my company employees could manage to install the client certificate on their home machines. Is it safe to publish my internal CA web page on the Internet so they can request a certificate themselves? Is there a way I could generate a client certificate myself, export it to a floppy disk and install it on the client machine? Thanks
Hi Marcos,
You should manage the client certificates tightly. You do not want to install them on machines that are not under your tight administrative control. You do not want to install a client certificate on a machine with viruses, trojans, worms and keyloggers on it. That defeats the point of a PKI security solution.
HTH, Tom
RE: Publishing Web Sites using Client Certificate Authe... - 8.Sep.2003 4:28:00 PM
Guest
Hi Tom,
Thanks for your reply. I have two questions:
1) I understand the point of maintaining security on the network. Suppose a client user with trojans or keyloggers on his machine installs a client certificate to access OWA. As I'm using many-to-one mapping, they are required to type their password after connecting. If someone captures his password with a keylogger, can this malicious intruder access OWA without having the client certificate?
2) How can I generate a client certificate myself, export it to a floppy disk and install it on the client machine? Thanks
RE: Publishing Web Sites using Client Certificate Authe... - 8.Sep.2003 7:42:00 PM
tshinder
Posts: 47663
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Marcos,
1. If the machine has a trojan, the remote attacker can steal the certificate and the user credentials. Very easy to do if you allow users to request their own certificates.
2. The user needs to log in from a machine UNDER YOUR ADMINISTRATIVE CONTROL such as a laptop that belongs to the domain, is controlled by domain policy, and has the corporate-approved AV, spyware and other security software installed.
However, if you're using a many to one mapping, all users are using the same certificate to access the site. In that case, just export the user certificate and then import it into the user's certificate store.
HTH, Tom
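Added here as an illustration, not code from the thread or from the article it discusses: a small Python model of the two checks Tom describes, the ISA firewall accepting and mapping the client certificate, then the published server asking for username and password. It shows why a stolen password alone is refused but a stolen certificate plus password is not, and how one-to-one and many-to-one mapping differ. The dict-based certificates, CA and account names, and the one-to-one "login must match the mapped account" check are assumptions of the model.

```python
# Model of the two-stage check from the thread (constructed sample data,
# not real X.509; the CA name, accounts and passwords are made up).
TRUSTED_ISSUERS = {"CN=Corp Internal CA"}   # assumed internal CA

# One-to-one mapping: each certificate subject is tied to its own account.
ONE_TO_ONE = {"CN=marcos": "CORP\\marcos", "CN=barry": "CORP\\barry"}
# Many-to-one mapping: every cert from the trusted CA lands on one account,
# so the certificate proves membership, not which user is connecting.
MANY_TO_ONE_ACCOUNT = "CORP\\owa-cert-users"

# Directory the published OWA server checks passwords against (constructed).
DIRECTORY = {"CORP\\marcos": "m-pass-1", "CORP\\barry": "b-pass-2"}

# Sample client certificates (constructed).
MARCOS_CERT = {"issuer": "CN=Corp Internal CA", "subject": "CN=marcos"}
BARRY_CERT = {"issuer": "CN=Corp Internal CA", "subject": "CN=barry"}
OUTSIDER_CERT = {"issuer": "CN=Some Other CA", "subject": "CN=marcos"}


def isa_gate(cert, mode):
    """Stage 1 (ISA): return the mapped account, or None to drop the connection."""
    if not cert or cert.get("issuer") not in TRUSTED_ISSUERS:
        return None                                   # no cert, or not our CA
    if mode == "one-to-one":
        return ONE_TO_ONE.get(cert.get("subject"))    # unmapped subject -> None
    if mode == "many-to-one":
        return MANY_TO_ONE_ACCOUNT
    raise ValueError("unknown mapping mode: %r" % mode)


def owa_login(username, password):
    """Stage 2 (published server): its own username/password check."""
    return DIRECTORY.get(username) == password


def access(cert, username, password, mode="many-to-one"):
    """Full path: (allowed, reason). Both stages must pass.
    The 'login must match mapped account' rule for one-to-one is an
    assumption of this model, not something the thread states."""
    mapped = isa_gate(cert, mode)
    if mapped is None:
        return False, "refused by ISA: no acceptable client certificate"
    if mode == "one-to-one" and mapped != username:
        return False, "refused: certificate holder and login name differ"
    if not owa_login(username, password):
        return False, "refused by OWA: bad username/password"
    return True, "allowed (certificate mapped to %s)" % mapped


if __name__ == "__main__":
    print(access(None, "CORP\\marcos", "m-pass-1"))         # stolen password only
    print(access(MARCOS_CERT, "CORP\\marcos", "m-pass-1"))  # cert + password
```

The trojan case Tom describes is the last line: once both the certificate and the password leave the machine, the model accepts them from anywhere, which is why the certificate-holding machine must be under administrative control.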
RE: Publishing Web Sites using Client Certificate Authe... - 11.Sep.2003 2:50:00 PM
Rowan
Posts: 2
Joined: 11.Sep.2003
From: Namibia
Status: offline
Hi there,
I've run through the article but I've got a problem logging into the site externally.
Exchange 2003 is on a Windows Server 2003 box behind the ISA box (also on Server 2003). I can access OWA internally (via SSL) and I can trace a route to the site via the Internet (the IP is correct and everything, an ISP is hosting the DNS for us).
However, when I try to access the site from outside, or even from an internal client using our internet connection, it seems that ISA isn't passing the authentication through to the OWA Exchange box. I try to log in three times, then it kicks me out.
It is Exchange 2003 eval version, but since I can access OWA internally, I don't think the issue is there.
Any help, please?
RE: Publishing Web Sites using Client Certificate Authe... - 11.Sep.2003 4:57:00 PM
tshinder
Posts: 47663
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Rowan,
Are you trying to use client certificate authentication? If so, you should subscribe to the ISAServer.org mailing list -- I'll announce a new article on how to make client certificate authentication work with OWA publishing.
It's REALLY cool!
Thanks! Tom
RE: Publishing Web Sites using Client Certificate Authe... - 18.Nov.2003 8:45:00 PM
ahardesty
Posts: 34
Joined: 12.Nov.2003
From: Burlington, VT
Status: offline
Is it possible to show a few network diagrams when using ISA, published Enterprise CA, client certs, and the ultimate server that has the application running on it?
So, if I'm not mistaken, an external user initially gets an individual client cert by following this: Ext. User -> ISA -> Enterprise CA
Once installed, the user can now access the web site and authenticate with that client cert by following this: Ext. User -> ISA -> Application Server
In our case, our Application Server (BEA WLS on AIX) is NOT the same as our Enterprise CA (MS IIS). Does this matter once the ext. user installs their client cert?
RE: Publishing Web Sites using Client Certificate Authe... - 19.Nov.2003 2:49:00 PM
tshinder
Posts: 47663
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi A,
You have the network topology correct. Good idea regarding the diagrams. I was sort of under the gun to get the kit finished, but I'll update it with network diagrams with the next version on ISA2004.
The client certificate can be used to authenticate the user after it is installed. After the ISA firewall accepts the cert, then the user can send username/password credentials to the non-MS server.
HTH, Tom
RE: Publishing Web Sites using Client Certificate Authe... - 15.Apr.2004 2:33:00 AM
Guest
Hi Tom,
Just wondering whether you knew of any specific reasons why client certificate authentication will not work when the valid certificate has been mapped to an account in a trusted domain? (as opposed to an account within the local domain of which the ISA server is a member)
The trust is working fine, as regular authentication works OK using accounts in the trusted domain.
Thanks in advance.
Regards, James.
RE: Publishing Web Sites using Client Certificate Authe... - 4.May2004 5:38:00 PM
gla
Posts: 1
Joined: 4.May2004
Status: offline
Hi to all,
Please, I installed a stand-alone ISA cache (so, a reverse proxy). Is it possible to exploit the client certificate configuration on ISA to reinforce authentication at the level of my internal web server?
If OK, how can I do it? I want to insist that my ISA cache isn't a member of any domain; it's a stand-alone server.
However, I tried to configure ISA by following the article's steps ("Publishing Web Sites using Client Certificate Authentication"). But client certificate authentication is unaware of it. An exterior client without a certificate can access my web pages. I want to note that I don't use Client Certificate Mapping. Is it necessary to configure certificate mapping to permit or refuse access to web pages?
Please, I need HELP!