Welcome to ISAserver.org

Web Publishing SSL Error Code 401

All Forums >> [ISA 2006 Publishing] >> Web Publishing >> Web Publishing SSL Error Code 401
Web Publishing SSL Error Code 401 - 6.Mar.2007 8:40:48 AM   
curleyj
Posts: 7
Joined: 5.Mar.2007
I have established an ISA 2006 server with 2 firewall policies for web publishing, a root page that is non-SSL and a sub-folder page that is SSL.  Access to the non-SSL page is fine.  Access to the SSL page returns Error Code 401: Unauthorized.  I am using SSL Client Authentication in addition to the server certificate for my IIS server.  After installing the server certificate on the IIS server, I exported it to a .PFX file and imported it to the ISA server.  The ISA Server now sits in our DMZ.  With the firewall tracing turned on on our firewall appliance, I can see the traffic from the ISA server using port 443 when I issue the command "Telnet x.x.x.x 443" from the command prompt, but cannot see any 443 traffic when I access the ISA server requesting the SSL page.  I access the SSL page from my workstations using https://<isa IP address>:443/<ssl page>.  I get prompted to select my certificate and enter my PIN, then I receive the Error Code: 401 Unauthorized message.
 
This is the final stage of our implementation test - that is, putting the ISA server in the firewall and the test IIS server on the production network inside the firewall appliance.  Before this final stage, I had conducted a series of tests in an offline enclave that was not connected to the production network or internet.  When I requested the SSL page through the ISA server in the enclave, I would get prompted to select my certificate, enter my PIN, and eventually I would receive the error "Certificate is revoked."  That I understood to mean that the certificate revocation list could not be downloaded from the CA (since I had no connection to the internet).  I then installed Microsoft ADAM to act as an LDAP server and moved the ISA server into the DMZ so that it could access the CA's CRLs.  I have used ADAM's utilities to download the CRLs successfully.
 
Can you recommend a document that might reveal where I am going wrong?
 
thanks,
 
John
Post #: 1
RE: Web Publishing SSL Error Code 401 - 9.Mar.2007 8:18:48 AM   
curleyj
Posts: 7
Joined: 5.Mar.2007
After some investigation, I decided to change from the Single Network Adapter model to the Edge Firewall model using two NICs.  One NIC serves as my internal network and one NIC serves as my external network.  We have a DMZ Public and a DMZ Private network for these purposes.  I have TCPDumps running on the DMZ interfaces to watch the traffic as well as the ISA monitor logging.  When I request the SSL page via the ISA server, I see the HTTPS communications between my workstation and my ISA server.  I then see the LDAP processing to the CA for the CRLs.  However, the request ultimately fails with an error on the web browser: "Error Code 500 The Certificate is Revoked".  When I examine the Application Event Log on the ISA server, I see an error for Event ID 21198, which states that the client certificate is revoked or has a missing Certificate Revocation List, and to verify that the CRL download system policy configuration group is enabled.

I have checked the system policy and it is enabled.  I have also cleared the Active Directory group policy checkbox for strict RPC enforcement.  We are required to follow the DOD security policies, so this error may be related to some of the changes that we have made for that purpose.

Has anyone seen this error?  Any suggestions would be greatly appreciated.

thanks,

John

(in reply to curleyj)
Post #: 2
RE: Web Publishing SSL Error Code 401 - 13.Mar.2007 5:33:56 PM   
mylo
Posts: 138
Joined: 26.Mar.2002
John,

Are you sure you're publishing the CRL correctly? Have you tested the CDP in the issued cert using certutil to ensure that it can access the CRL successfully?

Regards,
Mylo

(in reply to curleyj)
Post #: 3
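A check along the lines Mylo suggests, as an added example that is not part of the thread: run on the ISA server, it reads the CDP URLs out of an exported client certificate, tries to fetch each HTTP CRL over the same network path ISA's CRL-download system policy would use, reports the CRL's NextUpdate, and finishes with certutil's own chain and revocation check. The certificate path is an assumption.

```powershell
# Added diagnostic, not from the thread. $CertPath is a placeholder for the
# exported client certificate (.cer) you are trying to authenticate with.
param([string]$CertPath = 'C:\temp\client.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# OID 2.5.29.31 is the CRL Distribution Points extension
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) {
    Write-Warning "No CDP extension in $($cert.Subject); ISA has no CRL location to download from"
    return
}

# Format($true) renders the extension as multi-line text; pull every URL out of it
$urls = [regex]::Matches($cdp.Format($true), '(?i)\b(https?|ldap)://[^\s,;]+') |
        ForEach-Object { $_.Value }

foreach ($url in $urls) {
    if ($url -like 'ldap://*') {
        # LDAP CDPs go through the LDAP client path; certutil -URL exercises it interactively
        Write-Output "$url : LDAP CDP, test with: certutil -URL $CertPath"
        continue
    }
    $tmp = Join-Path $env:TEMP 'cdp-test.crl'
    try {
        (New-Object System.Net.WebClient).DownloadFile($url, $tmp)
    } catch {
        # A CDP the ISA host cannot reach shows up to the client as "certificate is revoked"
        Write-Output "$url : download FAILED ($($_.Exception.Message))"
        continue
    }
    # A stale CRL (NextUpdate in the past) is treated the same as a missing one
    $next = (certutil -dump $tmp | Select-String 'NextUpdate:').Line -replace '.*NextUpdate:\s*', ''
    Write-Output "$url : fetched, NextUpdate = $next"
}

# End-to-end check: chain building plus AIA/CDP retrieval with certutil's own logic
certutil -verify -urlfetch $CertPath
```

If the HTTP fetch fails from the ISA host but succeeds from a workstation, the firewall appliance between the DMZ and the CDP is the first place to look.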
RE: Web Publishing SSL Error Code 401 - 19.Mar.2007 4:47:41 PM   
curleyj
Posts: 7
Joined: 5.Mar.2007
Mylo,
 
I'm not sure I have the answers to your questions, but I appreciate the offer.... Let me say first, that we decided to change our web publishing rule for the HTTPS to a server publishing rule for HTTPS and have the IIS server check the user certificate.  We also enabled the CRL checking on the IIS server.  When we watched the TCPDump on the Firewall, we saw the HTTPS traffic from the workstation to the ISA server and back.  We also saw the HTTPS traffic from the ISA server to the IIS server and back.  The workstation can now pull up the SSL page.  Yeah!

So, to answer your questions... The CA is one of the DoD CAs and they publish the CRL.  I have not tested the CDP using certutil, but I think I will look into it.
 
We were pulling our hair out trying to get the ISA server to check the certificates and could not make it work.  One of our team members suggested that without using the Active Directory account mapping, we could not pass the certificate into the IIS server using the Web Publishing Rule.  So, we decided to set up this HTTPS tunnel to the application server.  Is there a better way to do this?
 
Thanks for your help...
 
John
 

(in reply to mylo)
Post #: 4
