Welcome to ISAserver.org


Which type of Microsoft CA should I use?

Which type of Microsoft CA should I use? - 16.Sep.2008 6:29:23 AM   
daddyt

 

Posts: 2
Joined: 16.Sep.2008
Status: offline
Hi all
We've installed a standalone CA on a server which is a member of our DMZ domain. Our ISA box is also a member of the domain. I've issued a certificate to enable us to publish a website using SSL, and this is all working fine,
i.e. Client  --(https)-->  ISA Server Ent Edition --(http)--> IIS website
To tie this down and prevent just anyone connecting, we want to issue client-certificates for specific 3rd parties to use.
I've put the issuing CA certificate in the Local Computer "Trusted Root Certification Authorities" on the ISA box. The authentication tab on the web listener is set to "SSL Client Certificate Authentication" which will then only select the top option, "Windows (Active Directory)".
If I try to connect using IE (or Firefox), I get prompted to choose a certificate, and when I choose a certificate issued by the CA, I get an ISA error page come back with the following:
"Error Code: 500 Internal Server Error. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)"
If I review the diagnostics logging on the ISA server, I can see the following:
- GET request,
- ISA is trying to authenticate the connected client using an SSL client certificate,
- Authentication failed because the client did not send an SSL certificate,
- ISA server cannot authenticate the client because the client's request does not contain Proxy-Authorization or Authorization headers,
- ISA server rejected the request...
- Authentication failed. Error = 0x00002FB1

We're running ISA 2006 Ent Edition + SP1.
I've tried accessing an IIS site using the server and client certificates and it worked OK so I think they are OK.
This makes me wonder whether the "Active Directory" part of the authentication part is what I'm falling foul of. Does the CA need to be an Enterprise CA within the domain?
Thanks in advance for any advice/help you guys can offer.
Frank
Post #: 1
RE: Which type of Microsoft CA should I use? - 17.Sep.2008 6:02:27 AM   
daddyt

 

Posts: 2
Joined: 16.Sep.2008
Status: offline
I seem to have fixed this...

Following on from my thoughts about AD, I initially tried just adding the certificate to an account in AD. This didn't work. But then I found the "Name mappings" option which allowed me to associate a standalone certificate with the AD account. Once I'd done that, it worked fine... PHEW!

(in reply to daddyt)
Post #: 2
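
The "Name mappings" fix in post #2 writes the certificate mapping into the account's `altSecurityIdentities` attribute, so each mapping acts as a credential for that account and is worth reviewing. The following is an added example, not code from the thread: the function names are hypothetical, the sample values are constructed, and `Get-CertMappedAccount` assumes the ActiveDirectory PowerShell module and read access to the directory.

```powershell
# Parse one altSecurityIdentities value, e.g. "X509:<I>issuer DN<S>subject DN".
function ConvertFrom-CertMapping {
    param([Parameter(Mandatory)][string]$Value)

    $result = [ordered]@{ Kind = 'NotX509'; Issuer = $null; Subject = $null; Raw = $Value }
    if ($Value -match '^X509:') {
        # Collect the "<TAG>value" pairs that follow the X509: prefix.
        $fields = @{}
        foreach ($m in [regex]::Matches($Value, '<(?<tag>[A-Za-z0-9-]+)>(?<val>[^<]*)')) {
            $fields[$m.Groups['tag'].Value] = $m.Groups['val'].Value
        }
        $hasI = $fields.ContainsKey('I')
        $hasS = $fields.ContainsKey('S')
        $result.Issuer  = $fields['I']
        $result.Subject = $fields['S']
        if ($hasI -and $hasS) { $result.Kind = 'IssuerAndSubject' }
        # Issuer only: any certificate from that CA maps to the account.
        elseif ($hasI -and $fields.Count -eq 1) { $result.Kind = 'IssuerOnly' }
        elseif ($hasS -and $fields.Count -eq 1) { $result.Kind = 'SubjectOnly' }
        else { $result.Kind = 'Other' }
    }
    [pscustomobject]$result
}

# List every user account that carries an explicit mapping (needs the AD module).
function Get-CertMappedAccount {
    Get-ADUser -LDAPFilter '(altSecurityIdentities=*)' -Properties altSecurityIdentities |
        ForEach-Object {
            $user = $_
            foreach ($v in $user.altSecurityIdentities) {
                ConvertFrom-CertMapping -Value $v |
                    Add-Member -NotePropertyName Account -NotePropertyValue $user.SamAccountName -PassThru
            }
        }
}

# Constructed sample values, so the parser can be tried without a directory.
$samples = @(
    'X509:<I>DC=test,DC=example,CN=Example-Standalone-CA<S>CN=partner-a',
    'X509:<I>DC=test,DC=example,CN=Example-Standalone-CA',
    'Kerberos:svc-partner@EXAMPLE.TEST'
)
$samples | ForEach-Object { ConvertFrom-CertMapping -Value $_ } |
    Format-Table Kind, Issuer, Subject -AutoSize
```

On a domain-joined host, `Get-CertMappedAccount | Sort-Object Kind, Account` gives the review list; `IssuerOnly` entries deserve the closest look when the issuer is a standalone CA like the one in this thread.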
