Welcome to ISAserver.org


X.509 name mapping fails

X.509 name mapping fails - 2.Feb.2007 6:07:44 AM   
peterbuus

 

We have set up ISA 2006 as a web publisher:
The web listener requests a client certificate and authenticates by Windows (Active Directory).
The associated firewall policy uses Kerberos constrained delegation to authenticate the user to the web service.

The mapping of a client certificate to a user account relies on a Name Mapping configured (LDAP attribute altSecurityIdentities) in Active Directory.

This works perfectly in our test environment, but for some reason the user account mapping fails in the production environment.
The client certificate is not mapped to a user account and ISA authenticates to the web application as "anonymous".

In the working test environment various traces can be observed, e.g. a security event "678 - Account Mapped for Logon" on the AD server.
In production no traces or logs can be seen.
Does anybody know how to trace / troubleshoot the name mapping mechanism of ISA / Active Directory?

/peter
Post #: 1
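
One way to check the directory side of the name mapping asked about above, as an added example that is not part of the original thread: it looks up which accounts carry a given altSecurityIdentities value in each environment, so test and production can be compared. The server names, the mapping string and the function names are constructed placeholders, and the issuer/subject (`X509:<I>...<S>...`) form of the value is an assumption, since the post does not say which form is configured.

```powershell
# Added example: resolve one certificate mapping string against two directories.
# All names and values below are constructed placeholders, not data from the thread.

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping, backslash first, so DN characters cannot alter the filter
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
           -replace '\)', '\29' -replace "`0", '\00'
}

function Find-CertMapping {
    param([string]$Server, [string]$Mapping)
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.PageSize = 500
    $searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'altsecurityidentities'))
    $userFilter = '(&(objectCategory=person)(objectClass=user)(altSecurityIdentities={0}))'

    # 1. Accounts whose attribute holds the expected string
    $searcher.Filter = $userFilter -f (ConvertTo-LdapFilterValue $Mapping)
    $exact = @(foreach ($r in $searcher.FindAll()) { $r.Properties['samaccountname'][0] })

    # 2. Accounts with an X509 mapping that differs from the expected one only in spacing
    $searcher.Filter = $userFilter -f 'X509:*'
    $wanted = $Mapping -replace '\s', ''
    $near = @(foreach ($r in $searcher.FindAll()) {
        foreach ($v in $r.Properties['altsecurityidentities']) {
            if ($v -ne $Mapping -and ($v -replace '\s', '') -eq $wanted) {
                '{0}: {1}' -f $r.Properties['samaccountname'][0], $v
            }
        }
    })

    $verdict = switch ($exact.Count) {
        0       { 'no account carries this mapping' }
        1       { 'mapping resolves to one account' }
        default { 'mapping is present on more than one account' }
    }
    New-Object PSObject -Property @{
        Server = $Server; Verdict = $verdict; Accounts = $exact; SpacingVariants = $near
    }
}

# Constructed sample input: replace with the value configured in the test domain
$mapping = 'X509:<I>DC=example,CN=Constructed Issuing CA<S>DC=example,CN=Users,CN=Constructed User'
foreach ($dc in 'dc01.test.example', 'dc01.prod.example') {
    Find-CertMapping -Server $dc -Mapping $mapping | Format-List Server, Verdict, Accounts, SpacingVariants
}
```

Run it under an account that can read altSecurityIdentities in both domains; a difference in the verdict between the two servers points at the directory data rather than at the ISA listener.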
