I don't know what I have configured wrong, but my ISA firewall is not capable of authenticating users with the certificates I have issued, _unless_ they are explicitly mapped to the corresponding user accounts in AD.
If I use HTML form authentication, things work, of course, but then I don't get the added security from the user certificate.
Also, it would seem that the "request SSL client certificate" setting (for HTML form authentication) is indeed just a request, not a requirement, as one can log on with or without the user certificate, anyway. Or so it seems...
Am I hitting bugs in the beta or what is going on here?
Yes, delegation was configured correctly right from the start.
The problem, it turned out, was with our certificate template.
Although a direct copy of the pre-installed "Client Authentication" template, our template was apparently not suited for mapping certificates to accounts. Using the original template, things started working right away.
Unfortunately, it would seem my post was somewhat premature.
I actually _had_ a name mapping in AD for that certificate, so I'm back to square one. If I use another (unmapped) certificate from my CA, ISA just authenticates "anonymous", which naturally doesn't grant me any rights.
I've since figured out that IIS can do an automatic mapping using something that is called the "Windows directory service mapper". Unfortunately, the ISA 2006 RC seems to be unable to do this.
Tom: Going through your guide, I see that your "Exch Farm SSL Listener" is configured to fall back to "Basic" authentication right from the start (at least according to the screenshot). Could you please verify (once more) that your setup _really_ does user certificate authentication, _without_ having those certificates manually mapped in AD?
I'm sorry for repeating my question, but I just want to make sure there isn't anything else you may have done to your setup that is missing from the guide.
Great article. It's exactly like you mentioned: there are very few references to how one actually makes Kerberos constrained delegation work, so I was very happy to find your articles.
I am trying something similar. I want to use RSA SecurID authentication, but make it so that the user doesn't have to log in twice (once with his token and then a second time with his AD credentials). I believe this can also be done through Kerberos constrained delegation, in a similar manner. Any thoughts on the idea? Essentially I want to require the user to authenticate to ISA through RSA and then pass that on to FE Exchange.
Currently I am running ISA 2004 servers, and they are not members of my AD domain. I am 99% sure that I need to upgrade to 2006 AND join them to the domain to make this work. Is this correct according to your understanding?
I really appreciate this resource and all your help.
Thank you for the great article! Could you explain why "All machines must be members of the same Active Directory domain."? For example, I've got ISA Server in a child domain and Exchange Server in the parent domain. So do I need to re-join ISA Server into the parent domain if I want to use Kerberos delegation?