RE: Discussion about article Configuring ISA Firewalls (ISA 2006 RC) to Support User Certificate Auth

RE: Discussion about article Configuring ISA Firewalls ... - 24.Aug.2006 9:30:01 AM   
kks

 

Posts: 5
Joined: 23.Aug.2006
Status: offline
Hi Tom,

I don't know what I have configured wrong, but my ISA firewall is not capable of authenticating users with the certificates I have issued, _unless_ they are explicitly mapped to the corresponding user accounts in AD.

If I use HTML form authentication, things work, of course, but then I don't get the added security from the user certificate.

Also, it would seem that the "request SSL client certificate" setting (for HTML form authentication) is indeed just a request, not a requirement, as one can log on with or without the user certificate, anyway. Or so it seems...

Am I hitting bugs in the beta or what is going on here?

Regards,
Krisse

(in reply to tshinder)
Post #: 21
RE: Discussion about article Configuring ISA Firewalls ... - 24.Aug.2006 2:00:09 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Krisse,

Have you configured the appropriate machines to be trusted for delegation?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to kks)
Post #: 22
RE: Discussion about article Configuring ISA Firewalls ... - 25.Aug.2006 4:25:23 PM   
kks

 

Posts: 5
Joined: 23.Aug.2006
Status: offline
Hi Tom,

Yes, delegation was configured correctly right from the start.

The problem, it turned out, was with our certificate template.

Although a direct copy of the pre-installed "Client Authentication" template, our template was apparently not suited for mapping certificates to accounts. Using the original template, things started working right away.

Anyway, thanks for your effort!

Regards,
Krisse

(in reply to tshinder)
Post #: 23
RE: Discussion about article Configuring ISA Firewalls ... - 28.Aug.2006 3:20:44 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Krisse,

Great! Good to hear you got it working and thanks for the follow up!

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to kks)
Post #: 24
RE: Discussion about article Configuring ISA Firewalls ... - 31.Aug.2006 3:38:11 PM   
kks

 

Posts: 5
Joined: 23.Aug.2006
Status: offline
Hi again,

Unfortunately, it would seem my post was somewhat premature.

I actually _had_ a name mapping in AD for that certificate, so I'm back to square one. If I use another (unmapped) certificate from my CA, ISA just authenticates "anonymous", which naturally doesn't grant me any rights.

I've since figured out that IIS can do an automatic mapping using something that is called the "Windows directory service mapper". Unfortunately, the ISA 2006 RC seems to be unable to do this.

Tom: Going through your guide, I see that your "Exch Farm SSL Listener" is configured to fall back to "Basic" authentication right from the start (at least according to the screenshot). Could you please verify (once more) that your setup _really_ does user certificate authentication, _without_ having those certificates manually mapped in AD?

I'm sorry for repeating my question, but I just want to make sure there isn't anything else you may have done to your setup that is missing from the guide.

Regards,
Krisse

(in reply to tshinder)
Post #: 25
RE: Discussion about article Configuring ISA Firewalls ... - 1.Sep.2006 1:30:11 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Krisse,

Yes, it really does use User Certificate Authentication, which was confirmed in the Event Viewers on the ISA FIREWALL, FE and BE Exchange Server.

I haven't tried it yet on the RTM version of the ISA FIREWALL, but I'll give it a shot when I get a chance.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to kks)
Post #: 26
RE: Discussion about article Configuring ISA Firewalls ... - 5.Oct.2006 9:24:21 PM   
sekure

 

Posts: 2
Joined: 5.Oct.2006
Status: offline
Hi Tom,

Great article.  It's exactly like you mentioned, there are very few references to how one actually makes Kerberos constrained delegation work, so I was very happy to find your articles.

I am trying something similar.  I want to use RSA SecurID authentication, but make it so that the user doesn't have to log in twice (once with his token and then the second time with his AD credentials).  I believe this can also be done through Kerberos constrained delegation, in a similar manner.  Any thoughts on the idea?  Essentially I want to require the user to authenticate to ISA through RSA and then pass that on to FE Exchange.

Currently I am running ISA 2004 servers, and they are not members of my AD domain.  I am 99% sure that I need to upgrade to 2006 AND join them to the domain to make this work.  Is this correct according to your understanding?

I really appreciate this resource and all your help.

Thank you.

(in reply to kks)
Post #: 27
RE: Discussion about article Configuring ISA Firewalls ... - 8.Oct.2006 12:15:26 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Sekure,

I've never had the chance to work with SecurID. Maybe someday RSA will loan me their server and tokens so that I can do some testing.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to sekure)
Post #: 28
RE: Discussion about article Configuring ISA Firewalls ... - 28.Nov.2006 4:15:26 PM   
jayshaw91

 

Posts: 34
Joined: 5.Oct.2006
From: Livonia, Michigan
Status: offline
Sorry for a cross-post of sorts, but ultimately I think my question on certs/auth belongs here.

Is it possible to authenticate simply with a cert?  I.e. you have the cert ISA is looking for and you can access a web page (not OWA - another one).  No cert and no soup for you.

That's all I want to do.  If that's possible, then I have more questions, but I want to verify that you can do this before I ask anything else.

(in reply to tshinder)
Post #: 29
RE: Discussion about article Configuring ISA Firewalls ... - 30.Nov.2006 9:01:48 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jay,

Are you asking if you can use User Certificate authentication with the ISA Firewall?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to jayshaw91)
Post #: 30
RE: Discussion about article Configuring ISA Firewalls ... - 20.Nov.2007 3:24:45 AM   
tzar

 

Posts: 3
Joined: 11.May.2006
Status: offline
Hi Tom,

Thank you for the great article!
Could you explain why "All machines must be members of the same Active Directory domain."? For example, I've got the ISA Server in a child domain and the Exchange server in the parent domain. So do I need to re-join the ISA Server to the parent domain if I want to use Kerberos delegation?

(in reply to tshinder)
Post #: 31
RE: Discussion about article Configuring ISA Firewalls ... - 20.Nov.2007 10:51:53 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Yes.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to tzar)
Post #: 32
