Certificate auth - 403.7 error

Certificate auth - 403.7 error - 17.Dec.2006 6:16:46 PM   
mcfly9

 

Hi there
 
I have been trying to figure this out for a while now, but without success... :(
 
I have a Win2k3 SP1 server running IIS and also ISA2k6 on the same box. I have a virtual directory on IIS (let's call it /dir1) which is configured for certificate-based authentication (integrated auth only, require SSL, require 128, require user cert, enable cert mapping).
All works fine when I am trying to access the server locally (through LAN). Cert popup, I choose the cert and then I get access to dir1.
 
I have created a web publishing rule in ISA for this directory, and am publishing it on the external interface of the ISA as mydomain.com/dir1. The listener is on HTTPS, but no authentication is required ("require all users to authenticate" is not checked, users tab: all users). On the Authentication tab of the listener I chose "No Authentication", on the Authentication Delegation tab: "no delegation but allow client to authenticate directly".
 
If I try to access mydomain.com/dir1 from outside, I don't get the certificate popup, but get a standard IIS 403.7 Client certificate required error. The ISA logs are clean, the ISA allows the connection through as expected and closes it gracefully after some time (I guess when the TCP connection is closed).
 
UPDATE: In the IIS logs I only see one 403 attempt, and nothing else... while for the successful attempts (from the LAN) I see one 403, one 302 (redirect from .../dir1 to .../dir1/) and then the 200 OK.
 
Any ideas what might be the problem here? Why does it not work from outside when it works from inside and ISA just reverse NATs it though?

< Message edited by mcfly9 -- 17.Dec.2006 6:20:09 PM >
Post #: 1
RE: Certificate auth - 403.7 error - 27.Dec.2006 12:10:05 PM   
tshinder

 

Move the Web site OFF the ISA Firewall.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mcfly9)
Post #: 2
RE: Certificate auth - 403.7 error - 27.Dec.2006 2:37:12 PM   
mcfly9

 

Hi Tom,
 
Thanks for the reply.
 
Sad to hear though that this seems to be an unsupported config... :(

(in reply to tshinder)
Post #: 3
RE: Certificate auth - 403.7 error - 28.Dec.2006 12:43:07 PM   
tshinder

 

We don't put Web sites on Check Point, Pix, or Netscreen firewalls, and we don't put Web sites on ISA Firewalls.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mcfly9)
Post #: 4
