TS Gateway and pre-auth with client certs?

TS Gateway and pre-auth with client certs? - 26.Jan.2009 3:59:58 PM   
jayshaw91 (Posts: 34, Joined: 5.Oct.2006, From: Livonia, Michigan)
Is this possible?  What we want to do is have ISA check for either a machine or user certificate and only allow authentication to TSG if they have the cert installed.

The ISA server is on the domain and we have a PKI infrastructure set up and working fine. 

So far we have not been able to get this to work.  Straight SSL with no authentication on the listener, only authentication at the TSG, works just fine.  So the basics are covered.  We want to bolster the security from here.

Anyone able to help a brotha out?
Post #: 1
RE: TS Gateway and pre-auth with client certs? - 28.Jan.2009 10:36:42 AM   
inderjeet (Posts: 463, Joined: 25.Nov.2008)
Hi,

It wouldn't be a good idea to only check the certificates and then give access. SSL cert authentication should be used in conjunction with another authentication (either on ISA or the backend server). On the web listener you need to select SSL client cert authentication and, in Advanced > under Client Certificate Trust List, select the root CA of your organization which you want to test it against.

Remember ISA should be a part of the domain in order to do it. You cannot have cert authentication if ISA is in a workgroup.

Check http://technet.microsoft.com/en-us/library/cc731353.aspx 


Let us know a little more about the configuration and your setup.

_____________________________

Inderjeet (MSFT)
My Blog: http://isingh.spaces.live.com

If you are a Microsoft Gold Partner, Contact us for Advisory/Consulting Services, Check https://partner.microsoft.com/US/supportsecurity/40012316

(in reply to jayshaw91)
Post #: 2
RE: TS Gateway and pre-auth with client certs? - 28.Jan.2009 10:51:51 AM   
jayshaw91 (Posts: 34, Joined: 5.Oct.2006, From: Livonia, Michigan)
I appreciate the assistance.  Like I said in my original post, the ISA server is on the domain and we do have our own PKI.  The ISA server has the root CA installed.  Any more info you need about our configuration?

The plan is to check for the certificates, and if it is present, then offer up authentication from the TS Gateway server.

Also, I followed that link to get TS Gateway and ISA set up initially.  That works fine.  It's the certificate portion I can't seem to get to work right.

(in reply to inderjeet)
Post #: 3
RE: TS Gateway and pre-auth with client certs? - 28.Jan.2009 3:53:14 PM   
inderjeet (Posts: 463, Joined: 25.Nov.2008)
As I said earlier, you can do it, but this is not the most secure way of doing it.

On the web listener you need to select SSL client cert authentication and, in Advanced > under Client Certificate Trust List, select the root CA of your organization which you want to test it against.

Each user should have a user certificate with private and public key in their user Personal store.

When they access a published website, they will get a prompt which asks them to select the certificate they want to use. Then accordingly ISA can check the certificate.

On the ISA publishing rule select "All Authenticated Users" under the Users tab, and under Authentication Delegation select "No Delegation, users may authenticate directly".

Users will be prompted one more time as the TS Gateway also requires authentication. To avoid having them authenticate the second time you will have to select Kerberos Constrained Delegation under Authentication Delegation, but you need to have that set up first and that's not the easiest to do (as far as with me).

Check http://technet.microsoft.com/hi-in/library/bb794858(en-us).aspx

Hope that helps.

(in reply to jayshaw91)
Post #: 4
RE: TS Gateway and pre-auth with client certs? - 28.Jan.2009 5:02:26 PM   
jayshaw91 (Posts: 34, Joined: 5.Oct.2006, From: Livonia, Michigan)
Interesting.  I'm not getting prompted to present a certificate.  I did have it set for SSL auth and selected my root CA.  It just passed me straight through to authenticate against the TS server.  What did I miss?

Also, why is this not the most secure way?  What do you recommend?  It's the best thing we could come up with that's close to two factor authentication.  RSA does not work since the users are connecting via RDP and not HTTP.  There is no way to prompt for the RSA token this way, which is unfortunate.

(in reply to inderjeet)
Post #: 5
RE: TS Gateway and pre-auth with client certs? - 28.Jan.2009 5:16:41 PM   
inderjeet (Posts: 463, Joined: 25.Nov.2008)
OOPS!!!! My fault, and I am sorry for that.

I didn't realize that TS Gateway can be accessed through the RDP client. I had the web-based login and web-based TS in mind all the time... let me re-think the scenario.
(in reply to jayshaw91)
Post #: 6
RE: TS Gateway and pre-auth with client certs? - 28.Jan.2009 6:34:24 PM   
inderjeet (Posts: 463, Joined: 25.Nov.2008)
So, after checking further, it seems SSL client cert authentication is not possible as it's a limitation with the RDP client. But the same can be done if you are using TS Web Access. You can log in to the website and create RDP sessions from within the browser.

Check http://www.techotopia.com/index.php/Configuring_Windows_Server_2008_TS_Web_Access

Sorry for the confusion.

(in reply to jayshaw91)
Post #: 7
RE: TS Gateway and pre-auth with client certs? - 29.Jan.2009 10:44:04 AM   
jayshaw91 (Posts: 34, Joined: 5.Oct.2006, From: Livonia, Michigan)
Hey, no worries on the confusion, man.  I appreciate the assistance.  We're going to look into this as an option.  I'll let you know how it works out for us.

(in reply to inderjeet)
Post #: 8