Welcome to ISAserver.org
RE: Discussion for article on Supporting Forms-based auth and Basic Auth with one IP
RE: Discussion for article on Supporting Forms-based a... - 6.Nov.2007 12:53:31 PM
iwatkins
Posts: 4
Joined: 26.May2005
From: Peterborough, UK
Status: offline
Still using ISA2004 here :-) We do not have the Certificate Service installed on any internal machines (it is unnecessary and complicates things!) so is there any way to get a certificate created that we can use in this method? If not, I think we may have to splash on another external certificate and use a second external IP address. Thanks. Ian Watkins
RE: Discussion for article on Supporting Forms-based a... - 22.Apr.2008 12:01:29 PM
plysaker
Posts: 8
Joined: 7.May2006
Status: offline
All, I hope that taking the time to post on a 2 year old stale forum post is worthwhile. If it saves some shmuck the 8 hours of hell I just went through, great. Tom's tutorial is incorrect! The cert request procedure for local host DOES NOT produce a PFX type cert. .CER, .P7B etc. are produced, but the cert is not visible / seen by ISA when attaching to the listener. You see it in the store all right, but you surely do not in the listener properties config. I was finally able to create the localhost cert via another computer's IIS, and generating a cert req. The IIS was independent, and was stand alone. The key element is to get a PFX cert, with exportable key.
LOCALHOST Certificate listener computer store PFX not P7B not CER ISA FBA
RE: Discussion for article on Supporting Forms-based a... - 22.May2008 7:30:49 PM
pete_h
Posts: 5
Joined: 11.Dec.2006
Status: offline
plysaker: Thanks for posting this - I've been pulling my hair out too. All was working for ages, but after a disk failure on the firewall, I restored from backup, and everything worked fine except the mobile phones now no longer authenticated properly, even though they did before. So ActiveSync was, and still is, screwed. Turns out the "localhost" certificate has become "detached" from the listener. However, when trying to reattach it, it doesn't show up in the list of certificates, despite it appearing fine in the local machine's certificate store, via the MMC's certificate console. I'll try your suggestion, and post back my experience. The ISA2004 firewall's been doing a fine job for what we need it for, so don't see the point of moving to ISA2006 for the sake of it, so would prefer to fix this one problem.
RE: Discussion for article on Supporting Forms-based a... - 27.May2008 8:45:47 AM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Pete, Make sure that the certificate you're binding to the Local Host Web Listener has a private key. That's the most common reason for it not showing up in the list in the ISA Firewall console. HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
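An added example, not part of the original thread: plysaker's post and Tom's reply above both come down to the private key, and of the three file types mentioned only a PFX (PKCS#12) container can carry one, so this Python sketch identifies which format a certificate file actually is from its DER header. The function names and the truncated sample bytes are constructed for illustration.

```python
import base64
import re

# DER encoding of OID 1.2.840.113549.1.7.2 (PKCS#7 signedData)
PKCS7_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")

# Constructed samples: only the leading DER header bytes of each file type.
SAMPLE_CER = bytes.fromhex("308203a53082028da003020102")
SAMPLE_P7B = bytes.fromhex("3082053a06092a864886f70d010702a082052b")
SAMPLE_PFX = bytes.fromhex("30820a1f020103308209e506092a864886f70d010701")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_CER)
              + b"\n-----END CERTIFICATE-----\n")

def _der_body(data):
    """Return the bytes after the outer SEQUENCE header, or None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    if data[1] < 0x80:                 # short-form length
        return data[2:]
    n = data[1] & 0x7F                 # long form: n length bytes follow
    return data[2 + n:] if 0 < n <= 4 else None

def classify(blob):
    """Return (kind, may_contain_private_key) for a certificate file's bytes."""
    pem = re.search(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----",
                    blob, re.S)
    if pem:                            # Base64 export: unwrap to DER first
        blob = base64.b64decode(pem.group(2))
    body = _der_body(blob)
    if body is None:
        return ("unknown", False)
    if body[:3] == b"\x02\x01\x03":    # INTEGER 3 = PFX version field
        return ("pkcs12-pfx", True)    # the only one of the three that can hold a key
    if body.startswith(PKCS7_SIGNED_DATA):
        return ("pkcs7-p7b", False)    # certificate chain only
    if body[:1] == b"\x30":            # nested SEQUENCE = tbsCertificate
        return ("x509-cer", False)     # public certificate only
    return ("unknown", False)

if __name__ == "__main__":
    for name in ("SAMPLE_CER", "SAMPLE_P7B", "SAMPLE_PFX", "SAMPLE_PEM"):
        print(name, classify(globals()[name]))
```

A `True` result only means the container format is able to hold a key; whether a given PFX actually includes one depends on how it was exported.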
RE: Discussion for article on Supporting Forms-based a... - 28.May2008 1:30:55 AM
pete_h
Posts: 5
Joined: 11.Dec.2006
Status: offline
Thanks for the reply Tom :) Seems odd that it would recognize it before, but not now after a backup restoration. Anyways, seems like the way to go is to create another LocalHost certificate, but I'm not sure about this: Both the external and localhost listener certificates were originally created using a CA installed on my SBS2003 server. The CA services have since been de-installed, and when I go now to reinstall them, the installation wizard tells me that the server "mailserver" (my SBS server's name and the name I used when first installing the CA service to create the initial certificates) has an existing private key, and "do I want to overwrite it with a new one?". If I say yes to this, does it make the existing external certificate invalid and unusable? If so, this would cause me to have to update all the phones that use ActiveSync (that's broken now anyway), and the external web clients with new certificates, so that's not the preferred path. ISA2004 is on a separate Win2000sp4 Advanced Server box (joined to the domain), and Exchange is on a SBS2003sp2 box. So how do you suggest I proceed to create a new localhost certificate?
RE: Discussion for article on Supporting Forms-based a... - 28.May2008 1:37:12 AM
pete_h
Posts: 5
Joined: 11.Dec.2006
Status: offline
BTW, I do have a copy of ISA2006 sitting here, so there is the option of upgrading if you advise it strongly enough. Is the process of an in-place upgrade a smooth one? i.e. will it keep all my existing rules, or will I have to set it all up again?
RE: Discussion for article on Supporting Forms-based a... - 28.May2008 9:21:15 AM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
I would recommend just upgrading to ISA 2006, then you don't even need to deal with the "local host" Web Listener. HTH, Tom