Authentication using client certificates

Authentication using client certificates - 13.Dec.2002 2:26:00 PM   
SKruese
Hello,

The situation: I want to publish an internal web server using ISA Server. The authentication on the ISA Server is done using client certificates on USB tokens. The ISA Server is part of the AD, which also includes an Enterprise root CA. I don't want the certificate authentication on the www server, only on the ISA Server.

I am having problems setting this up. I would like to know if it is possible to allow and disallow on a per-user basis. I used the ISAserver.org article and used the many-to-one mapping strategy. This works, but it is not flexible, because every user with a certificate issued from the same CA which I used to make the many-to-one mapping is allowed, according to the article. I don't want this. Even a user that doesn't belong to the group that I assigned to the web publishing rule is able to make a connection to the www server. This doesn't make sense.

Can anybody tell me how to let only a few users from the AD connect through the ISA to the internal www server using USB tokens.

Regards and thanks in advance,

Sander
Post #: 1
RE: Authentication using client certificates - 14.Dec.2002 6:48:00 PM   
tshinder
Hi Sander,

You should be able to configure one to one mappings in the AD. This information is contained on your TechNet CD and probably on the MS Web site as well. Here are some short instructions on one to one mappings that I found on the CD:

Using the Active Directory for One-to-One Mapping

If you have set IIS to do directory mapping by following the instructions above, IIS automatically does UPN mapping for certificates from a trusted enterprise CA. You can proceed directly to the section, Testing the Mapping below to see UPN mapping. The default administrator account does not have a UPN and does not map. You must create a new account and use its certificate to see UPN mapping.
To configure Active Directory one-to-one mapping
1. Click Start, click Programs, click Administrative Tools, and click Active Directory Users and Computers.
2. Expand the domain name node (HQ-RES-DC-01), and click the Users folder. In the right pane, right-click the Administrator account and click Name Mappings.
3. On the X.509 Certificates tab, click the Add button. Select the user certificate from the .cer file saved in the Exporting a certificate section.
4. The Use Issuer for alternate security identity will be selected and appear gray by default because you need to use this for both one-to-one mapping and many-to-one mapping. Select the Use Subject for alternate security identity option to do one-to-one mapping. By unchecking this option, you will be doing many-to-one mapping. Click OK.
5. Go to the section, Testing the Mapping, to verify that this works.

HTH,
Tom

(in reply to SKruese)
Post #: 2
RE: Authentication using client certificates - 16.Dec.2002 8:02:00 AM   
SKruese
Tom,

Thanks for the reply, but there is still one question. When I use one-to-one mapping, do I need to import and use "name mapping" to map a certificate to a user account, when I am already using an Enterprise CA that integrates with AD? It would be more logical to only request a certificate from the Enterprise CA and put it on a smartcard. At this point the AD should have my certificate, at least the public part, and my smartcard contains the private part.

This also leads to another question. Is the user account (on the certificate) authenticated, or is the certificate itself authenticated based only on its status and the fact that I can prove it's mine? As I told in my first post, users are granted access to the www server even though they are not a member of the user group that is "applied" on the ISA web publishing rule. That looks like the certificate is authenticated and not the account itself.

Regards,

Sander

(in reply to SKruese)
Post #: 3
RE: Authentication using client certificates - 16.Dec.2002 7:36:00 PM   
tshinder
Hi Sander,

I have not tried to implement one-to-one certificate mapping with ISA Server yet, so I can't tell you from experience whether it works or not. As with all things, the only way to know if something works is to test it. Have you tried the one-to-one mapping yet? I'll get around to it in the future, but typically a many-to-one is the only method required, and then you can use integrated authentication to communicate with the Web Server itself.

If you do implement it, let us know your procedure and how it worked!

Thanks!
Tom

(in reply to SKruese)
Post #: 4
RE: Authentication using client certificates - 16.Dec.2002 7:58:00 PM   
SKruese
Hi Tom,

The group membership is working after all. The problem is that ISA takes some time to update its changes (many...many...many minutes). So after stopping and starting the web proxy service the changes were applied immediately.

Ok, so it looks like it's working. I have used your article and use a many-to-one mapping to map a certificate to an AD user (although I don't think it is used) and placed it in a group. The group is applied to the web publishing rule. Now when I create a new user, I place the certificate on the USB token. Because I use the Enterprise CA I don't have to import the certificate in the AD. After connecting, the browser pops up with the correct certificate and I use it to authenticate. If the user is not a member of the group I get the Unauthorized error. If there is something wrong with the certificate I get an unauthenticated error. When the user is a member I can connect to the internal web server. Two tips: I have had some problems with the reverse caching that ISA uses, so I turned it off. Turn on auditing of logon events on the ISA, IIS and AD servers to see where a user is logged on and where it is not granted access. Don't be surprised to see a success login in the ISA security log and an access denied in the web browser.

Regards,

Sander

(in reply to SKruese)
Post #: 5
RE: Authentication using client certificates - 16.Dec.2002 8:15:00 PM   
SKruese
In addition to my previous post:

The "Smart card logon white paper" explains the use of UPN on certificates. On a certificate issued by an Enterprise CA the UPN is added in the form of username@domain. When an SSL/TLS session is started, the secure channel provider first queries the AD for this UPN. If it doesn't exist it checks the AD for an account whose alternate security identities attribute contains an explicit mapping to the certificate.

Regards,

Sander

(in reply to SKruese)
Post #: 6
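The lookup order Sander describes in post #6 (UPN first, then the account's alternate security identities) and the authentication-versus-authorization split he observed in post #5 (an "unauthenticated" error when no account maps, "Unauthorized" when the mapped account is not in the rule's group) can be written down as a small model. The following is an added example, not code from the thread, from ISA Server or from Windows. It assumes the two `altSecurityIdentities` string forms used by Active Directory name mapping, `X509:<I>issuer<S>subject` for one-to-one and `X509:<I>issuer` for many-to-one, and uses a constructed in-memory directory in place of AD; the CA name, account names and group name are made up.

```python
"""Model of certificate-to-account mapping followed by a group check.

Added example (not the thread's or Microsoft's code). The directory, CA name,
accounts and group below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class Cert:
    issuer: str            # issuer DN as it would appear in the certificate
    subject: str           # subject DN
    upn: Optional[str]     # UPN from the subject alternative name, if present

@dataclass
class Account:
    sam: str
    upn: Optional[str]
    # Strings stored in the account's altSecurityIdentities attribute.
    alt_security_identities: List[str] = field(default_factory=list)
    groups: Set[str] = field(default_factory=set)

def one_to_one_mapping(cert: Cert) -> str:
    """altSecurityIdentities value for an explicit (subject + issuer) mapping."""
    return f"X509:<I>{cert.issuer}<S>{cert.subject}"

def many_to_one_mapping(cert: Cert) -> str:
    """altSecurityIdentities value that matches every cert from this issuer."""
    return f"X509:<I>{cert.issuer}"

def map_certificate(cert: Cert, directory: List[Account]) -> Tuple[Optional[Account], str]:
    """Return (account, how) following the order described in the thread.

    1. Look for an account whose UPN equals the certificate's UPN (implicit
       mapping for Enterprise CA certificates).
    2. Otherwise look for an explicit one-to-one entry in altSecurityIdentities.
    3. Otherwise look for a many-to-one (issuer only) entry.
    """
    if cert.upn:
        for acct in directory:
            if acct.upn and acct.upn.lower() == cert.upn.lower():
                return acct, "upn"
    explicit = one_to_one_mapping(cert)
    for acct in directory:
        if explicit in acct.alt_security_identities:
            return acct, "one-to-one"
    by_issuer = many_to_one_mapping(cert)
    for acct in directory:
        if by_issuer in acct.alt_security_identities:
            return acct, "many-to-one"
    return None, "none"

def decide(cert: Cert, directory: List[Account], required_group: str) -> Tuple[str, str]:
    """Authenticate (map to an account) and then authorize (group membership).

    Returns ("unauthenticated", how) when no account maps, ("unauthorized", how)
    when the mapped account is outside the publishing rule's group, else
    ("allowed", how).
    """
    acct, how = map_certificate(cert, directory)
    if acct is None:
        return "unauthenticated", how
    if required_group not in acct.groups:
        return "unauthorized", how
    return "allowed", how

# Constructed sample directory (not real accounts or CA names).
CA = "CN=Corp Enterprise CA,DC=corp,DC=example"
OTHER_CA = "CN=Some Other CA,O=Elsewhere"
WEB_GROUP = "ISA-Web-Users"
DIRECTORY = [
    # Enterprise CA user: mapped implicitly through the UPN in the certificate.
    Account("sander", "sander@corp.example", groups={WEB_GROUP}),
    # External contractor with no UPN in the cert: explicit one-to-one entry.
    Account("jan", None, [one_to_one_mapping(Cert(CA, "CN=Contractor Jan", None))],
            groups={WEB_GROUP}),
    # Catch-all account for the many-to-one rule; deliberately not in the group.
    Account("certusers", None, [f"X509:<I>{CA}"], groups=set()),
]

if __name__ == "__main__":
    samples = [
        Cert(CA, "CN=Sander", "sander@corp.example"),  # allowed via UPN
        Cert(CA, "CN=Contractor Jan", None),           # allowed via one-to-one
        Cert(CA, "CN=Visitor", None),                  # maps many-to-one, unauthorized
        Cert(OTHER_CA, "CN=Stranger", None),           # no mapping, unauthenticated
    ]
    for c in samples:
        print(c.subject, "->", decide(c, DIRECTORY, WEB_GROUP))
```

The third sample is the case from post #1: with only a many-to-one entry, every certificate from the Enterprise CA maps to the same catch-all account, so the group on the publishing rule is the only thing standing between "any cert from this CA" and the internal server. Per-user control comes from the UPN or one-to-one paths, where each certificate lands on its own account and that account's group membership decides.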
