[isapros] Re: ISA 2006 SP1 - Support for client certificate authentication in a workgroup deployment

  • From: Jason Jones <Jason.Jones@xxxxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Tue, 30 Sep 2008 13:56:54 +0100

Thanks Tom.

I assume this was changed to meet a particular common Microsoft scenario - any 
idea what?

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thomas W Shinder
Sent: 30 September 2008 13:33
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA 2006 SP1 - Support for client certificate 
authentication in a workgroup deployment

Hi Jason,

From the ISA Team Blog:

Secondary client certificate validation without mapping to Active Directory
Client certificates used as the secondary authentication method to Forms-Based 
authentication in ISA Server do not need to be validated against an Active 
Directory® user account. Previously in this scenario, ISA was required to be 
a domain member. The administrator would have to ensure that each client 
certificate mapped to a user account in Active Directory. Such authentication 
was available only for ISA Server in the domain and when FBA with Active 
Directory was configured as the primary authentication method. With the new 
option, ISA Server in the workgroup can accept client certificates issued from 
any CA for which a certificate is included in the local machine Trusted Root 
store. If you limit the trusted roots only to your enterprise CA, then ISA 
Server will accept only users who were granted a client certification by your 
organization.
Note Client certificate mapping to Active Directory user account is still 
possible and functions as it did prior to SP1. With SP1, you also have the 
option to authenticate client certificates without mapping.
Note This new feature is limited to scenarios where client certificate 
authentication is used as a secondary authentication method with Forms-Based 
authentication (FBA).  If client certificates are used as the primary 
authentication method, ISA must still be a domain member to satisfy this 
authentication method.

I thought it was a miracle drug when I first read about User Certificate auth 
support. While it's a nice add-on feature, it's not the magic bullet many are 
looking for.


Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting www.prowessconsulting.com
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/2gpoo8
MVP -- Microsoft Forefront Edge Security
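
The trust decision the ISA Team Blog text above describes (any CA whose certificate sits in the local machine Trusted Root store is accepted) can be audited from PowerShell on the ISA box; this is an added example, not code from the thread or from Microsoft, and the enterprise root thumbprint, the certificate path, and the assumption that the OS chain engine's verdict matches the SP1 check are all placeholders.

```powershell
# Added example (not from the thread or the ISA product team): audit the
# LocalMachine Trusted Root store that SP1 consults for workgroup
# client-certificate validation, then show which root a given client
# certificate actually chains to. Both parameters are assumed placeholders.
param(
    [string]$EnterpriseRootThumbprint = 'REPLACE-WITH-ENTERPRISE-ROOT-THUMBPRINT',
    [string]$ClientCertPath = 'C:\audit\client.cer'
)

# Step 1: every root in this store is a CA whose client certs SP1 would accept.
$roots = @(Get-ChildItem -Path Cert:\LocalMachine\Root)
"Trusted roots in LocalMachine\Root: $($roots.Count)"
$foreign = @($roots | Where-Object { $_.Thumbprint -ne $EnterpriseRootThumbprint })
if ($foreign.Count -gt 0) {
    $msg = '{0} root(s) other than the enterprise CA are trusted; client certs issued under any of them would be accepted.'
    Write-Warning ($msg -f $foreign.Count)
    $foreign | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
}

# Step 2: build the chain for a client certificate with the Client
# Authentication EKU and report the root it terminates on. Assumes the OS
# chain engine reaches the same verdict as the SP1 check (the thread does not
# describe ISA's internals).
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ClientCertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$clientAuthEku = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.2'
$chain.ChainPolicy.ApplicationPolicy.Add($clientAuthEku) | Out-Null
$valid = $chain.Build($cert)
$rootElement = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Chain builds: $valid"
"Terminates at: $($rootElement.Subject) [$($rootElement.Thumbprint)]"
if ($valid -and $rootElement.Thumbprint -ne $EnterpriseRootThumbprint) {
    Write-Warning 'Client certificate is valid but chains to a root other than the enterprise CA.'
}
foreach ($status in $chain.ChainStatus) {
    "Chain status: $($status.Status) - $($status.StatusInformation)"
}
```

A default Windows install ships with third-party roots in this store and the Automatic Root Certificates Update can add more over time, so "limit the trusted roots only to your enterprise CA" means both pruning the store and controlling that update, and the first step of this script is what tells you whether that has actually held.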

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jason Jones
Sent: Tuesday, September 30, 2008 4:03 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] ISA 2006 SP1 - Support for client certificate authentication 
in a workgroup deployment

Hi,

I noticed this element of ISA 2006 SP1:

"Support for client certificate authentication in a workgroup deployment. This 
removes the requirement to map each client certificate to an Active 
Directory® directory user account when forms-based authentication is used as 
the primary authentication method and client certificates are used as the 
secondary method."

Sorry if I am being a dumbass, but can someone explain this feature a little 
and ideally provide a scenario or example where it is valid?

Would this change have an impact on publishing non-domain joined SCCM IBCM 
clients for example?

Thanks

JJ


________________________________
This email and any files transmitted with it are confidential and intended 
solely for the use of the individual to whom it is addressed. If you have 
received this email in error, or if you believe this email is unsolicited and 
wish to be removed from any future mailings, please contact our Support Desk 
immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx

If this email contains a quotation then unless otherwise stated it is valid for 
7 days and offered subject to Silversands Professional Services Terms and 
Conditions, a copy of which is available on request. Any pricing information, 
design information or information concerning specific Silversands' staff 
contained in this email is considered confidential or of commercial interest 
and exempt from the Freedom of Information Act 2000.

Any view or opinions presented are solely those of the author and do not 
necessarily represent those of Silversands

Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
Company Registration Number : 2141393.