I assume from the silence that you guys don't believe me or have run out of ideas? :-P

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: 10 October 2008 21:02
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA Server Slow FBA Login Issue and Solution Impact on SCCM Agent

I'm cornfussed; if the ISA is not allowed to possess the private key for the multi-purpose certificate, how is it able to use that cert for server authentication?

Yes; you could use separate certificates, since CAPI will choose the certificate best suited to the conversation.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
Sent: Friday, October 10, 2008 5:25 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] ISA Server Slow FBA Login Issue and Solution Impact on SCCM Agent

Hi All,

An issue exists with ISA2k6 FBA as follows:

"Client logon is slow and server certificates used for Web publishing are configured with the default purpose settings "Server Authentication" and "Client Authentication"

Issue: When Windows Server 2003 detects the default purpose setting of "Client Authentication", the operating system attempts to perform TLS with mutual authentication to the domain controller. The mutual authentication process requires ISA Server to have access to the private key of the server certificate with the "Client Authentication" setting enabled, and ISA Server does not (and should not) have this access.

Solution: Ensure that all server certificates do not have the default "Client Authentication" purpose enabled. You can disable this setting on the property pages of the relevant server certificate as follows..."

http://technet.microsoft.com/en-us/library/cc514301.aspx

Based upon this solution (which works very well!) I have come up against a scenario where we have a customer that needs to "manage" ISA using System Centre Configuration Manager (SCCM), but this requires a certificate to be installed that supports the Client Authentication purpose in order to meet the SCCM mutual TLS design.

So, if the client auth purpose is enabled, FBA login is painfully slow; if the client auth purpose is disabled, the SCCM agent cannot provide mutual TLS and subsequently cannot communicate with the SCCM server.

Can anyone think of a way around this?

Cheers

JJ

________________________________
This email and any files transmitted with it are confidential and intended solely for the use of the individual to whom it is addressed. If you have received this email in error, or if you believe this email is unsolicited and wish to be removed from any future mailings, please contact our Support Desk immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx If this email contains a quotation then unless otherwise stated it is valid for 7 days and offered subject to Silversands Professional Services Terms and Conditions, a copy of which is available on request. Any pricing information, design information or information concerning specific Silversands' staff contained in this email is considered confidential or of commercial interest and exempt from the Freedom of Information Act 2000. Any view or opinions presented are solely those of the author and do not necessarily represent those of Silversands Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX. Company Registration Number : 2141393.
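As an added check (not code from the thread or from the TechNet article): a PowerShell snippet, assuming Windows PowerShell with the Cert: drive is available on the ISA host, that inventories the machine's Personal store and flags certificates whose Enhanced Key Usage covers both Server Authentication and Client Authentication, i.e. the multi-purpose certificates that trigger the mutual-authentication path described above and that Jim's separate-certificate suggestion would replace.

```powershell
# Added example: list Personal-store certificates by EKU so multi-purpose
# (server + client auth) web-publishing certificates stand out.
# Assumption: run on the ISA host with Windows PowerShell (v2 or later).
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-CertEkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Read the OIDs from the Enhanced Key Usage extension. A certificate with
    # no EKU extension is valid for every purpose, which includes client auth,
    # so report it as '*' and treat it as both server and client capable.
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    } | Select-Object -First 1
    if (-not $ext) { return @('*') }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $oids      = Get-CertEkuOids -Cert $_
    $hasClient = ($oids -contains $ClientAuthOid) -or ($oids -contains '*')
    $hasServer = ($oids -contains $ServerAuthOid) -or ($oids -contains '*')
    New-Object PSObject -Property @{
        Subject       = $_.Subject
        Thumbprint    = $_.Thumbprint
        HasPrivateKey = $_.HasPrivateKey
        ServerAuth    = $hasServer
        ClientAuth    = $hasClient
        # Multi-purpose certificates are the ones the article says to fix,
        # or to replace with a server-auth-only certificate for publishing.
        Flag          = $(if ($hasServer -and $hasClient) { 'multi-purpose' } else { '' })
    }
} | Sort-Object ClientAuth -Descending |
    Format-Table Subject, Thumbprint, HasPrivateKey, ServerAuth, ClientAuth, Flag -AutoSize
```

Note that this reads the EKU extension inside the issued certificate, not the per-certificate purpose override that the article's MMC property-page procedure sets, so a certificate already "fixed" that way still shows ClientAuth here; use the output as an inventory of what needs attention, not as proof that the override is in place.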