[isapros] Re: ISA Server Slow FBA Login Issue and Solution Impact on SCCM Agent

  • From: Jason Jones <Jason.Jones@xxxxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 15 Oct 2008 09:29:40 +0100

I assume from the silence that you guys don't believe me or have run out of 
ideas? :-P

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: 10 October 2008 21:02
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA Server Slow FBA Login Issue and Solution Impact on 
SCCM Agent

I'm cornfussed; if the ISA is not allowed to possess the private key for the 
multi-purpose certificate, how is it able to use that cert for server 
authentication?
Yes; you could use separate certificates, since CAPI will choose the 
certificate best suited to the conversation.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jason Jones
Sent: Friday, October 10, 2008 5:25 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] ISA Server Slow FBA Login Issue and Solution Impact on SCCM 
Agent

Hi All,

An issue exists with ISA2k6 FBA as follows:

"Client logon is slow and server certificates used for Web publishing are 
configured with the default purpose settings "Server Authentication" and 
"Client Authentication"

Issue: When Windows Server 2003 detects the default purpose setting of "Client 
Authentication", the operating system attempts to perform TLS with mutual 
authentication to the domain controller. The mutual authentication process 
requires ISA Server to have access to the private key of the server certificate 
with the "Client Authentication" setting enabled, and ISA Server does not (and 
should not) have this access.

Solution: Ensure that all server certificates do not have the default "Client 
Authentication" purpose enabled. You can disable this setting on the property 
pages of the relevant server certificate as follows..."

http://technet.microsoft.com/en-us/library/cc514301.aspx

Based upon this solution (which works very well!) I have come up against a 
scenario where we have a customer that needs to "manage" ISA using System 
Centre Configuration Manager (SCCM) but this requires a certificate to be 
installed that supports the Client Authentication purpose in order to meet the 
SCCM mutual TLS design.

So, if the client auth purpose is enabled, FBA login is painfully slow; if the 
client auth purpose is disabled, the SCCM agent cannot provide mutual TLS and 
subsequently cannot communicate with the SCCM server.

Can anyone think of a way around this?

Cheers

JJ


________________________________

This email and any files transmitted with it are confidential and intended 
solely for the use of the individual to whom it is addressed. If you have 
received this email in error, or if you believe this email is unsolicited and 
wish to be removed from any future mailings, please contact our Support Desk 
immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx

If this email contains a quotation then unless otherwise stated it is valid for 
7 days and offered subject to Silversands Professional Services Terms and 
Conditions, a copy of which is available on request. Any pricing information, 
design information or information concerning specific Silversands' staff 
contained in this email is considered confidential or of commercial interest 
and exempt from the Freedom of Information Act 2000.

Any view or opinions presented are solely those of the author and do not 
necessarily represent those of Silversands

Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
Company Registration Number : 2141393.


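An added check, not part of the thread and not Microsoft's or ISA Server's own tooling: a PowerShell report over the machine certificate store that flags any certificate whose EKU extension carries both Server Authentication and Client Authentication, the combination the KB excerpt ties to slow FBA logon, so a separate client-authentication certificate (as Jim suggests) can be planned for the SCCM agent. It assumes it runs on the ISA host with read access to Cert:\LocalMachine\My; the store path and the function name are the example's own.

```powershell
# Added example: report EKU purposes on machine certificates and flag the
# Server Authentication + Client Authentication combination described in
# the KB excerpt above. Reads the EKU extension embedded in the certificate;
# the per-certificate "purposes" override set on the property pages (the KB
# workaround) is a store property and is NOT reflected here.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-CertEkuReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')   # assumed store

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

        if ($null -eq $ekuExt) {
            # No EKU extension means the certificate is valid for every
            # purpose, client authentication included, so it is flagged too.
            $oids = @()
            $allPurposes = $true
        } else {
            $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
            $allPurposes = $false
        }

        $hasServerAuth = $allPurposes -or ($oids -contains $ServerAuthOid)
        $hasClientAuth = $allPurposes -or ($oids -contains $ClientAuthOid)

        # New-Object rather than [pscustomobject] so this also runs on the
        # PowerShell versions shipped with Windows Server 2003/2008 hosts.
        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuth    = $hasServerAuth
            ClientAuth    = $hasClientAuth
            # Web-publishing certificate that also carries Client Authentication:
            # candidate for the slow-FBA behaviour; use a separate client-auth
            # certificate (e.g. for the SCCM agent) rather than one multi-purpose cert.
            SlowFbaRisk   = ($hasServerAuth -and $hasClientAuth)
        }
    }
}

Get-CertEkuReport |
    Sort-Object SlowFbaRisk -Descending |
    Format-Table Subject, Thumbprint, HasPrivateKey, ServerAuth, ClientAuth, SlowFbaRisk -AutoSize
```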