RE: SSL all the way. with OWA.

  • From: "Ball, Dan" <DBall@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 13 Jul 2005 16:59:16 -0400

I went back through my old mail, and we discussed this problem on
3/21/2005 (I had to look them up to refresh my memory on what I did
do...) I followed the steps listed in
http://www.isaserver.org/articles/exportsslcert.html step-by-step,
matching the text and the pictures of the menus to make sure I was doing
it exactly as recommended.

No, both users were not logged in simultaneously.

It does act like it's in the wrong location, but I've done everything I
could to make sure it was installed in the "right" location.  If it
isn't in the correct place, there must be some other thing I'm missing.

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Wednesday, July 13, 2005 9:28 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SSL all the way. with OWA.

http://www.ISAserver.org

Dan,

Exactly what steps were followed in each installation case?
Are both of you operating on the server simultaneously?

I've done this dozens of times and have never encountered this problem
*when the certificate is installed in the right location*.

-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: Wednesday, July 13, 2005 5:12 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SSL all the way. with OWA.

Okay, I got a chance to test this out with my co-worker this morning.
Since "I" installed the certificate the last time, if "he" goes into the
web listener and clicks Select, it delays for about 30 seconds, then
tells him that there is no certificate installed on the server.  If "I"
go in and do the same thing, it brings up a box showing the installed
certificate.

How would you like to test this?

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Monday, July 11, 2005 9:52 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SSL all the way. with OWA.

Hi Dan,

This location holds a reference to the certificate handed to the
upstream server for client authentication of the ISA itself.
As stated in the UI selectbox in the "Bridging" tab:
"Use a certificate to authenticate to the SSL Web server"

This is completely unrelated to the server certificate installed in the
web listener.

Basically:
Listener == server certificate
Rule == client certificate

Also, if one admin can see it, but another can't, it's installed in the
wrong store.  
- Server certificates must be installed in the "local computer" personal
store.
- Client certificates must be installed in the firewall service personal
store.

NeverEverEverEver install the certificate in a "user" personal store if
you want ISA to "see" them.

All this is covered in the ISA help, Tom's books, articles on
www.microsoft.com/isaserver/guidance and www.isaserver.org.

Jim
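
Added example, not part of the original thread: a PowerShell check of which personal store actually holds a certificate, covering the local computer, user and service stores distinguished above. The subject pattern and service name are placeholders, and the Cert: drive used here belongs to later Windows versions than the ISA 2004 setup under discussion.

```powershell
# Added example (not from the thread). Subject pattern and service name are placeholders.
function Find-CertStoreLocation {
    param(
        [Parameter(Mandatory)] [string] $SubjectLike,
        [string] $ServiceName   # optional: short name of the service whose store to list
    )
    $found = @()
    # "Local computer" and "user" personal stores, both reachable via the Cert: drive.
    foreach ($path in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
        $found += Get-ChildItem -Path $path |
            Where-Object { $_.Subject -like $SubjectLike } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $path
                    Thumbprint    = $_.Thumbprint
                    HasPrivateKey = $_.HasPrivateKey
                    NotAfter      = $_.NotAfter
                }
            }
    }
    # Service personal stores are not on the Cert: drive; they are registry-backed,
    # one subkey per thumbprint. Every entry is listed (no subject filter here).
    if ($ServiceName) {
        $key = "HKLM:\SOFTWARE\Microsoft\Cryptography\Services\$ServiceName\SystemCertificates\My\Certificates"
        if (Test-Path -LiteralPath $key) {
            $found += Get-ChildItem -LiteralPath $key | ForEach-Object {
                [pscustomobject]@{
                    Store         = "Service:$ServiceName\My"
                    Thumbprint    = $_.PSChildName
                    HasPrivateKey = $null   # not determinable from the key name
                    NotAfter      = $null
                }
            }
        }
    }
    $found
}

$hits = @(Find-CertStoreLocation -SubjectLike '*CN=owa.example.test*')   # constructed subject
$hits | Format-Table -AutoSize

$machine = @($hits | Where-Object { $_.Store -eq 'Cert:\LocalMachine\My' })
$user    = @($hits | Where-Object { $_.Store -eq 'Cert:\CurrentUser\My' })
if ($user.Count -gt 0 -and $machine.Count -eq 0) {
    Write-Warning 'Found only in the current user store: visible to this login, not to other admins.'
}
if ($machine | Where-Object { -not $_.HasPrivateKey }) {
    Write-Warning 'Local computer copy has no private key, so it cannot serve as a server certificate.'
}
```

Run it under each administrator's login in turn, since Cert:\CurrentUser\My resolves to whoever is running the script.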

-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: Monday, July 11, 2005 4:33 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SSL all the way. with OWA.

Okay, I was testing it out this morning, to see if it was still doing
it.  

I found that if I go into the current web listener, or create a new one,
the certificate will show up.  If I go into the "Bridging" menu of a
publishing rule, it tells me there are no certificates installed on the
server.

I still have to test the multiple user aspect we experienced before,
this is just with a single login.

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Thursday, July 07, 2005 9:02 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SSL all the way. with OWA.

It's possible - or even one in ISA.
Can you still repro the behavior?
If so, would you be willing to run a test script for me?

-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: Thursday, July 07, 2005 2:29 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SSL all the way. with OWA.

Yes, it does act like it is a situation where it is in the "user"
personal store.  Actually, that does explain a lot of the problems.  

I just know for a fact (I had others verify my steps) that it was
installed in the "local computer" store.  I've followed the instructions
(both from isaserver.org and Microsoft's KB) step-by-step many times
over, reading each and every step closely to make sure it was done
"correctly".  

Is it possible there is a bug in 2003 server?

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Thursday, July 07, 2005 9:51 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SSL all the way. with OWA.

What you describe is what happens when you install the certificate in
the "user" personal store; not the "local computer" personal store.

-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: Thursday, July 07, 2005 4:25 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SSL all the way. with OWA.

I ran into this on ISA2004 many times, it appeared (at the time) to be
partly a permissions problem.  

We have discussed it before in this forum, I described it as this: 

If one person installs a certificate, any other administrators will get
that message that there are no certificates installed (from the ISA
console), even though it clearly shows up in the certificates MMC.  

If a second administrator installs the same certificate again, the first
then gets that message (where he didn't before), and the second one can
then see it from the ISA console.

I don't think it was ever resolved because I could get the certificate
installed with the work-around.


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.

