RE: SSL all the way. with OWA.

  • From: "Ball, Dan" <DBall@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 14 Jul 2005 00:45:13 -0400

Cool! Wait until I tell him!  Might explain some of the strange things
he does...

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Thursday, July 14, 2005 12:10 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SSL all the way. with OWA.

http://www.ISAserver.org

There you go. Evidently, your co-worker is a ghost.

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
> Sent: Wednesday, July 13, 2005 11:02 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: SSL all the way. with OWA.
> 
> Yes, we're both logging in as domain admins.
> 
> Yes, there is an event log entry (why didn't I think to look before?):
> 
> Source: Microsoft ISA Server Control
> Event: 12260
> "A fatal error occurred while attempting to access 'Equifax Secure
> Certificate Authority' certificate private key."
> 
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> Sent: Wednesday, July 13, 2005 5:46 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: SSL all the way. with OWA.
> 
> Hi Dan,
> Are you both logging on as domain admins when you perform the procedure?
> 
> Are there any entries in the event viewer, including the security log,
> that give some hints?
> 
> Thanks!
> 
> Tom
> www.isaserver.org/shinder
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
> > Sent: Wednesday, July 13, 2005 4:04 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: SSL all the way. with OWA.
> > 
> > Yep, pretty much the same as I did, although I didn't go through the
> > switching back and forth of users as much.  My co-worker installed it
> > the first time, I went in to modify the listener later and it said there
> > were no certificates installed.  We went back on as him, and it was
> > there.  I un-installed it, and re-installed it several times, and it
> > would work for me, but then not for him, and vice-versa...  Frustrating.
> > 
> > The details on "how" to install it into the *machine* certificate store
> > seem to be the clincher here.  I followed the steps in
> > http://www.isaserver.org/articles/exportsslcert.html, and a few other
> > tutorials, which all basically said the same thing.
> > 
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> > Sent: Wednesday, July 13, 2005 9:50 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: SSL all the way. with OWA.
> > 
> > OK, here's what I did to try and replicate this issue:
> > 
> > 1. ISA firewall is domain member, running on Windows Server 2003 SP1,
> > ISA 2004 SP1 installed. Win2003 func level domain
> > 2. tshinder and administrator are domain admins in the domain
> > 3. Administrator requests a Web site certificate on the OWA server to an
> > online enterprise CA
> > 4. Administrator exports the certificate bound to the OWA site to a
> > file, including the private key
> > 5. tshinder copies the file to the ISA firewall
> > 6. tshinder imports the certificate, with its private key, into the ISA
> > firewall's *machine* certificate store
> > 7. tshinder exports the CA certificate from the Web site certificate,
> > and imports the CA certificate into the ISA firewall's Trusted Root
> > Certification Authorities *machine* certificate store
> > 8. tshinder logs off the ISA firewall
> > 9. Administrator logs onto the ISA firewall
> > 10. Administrator creates a Web listener for SSL connections
> > 11. Administrator clicks the Select button in the wizard, and selects
> > the certificate that *tshinder* imported into the ISA firewall's
> > *machine* certificate store
> > 12. Administrator creates a Web Publishing Rule publishing the OWA site
> > 13. Bozo connects to the OWA site from a Windows XP Service Pack 2
> > machine via the OWA Web Publishing Rule
> > 
> > Conclusion:
> > It doesn't matter who creates or installs the certificate
> > 
> > HTH
> > 
> > Tom
> > www.isaserver.org/shinder
> > Tom and Deb Shinder's Configuring ISA Server 2004
> > http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > 
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> > > Sent: Wednesday, July 13, 2005 8:28 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: SSL all the way. with OWA.
> > > 
> > > Dan,
> > > 
> > > Exactly what steps were followed in each installation case?
> > > Are both of you operating on the server simultaneously?
> > > 
> > > I've done this dozens of times and have never encountered this problem
> > > *when the certificate is installed in the right location*.
> > > 
> > > -----Original Message-----
> > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
> > > Sent: Wednesday, July 13, 2005 5:12 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: SSL all the way. with OWA.
> > > 
> > > Okay, I got a chance to test this out with my co-worker this morning.
> > > Since "I" installed the certificate the last time, if "he" goes into the
> > > web listener and clicks Select, it delays for about 30 seconds, then
> > > tells him that there is no certificate installed on the server.  If "I"
> > > go in and do the same thing, it brings up a box showing the installed
> > > certificate.
> > > 
> > > How would you like to test this?
> > > 
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> > > Sent: Monday, July 11, 2005 9:52 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: SSL all the way. with OWA.
> > > 
> > > Hi Dan,
> > > 
> > > This location holds a reference to the certificate handed to the
> > > upstream server for client authentication of the ISA itself.
> > > As stated in the UI selectbox in the "Bridging" tab:
> > > "Use a certificate to authenticate to the SSL Web server"
> > > 
> > > This is completely unrelated to the server certificate installed in the
> > > web listener.
> > > 
> > > Basically:
> > > Listener == server certificate
> > > Rule == client certificate
> > > 
> > > Also, if one admin can see it, but another can't, it's installed in the
> > > wrong store.
> > > - Server certificates must be installed in the "local computer" personal
> > > store.
> > > - Client certificates must be installed in the firewall service personal
> > > store.
> > > 
> > > NeverEverEverEver install the certificate in a "user" personal store if
> > > you want ISA to "see" them.
> > > 
> > > All this is covered in the ISA help, Tom's books, articles on
> > > www.microsoft.com/isaserver/guidance and www.isaserver.org.
> > > 
> > > Jim
> > > 
> > > -----Original Message-----
> > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
> > > Sent: Monday, July 11, 2005 4:33 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: SSL all the way. with OWA.
> > > 
> > > Okay, I was testing it out this morning, to see if it was still doing
> > > it.
> > > 
> > > I found that if I go into the current web listener, or create a new one,
> > > the certificate will show up.  If I go into the "Bridging" menu of a
> > > publishing rule, it tells me there are no certificates installed on the
> > > server.
> > > 
> > > I still have to test the multiple user aspect we experienced before,
> > > this is just with a single login.
> > > 
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> > > Sent: Thursday, July 07, 2005 9:02 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: SSL all the way. with OWA.
> > > 
> > > It's possible - or even one in ISA.
> > > Can you still repro the behavior?
> > > If so, would you be willing to run a test script for me?
> > > 
> > > -----Original Message-----
> > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
> > > Sent: Thursday, July 07, 2005 2:29 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: SSL all the way. with OWA.
> > > 
> > > Yes, it does act like it is a situation where it is in the "user"
> > > personal store.  Actually, that does explain a lot of the problems.
> > > 
> > > I just know for a fact (I had others verify my steps) that it was
> > > installed in the "local computer" store.  I've followed the instructions
> > > (both from isaserver.org and Microsoft's KB) step-by-step many times
> > > over, reading each and every step closely to make sure it was done
> > > "correctly".
> > > 
> > > Is it possible there is a bug in 2003 server?
> > > 
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> > > Sent: Thursday, July 07, 2005 9:51 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: SSL all the way. with OWA.
> > > 
> > > What you describe is what happens when you install the certificate in
> > > the "user" personal store; not the "local computer" personal store.
> > > 
> > > -----Original Message-----
> > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
> > > Sent: Thursday, July 07, 2005 4:25 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: SSL all the way. with OWA.
> > > 
> > > I ran into this on ISA2004 many times, it appeared (at the time) to be
> > > partly a permissions problem.
> > > 
> > > We have discussed it before in this forum, I described it as this:
> > > 
> > > If one person installs a certificate, any other administrators will get
> > > that message that there are no certificates installed (from the ISA
> > > console), even though it clearly shows up in the certificates MMC.
> > > 
> > > If a second administrator installs the same certificate again, the first
> > > then gets that message (where he didn't before), and the second one can
> > > then see it from the ISA console.
> > > 
> > > I don't think it was ever resolved because I could get the certificate
> > > installed with the work-around.
> 
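The two things the thread above keeps circling back to, which store the certificate was imported into and whether the firewall service can actually open its private key (the event 12260 "fatal error ... accessing certificate private key" entry Dan found), can both be checked from the ISA host itself. The PowerShell script below is an added example by the editor, not something any of the posters wrote. It assumes PowerShell is available on the ISA host, that the listener certificate's subject contains the placeholder owa.example.com, that the key is a legacy CSP key (the case for a certificate exported from IIS 6 with its private key), and that the Microsoft Firewall service runs as NT AUTHORITY\NETWORK SERVICE; confirm the last one with `sc qc fwsrv` and adjust the parameter if it differs.

```powershell
# Editor's diagnostic for the ISA listener-certificate problem discussed above.
# Not code from the thread. Run from an elevated PowerShell prompt on the ISA host.
# Assumptions (not stated in the thread): $SubjectMatch appears in the listener
# certificate's subject, and the Microsoft Firewall service logs on as
# $ServiceAccount (check with: sc qc fwsrv).
param(
    [string]$SubjectMatch   = 'owa.example.com',                # placeholder
    [string]$ServiceAccount = 'NT AUTHORITY\NETWORK SERVICE'    # assumed; verify
)

# 1. Where does the certificate actually live? ISA reads only the *machine*
#    personal store (Cert:\LocalMachine\My). A copy sitting in the importing
#    admin's own user store (Cert:\CurrentUser\My) shows up fine in that
#    admin's Certificates MMC but is invisible to the ISA console, which is the
#    "no certificates installed" message the thread describes. Report both.
function Get-CertificateLocations {
    param([string]$SubjectMatch)
    $results = @()
    foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
        $certs = Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like "*$SubjectMatch*" }
        foreach ($cert in $certs) {
            $results += New-Object PSObject -Property @{
                Store         = $store
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                HasPrivateKey = $cert.HasPrivateKey
                NotAfter      = $cert.NotAfter
            }
        }
    }
    return $results
}

# 2. Can the firewall service account read the private key? Being in the right
#    store is not enough: the CSP key container for a machine certificate is a
#    file under ...\Crypto\RSA\MachineKeys, and if its ACL does not grant the
#    service account Read, ISA logs event 12260 and the listener has no usable
#    certificate. This checks for a direct Allow ACE for that account only;
#    access inherited through a group membership is not evaluated.
function Test-PrivateKeyAccess {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$ServiceAccount
    )
    if (-not $Cert.HasPrivateKey) { return 'NO PRIVATE KEY (exported/imported without it?)' }
    if ($Cert.PrivateKey -eq $null) { return 'PRIVATE KEY NOT READABLE BY THIS USER (or not a CSP key)' }
    $keyName = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $candidates = @(
        (Join-Path $env:ALLUSERSPROFILE "Microsoft\Crypto\RSA\MachineKeys\$keyName"),                 # Vista / 2008 and later
        (Join-Path $env:ALLUSERSPROFILE "Application Data\Microsoft\Crypto\RSA\MachineKeys\$keyName") # Windows Server 2003
    )
    $keyFile = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $keyFile) {
        return "KEY FILE NOT FOUND for container $keyName : key is probably a user-profile key, not a machine key"
    }
    $acl = Get-Acl -Path $keyFile
    $canRead = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $ServiceAccount -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
    }
    if ($canRead) { return "OK: $ServiceAccount can read $keyFile" }
    return "DENIED: $ServiceAccount has no Read on $keyFile (grant Read on that file, then restart the Microsoft Firewall service)"
}

$locations = Get-CertificateLocations -SubjectMatch $SubjectMatch
$locations | Format-Table Store, Thumbprint, HasPrivateKey, NotAfter -AutoSize

$machineCopies = @($locations | Where-Object { $_.Store -eq 'Cert:\LocalMachine\My' })
if ($machineCopies.Count -eq 0) {
    Write-Warning "No match in Cert:\LocalMachine\My. If it is listed under Cert:\CurrentUser\My, it was imported into a user store; re-import the .pfx into the Local Computer personal store."
}
foreach ($entry in $machineCopies) {
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$($entry.Thumbprint)"
    Write-Output ("{0}: {1}" -f $cert.Thumbprint, (Test-PrivateKeyAccess -Cert $cert -ServiceAccount $ServiceAccount))
}
```

Run it once as each administrator who sees different results in the ISA console: if the certificate appears under CurrentUser\My for one of them and not under LocalMachine\My at all, the import went into a user store regardless of what the wizard appeared to say. If it is in LocalMachine\My for everyone but the key-file check reports DENIED, the store is right and the ACL on the key container is what needs fixing.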

