He says he's been feeling a bit funny, but didn't realize his condition...

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Thursday, July 14, 2005 12:10 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SSL all the way. with OWA.

http://www.ISAserver.org

There you go. Evidently, your co-worker is a ghost.

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Wednesday, July 13, 2005 11:02 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: SSL all the way. with OWA.
>
> Yes, we're both logging in as domain admins.
>
> Yes, there is an event log entry (why didn't I think to look before?):
>
> Source: Microsoft ISA Server Control
> Event: 12260
> "A fatal error occurred while attempting to access 'Equifax Secure
> Certificate Authority' certificate private key."
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Wednesday, July 13, 2005 5:46 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: SSL all the way. with OWA.
>
> Hi Dan,
> Are you both logging on as domain admins when you perform the
> procedure?
>
> Are there any entries in the event viewer, including the security log,
> that give some hints?
>
> Thanks!
>
> Tom
>
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > Sent: Wednesday, July 13, 2005 4:04 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: SSL all the way. with OWA.
> >
> > Yep, pretty much the same as I did, although I didn't go through the
> > switching back and forth of users as much. My co-worker installed it
> > the first time, I went in to modify the listener later and it said
> > there were no certificates installed. We went back on as him, and it
> > was there. I un-installed it, and re-installed it several times, and
> > it would work for me, but then not for him, and vice-versa...
> > Frustrating.
> >
> > The details on "how" to install it into the *machine* certificate
> > store seem to be the clincher here. I followed the steps in
> > http://www.isaserver.org/articles/exportsslcert.html, and a few other
> > tutorials, which all basically said the same thing.
> >
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: Wednesday, July 13, 2005 9:50 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: SSL all the way. with OWA.
> >
> > OK, here's what I did to try and replicate this issue:
> >
> > 1. ISA firewall is domain member, running on Windows Server 2003 SP1,
> >    ISA 2004 SP1 installed. Win2003 func level domain
> > 2. tshinder and administrator are domain admins in the domain
> > 3. Administrator requests a Web site certificate on the OWA server to
> >    an online enterprise CA
> > 4. Administrator exports the certificate bound to the OWA site to a
> >    file, including the private key
> > 5. tshinder copies the file to the ISA firewall
> > 6. tshinder imports the certificate, with its private key, into the
> >    ISA firewall's *machine* certificate store
> > 7. tshinder exports the CA certificate from the Web site certificate,
> >    and imports the CA certificate into the ISA firewall's Trusted Root
> >    Certification Authorities *machine* certificate store
> > 8. tshinder logs off the ISA firewall
> > 9. Administrator logs onto the ISA firewall
> > 10. Administrator creates a Web listener for SSL connections
> > 11. Administrator clicks the Select button in the wizard, and selects
> >     the certificate that *tshinder* imported into the ISA firewall's
> >     *machine* certificate store
> > 12. Administrator creates a Web Publishing Rule publishing the OWA
> >     site
> > 13. Bozo connects to the OWA site from a Windows XP Service Pack 2
> >     machine via the OWA Web Publishing Rule
> >
> > Conclusion:
> > It doesn't matter who creates or installs the certificate
> >
> > HTH
> >
> > Tom
> >
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > Sent: Wednesday, July 13, 2005 8:28 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: SSL all the way. with OWA.
> > >
> > > Dan,
> > >
> > > Exactly what steps were followed in each installation case?
> > > Are both of you operating on the server simultaneously?
> > >
> > > I've done this dozens of times and have never encountered this
> > > problem *when the certificate is installed in the right location*.
> > >
> > > -----Original Message-----
> > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > > Sent: Wednesday, July 13, 2005 5:12 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: SSL all the way. with OWA.
> > >
> > > Okay, I got a chance to test this out with my co-worker this
> > > morning. Since "I" installed the certificate the last time, if "he"
> > > goes into the web listener and clicks Select, it delays for about 30
> > > seconds, then tells him that there is no certificate installed on
> > > the server. If "I" go in and do the same thing, it brings up a box
> > > showing the installed certificate.
> > >
> > > How would you like to test this?
> > >
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > Sent: Monday, July 11, 2005 9:52 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: SSL all the way. with OWA.
> > >
> > > Hi Dan,
> > >
> > > This location holds a reference to the certificate handed to the
> > > upstream server for client authentication of the ISA itself.
> > > As stated in the UI selectbox in the "Bridging" tab:
> > > "Use a certificate to authenticate to the SSL Web server"
> > >
> > > This is completely unrelated to the server certificate installed in
> > > the web listener.
> > >
> > > Basically:
> > > Listener == server certificate
> > > Rule == client certificate
> > >
> > > Also, if one admin can see it, but another can't, it's installed in
> > > the wrong store.
> > > - Server certificates must be installed in the "local computer"
> > >   personal store.
> > > - Client certificates must be installed in the firewall service
> > >   personal store.
> > >
> > > NeverEverEverEver install the certificate in a "user" personal store
> > > if you want ISA to "see" them.
> > >
> > > All this is covered in the ISA help, Tom's books, articles on
> > > www.microsoft.com/isaserver/guidance and www.isaserver.org.
> > >
> > > Jim
> > >
> > > -----Original Message-----
> > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > > Sent: Monday, July 11, 2005 4:33 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: SSL all the way. with OWA.
> > >
> > > Okay, I was testing it out this morning, to see if it was still
> > > doing it.
> > >
> > > I found that if I go into the current web listener, or create a new
> > > one, the certificate will show up. If I go into the "Bridging" menu
> > > of a publishing rule, it tells me there are no certificates
> > > installed on the server.
> > >
> > > I still have to test the multiple user aspect we experienced before,
> > > this is just with a single login.
> > >
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > Sent: Thursday, July 07, 2005 9:02 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: SSL all the way. with OWA.
> > >
> > > It's possible - or even one in ISA.
> > > Can you still repro the behavior?
> > > If so, would you be willing to run a test script for me?
> > >
> > > -----Original Message-----
> > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > > Sent: Thursday, July 07, 2005 2:29 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: SSL all the way. with OWA.
> > >
> > > Yes, it does act like it is a situation where it is in the "user"
> > > personal store. Actually, that does explain a lot of the problems.
> > >
> > > I just know for a fact (I had others verify my steps) that it was
> > > installed in the "local computer" store. I've followed the
> > > instructions (both from isaserver.org and Microsoft's KB)
> > > step-by-step many times over, reading each and every step closely to
> > > make sure it was done "correctly".
> > >
> > > It is possible there is a bug in 2003 server?
> > >
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > Sent: Thursday, July 07, 2005 9:51 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: SSL all the way. with OWA.
> > >
> > > What you describe is what happens when you install the certificate
> > > in the "user" personal store; not the "local computer" personal
> > > store.
> > >
> > > -----Original Message-----
> > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > > Sent: Thursday, July 07, 2005 4:25 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: SSL all the way. with OWA.
> > >
> > > I ran into this on ISA2004 many times, it appeared (at the time) to
> > > be partly a permissions problem.
> > >
> > > We have discussed it before in this forum, I described it as this:
> > >
> > > If one person installs a certificate, any other administrators will
> > > get that message that there are no certificates installed (from the
> > > ISA console), even though it clearly shows up in the certificates
> > > MMC.
> > >
> > > If a second administrator installs the same certificate again, the
> > > first then gets that message (where he didn't before), and the
> > > second one can then see it from the ISA console.
> > >
> > > I don't think it was ever resolved because I could get the
> > > certificate installed with the work-around.
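
A check for the two symptoms discussed in this thread (a certificate visible to one administrator but not another, and the event 12260 private-key error), as an added example that is not part of the original messages or of ISA Server. It reports whether a certificate sits in the "local computer" or the "user" personal store and whether the current account can open its private key; the function name and the thumbprint parameter are hypothetical, and an RSA key is assumed.

```powershell
# Added example (not from the thread): report which personal store holds a
# certificate and whether the account running the script can open its key.
function Find-CertificateInStores {
    param(
        # Optional filter; leave empty to list every certificate in both stores.
        [string]$Thumbprint = ''
    )

    $wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    foreach ($location in 'LocalMachine', 'CurrentUser') {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', $location)
        try {
            $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
            foreach ($cert in $store.Certificates) {
                if ($wanted -and $cert.Thumbprint -ne $wanted) { continue }

                $keyStatus = 'no private key in this store'
                if ($cert.HasPrivateKey) {
                    try {
                        # Opening the key exercises the key container and its ACL,
                        # which the HasPrivateKey flag alone does not.
                        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                        $keyStatus = if ($key) { 'private key opened' } else { 'private key present, not RSA' }
                    } catch {
                        $keyStatus = 'private key NOT accessible: ' + $_.Exception.GetBaseException().Message
                    }
                }

                [pscustomobject]@{
                    Store      = "$location\My"
                    RunAs      = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    KeyStatus  = $keyStatus
                }
            }
        } finally {
            $store.Close()
        }
    }
}

# List everything; pass -Thumbprint to narrow to the listener's certificate.
Find-CertificateInStores | Format-Table -AutoSize
```

Run it once under each administrator account and compare: a row under `CurrentUser\My` appears only for the account that imported the certificate, while a `LocalMachine\My` row whose key cannot be opened points to a key container problem rather than a store-placement one. The firewall service personal store mentioned for client certificates is not covered by this check.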