RE: SSL all the way. with OWA.

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 14 Jul 2005 20:38:18 -0500

Sometimes it's better not to tell them ;)

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
> Sent: Thursday, July 14, 2005 4:11 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: SSL all the way. with OWA.
> 
> http://www.ISAserver.org
> 
> He says he's been feeling a bit funny, but didn't realize his
> condition...
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> Sent: Thursday, July 14, 2005 12:10 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: SSL all the way. with OWA.
> 
> http://www.ISAserver.org
> 
> There you go. Evidently, your co-worker is a ghost.
> 
> Tom
> www.isaserver.org/shinder
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
>  
> 
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
> > Sent: Wednesday, July 13, 2005 11:02 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: SSL all the way. with OWA.
> > 
> > http://www.ISAserver.org
> > 
> > Yes, we're both logging in as domain admins.
> > 
> > Yes, there is an event log entry (why didn't I think to look before?):
> > 
> > Source: Microsoft ISA Server Control
> > Event: 12260
> > "A fatal error occurred while attempting to access 'Equifax Secure
> > Certificate Authority' certificate private key."
> > 
> > 
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> > Sent: Wednesday, July 13, 2005 5:46 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: SSL all the way. with OWA.
> > 
> > http://www.ISAserver.org
> > 
> > Hi Dan,
> > Are you both logging on as domain admins when you perform the 
> > procedure?
> > 
> > Are there any entries in the event viewer, including the security log,
> > that give some hints?
> > 
> > Thanks!
> > 
> > Tom
> > www.isaserver.org/shinder
> > Tom and Deb Shinder's Configuring ISA Server 2004
> > http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > 
> >  
> > 
> > > -----Original Message-----
> > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
> > > Sent: Wednesday, July 13, 2005 4:04 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: SSL all the way. with OWA.
> > > 
> > > http://www.ISAserver.org
> > > 
> > > Yep, pretty much the same as I did, although I didn't go through the
> > > switching back and forth of users as much.  My co-worker installed it
> > > the first time, I went in to modify the listener later and it said there
> > > were no certificates installed.  We went back on as him, and it was
> > > there.  I un-installed it, and re-installed it several times, and it
> > > would work for me, but then not for him, and vice-versa...
> > > Frustrating.
> > > 
> > > The details on "how" to install it into the *machine* certificate store
> > > seem to be the clincher here.  I followed the steps in
> > > http://www.isaserver.org/articles/exportsslcert.html, and a few other
> > > tutorials, which all basically said the same thing.
> > > 
> > > -----Original Message-----
> > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> > > Sent: Wednesday, July 13, 2005 9:50 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: SSL all the way. with OWA.
> > > 
> > > http://www.ISAserver.org
> > > 
> > > OK, here's what I did to try and replicate this issue:
> > > 
> > > 1. ISA firewall is domain member, running on Windows Server 2003 SP1,
> > > ISA 2004 SP1 installed. Win2003 func level domain
> > > 2. tshinder and administrator are domain admins in the domain
> > > 3. Administrator requests a Web site certificate on the OWA server to an
> > > online enterprise CA
> > > 4. Administrator exports the certificate bound to the OWA site to a
> > > file, including the private key
> > > 5. tshinder copies the file to the ISA firewall
> > > 6. tshinder imports the certificate, with its private key, into the ISA
> > > firewall's *machine* certificate store
> > > 7. tshinder exports the CA certificate from the Web site certificate,
> > > and imports the CA certificate into the ISA firewall's Trusted Root
> > > Certification Authorities *machine* certificate store
> > > 8. tshinder logs off the ISA firewall
> > > 9. Administrator logs onto the ISA firewall
> > > 10. Administrator creates a Web listener for SSL connections
> > > 11. Administrator clicks the Select button in the wizard, and selects
> > > the certificate that *tshinder* imported into the ISA firewall's
> > > *machine* certificate store
> > > 12. Administrator creates a Web Publishing Rule publishing the OWA site
> > > 13. Bozo connects to the OWA site from a Windows XP Service Pack 2
> > > machine via the OWA Web Publishing Rule
> > > 
> > > Conclusion:
> > > It doesn't matter who creates or installs the certificate
> > > 
> > > HTH
> > > 
> > > Tom
> > > www.isaserver.org/shinder
> > > Tom and Deb Shinder's Configuring ISA Server 2004
> > > http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > > 
> > >  
> > > 
> > > > -----Original Message-----
> > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> > > > Sent: Wednesday, July 13, 2005 8:28 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: SSL all the way. with OWA.
> > > > 
> > > > http://www.ISAserver.org
> > > > 
> > > > Dan,
> > > > 
> > > > Exactly what steps were followed in each installation case?
> > > > Are both of you operating on the server simultaneously?
> > > > 
> > > > I've done this dozens of times and have never encountered this problem
> > > > *when the certificate is installed in the right location*.
> > > > 
> > > > -----Original Message-----
> > > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
> > > > Sent: Wednesday, July 13, 2005 5:12 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: SSL all the way. with OWA.
> > > > 
> > > > http://www.ISAserver.org
> > > > 
> > > > Okay, I got a chance to test this out with my co-worker this morning.
> > > > Since "I" installed the certificate the last time, if "he" goes into the
> > > > web listener and clicks Select, it delays for about 30 seconds, then
> > > > tells him that there is no certificate installed on the server.  If "I"
> > > > go in and do the same thing, it brings up a box showing the installed
> > > > certificate.
> > > > 
> > > > How would you like to test this?
> > > > 
> > > > -----Original Message-----
> > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> > > > Sent: Monday, July 11, 2005 9:52 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: SSL all the way. with OWA.
> > > > 
> > > > http://www.ISAserver.org
> > > > 
> > > > Hi Dan,
> > > > 
> > > > This location holds a reference to the certificate handed to the
> > > > upstream server for client authentication of the ISA itself.
> > > > As stated in the UI selectbox in the "Bridging" tab:
> > > > "Use a certificate to authenticate to the SSL Web server"
> > > > 
> > > > This is completely unrelated to the server certificate installed in the
> > > > web listener.
> > > > 
> > > > Basically:
> > > > Listener == server certificate
> > > > Rule == client certificate
> > > > 
> > > > Also, if one admin can see it, but another can't, it's installed in the
> > > > wrong store.
> > > > - Server certificates must be installed in the "local computer" personal
> > > > store.
> > > > - Client certificates must be installed in the firewall service personal
> > > > store.
> > > > 
> > > > NeverEverEverEver install the certificate in a "user" personal store if
> > > > you want ISA to "see" them.
> > > > 
> > > > All this is covered in the ISA help, Tom's books, articles on
> > > > www.microsoft.com/isaserver/guidance and www.isaserver.org.
> > > > 
> > > > Jim
> > > > 
> > > > -----Original Message-----
> > > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
> > > > Sent: Monday, July 11, 2005 4:33 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: SSL all the way. with OWA.
> > > > 
> > > > http://www.ISAserver.org
> > > > 
> > > > Okay, I was testing it out this morning, to see if it was still doing
> > > > it.
> > > > 
> > > > I found that if I go into the current web listener, or create a new one,
> > > > the certificate will show up.  If I go into the "Bridging" menu of a
> > > > publishing rule, it tells me there are no certificates installed on the
> > > > server.
> > > > 
> > > > I still have to test the multiple user aspect we experienced before,
> > > > this is just with a single login.
> > > > 
> > > > -----Original Message-----
> > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> > > > Sent: Thursday, July 07, 2005 9:02 PM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: SSL all the way. with OWA.
> > > > 
> > > > http://www.ISAserver.org
> > > > 
> > > > It's possible - or even one in ISA.
> > > > Can you still repro the behavior?
> > > > If so, would you be willing to run a test script for me?
> > > > 
> > > > -----Original Message-----
> > > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
> > > > Sent: Thursday, July 07, 2005 2:29 PM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: SSL all the way. with OWA.
> > > > 
> > > > http://www.ISAserver.org
> > > > 
> > > > Yes, it does act like it is a situation where it is in the "user"
> > > > personal store.  Actually, that does explain a lot of the problems.
> > > > 
> > > > I just know for a fact (I had others verify my steps) that it was
> > > > installed in the "local computer" store.  I've followed the instructions
> > > > (both from isaserver.org and Microsoft's KB) step-by-step many times
> > > > over, reading each and every step closely to make sure it was done
> > > > "correctly".
> > > > 
> > > > Is it possible there is a bug in 2003 server?
> > > > 
> > > > -----Original Message-----
> > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> > > > Sent: Thursday, July 07, 2005 9:51 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: SSL all the way. with OWA.
> > > > 
> > > > http://www.ISAserver.org
> > > > 
> > > > What you describe is what happens when you install the certificate in
> > > > the "user" personal store; not the "local computer" personal store.
> > > > 
> > > > -----Original Message-----
> > > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
> > > > Sent: Thursday, July 07, 2005 4:25 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: SSL all the way. with OWA.
> > > > 
> > > > http://www.ISAserver.org
> > > > 
> > > > I ran into this on ISA2004 many times, it appeared (at the time) to be
> > > > partly a permissions problem.
> > > > 
> > > > We have discussed it before in this forum, I described it as this:
> > > > 
> > > > If one person installs a certificate, any other administrators will get
> > > > that message that there are no certificates installed (from the ISA
> > > > console), even though it clearly shows up in the certificates MMC.
> > > > 
> > > > If a second administrator installs the same certificate again, the first
> > > > then gets that message (where he didn't before), and the second one can
> > > > then see it from the ISA console.
> > > > 
> > > > I don't think it was ever resolved because I could get the certificate
> > > > installed with the work-around.
> > 
> 
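The store rule Jim gives in the thread (server certificate in the "local computer" personal store, never a user store) and the event 12260 private-key error Dan reports, turned into a diagnostic that is an added example and not part of the thread. It assumes a current Windows host where the PowerShell certificate provider exists (ISA 2004 on Windows Server 2003 predates it), and the subject filter is a placeholder.

```powershell
# Added example, not from the thread. Shows where a publishing certificate
# actually lives and whether a service account could use its private key.
param(
    [string]$SubjectMatch = 'owa.example.com'   # placeholder, set to your cert's subject
)

# A cert that only appears under CurrentUser\My is the "only the installing
# admin can see it" symptom described in the thread: the firewall service,
# running under a different account, never opens that user's store.
$stores = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My')
foreach ($store in $stores) {
    $certs = Get-ChildItem -Path $store | Where-Object { $_.Subject -like "*$SubjectMatch*" }
    if (-not $certs) {
        Write-Output "$store : no certificate matching '$SubjectMatch'"
        continue
    }
    foreach ($c in $certs) {
        # HasPrivateKey is false when only the public certificate was imported;
        # the listener cannot terminate SSL without the key in the machine store.
        Write-Output ("{0} : {1} thumbprint={2} privateKey={3} expires={4}" -f
            $store, $c.Subject, $c.Thumbprint, $c.HasPrivateKey, $c.NotAfter)

        # Build the chain against the machine's trusted roots, as the listener will
        # (step 7 of Tom's repro: the CA cert must be in the machine Trusted Root store).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; enable in production
        if ($chain.Build($c)) {
            Write-Output "  chain OK ($($chain.ChainElements.Count) elements)"
        } else {
            $chain.ChainStatus | ForEach-Object {
                Write-Output ("  chain problem: {0}" -f $_.StatusInformation.Trim())
            }
        }
    }
}

# Event 12260 from source "Microsoft ISA Server Control" is the private-key
# access failure quoted in the thread; surface recent occurrences if any exist.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Microsoft ISA Server Control'; Id = 12260 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run it once as each administrator: a certificate that shows up only under Cert:\CurrentUser\My for one of them is the mis-placed install the thread is chasing.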

