I've found this article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;837350

Does this sound appropriate for this situation?

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Thursday, July 14, 2005 9:38 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SSL all the way. with OWA.

http://www.ISAserver.org

Sometimes it's better not to tell them ;)

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Thursday, July 14, 2005 4:11 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: SSL all the way. with OWA.
>
> He says he's been feeling a bit funny, but didn't realize his condition...
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Thursday, July 14, 2005 12:10 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: SSL all the way. with OWA.
>
> There you go. Evidently, your co-worker is a ghost.
>
> Tom
> www.isaserver.org/shinder
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > Sent: Wednesday, July 13, 2005 11:02 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: SSL all the way. with OWA.
> >
> > Yes, we're both logging in as domain admins.
> >
> > Yes, there is an event log entry (why didn't I think to look before?):
> >
> > Source: Microsoft ISA Server Control
> > Event: 12260
> > "A fatal error occurred while attempting to access 'Equifax Secure Certificate Authority' certificate private key."
> >
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: Wednesday, July 13, 2005 5:46 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: SSL all the way. with OWA.
> >
> > Hi Dan,
> >
> > Are you both logging on as domain admins when you perform the procedure?
> >
> > Are there any entries in the event viewer, including the security log, that give some hints?
> >
> > Thanks!
> >
> > Tom
> > www.isaserver.org/shinder
> > Tom and Deb Shinder's Configuring ISA Server 2004
> > http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> >
> > > -----Original Message-----
> > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > > Sent: Wednesday, July 13, 2005 4:04 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: SSL all the way. with OWA.
> > >
> > > Yep, pretty much the same as I did, although I didn't go through the switching back and forth of users as much. My co-worker installed it the first time, I went in to modify the listener later and it said there were no certificates installed. We went back on as him, and it was there. I un-installed it, and re-installed it several times, and it would work for me, but then not for him, and vice-versa... Frustrating.
> > >
> > > The details on "how" to install it into the *machine* certificate store seem to be the clincher here. I followed the steps in http://www.isaserver.org/articles/exportsslcert.html, and a few other tutorials, which all basically said the same thing.
> > >
> > > -----Original Message-----
> > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > Sent: Wednesday, July 13, 2005 9:50 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: SSL all the way. with OWA.
> > >
> > > OK, here's what I did to try and replicate this issue:
> > >
> > > 1. ISA firewall is domain member, running on Windows Server 2003 SP1, ISA 2004 SP1 installed. Win2003 func level domain
> > > 2. tshinder and administrator are domain admins in the domain
> > > 3. Administrator requests a Web site certificate on the OWA server to an online enterprise CA
> > > 4. Administrator exports the certificate bound to the OWA site to a file, including the private key
> > > 5. tshinder copies the file to the ISA firewall
> > > 6. tshinder imports the certificate, with its private key, into the ISA firewall's *machine* certificate store
> > > 7. tshinder exports the CA certificate from the Web site certificate, and imports the CA certificate into the ISA firewall's Trusted Root Certification Authorities *machine* certificate store
> > > 8. tshinder logs off the ISA firewall
> > > 9. Administrator logs onto the ISA firewall
> > > 10. Administrator creates a Web listener for SSL connections
> > > 11. Administrator clicks the Select button in the wizard, and selects the certificate that *tshinder* imported into the ISA firewall's *machine* certificate store
> > > 12. Administrator creates a Web Publishing Rule publishing the OWA site
> > > 13. Bozo connects to the OWA site from a Windows XP Service Pack 2 machine via the OWA Web Publishing Rule
> > >
> > > Conclusion:
> > > It doesn't matter who creates or installs the certificate
> > >
> > > HTH,
> > >
> > > Tom
> > > www.isaserver.org/shinder
> > > Tom and Deb Shinder's Configuring ISA Server 2004
> > > http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > >
> > > > -----Original Message-----
> > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > > Sent: Wednesday, July 13, 2005 8:28 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: SSL all the way. with OWA.
> > > >
> > > > Dan,
> > > >
> > > > Exactly what steps were followed in each installation case?
> > > > Are both of you operating on the server simultaneously?
> > > >
> > > > I've done this dozens of times and have never encountered this problem *when the certificate is installed in the right location*.
> > > >
> > > > -----Original Message-----
> > > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > > > Sent: Wednesday, July 13, 2005 5:12 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: SSL all the way. with OWA.
> > > >
> > > > Okay, I got a chance to test this out with my co-worker this morning. Since "I" installed the certificate the last time, if "he" goes into the web listener and clicks Select, it delays for about 30 seconds, then tells him that there is no certificate installed on the server. If "I" go in and do the same thing, it brings up a box showing the installed certificate.
> > > >
> > > > How would you like to test this?
> > > >
> > > > -----Original Message-----
> > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > > Sent: Monday, July 11, 2005 9:52 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: SSL all the way. with OWA.
> > > >
> > > > Hi Dan,
> > > >
> > > > This location holds a reference to the certificate handed to the upstream server for client authentication of the ISA itself.
> > > > As stated in the UI selectbox in the "Bridging" tab:
> > > > "Use a certificate to authenticate to the SSL Web server"
> > > >
> > > > This is completely unrelated to the server certificate installed in the web listener.
> > > >
> > > > Basically:
> > > > Listener == server certificate
> > > > Rule == client certificate
> > > >
> > > > Also, if one admin can see it, but another can't, it's installed in the wrong store.
> > > > - Server certificates must be installed in the "local computer" personal store.
> > > > - Client certificates must be installed in the firewall service personal store.
> > > >
> > > > NeverEverEverEver install the certificate in a "user" personal store if you want ISA to "see" them.
> > > >
> > > > All this is covered in the ISA help, Tom's books, articles on www.microsoft.com/isaserver/guidance and www.isaserver.org.
> > > >
> > > > Jim
> > > >
> > > > -----Original Message-----
> > > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > > > Sent: Monday, July 11, 2005 4:33 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: SSL all the way. with OWA.
> > > >
> > > > Okay, I was testing it out this morning, to see if it was still doing it.
> > > >
> > > > I found that if I go into the current web listener, or create a new one, the certificate will show up. If I go into the "Bridging" menu of a publishing rule, it tells me there are no certificates installed on the server.
> > > >
> > > > I still have to test the multiple user aspect we experienced before, this is just with a single login.
> > > >
> > > > -----Original Message-----
> > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > > Sent: Thursday, July 07, 2005 9:02 PM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: SSL all the way. with OWA.
> > > >
> > > > It's possible - or even one in ISA.
> > > > Can you still repro the behavior?
> > > > If so, would you be willing to run a test script for me?
> > > >
> > > > -----Original Message-----
> > > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > > > Sent: Thursday, July 07, 2005 2:29 PM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: SSL all the way. with OWA.
> > > >
> > > > Yes, it does act like it is a situation where it is in the "user" personal store. Actually, that does explain a lot of the problems.
> > > >
> > > > I just know for a fact (I had others verify my steps) that it was installed in the "local computer" store. I've followed the instructions (both from isaserver.org and Microsoft's KB) step-by-step many times over, reading each and every step closely to make sure it was done "correctly".
> > > >
> > > > It is possible there is a bug in 2003 server?
> > > >
> > > > -----Original Message-----
> > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > > Sent: Thursday, July 07, 2005 9:51 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: SSL all the way. with OWA.
> > > >
> > > > What you describe is what happens when you install the certificate in the "user" personal store; not the "local computer" personal store.
> > > >
> > > > -----Original Message-----
> > > > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > > > Sent: Thursday, July 07, 2005 4:25 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: SSL all the way. with OWA.
> > > >
> > > > I ran into this on ISA2004 many times, it appeared (at the time) to be partly a permissions problem.
> > > >
> > > > We have discussed it before in this forum, I described it as this:
> > > >
> > > > If one person installs a certificate, any other administrators will get that message that there are no certificates installed (from the ISA console), even though it clearly shows up in the certificates MMC.
> > > >
> > > > If a second administrator installs the same certificate again, the first then gets that message (where he didn't before), and the second one can then see it from the ISA console.
> > > >
> > > > I don't think it was ever resolved because I could get the certificate installed with the work-around.

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: dball@xxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
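
A read-only check for the store-placement points made in the thread (server certificate with its private key in the "local computer" personal store, CA certificate in the machine Trusted Root store, nothing relied on from a "user" personal store). This is an added example, not something posted to the list; it assumes PowerShell 3.0 or later on the firewall, and `owa.example.test` is a placeholder subject.

```powershell
# Added diagnostic, not from the list thread. Read-only; run it on the firewall.
# Assumptions: PowerShell 3.0+; 'owa.example.test' is a placeholder subject.
param([string]$SubjectMatch = 'owa.example.test')

function Get-StoreCerts([string]$Location, [string]$Name) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($Name, $Location)
    $store.Open('ReadOnly')
    try { @($store.Certificates) } finally { $store.Close() }
}

# Subjects trusted machine-wide; used to check that the issuing CA was imported
# into the machine Trusted Root store (assumes the CA issued the cert directly).
$rootSubjects = @(Get-StoreCerts 'LocalMachine' 'Root' | ForEach-Object { $_.Subject })

$found = foreach ($loc in 'LocalMachine', 'CurrentUser') {
    Get-StoreCerts $loc 'My' |
        Where-Object { $_.Subject -like "*$SubjectMatch*" } |
        ForEach-Object {
            [pscustomobject]@{
                Store               = "$loc\My"
                Thumbprint          = $_.Thumbprint
                HasPrivateKey       = $_.HasPrivateKey
                IssuerInMachineRoot = $rootSubjects -contains $_.Issuer
                NotAfter            = $_.NotAfter
            }
        }
}
$found | Format-Table -AutoSize

$machine = @($found | Where-Object { $_.Store -eq 'LocalMachine\My' })
$user    = @($found | Where-Object { $_.Store -eq 'CurrentUser\My' })

if ($machine.Count -eq 0) {
    Write-Warning 'No match in LocalMachine\My: a service will not find this certificate.'
}
foreach ($c in $machine) {
    if (-not $c.HasPrivateKey) {
        Write-Warning "$($c.Thumbprint): no private key associated; re-import the file that includes the key."
    }
    if (-not $c.IssuerInMachineRoot) {
        Write-Warning "$($c.Thumbprint): issuer not found in LocalMachine\Root."
    }
}
if ($user.Count -gt 0) {
    Write-Warning "Copy found in CurrentUser\My for $($env:USERNAME): visible only to this logon."
}
```

`HasPrivateKey` only shows that a key is associated with the certificate; it does not prove that a service account can open that key, so an error like the one in the quoted event text can still occur when this check is clean.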