[isapros] Re: ISA 2006 SP1 - Support for client certificate authentication in a workgroup deployment

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Tue, 30 Sep 2008 09:38:02 -0500

Will it work for ICBM connections? :)

 

Thomas W Shinder, M.D.

Sr. Consultant/Technical Writer

Prowess Consulting www.prowessconsulting.com
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/2gpoo8
MVP -- Microsoft Forefront Edge Security

 

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Tuesday, September 30, 2008 9:03 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA 2006 SP1 - Support for client certificate
authentication in a workgroup deployment

 

Nope; it was a change request from a big customer that wanted non-AD
cert auth for FBA listeners.

Essentially, the functionality allows ISA to perform "cert auth" without
actually authenticating the user account specified in the certificate.

Instead, it treats the cert as IPSec does; "if I trust the issuer, it's
ok".  Of course, you can still apply the more granular cert validation
factors that you could before.  The key to this is that this
functionality is only available when ISA uses FBA as the primary auth
mechanism.

 

So no; you can't use this for IBCM connections, since they can't satisfy
FBA.

 

Jim

 

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Tuesday, September 30, 2008 6:12 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA 2006 SP1 - Support for client certificate
authentication in a workgroup deployment

 

My guess is that they added this to give an additional level of security
to the FBA scenario. Maybe a customer wanted User Certificate
authentication support, but also wanted to use FBA. ?

 

Thomas W. Shinder, M.D., MCSE  ||  Sr. Consultant / Technical Writer

shinder@xxxxxxxxxxxxxxxxxxxxx  ||  www.prowessconsulting.com

Phone: (206) 443.1117 || Fax (206) 443.1119

Blog: http://blogs.isaserver.org/shinder  ||  Books:
http://tinyurl.com/2gpoo8 

PROWESS CONSULTING  ||  documentation  ||  integration  ||
virtualization

 

 

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jason Jones
Sent: Tuesday, September 30, 2008 7:57 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA 2006 SP1 - Support for client certificate
authentication in a workgroup deployment

 

Thanks Tom.

 

I assume this was changed to meet a particular common Microsoft scenario
- any idea what?

 

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: 30 September 2008 13:33
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA 2006 SP1 - Support for client certificate
authentication in a workgroup deployment

 

Hi Jason,

 

From the ISA Team Blog:

 

Secondary client certificate validation without mapping to Active
Directory 

Client certificates used as the secondary authentication method to
Forms-Based authentication in ISA Server do not need to be validated
against an Active Directory(r) user account. Previously in this
scenario, ISA was required to be a domain member. The administrator
would have to ensure that each client certificate mapped to a user
account in Active Directory. Such authentication was available only for
ISA Server in the domain and when FBA with Active Directory was
configured as the primary authentication method. With the new option,
ISA Server in the workgroup can accept client certificates issued from
any CA for which a certificate is included in the local machine Trusted
Root store. If you limit the trusted roots only to your enterprise CA,
then ISA Server will accept only users who were granted a client
certification by your organization.

Note Client certificate mapping to Active Directory user account is
still possible and functions as it did prior to SP1. With SP1, you also
have the option to authenticate client certificates without mapping. 

Note This new feature is limited to scenarios where client certificate
authentication is used as a secondary authentication method with
Forms-Based authentication (FBA).  If client certificates are used as
the primary authentication method, ISA must still be a domain member to
satisfy this authentication method.

 

I thought it was a miracle drug when I first read about User Certificate
auth support. While it's a nice add-on feature, it's not the magic
bullet many are looking for.

 

 

Thomas W Shinder, M.D.

Sr. Consultant/Technical Writer

Prowess Consulting www.prowessconsulting.com
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/2gpoo8
MVP -- Microsoft Forefront Edge Security
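
A check that follows from the blog text above (an added example, not code from the thread, the ISA Team Blog or the product): with the SP1 workgroup option, every root in the ISA server's Local Machine Trusted Root store becomes an acceptable issuer for client certificates used as the FBA secondary factor, so this script lists each root that is not on an enterprise-CA allow-list. The thumbprint value and the function name are placeholders and assumptions, not values from the page.

```powershell
# Added example (not from the thread or the ISA product): audit the Local Machine
# Trusted Root store of an ISA 2006 SP1 server. Any root present here is an
# acceptable issuer for the FBA secondary client-certificate factor, so roots
# beyond your enterprise CA widen who can satisfy that factor.
#
# $EnterpriseRootThumbprints is an assumption: replace the placeholder with the
# SHA-1 thumbprint(s) of your own enterprise root CA certificate(s).
$EnterpriseRootThumbprints = @(
    'PLACEHOLDER_ENTERPRISE_ROOT_CA_THUMBPRINT'
)

function Get-UnexpectedTrustedRoots {
    # Hypothetical helper name; returns every root cert whose thumbprint is
    # not in the allow-list, with the fields needed to decide what to do.
    param(
        [string[]] $AllowedThumbprints,
        [string]   $StorePath = 'Cert:\LocalMachine\Root'
    )
    Get-ChildItem -Path $StorePath |
        Where-Object { $AllowedThumbprints -notcontains $_.Thumbprint } |
        Select-Object Subject, Issuer, Thumbprint, NotAfter
}

$unexpected = Get-UnexpectedTrustedRoots -AllowedThumbprints $EnterpriseRootThumbprints

if ($unexpected) {
    Write-Host ("{0} trusted root(s) found beyond the enterprise CA allow-list:" -f @($unexpected).Count)
    $unexpected | Format-Table -AutoSize
} else {
    Write-Host 'Trusted Root store contains only the enterprise CA root(s).'
}
```

Removing a root from this store affects every chain validation on the host, not only the FBA listener, so review each flagged entry before trimming the store.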

 

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jason Jones
Sent: Tuesday, September 30, 2008 4:03 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] ISA 2006 SP1 - Support for client certificate
authentication in a workgroup deployment

 

Hi,

 

I noticed this element of ISA 2006 SP1:

 

"Support for client certificate authentication in a workgroup
deployment. This removes the requirement to map each client certificate
to an Active Directory(r) directory user account when forms-based
authentication is used as the primary authentication method and client
certificates are used as the secondary method."

 

Sorry if I am being a dumbass, but can someone explain this feature a
little and ideally provide a scenario or example where it is valid?

 

Would this change have an impact on publishing non-domain joined SCCM
IBCM clients for example?

 

Thanks

 

JJ

 

 

________________________________

This email and any files transmitted with it are confidential and
intended solely for the use of the individual to whom it is addressed.
If you have received this email in error, or if you believe this email
is unsolicited and wish to be removed from any future mailings, please
contact our Support Desk immediately on 01202 360360 or email
helpdesk@xxxxxxxxxxxxxxxxx

If this email contains a quotation then unless otherwise stated it is
valid for 7 days and offered subject to Silversands Professional
Services Terms and Conditions, a copy of which is available on request.
Any pricing information, design information or information concerning
specific Silversands' staff contained in this email is considered
confidential or of commercial interest and exempt from the Freedom of
Information Act 2000.

Any view or opinions presented are solely those of the author and do not
necessarily represent those of Silversands

Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
Company Registration Number : 2141393.
