Would using separate certificates work? One for the FBA, and another for the Mutual TLS?

Is there an internal Enterprise CA? I put one in place at my current client (they were having issues with IAS) and computer/user automatic enrollment is enabled. All servers receive a cert for client/server authentication with a common name of <computername>.<domain>. Would that allow you to publish a separate certificate (with a different common name) on the FBA listener that only had server authentication?

On Fri, Oct 10, 2008 at 8:24 AM, Jason Jones <Jason.Jones@xxxxxxxxxxxxxxxxx> wrote:

> Hi All,
>
> An issue exists with ISA2k6 FBA as follows:
>
> *"Client logon is slow and server certificates used for Web publishing are configured with the default purpose settings "Server Authentication" and "Client Authentication"*
>
> Issue: When Windows Server 2003 detects the default purpose setting of "Client Authentication", the operating system attempts to perform TLS with mutual authentication to the domain controller. The mutual authentication process requires ISA Server to have access to the private key of the server certificate with the "Client Authentication" setting enabled, and ISA Server does not (and should not) have this access.
>
> Solution: Ensure that all server certificates do not have the default "Client Authentication" purpose enabled. You can disable this setting on the property pages of the relevant server certificate as follows…"
>
> http://technet.microsoft.com/en-us/library/cc514301.aspx
>
> Based upon this solution (which works very well!) I have come up against a scenario where we have a customer that needs to "manage" ISA using System Centre Configuration Manager (SCCM) but this requires a certificate to be installed that supports the Client Authentication purpose in order to meet the SCCM mutual TLS design.
>
> So, if the client auth purpose is enabled, FBA login is painfully slow; if the client auth purpose is disabled, the SCCM agent cannot provide mutual TLS and subsequently cannot communicate with the SCCM server.
>
> Can anyone think of a way around this?
>
> Cheers
>
> JJ
>
> ------------------------------
> This email and any files transmitted with it are confidential and intended solely for the use of the individual to whom it is addressed. If you have received this email in error, or if you believe this email is unsolicited and wish to be removed from any future mailings, please contact our Support Desk immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx
>
> If this email contains a quotation then unless otherwise stated it is valid for 7 days and offered subject to Silversands Professional Services Terms and Conditions, a copy of which is available on request. Any pricing information, design information or information concerning specific Silversands' staff contained in this email is considered confidential or of commercial interest and exempt from the Freedom of Information Act 2000.
>
> Any view or opinions presented are solely those of the author and do not necessarily represent those of Silversands
>
> Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
> Company Registration Number : 2141393.

--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
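As an added example (not code from this thread or from Microsoft), the following Python decodes the DER value of a certificate's Extended Key Usage extension and flags the "Server Authentication" plus "Client Authentication" combination the quoted TechNet article ties to slow FBA logon. It assumes the caller has already pulled the EKU extension value (OID 2.5.29.37) out of the certificate; the byte strings below are hand-constructed samples.

```python
# Added example: decode an X.509 Extended Key Usage (EKU) value and report
# whether a web-publishing certificate was issued with both Server and
# Client Authentication purposes, the template default the thread discusses.
# Assumption: `eku_der` is the raw DER value of extension OID 2.5.29.37.

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"          # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"          # id-kp-clientAuth
EKU_NAMES = {SERVER_AUTH: "Server Authentication", CLIENT_AUTH: "Client Authentication"}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos); short-form DER lengths only (EKU values are small)."""
    tag, length = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length


def decode_oid(raw):
    """Decode DER OID contents (base-128 arcs) into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]      # first byte packs the first two arcs
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_eku(der):
    """ExtKeyUsageSyntax ::= SEQUENCE OF OBJECT IDENTIFIER -> list of dotted OIDs."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU SEQUENCE may only contain OIDs")
        oids.append(decode_oid(value))
    return oids


def audit_web_publishing_cert(eku_der):
    """List the purposes and flag the slow-FBA combination (both purposes present)."""
    oids = parse_eku(eku_der)
    return {
        "purposes": [EKU_NAMES.get(o, o) for o in oids],
        "slow_fba_risk": SERVER_AUTH in oids and CLIENT_AUTH in oids,
    }


# Constructed samples: template default (both purposes) vs. server-auth only.
EKU_BOTH = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")
EKU_SERVER_ONLY = bytes.fromhex("300a" "06082b06010505070301")
```

Note that this inspects the purposes as issued in the certificate; the TechNet workaround of unticking "Client Authentication" on the certificate's property page sets a store-level property on the Windows machine and does not change the signed extension, so a certificate that passes this check was fixed at the template, not in the store.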