[isapros] Re: ISA Server Slow FBA Login Issue and Solution Impact on SCCM Agent

  • From: "Jerry Young" <jerrygyoungii@xxxxxxxxx>
  • To: isapros@xxxxxxxxxxxxx
  • Date: Fri, 10 Oct 2008 13:23:15 -0400

Would using separate certificates work?  One for the FBA, and another for
the Mutual TLS?

Is there an internal Enterprise CA?  I put one in place at my current client
(they were having issues with IAS) and computer/user automatic enrollment is
enabled.  All servers receive a cert for client/server authentication with a
common name of <computername>.<domain>.  Would that allow you to publish a
separate certificate (with a different common name) on the FBA listener that
only had server authentication?

On Fri, Oct 10, 2008 at 8:24 AM, Jason Jones <Jason.Jones@xxxxxxxxxxxxxxxxx> wrote:

> Hi All,
>
> An issue exists with ISA2k6 FBA as follows:
>
> *"Client logon is slow and server certificates used for Web publishing are
> configured with the default purpose settings "Server Authentication" and
> "Client Authentication"*
>
> Issue: When Windows Server 2003 detects the default purpose setting of
> "Client Authentication", the operating system attempts to perform TLS with
> mutual authentication to the domain controller. The mutual authentication
> process requires ISA Server to have access to the private key of the server
> certificate with the "Client Authentication" setting enabled, and ISA Server
> does not (and should not) have this access.
>
> Solution: Ensure that all server certificates do not have the default
> "Client Authentication" purpose enabled. You can disable this setting on the
> property pages of the relevant server certificate as follows…"
>
> http://technet.microsoft.com/en-us/library/cc514301.aspx
>
> Based upon this solution (which works very well!) I have come up against a
> scenario where we have a customer that needs to "manage" ISA using System
> Centre Configuration Manager (SCCM) but this requires a certificate to be
> installed that supports the Client Authentication purpose in order to meet
> the SCCM mutual TLS design.
>
> So, if the client auth purpose is enabled, FBA login is painfully slow; if
> the client auth purpose is disabled, the SCCM agent cannot provide mutual
> TLS and subsequently cannot communicate with the SCCM server.
>
> Can anyone think of a way around this?
>
> Cheers
>
> JJ
>
> ------------------------------
> This email and any files transmitted with it are confidential and intended
> solely for the use of the individual to whom it is addressed. If you have
> received this email in error, or if you believe this email is unsolicited
> and wish to be removed from any future mailings, please contact our Support
> Desk immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx
>
> If this email contains a quotation then unless otherwise stated it is valid
> for 7 days and offered subject to Silversands Professional Services Terms
> and Conditions, a copy of which is available on request. Any pricing
> information, design information or information concerning specific
> Silversands' staff contained in this email is considered confidential or of
> commercial interest and exempt from the Freedom of Information Act 2000.
>
> Any view or opinions presented are solely those of the author and do not
> necessarily represent those of Silversands
>
> Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
> Company Registration Number : 2141393.
>



-- 
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer

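Both the TechNet workaround quoted above (strip "Client Authentication" from the listener certificate) and the separate-certificate idea in this reply come down to one question: which certificates in the machine store carry which Enhanced Key Usage purposes? The following PowerShell script is an added example, not code from either poster or from Microsoft. It reads the EKU extension of each certificate and flags any that carry both Server Authentication (OID 1.3.6.1.5.5.7.3.1) and Client Authentication (OID 1.3.6.1.5.5.7.3.2), the combination the article ties to slow FBA logons. The two self-signed certificates, their DNS names, and the use of the CurrentUser\My store are constructed sample input so the script runs without an enterprise CA or admin rights; point Find-DualPurposeCertificates at Cert:\LocalMachine\My on a real ISA server.

```powershell
# Added example (not from the thread): audit which certificates in a store carry the
# Client Authentication EKU alongside Server Authentication. A web-publishing
# listener certificate should carry only Server Authentication; a machine certificate
# used for mutual TLS (e.g. by the SCCM agent) needs Client Authentication as well.
# Two self-signed certificates are created in CurrentUser\My as constructed sample
# input and removed again at the end. Requires Windows PowerShell 5.1 or later.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-CertificatePurposes {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # Locate the Enhanced Key Usage extension (OID 2.5.29.37). A certificate with no
    # EKU extension at all is valid for any purpose, so it is reported as both.
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) {
        return [pscustomobject]@{
            Subject    = $Certificate.Subject
            Thumbprint = $Certificate.Thumbprint
            Purposes   = @('<no EKU extension: any purpose>')
            ServerAuth = $true
            ClientAuth = $true
        }
    }
    $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        Purposes   = $oids
        ServerAuth = ($oids -contains $ServerAuthOid)
        ClientAuth = ($oids -contains $ClientAuthOid)
    }
}

function Find-DualPurposeCertificates {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    # Every certificate that has both purposes: on an ISA web listener this is the
    # combination the TechNet article associates with slow FBA logons.
    Get-ChildItem -Path $StorePath |
        ForEach-Object { Get-CertificatePurposes -Certificate $_ } |
        Where-Object { $_.ServerAuth -and $_.ClientAuth }
}

# --- Constructed sample input (hypothetical names, not from the thread) -------------
# Listener certificate: Server Authentication only.
$listenerCert = New-SelfSignedCertificate -DnsName 'owa.example.test' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -TextExtension @("2.5.29.37={text}$ServerAuthOid")
# Machine certificate for mutual TLS: Server and Client Authentication.
$machineCert = New-SelfSignedCertificate -DnsName 'isa01.example.test' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -TextExtension @("2.5.29.37={text}$ServerAuthOid,$ClientAuthOid")

try {
    Get-CertificatePurposes -Certificate $listenerCert | Format-List
    Get-CertificatePurposes -Certificate $machineCert  | Format-List

    $flagged = @(Find-DualPurposeCertificates -StorePath 'Cert:\CurrentUser\My')
    "Certificates carrying both Server and Client Authentication: $($flagged.Count)"
    $flagged | ForEach-Object { "  $($_.Subject)  $($_.Thumbprint)" }
}
finally {
    # Remove the constructed sample certificates again.
    Remove-Item -Path "Cert:\CurrentUser\My\$($listenerCert.Thumbprint)"
    Remove-Item -Path "Cert:\CurrentUser\My\$($machineCert.Thumbprint)"
}
```

One caveat for anyone applying the TechNet fix: the "Enable only the following purposes" setting on a certificate's property page is a per-store property override, not a change to the certificate itself, so this script (which reads the embedded EKU extension) will still report Client Authentication on a certificate that has been restricted that way. The clean arrangement, as suggested in this reply, is to issue the listener its own certificate whose EKU extension contains only Server Authentication and leave the auto-enrolled machine certificate, with both purposes, for the SCCM agent.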