[isapros] Re: ISA Server Slow FBA Login Issue and Solution Impact on SCCM Agent

  • From: Jason Jones <Jason.Jones@xxxxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 22 Oct 2008 15:35:57 +0100

Ok, so ISA FBA is an example symptom of the problem then?

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: 21 October 2008 00:18
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA Server Slow FBA Login Issue and Solution Impact on 
SCCM Agent

Not ISA; Windows.
When configured for Windows auth, ISA defers all authentication to Windows API.



-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jason Jones
Sent: Monday, October 20, 2008 2:21 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA Server Slow FBA Login Issue and Solution Impact on 
SCCM Agent

Bingo! ;-)



As discussed in the article, this slowdown is caused by ISA trying to do mutual 
TLS with the DC...



From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jerry Young
Sent: 20 October 2008 19:20
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA Server Slow FBA Login Issue and Solution Impact on 
SCCM Agent



So, even if you only have a cert with just server authentication on the FBA 
listener but a cert on the computer (not tied to any ISA listener) that uses 
both server and client authentication, you are seeing the slowdown?

On Mon, Oct 20, 2008 at 9:19 AM, Jason Jones <Jason.Jones@xxxxxxxxxxxxxxxxx> 
wrote:

Doesn't appear to :-(
_______________________________________
From: isapros-bounce@xxxxxxxxxxxxx [isapros-bounce@xxxxxxxxxxxxx] On Behalf Of 
Greg Mulholland [greg@xxxxxxxxxxxxxx]
Sent: 20 October 2008 11:26

To: ISAPros Mailing List
Subject: [isapros] Re: ISA Server Slow FBA Login Issue and Solution Impact on 
SCCM Agent

So does the separate cert thing work?

I believe you that it happens, although I don't have time to test and I can't 
suggest a way around it other than separate certs, if that would even work.

________________________________________
From: isapros-bounce@xxxxxxxxxxxxx [isapros-bounce@xxxxxxxxxxxxx] On Behalf Of 
Jason Jones [Jason.Jones@xxxxxxxxxxxxxxxxx]
Sent: Thursday, 16 October 2008 10:38 AM
To: ISAPros Mailing List
Subject: [isapros] Re: ISA Server Slow FBA Login Issue and Solution Impact on 
SCCM Agent

Hi Jim,

Let me elaborate...

The article is a little vague and doesn't cover the exact issue as it talks 
about web publishing certificates, rather than "any" certificates. I think the 
issue is a little more varied even though the proposed solution works.

To repro the issue:

Publish something with FBA.

Test to see if login delayed (approx 20-30 secs) after clicking "login" button 
- It shouldn't be

Enrol a certificate into ISA local computer cert store with client auth purpose.

Test to see if login delayed (approx 20-30 secs) after clicking "login" button 
- It shouldn't be

Enable change password feature on web listener.

Test to see if login delayed (approx 20-30 secs) after clicking "login" button 
- It *should* be - Problem created!

Reconfigure certificate to remove the client auth purpose (may also have to do 
the same on DC certs)

Test to see if login delayed (approx 20-30 secs) after clicking "login" button 
- It *shouldn't* be - Problem fixed!

I've had this happen with a few customers now and the client purpose fix always 
works, however this is the first occurrence of actually needing a client auth 
cert on an ISA server for mutual TLS.

Cheers

JJ


-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: 16 October 2008 00:23
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA Server Slow FBA Login Issue and Solution Impact on 
SCCM Agent

Actually, haven't had a chance to play with it; the multi-cert issue seems odd 
to me.
I guess CAPI grabs the first cert it can find regardless of OID?!?

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jason Jones
Sent: Wednesday, October 15, 2008 1:30 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA Server Slow FBA Login Issue and Solution Impact on 
SCCM Agent

I assume from the silence that you guys don't believe me or have run out of 
ideas? :-P

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: 10 October 2008 21:02
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA Server Slow FBA Login Issue and Solution Impact on 
SCCM Agent

I'm cornfussed; if the ISA is not allowed to possess the private key for the 
multi-purpose certificate, how is it able to use that cert for server 
authentication?
Yes; you could use separate certificates, since CAPI will choose the 
certificate best suited to the conversation.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jason Jones
Sent: Friday, October 10, 2008 5:25 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] ISA Server Slow FBA Login Issue and Solution Impact on SCCM 
Agent

Hi All,



An issue exists with ISA2k6 FBA as follows:



"Client logon is slow and server certificates used for Web publishing are 
configured with the default purpose settings "Server Authentication" and 
"Client Authentication"

Issue: When Windows Server 2003 detects the default purpose setting of "Client 
Authentication", the operating system attempts to perform TLS with mutual 
authentication to the domain controller. The mutual authentication process 
requires ISA Server to have access to the private key of the server certificate 
with the "Client Authentication" setting enabled, and ISA Server does not (and 
should not) have this access.

Solution: Ensure that all server certificates do not have the default "Client 
Authentication" purpose enabled. You can disable this setting on the property 
pages of the relevant server certificate as follows..."

http://technet.microsoft.com/en-us/library/cc514301.aspx



Based upon this solution (which works very well!) I have come up against a 
scenario where we have a customer that needs to "manage" ISA using System 
Center Configuration Manager (SCCM), but this requires a certificate to be 
installed that supports the Client Authentication purpose in order to meet the 
SCCM mutual TLS design.



So, if the client auth purpose is enabled, FBA login is painfully slow; if the 
client auth purpose is disabled, the SCCM agent cannot provide mutual TLS and 
subsequently cannot communicate with the SCCM server.



Can anyone think of a way around this?



Cheers



JJ
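As an added diagnostic for the conflict described in this message and for the repro steps earlier in the thread (this is not code from the thread or from Microsoft), the script below inventories every certificate in the ISA server's LocalMachine\My store and flags the ones whose EKU includes Client Authentication (OID 1.3.6.1.5.5.7.3.2), whether or not they are bound to a listener. It assumes PowerShell 2.0 or later with the Cert: provider; it reads only the EKU extension encoded in the certificate, so a purpose that was disabled via the certificate's property pages (the TechNet fix) will still show here and must be re-checked in the MMC.

```powershell
# Added example, not from the thread: list LocalMachine\My certificates and flag
# those carrying the Client Authentication EKU, the purpose the TechNet article
# says makes Windows attempt mutual TLS to the DC during FBA logon.
# Assumes PowerShell 2.0+ and the Cert: provider. Inspects the EKU extension in
# the certificate only, not a purpose override set via the cert's property pages.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Returns the EKU OIDs of the certificate, or $null when it has no EKU
    # extension at all (Windows treats such a cert as valid for all purposes).
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($ext -eq $null) { return $null }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

$report = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $oids = Get-EkuOids -Cert $_
    $allPurposes = ($oids -eq $null)
    if ($allPurposes) { $purposes = '<all purposes>' } else { $purposes = $oids -join ', ' }
    New-Object PSObject -Property @{
        Subject       = $_.Subject
        Thumbprint    = $_.Thumbprint
        NotAfter      = $_.NotAfter
        HasPrivateKey = $_.HasPrivateKey
        ServerAuth    = $allPurposes -or ($oids -contains $ServerAuthOid)
        ClientAuth    = $allPurposes -or ($oids -contains $ClientAuthOid)
        Purposes      = $purposes
    }
}

# A ServerAuth-only listener cert next to a ClientAuth-only SCCM cert is the
# "separate certificates" layout the thread discusses; the thread also reports
# that a ClientAuth cert not bound to any listener still triggers the slowdown.
$report | Sort-Object ClientAuth -Descending |
    Format-Table Subject, ClientAuth, ServerAuth, HasPrivateKey, NotAfter, Purposes -AutoSize

$report | Where-Object { $_.ClientAuth } | ForEach-Object {
    Write-Warning "Client Authentication purpose present on: $($_.Subject) ($($_.Thumbprint))"
}
```

Run it on the ISA server, and on the domain controllers as well, since the repro steps note the DC certificates may need the same change.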


________________________________

This email and any files transmitted with it are confidential and intended 
solely for the use of the individual to whom it is addressed. If you have 
received this email in error, or if you believe this email is unsolicited and 
wish to be removed from any future mailings, please contact our Support Desk 
immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx 
<mailto:helpdesk@xxxxxxxxxxxxxxxxx>

If this email contains a quotation then unless otherwise stated it is valid for 
7 days and offered subject to Silversands Professional Services Terms and 
Conditions, a copy of which is available on request. Any pricing information, 
design information or information concerning specific Silversands' staff 
contained in this email is considered confidential or of commercial interest 
and exempt from the Freedom of Information Act 2000.

Any view or opinions presented are solely those of the author and do not 
necessarily represent those of Silversands

Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
Company Registration Number : 2141393.

--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
