So, even if you only have a cert with just server authentication on the FBA listener but a cert on the computer (not tied to any ISA listener) that uses both server and client authentication, you are seeing the slowdown?

On Mon, Oct 20, 2008 at 9:19 AM, Jason Jones <Jason.Jones@xxxxxxxxxxxxxxxxx> wrote:
> Doesn't appear to :-(
> _______________________________________
> From: isapros-bounce@xxxxxxxxxxxxx [isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland [greg@xxxxxxxxxxxxxx]
> Sent: 20 October 2008 11:26
> To: ISAPros Mailing List
> Subject: [isapros] Re: ISA Server Slow FBA Login Issue and Solution Impact on SCCM Agent
>
> So does the separate cert thing work?
>
> I believe you that it happens, although I don't have time to test and I can't suggest a way around it other than whether separate certs, if that would even work.
>
> ________________________________________
> From: isapros-bounce@xxxxxxxxxxxxx [isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones [Jason.Jones@xxxxxxxxxxxxxxxxx]
> Sent: Thursday, 16 October 2008 10:38 AM
> To: ISAPros Mailing List
> Subject: [isapros] Re: ISA Server Slow FBA Login Issue and Solution Impact on SCCM Agent
>
> Hi Jim,
>
> Let me elaborate...
>
> The article is a little vague and doesn't cover the exact issue as it talks about web publishing certificates, rather than "any" certificates. I think the issue is a little more varied even though the proposed solution works.
>
> To repro the issue:
>
> Publish something with FBA.
>
> Test to see if login delayed (approx 20-30 secs) after clicking "login" button - It shouldn't be
>
> Enrol a certificate into ISA local computer cert store with client auth purpose.
>
> Test to see if login delayed (approx 20-30 secs) after clicking "login" button - It shouldn't be
>
> Enable change password feature on web listener.
>
> Test to see if login delayed (approx 20-30 secs) after clicking "login" button - It *should* be - Problem created!
>
> Reconfigure certificate to remove the client auth purpose (may also have to do the same on DC certs)
>
> Test to see if login delayed (approx 20-30 secs) after clicking "login" button - It *shouldn't* be - Problem fixed!
>
> I've had this happen with a few customers now and the client purpose fix always works, however this is the first occurrence of actually needing a client auth cert on an ISA server for mutual TLS.
>
> Cheers
>
> JJ
>
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: 16 October 2008 00:23
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA Server Slow FBA Login Issue and Solution Impact on SCCM Agent
>
> Actually, haven't had a chance to play with it; the multi-cert issue seems odd to me.
> I guess CAPI grabs the first cert it can find regardless of OID?!?
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: Wednesday, October 15, 2008 1:30 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA Server Slow FBA Login Issue and Solution Impact on SCCM Agent
>
> I assume from the silence that you guys don't believe me or have run out of ideas? :-P
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: 10 October 2008 21:02
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA Server Slow FBA Login Issue and Solution Impact on SCCM Agent
>
> I'm cornfussed; if the ISA is not allowed to possess the private key for the multi-purpose certificate, how is it able to use that cert for server authentication?
> Yes; you could use separate certificates, since CAPI will choose the certificate best suited to the conversation.
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: Friday, October 10, 2008 5:25 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] ISA Server Slow FBA Login Issue and Solution Impact on SCCM Agent
>
> Hi All,
>
> An issue exists with ISA2k6 FBA as follows:
>
> "Client logon is slow and server certificates used for Web publishing are configured with the default purpose settings "Server Authentication" and "Client Authentication"
>
> Issue: When Windows Server 2003 detects the default purpose setting of "Client Authentication", the operating system attempts to perform TLS with mutual authentication to the domain controller. The mutual authentication process requires ISA Server to have access to the private key of the server certificate with the "Client Authentication" setting enabled, and ISA Server does not (and should not) have this access.
>
> Solution: Ensure that all server certificates do not have the default "Client Authentication" purpose enabled. You can disable this setting on the property pages of the relevant server certificate as follows..."
>
> http://technet.microsoft.com/en-us/library/cc514301.aspx
>
> Based upon this solution (which works very well!) I have come up against a scenario where we have a customer that needs to "manage" ISA using System Centre Configuration Manager (SCCM) but this requires a certificate to be installed that supports the Client Authentication purpose in order to meet the SCCM mutual TLS design.
>
> So, if the client auth purpose is enabled, FBA login is painfully slow; if the client auth purpose is disabled, the SCCM agent cannot provide mutual TLS and subsequently cannot communicate with the SCCM server.
>
> Can anyone think of a way around this?
>
> Cheers
>
> JJ
>
> ________________________________
>
> This email and any files transmitted with it are confidential and intended solely for the use of the individual to whom it is addressed. If you have received this email in error, or if you believe this email is unsolicited and wish to be removed from any future mailings, please contact our Support Desk immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx
>
> If this email contains a quotation then unless otherwise stated it is valid for 7 days and offered subject to Silversands Professional Services Terms and Conditions, a copy of which is available on request. Any pricing information, design information or information concerning specific Silversands' staff contained in this email is considered confidential or of commercial interest and exempt from the Freedom of Information Act 2000.
>
> Any view or opinions presented are solely those of the author and do not necessarily represent those of Silversands
>
> Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
> Company Registration Number : 2141393.

--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
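A defender-side check for the condition the thread describes (a certificate in the ISA host's Local Computer Personal store that asserts the Client Authentication purpose and has a private key), written as an added PowerShell example; it is not part of the thread, the TechNet article, or any Microsoft tooling. It assumes the store path `Cert:\LocalMachine\My` and reads the Enhanced Key Usage extension as issued by the CA. The purposes you untick on the certificate's property page (the article's fix) are a property on the stored certificate rather than a change to the extension, so a certificate already adjusted that way still shows Client Authentication here; the report tells you which certificates are candidates for the DC-side mutual TLS, not which one CAPI will pick.

```powershell
# Added example, not from the isapros thread. Lists certificates in the ISA host's
# Local Computer / Personal store and flags the ones whose EKU extension asserts the
# Client Authentication purpose, which the TechNet article ties to the slow FBA logon.
# Assumed store path; change it if the listener certificate lives elsewhere.
$StorePath     = 'Cert:\LocalMachine\My'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Get-CertPurposeReport {
    param([string]$Path = $StorePath)

    foreach ($cert in (Get-ChildItem -Path $Path)) {
        # The EKU extension as issued by the CA. A certificate with no EKU extension
        # is valid for every purpose, so it counts as client-auth capable as well.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            Select-Object -First 1
        if ($ekuExt) {
            $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        } else {
            $oids = @()
        }
        $anyPurpose = ($oids.Count -eq 0)

        # New-Object -Property keeps this usable on the PowerShell 2.0 builds found on
        # Windows Server 2003 era ISA hosts.
        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuth    = $anyPurpose -or ($oids -contains $ServerAuthOid)
            ClientAuth    = $anyPurpose -or ($oids -contains $ClientAuthOid)
            AnyPurpose    = $anyPurpose
        }
    }
}

# Certificates that carry Client Authentication together with a private key are the
# ones available for mutual TLS towards the DC; compare this list with what the web
# listener is bound to before deciding which certificate's purposes to trim.
Get-CertPurposeReport |
    Where-Object { $_.ClientAuth -and $_.HasPrivateKey } |
    Sort-Object NotAfter |
    Format-Table Subject, Thumbprint, ServerAuth, ClientAuth, AnyPurpose, HasPrivateKey, NotAfter -AutoSize
```

Run it in an elevated PowerShell session on the ISA host. Rows where `ServerAuth` and `ClientAuth` are both true (or `AnyPurpose` is true) are the dual-purpose certificates the article warns about; a row where only `ClientAuth` is true with a private key present matches the SCCM agent case from the thread, which is the certificate you cannot simply strip without breaking the agent's mutual TLS.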