[isapros] Re: ISA Server Slow FBA Login Issue and Solution Impact on SCCM Agent

  • From: "Jerry Young" <jerrygyoungii@xxxxxxxxx>
  • To: isapros@xxxxxxxxxxxxx
  • Date: Mon, 20 Oct 2008 14:20:02 -0400

So, even if you only have a cert with just server authentication on the FBA
listener but a cert on the computer (not tied to any ISA listener) that uses
both server and client authentication, you are seeing the slowdown?

On Mon, Oct 20, 2008 at 9:19 AM, Jason Jones
<Jason.Jones@xxxxxxxxxxxxxxxxx>wrote:

> Doesn't appear to :-(
> _______________________________________
> From: isapros-bounce@xxxxxxxxxxxxx [isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Greg Mulholland [greg@xxxxxxxxxxxxxx]
> Sent: 20 October 2008 11:26
>  To: ISAPros Mailing List
> Subject: [isapros] Re: ISA Server Slow FBA Login Issue and Solution Impact
> on SCCM Agent
>
> So does the separate cert thing work?
>
> I believe you that it happens, although I don't have time to test and I can't
> suggest a way around it other than separate certs, if that would even work.
>
> ________________________________________
> From: isapros-bounce@xxxxxxxxxxxxx [isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Jason Jones [Jason.Jones@xxxxxxxxxxxxxxxxx]
> Sent: Thursday, 16 October 2008 10:38 AM
> To: ISAPros Mailing List
> Subject: [isapros] Re: ISA Server Slow FBA Login Issue and Solution Impact
> on SCCM Agent
>
> Hi Jim,
>
> Let me elaborate...
>
> The article is a little vague and doesn't cover the exact issue as it talks
> about web publishing certificates, rather than "any" certificates. I think
> the issue is a little more varied even though the proposed solution works.
>
> To repro the issue:
>
> Publish something with FBA.
>
> Test to see if login is delayed (approx 20-30 secs) after clicking the "login"
> button - It shouldn't be.
>
> Enrol a certificate into the ISA local computer cert store with the client auth
> purpose.
>
> Test to see if login is delayed (approx 20-30 secs) after clicking the "login"
> button - It shouldn't be.
>
> Enable the change password feature on the web listener.
>
> Test to see if login is delayed (approx 20-30 secs) after clicking the "login"
> button - It *should* be - Problem created!
>
> Reconfigure the certificate to remove the client auth purpose (may also have to
> do the same on DC certs).
>
> Test to see if login is delayed (approx 20-30 secs) after clicking the "login"
> button - It *shouldn't* be - Problem fixed!
>
> I've had this happen with a few customers now and the client purpose fix
> always works, however this is the first occurrence of actually needing a
> client auth cert on an ISA server for mutual TLS.
>
> Cheers
>
> JJ
>
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: 16 October 2008 00:23
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA Server Slow FBA Login Issue and Solution Impact
> on SCCM Agent
>
> Actually, haven't had a chance to play with it; the multi-cert issue seems
> odd to me.
> I guess CAPI grabs the first cert it can find regardless of OID?!?
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jason Jones
> Sent: Wednesday, October 15, 2008 1:30 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA Server Slow FBA Login Issue and Solution Impact
> on SCCM Agent
>
> I assume from the silence that you guys don't believe me or have run out of
> ideas? :-P
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: 10 October 2008 21:02
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA Server Slow FBA Login Issue and Solution Impact
> on SCCM Agent
>
> I'm cornfussed; if the ISA is not allowed to possess the private key for
> the multi-purpose certificate, how is it able to use that cert for server
> authentication?
> Yes; you could use separate certificates, since CAPI will choose the
> certificate best suited to the conversation.
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jason Jones
> Sent: Friday, October 10, 2008 5:25 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] ISA Server Slow FBA Login Issue and Solution Impact on
> SCCM Agent
>
> Hi All,
>
>
>
> An issue exists with ISA2k6 FBA as follows:
>
>
>
> "Client logon is slow and server certificates used for Web publishing are
> configured with the default purpose settings "Server Authentication" and
> "Client Authentication"
>
> Issue: When Windows Server 2003 detects the default purpose setting of
> "Client Authentication", the operating system attempts to perform TLS with
> mutual authentication to the domain controller. The mutual authentication
> process requires ISA Server to have access to the private key of the server
> certificate with the "Client Authentication" setting enabled, and ISA Server
> does not (and should not) have this access.
>
> Solution: Ensure that all server certificates do not have the default
> "Client Authentication" purpose enabled. You can disable this setting on the
> property pages of the relevant server certificate as follows..."
>
> http://technet.microsoft.com/en-us/library/cc514301.aspx
>
>
>
> Based upon this solution (which works very well!) I have come up against a
> scenario where we have a customer that needs to "manage" ISA using System
> Center Configuration Manager (SCCM), but this requires a certificate to be
> installed that supports the Client Authentication purpose in order to meet
> the SCCM mutual TLS design.
>
>
>
> So, if the client auth purpose is enabled, FBA login is painfully slow; if
> the client auth purpose is disabled, the SCCM agent cannot provide mutual
> TLS and subsequently cannot communicate with the SCCM server.
>
>
>
> Can anyone think of a way around this?
>
>
>
> Cheers
>
>
>
> JJ
>
>
> ________________________________
>
> This email and any files transmitted with it are confidential and intended
> solely for the use of the individual to whom it is addressed. If you have
> received this email in error, or if you believe this email is unsolicited
> and wish to be removed from any future mailings, please contact our Support
> Desk immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx
>
> If this email contains a quotation then unless otherwise stated it is valid
> for 7 days and offered subject to Silversands Professional Services Terms
> and Conditions, a copy of which is available on request. Any pricing
> information, design information or information concerning specific
> Silversands' staff contained in this email is considered confidential or of
> commercial interest and exempt from the Freedom of Information Act 2000.
>
> Any view or opinions presented are solely those of the author and do not
> necessarily represent those of Silversands
>
> Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
> Company Registration Number : 2141393.
>


-- 
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
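As an added example, not code from the thread or from the TechNet article it quotes: a PowerShell inventory of the ISA server's Local Machine Personal store that flags every certificate whose EKU extension carries the Client Authentication purpose, the condition Jason's repro steps and the TechNet excerpt tie to the 20-30 second FBA logon delay. It assumes only Windows PowerShell with the Cert: provider; the store path, function name and output columns are my own choices.

```powershell
# Added example, not code from the thread or from the TechNet article.
# Lists the Local Machine\Personal certificates on an ISA server and flags the
# ones whose EKU extension includes Client Authentication (1.3.6.1.5.5.7.3.2).
# Assumes Windows PowerShell with the Cert: provider; the store path, function
# name and output columns are my own choices.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Get-CertPurposeReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    foreach ($cert in (Get-ChildItem -Path $StorePath)) {
        # The EKU extension (OID 2.5.29.37) is surfaced by .NET as an
        # X509EnhancedKeyUsageExtension; a certificate has at most one.
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            Select-Object -First 1
        $oids = @()
        if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        # A certificate with no EKU extension at all is valid for every purpose,
        # client authentication included, so it is flagged as client-capable too.
        $clientCapable = (-not $eku) -or ($oids -contains $ClientAuthOid)

        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            HasEku        = [bool]$eku
            ServerAuth    = ($oids -contains $ServerAuthOid)
            ClientAuth    = ($oids -contains $ClientAuthOid)
            ClientCapable = $clientCapable
            NotAfter      = $cert.NotAfter
        } | Select-Object Subject, Thumbprint, HasPrivateKey, HasEku, ServerAuth, ClientAuth, ClientCapable, NotAfter
    }
}

# Full inventory first, then only the certificates that could be offered for
# client authentication (the ones worth looking at when FBA logon is slow).
Get-CertPurposeReport | Format-Table -AutoSize
Get-CertPurposeReport | Where-Object { $_.ClientCapable } | Format-List
```

Two caveats when reading the output. The TechNet fix ("Enable only the following purposes" on the certificate's property page) is stored as a property on the certificate in the store, not as a change to the EKU extension, so this report still shows ClientAuth as True after the fix has been applied; confirm the override on the property page itself. And, as Jason notes, the same check may need to be run on the domain controllers' certificate stores, not just on the ISA server.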
