[isapros] Re: RDP v6.0 Client Certificate configuration

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Sun, 26 Aug 2007 12:54:28 -0700

I know that NOW ;)

t

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Sunday, August 26, 2007 12:45 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

You *do* know that the RPC filter isn't involved in processing RPC/HTTP?

Also, in order for the ISA RPC filter to process the RPC within the HTTP
stream, the call would have to start at the EPM, and RPC/HTTP doesn't do
that.

Likewise, there's no method for one application or web filter to call
another "sibling" filter; much less making a "parent's sibling" call as
would be required for the HTTP Filter to reach the RPC filter.

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Sunday, August 26, 2007 12:22 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

Totally... but that does two things:  one, it allows full stack access
via the IPSec channel which I don't like.  Secondly, it obviates the use
of the HTTP and RPC filters, which I also don't like.

What I think I'll do, in the absence of an RDP client hack for the ISA
listener or a smartcard solution for TSGateway, is to use my "source
port" trickery to limit the connection based on a small range of source
ports and use fpipe to bounce my RDP client off a secondary connection
where I can dictate the source port...

t

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Sunday, August 26, 2007 12:17 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

You got me on that one, I completely forgot about how KCD works and
takes the drudgery of certificate mapping away.

We don't even need a "client" certificate in the scenario I painted for
L2TP/IPSec. You just need both machines to have computer certificates
installed in their machine certificate store (sometimes called machine
certificates) and both sides just need to trust the other guy's CA. That
should be easy as cake.

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Sunday, August 26, 2007 1:57 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

There's no "mapping" requirement as there is in IIS-- it's just that for
ISA to accept the user's "client authentication" certificate, ISA must
be a member of the domain the CA issued it in...  Other than that, it's
a piece of cake.  Well, for HTTP anyway.  If there is a way to tell the
RDP client what user "client authentication" certificate to use, we'll
be golden.

t

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Sunday, August 26, 2007 11:48 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

That's a better idea -- instead of using a User Certificate and dealing
with all the painful mappings in AD, why not implement it in a way like
the L2TP/IPSec mutual machine authentication using machine certificates.
That would be very easy and domain membership isn't an issue, as long as
both sides trust the issuing CA of the other guy's cert, that should be
enough.

Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Sunday, August 26, 2007 1:40 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

Wasn't blaming ISA for the RDP client issue at all... I totally
agree.  However, I *was* blaming ISA for its implementation of "SSL
Client Certificate Authentication" in regard to it having to actively be
a member of the domain where the Enterprise Root CA issued the cert one
chooses to use for SCCA...

So yeah, I was just hoping you (will prob be Jim) can find some
registry hack where the RDP client can "present" not the "User
Certificate" but a "Client Authentication Certificate", be it a user,
service, or system cert :-p

The RDP client actually goes as far as saying that the TSGateway
certificate is revoked- so I think there's hope for securing TSGateway
via ISA configured to use a SCCA enabled listener.

t

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Sunday, August 26, 2007 11:31 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration


I occasionally enjoy a fine whine :)

I've been in and out of this discussion because of Exchange
horkage, but Jim probably said that the problem is with the client side
software, right? There's no way to tell the client to present its User
Certificate for authentication, sort of like the problem with Outlook
2003+ RPC/HTTP -- the Outlook client doesn't know how to present the
User Certificate for authentication, so it just chokes on it.

So, I don't really see it as ISA's fault, but the RDP client's
fault, if we need to assign blame, and I think we do because the RDP and
Outlook guyz really need to think about security in a bit more depth and
enable User Certificate assignment and presentation to the destination
machine.

There is a solution, but it means using additional software. The
IAG 2007 supports User Certificate authentication to access the SSL VPN
portal. Once you're authenticated and authorized by the IAG 2007 to use
RDP, you can then use Integrated authentication to authenticate with the
terminal server. It's not the best solution, because the best solution
would be to build User Certificate support into the RDP and Outlook
clients.

Tom

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Sunday, August 26, 2007 1:18 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

You mean a "Client Authentication Certificate" in the
user's account's certificate store?  Done that ;)  You just can't tell
the RDP client to use it.  And ISA's "SSL Client Authentication
Certificate" authentication mechanism is flawed-- it only allows the use
of a cert generated by a CA that ISA is not only a domain member of, but
also one where it can connect to AD and validate it.  It completely
horks "standard" certificate and trust usage in that regard.  You can't
even use something like a Verisign "Client Authentication" certificate
(I bought one and tried it- no workie).  So even if you have a full
private key certificate you load and trust on the ISA box, if the ISA
server can't confirm via AD, it won't work.  Really poor implementation
if you asked me.

So, you gonna answer the question now?  I mean, since
you're the one who came up with the idea of publishing TSGateway via an
SSL Listener configured to use SCCA, I figga'd you'd have some better
answers than nomenclature whining. :-p

t

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Sunday, August 26, 2007 11:04 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

Try using a User Certificate and see if that helps ;)

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Sunday, August 26, 2007 12:56 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] RDP v6.0 Client Certificate configuration

Jim, et al. -- any word on how to get the v6.0
RDP client to present a Client Authentication certificate to an ISA
server listener using SSL Client Certificate Authentication?  It no
workie, and I can't find any data on a hack to specify a cert for the
RDP client...

t

-----------------------------

vinni, viddi, vinni denuo
