[isapros] Re: RDP v6.0 Client Certificate configuration

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Mon, 27 Aug 2007 07:28:50 -0700

There were multiple "causes," but the primary one is that ISA must do an AD 
lookup to validate the "client authentication" certificate. In my environment, 
the ISA server is a domain member in a different forest with no cross-trust, so 
it couldn't validate the account. To me, this is a shortcoming of ISA's "SSL 
Client Certificate Authentication" mechanism. In other words, you can only 
issue and use "user certificates" for the purpose of "client authentication" 
from forest Enterprise Root CAs that ISA is a domain member of, and where ISA 
can query AD. Even though the docs pair up "SCCA + AD," it seems more like a 
'bug' to me. I mean, for SCCA to work, you must enable the system policy rule 
for "Allow all HTTP from ISA to all networks" for the purposes of CRL 
downloads. Why worry about CRL when you are forced to use AD? Worse yet, why 
force a horrible rule like "All HTTP from ISA to all networks" when it's really 
unnecessary? Further, the fact that one has an option to use "certs issued by 
all CAs ISA trusts" points to the implementation of SCCA to be a "work in 
progress" as there is no way it can use those other CAs given the AD 
requirement.

The way it *should* work is the way the docs allude that it will work -- that 
being the way all certs work -- where you say "if you get a cert for the 
purposes of client authentication that is signed by the following CAs, 
authenticate it" but it doesn't. My guess is that this is due to core ISA 
authentication operations where all authentication is tied to a user account 
somewhere and SCCA functionality, at the end of the day, requires some sort of 
account authentication.

All other "problems" stemmed from that, and have all been sorted out and 
documented in the previous emails...

t
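
The validation model the message above contrasts ISA against (trust the issuing 
CAs, require the client-authentication EKU, check the issuer's CRL, and take the 
identity from the certificate itself with no directory lookup), as an added 
example that is not part of this thread and is not ISA Server or Microsoft 
code. It builds a throwaway PKI in memory: the CA names, user names, serial 
numbers, dates and the one revoked serial are all constructed for the example. 
It goes a little beyond the single case in the thread by covering the four 
outcomes a listener has to tell apart: a good user certificate, a revoked one, 
one issued only for server authentication, and one from a CA outside the 
trusted set.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Fixed clock so the constructed validity windows below are deterministic.
var now = time.Date(2007, time.August, 27, 12, 0, 0, 0, time.UTC)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// template builds a CA or end-entity certificate template; names and serials are made up.
func template(cn string, serial int64, isCA bool, eku ...x509.ExtKeyUsage) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-24 * time.Hour), NotAfter: now.Add(30 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku,
	}
	if isCA { // crlSign is required for the CA to issue the CRL below
		t.IsCA, t.BasicConstraintsValid, t.SubjectKeyId = true, true, []byte{byte(serial)}
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// mkCert signs tmpl with signer (self-signed when parent == nil) and parses the result.
func mkCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// Authenticate is the "standard" model: chain to a trusted root, require the clientAuth
// EKU, honour a fresh issuer-signed CRL. No directory is consulted; identity is the CN.
func Authenticate(roots *x509.CertPool, crl *x509.RevocationList, leaf *x509.Certificate) (string, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // rejects serverAuth-only certs
	})
	if err != nil {
		return "", fmt.Errorf("chain/EKU validation failed: %w", err)
	}
	if len(chains[0]) < 2 { // a trust anchor itself was presented as the client cert
		return "", errors.New("certificate is a CA, not a user certificate")
	}
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil {
		return "", fmt.Errorf("CRL not signed by the leaf's issuer: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return "", errors.New("CRL is stale; failing closed")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return "", errors.New("certificate is revoked")
		}
	}
	return leaf.Subject.CommonName, nil
}

// BuildFixture constructs an in-memory PKI: a trusted CA, an untrusted CA, the trusted
// CA's CRL, and four made-up user certificates keyed by CN, one per outcome.
func BuildFixture() (*x509.CertPool, *x509.RevocationList, map[string]*x509.Certificate) {
	caKey, otherKey, userKey := newKey(), newKey(), newKey()
	ca := mkCert(template("Trusted Enterprise CA", 1, true), nil, &caKey.PublicKey, caKey)
	other := mkCert(template("Some Other CA", 2, true), nil, &otherKey.PublicKey, otherKey)
	certs := map[string]*x509.Certificate{
		"alice": mkCert(template("alice", 10, false, x509.ExtKeyUsageClientAuth), ca, &userKey.PublicKey, caKey),
		"bob":   mkCert(template("bob", 11, false, x509.ExtKeyUsageClientAuth), ca, &userKey.PublicKey, caKey),
		"web01": mkCert(template("web01", 12, false, x509.ExtKeyUsageServerAuth), ca, &userKey.PublicKey, caKey),
		"carol": mkCert(template("carol", 13, false, x509.ExtKeyUsageClientAuth), other, &userKey.PublicKey, otherKey),
	}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: certs["bob"].SerialNumber, RevocationTime: now.Add(-time.Hour)}},
	}, ca, caKey))))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return roots, crl, certs
}

func main() {
	roots, crl, certs := BuildFixture()
	for name, c := range certs {
		id, err := Authenticate(roots, crl, c)
		fmt.Printf("%-6s -> id=%q err=%v\n", name, id, err)
	}
}
```

Run it with `go run` (Go 1.19 or later, for x509.ParseRevocationList). Only 
"alice" authenticates; "bob" is on the CRL, "web01" only carries the serverAuth 
EKU, and "carol" chains to a CA that is not in the trusted set. Note the stale-CRL 
branch fails closed: in this model the listener does need to reach the issuing 
CA's CRL distribution points, but nothing wider than that.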

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
Sent: Sunday, August 26, 2007 4:45 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

Was that the cause of the problem you and Jim were working on the last day or 
so? Or is that and the "require authentication" issue different? I've lost 
track of them and hadn't ever seen a solution.

Jerry

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Sunday, August 26, 2007 2:41 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

P.S. To all those testing TSGateway, don't make the same mistake I did in 
temporarily redirecting to HTTP to test normal HTTPS-HTTP access for NetMon 
purposes, and then forgetting to set it back before testing RDP via TSGateway. 
TSGateway requires HTTPS of course, so redir to HTTP from the rule will give 
you odd "Logon Failed" errors. It took me a freaking day to figure that one 
out, but I'm a moron ;)

t

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Sunday, August 26, 2007 11:31 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

I occasionally enjoy a fine whine :)

I've been in and out of this discussion because of Exchange horkage, but Jim 
probably said that the problem is with the client side software, right? There's 
no way to tell the client to present its User Certificate for authentication, 
sort of like the problem with Outlook 2003+ RPC/HTTP -- the Outlook client 
doesn't know how to present the User Certificate for authentication, so it just 
chokes on it.

So, I don't really see it as ISA's fault, but the RDP client's fault, if we 
need to assign blame, and I think we do because the RDP and Outlook guyz really 
need to think about security in a bit more depth and enable User Certificate 
assignment and presentation to the destination machine.

There is a solution, but it means using additional software. The IAG 2007 
supports User Certificate authentication to access the SSL VPN portal. Once 
you're authenticated and authorized by the IAG 2007 to use RDP, you can then 
use Integrated authentication to authenticate with the terminal server. It's 
not the best solution, because the best solution would be to build User 
Certificate support into the RDP and Outlook clients.

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Sunday, August 26, 2007 1:18 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

You mean a "Client Authentication Certificate" in the user's account's 
certificate store? Done that ;) You just can't tell the RDP client to use it. 
And ISA's "SSL Client Authentication Certificate" authentication mechanism is 
flawed -- it only allows the use of a cert generated by a CA that ISA is not 
only a domain member of, but also one where it can connect to AD and validate 
it. It completely horks "standard" certificate and trust usage in that regard. 
You can't even use something like a Verisign "Client Authentication" 
certificate (I bought one and tried it -- no workie). So even if you have a full 
private key certificate you load and trust on the ISA box, if the ISA server 
can't confirm via AD, it won't work. Really poor implementation if you asked 
me.

So, you gonna answer the question now? I mean, since you're the one 
who came up with the idea of publishing TSGateway via an SSL Listener 
configured to use SCCA, I figga'd you'd have some better answers than 
nomenclature whining. :-p

t

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Sunday, August 26, 2007 11:04 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

Try using a User Certificate and see if that helps ;)

Thomas W Shinder, M.D.

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Sunday, August 26, 2007 12:56 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] RDP v6.0 Client Certificate configuration

Jim, et al. -- any word on how to get the v6.0 RDP client to 
present a Client Authentication certificate to an ISA server listener using SSL 
Client Certificate Authentication? It no workie, and I can't find any data on 
a hack to specify a cert for the RDP client...

t

-----------------------------

vinni, viddi, vinni denuo