[isapros] Re: RDP v6.0 Client Certificate configuration

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Mon, 27 Aug 2007 09:27:05 -0700

You know, one cool thing about this implementation is that you can just
disable the account without worrying about revoking the certificate.
That is super cool.  It takes a few minutes, but that's pretty damn cool
- the user auth will fail even with the right cert.  Of course, you can
still use the CRL process, but the revocation delta is 1 day by default.
So I'm warming up to this "feature." ;)

t

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Monday, August 27, 2007 8:59 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

Aha! Got it. Yes, that is a problem.

Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

________________________________

        From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
        Sent: Monday, August 27, 2007 10:18 AM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

        Of course ;)

        But limiting the "trust list" doesn't work unless you are using
the domain's root CA cert.  Let's say I send you my domain root CA
cert, and I've got my "user certificate" issued to me for the purposes
of "client authentication."  If you install that cert on your ISA box,
and create a listener that requires SCCA and select that cert, and you
create a web pub rule with that listener, when I go to your site and
select my cert at your server's prompt, I'll get a 401 error because
your server can't contact my AD (the AD the root CA cert was created
in).

        That's what I'm on about.

        t

        From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
        Sent: Monday, August 27, 2007 8:11 AM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

        Dude,

        Did you know that you can limit the CA trust list on a per
listener basis?

        Tom

        Thomas W Shinder, M.D.
        Site: www.isaserver.org <http://www.isaserver.org/>
        Blog: http://blogs.isaserver.org/shinder/
        Book: http://tinyurl.com/3xqb7
        MVP -- Microsoft Firewalls (ISA)

________________________________

                From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
                Sent: Monday, August 27, 2007 9:29 AM
                To: isapros@xxxxxxxxxxxxx
                Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

                There were multiple "causes," but the primary one is
that ISA must do an AD lookup to validate the "client authentication"
certificate.  In my environment, the ISA server is a domain member in a
different forest with no cross-trust, so it couldn't validate the
account.  To me, this is a shortcoming of ISA's "SSL Client Certificate
Authentication" mechanism.  In other words, you can only issue and use
"user certificates" for the purpose of "client authentication" from
forest Enterprise Root CAs that ISA is a domain member of, and where
ISA can query AD.  Even though the docs pair up "SCCA + AD," it seems
more like a 'bug' to me.  I mean, for SCCA to work, you must enable the
system policy rule for "Allow all HTTP from ISA to all networks" for the
purposes of CRL downloads.  Why worry about CRL when you are forced to
use AD? Worse yet, why force a horrible rule like "All HTTP from ISA to
all networks" when it's really unnecessary?  Further, the fact that one
has an option to use "certs issued by all CAs ISA trusts" points to the
implementation of SCCA being a "work in progress," as there is no way it
can use those other CAs given the AD requirement.

                The way it *should* work is the way the docs allude that
it will work -- that being the way all certs work -- where you say "if
you get a cert for the purposes of client authentication that is signed
by the following CAs, authenticate it" but it doesn't.  My guess is
that this is due to core ISA authentication operations where all
authentication is tied to a user account somewhere and SCCA
functionality, at the end of the day, requires some sort of account
authentication.

                All other "problems" stemmed from that, and have all
been sorted out and documented in the previous emails...

                t


                From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
                Sent: Sunday, August 26, 2007 4:45 PM
                To: isapros@xxxxxxxxxxxxx
                Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

                Was that the cause of the problem you and Jim were
working on the last day or so?  Or is that and the "require
authentication" issue different?  I've lost track of them and hadn't
ever seen a solution.

                Jerry

                From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
                Sent: Sunday, August 26, 2007 2:41 PM
                To: isapros@xxxxxxxxxxxxx
                Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

                P.S.  To all those testing TSGateway, don't make the
same mistake I did in temporarily redirecting to HTTP to test normal
HTTPS-HTTP access for NetMon purposes, and then forgetting to set it
back before testing RDP via TSGateway.  TSGateway requires HTTPS of
course, so redir to HTTP from the rule will give you odd "Logon Failed"
errors.  It took me a freaking day to figure that one out, but I'm a
moron ;)

                t

                From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
                Sent: Sunday, August 26, 2007 11:31 AM
                To: isapros@xxxxxxxxxxxxx
                Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

                I occasionally enjoy a fine whine :)

                I've been in and out of this discussion because of
Exchange horkage, but Jim probably said that the problem is with the
client side software, right? There's no way to tell the client to
present its User Certificate for authentication, sort of like the
problem with Outlook 2003+ RPC/HTTP -- the Outlook client doesn't know
how to present the User Certificate for authentication, so it just
chokes on it.

                So, I don't really see it as ISA's fault, but the RDP
client's fault, if we need to assign blame, and I think we do because
the RDP and Outlook guyz really need to think about security in a bit
more depth and enable User Certificate assignment and presentation to
the destination machine.

                There is a solution, but it means using additional
software. The IAG 2007 supports User Certificate authentication to
access the SSL VPN portal. Once you're authenticated and authorized by
the IAG 2007 to use RDP, you can then use Integrated authentication to
authenticate with the terminal server. It's not the best solution,
because the best solution would be to build User Certificate support
into the RDP and Outlook clients.

                Tom

                Thomas W Shinder, M.D.
                Site: www.isaserver.org <http://www.isaserver.org/>
                Blog: http://blogs.isaserver.org/shinder/
                Book: http://tinyurl.com/3xqb7
                MVP -- Microsoft Firewalls (ISA)

________________________________

                        From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
                        Sent: Sunday, August 26, 2007 1:18 PM
                        To: isapros@xxxxxxxxxxxxx
                        Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

                        You mean a "Client Authentication Certificate"
in the user's account's certificate store?  Done that ;)  You just can't
tell the RDP client to use it.  And ISA's "SSL Client Authentication
Certificate" authentication mechanism is flawed -- it only allows the use
of a cert generated by a CA that ISA is not only a domain member of, but
also one where it can connect to AD and validate it.  It completely
horks "standard" certificate and trust usage in that regard.  You can't
even use something like a Verisign "Client Authentication" certificate
(I bought one and tried it -- no workie).  So even if you have a full
private key certificate you load and trust on the ISA box, if the ISA
server can't confirm via AD, it won't work.  Really poor implementation
if you ask me.

                        So, you gonna answer the question now?  I mean,
since you're the one who came up with the idea of publishing TSGateway
via an SSL Listener configured to use SCCA, I figga'd you'd have some
better answers than nomenclature whining. :-p

                        t

                        From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
                        Sent: Sunday, August 26, 2007 11:04 AM
                        To: isapros@xxxxxxxxxxxxx
                        Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

                        Try using a User Certificate and see if that
helps ;)

                        Thomas W Shinder, M.D.
                        Site: www.isaserver.org <http://www.isaserver.org/>
                        Blog: http://blogs.isaserver.org/shinder/
                        Book: http://tinyurl.com/3xqb7
                        MVP -- Microsoft Firewalls (ISA)

________________________________

                                From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
                                Sent: Sunday, August 26, 2007 12:56 PM
                                To: isapros@xxxxxxxxxxxxx
                                Subject: [isapros] RDP v6.0 Client Certificate configuration

                                Jim, et al. -- any word on how to get
the v6.0 RDP client to present a Client Authentication certificate to an
ISA server listener using SSL Client Certificate Authentication?  It no
workie, and I can't find any data on a hack to specify a cert for the
RDP client...

                                t

                                -----------------------------

                                vinni, viddi, vinni denuo
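The two-step check Thor describes across this thread (the presented cert must chain to a CA on the listener's trust list and carry the Client Authentication EKU, and the account it maps to must still be enabled, which is why disabling the account takes effect long before a CRL with a one-day delta would), written out as an added Go example; this is not code from the thread or from ISA Server. Issue, Authenticate, the constructed root CAs and the enabled-account map (a stand-in for the AD lookup) are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Issue creates a constructed certificate for name: a self-signed root CA when ca is nil,
// otherwise a user certificate signed by ca whose only EKU is Client Authentication.
func Issue(name string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if ca == nil { // self-signed root: mark it as a CA and drop the leaf-only EKU
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		tmpl.ExtKeyUsage, ca, caKey = nil, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Authenticate mirrors the thread's two steps: the cert must chain to a CA on the trust list
// with the Client Authentication EKU, and its mapped account must still be enabled (map = AD stand-in).
func Authenticate(leaf *x509.Certificate, trust *x509.CertPool, enabled map[string]bool) error {
	opts := x509.VerifyOptions{Roots: trust, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return err // issuer not on the trust list, expired, or wrong EKU
	}
	if !enabled[leaf.Subject.CommonName] {
		return errors.New("account disabled or unknown") // fails even with a valid cert
	}
	return nil
}

func main() {} // kept so the block builds stand-alone; callers exercise Issue and Authenticate
```

A cert from a CA that is not on the trust list fails at the chain step, and a disabled account fails at the lookup step regardless of how fresh the CRL is.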

                                
