You know, one cool thing about this implementation is that you can just disable the account without worrying about revoking the certificate. That is super cool. It takes a few minutes, but that's pretty damn cool - the user auth will fail even with the right cert. Of course, you can still use the CRL process, but the revocation delta is 1 day by default. So I'm warming up to this "feature." ;)

t

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Monday, August 27, 2007 8:59 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

Aha! Got it. Yes, that is a problem.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Monday, August 27, 2007 10:18 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

Of course ;) But limiting the "trust list" doesn't work unless you are using the domain's root CA cert. Let's say I send you my domain root CA cert, and I've got my "user certificate" issued to me for the purposes of "client authentication." If you install that cert on your ISA box, and create a listener that requires SCCA and select that cert, and you create a web pub rule with that listener, when I go to your site and select my cert at your server's prompt, I'll get a 401 error because your server can't contact my AD (the AD the root CA cert was created in). That's what I'm on about.

t

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Monday, August 27, 2007 8:11 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

Dude,

Did you know that you can limit the CA trust list on a per listener basis?

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Monday, August 27, 2007 9:29 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

There were multiple "causes," but the primary one is that ISA must do an AD lookup to validate the "client authentication" certificate. In my environment, the ISA server is a domain member in a different forest with no cross-trust, so it couldn't validate the account. To me, this is a shortcoming of ISA's "SSL Client Certificate Authentication" mechanism. In other words, you can only issue and use "user certificates" for the purpose of "client authentication" from forest Enterprise Root CAs that ISA is a domain member of, and where ISA can query AD. Even though the docs pair up "SCCA + AD," it seems more like a 'bug' to me. I mean, for SCCA to work, you must enable the system policy rule for "Allow all HTTP from ISA to all networks" for the purposes of CRL downloads. Why worry about CRL when you are forced to use AD? Worse yet, why force a horrible rule like "All HTTP from ISA to all networks" when it's really unnecessary? Further, the fact that one has an option to use "certs issued by all CAs ISA trusts" points to the implementation of SCCA being a "work in progress," as there is no way it can use those other CAs given the AD requirement.

The way it *should* work is the way the docs allude that it will work -- that being the way all certs work -- where you say "if you get a cert for the purposes of client authentication that is signed by the following CAs, authenticate it," but it doesn't. My guess is that this is due to core ISA authentication operations where all authentication is tied to a user account somewhere, and SCCA functionality, at the end of the day, requires some sort of account authentication. All other "problems" stemmed from that, and have all been sorted out and documented in the previous emails...

t

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
Sent: Sunday, August 26, 2007 4:45 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

Was that the cause of the problem you and Jim were working on the last day or so? Or is that and the "require authentication" issue different? I've lost track of them and hadn't ever seen a solution.

Jerry

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Sunday, August 26, 2007 2:41 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

P.S. To all those testing TSGateway, don't make the same mistake I did in temporarily redirecting to HTTP to test normal HTTPS-HTTP access for NetMon purposes, and then forgetting to set it back before testing RDP via TSGateway. TSGateway requires HTTPS of course, so redir to HTTP from the rule will give you odd "Logon Failed" errors.

It took me a freaking day to figure that one out, but I'm a moron ;)

t

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Sunday, August 26, 2007 11:31 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

I occasionally enjoy a fine whine :)

I've been in and out of this discussion because of Exchange horkage, but Jim probably said that the problem is with the client side software, right? There's no way to tell the client to present its User Certificate for authentication, sort of like the problem with Outlook 2003+ RPC/HTTP -- the Outlook client doesn't know how to present the User Certificate for authentication, so it just chokes on it.

So, I don't really see it as ISA's fault, but the RDP client's fault, if we need to assign blame, and I think we do because the RDP and Outlook guyz really need to think about security in a bit more depth and enable User Certificate assignment and presentation to the destination machine.

There is a solution, but it means using additional software. The IAG 2007 supports User Certificate authentication to access the SSL VPN portal. Once you're authenticated and authorized by the IAG 2007 to use RDP, you can then use Integrated authentication to authenticate with the terminal server. It's not the best solution, because the best solution would be to build User Certificate support into the RDP and Outlook clients.

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Sunday, August 26, 2007 1:18 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

You mean a "Client Authentication Certificate" in the user's account's certificate store? Done that ;) You just can't tell the RDP client to use it.

And ISA's "SSL Client Authentication Certificate" authentication mechanism is flawed -- it only allows the use of a cert generated by a CA that ISA is not only a domain member of, but also one where it can connect to AD and validate it. It completely horks "standard" certificate and trust usage in that regard. You can't even use something like a Verisign "Client Authentication" certificate (I bought one and tried it - no workie). So even if you have a full private key certificate you load and trust on the ISA box, if the ISA server can't confirm via AD, it won't work. Really poor implementation if you ask me.

So, you gonna answer the question now? I mean, since you're the one who came up with the idea of publishing TSGateway via an SSL Listener configured to use SCCA, I figga'd you'd have some better answers than nomenclature whining. :-p

t

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Sunday, August 26, 2007 11:04 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RDP v6.0 Client Certificate configuration

Try using a User Certificate and see if that helps ;)

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Sunday, August 26, 2007 12:56 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] RDP v6.0 Client Certificate configuration

Jim, et al. -- any word on how to get the v6.0 RDP client to present a Client Authentication certificate to an ISA server listener using SSL Client Certificate Authentication? It no workie, and I can't find any data on a hack to specify a cert for the RDP client...

t

-----------------------------
vinni, viddi, vinni denuo
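An added example, not ISA Server's code and not part of the thread above: the two gates the thread argues about (the PKI chain/CRL check, and the AD account lookup that ISA's SSL Client Certificate Authentication ties to it) modelled as a PowerShell script you can run on a domain-joined host against an exported client certificate. It reports which gate rejects a given cert, so you can distinguish "CRL not reachable or cert revoked" from "no matching or enabled account in this forest", which is the distinction the thread keeps circling. The certificate path, the ActiveDirectory RSAT module, and the SAN text format ("Other Name:Principal Name=user@domain", as emitted by an enterprise CA user template) are assumptions.

```powershell
<#
  Added example, not ISA Server's own logic. Models the two gates the thread
  describes for an SSL Client Certificate Authentication listener:
    1. PKI: chain to a trusted CA plus CRL check (needs the CDP reachable,
       which is why ISA wants the "Allow all HTTP from ISA" system policy rule).
    2. Directory: map the cert's UPN to an AD account and require it to be enabled.
  Assumptions: ActiveDirectory RSAT module present; the host can query the AD
  forest that issued the certificate; the user cert carries its UPN in the SAN
  "Other Name:Principal Name=" entry.
#>
param(
    [Parameter(Mandatory = $true)]
    [string] $CertPath   # assumption: path to an exported client-auth .cer file
)

Import-Module ActiveDirectory

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# --- Gate 1: chain build with online revocation checking over the whole chain ---
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
# Require the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2) on the leaf.
$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.2')) | Out-Null
$chainOk = $chain.Build($cert)
if (-not $chainOk) {
    foreach ($s in $chain.ChainStatus) {
        # e.g. RevocationStatusUnknown / OfflineRevocation when the CDP is blocked,
        # Revoked once a fresh CRL listing the serial has been fetched.
        Write-Warning ("Chain: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
}

# --- Gate 2: UPN from the SAN extension (OID 2.5.29.17), then AD lookup ---
$upn = $null
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($sanExt) {
    # Format($true) renders one SAN entry per line, e.g.
    # "Other Name:Principal Name=alice@corp.example" (assumed format).
    $m = [regex]::Match($sanExt.Format($true), 'Principal Name=([^\s,]+)')
    if ($m.Success) { $upn = $m.Groups[1].Value }
}

$account = $null
$accountEnabled = $false
if ($upn) {
    # This is the lookup that fails when the host sits in a forest with no
    # trust to the forest whose CA issued the certificate.
    $account = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Properties Enabled -ErrorAction SilentlyContinue
    if ($account) { $accountEnabled = [bool] $account.Enabled }
}

# Both gates must pass. Disabling the account flips Gate 2 on the next lookup,
# independent of whether the cert has been revoked or a new CRL has been published.
[pscustomobject] @{
    Subject           = $cert.Subject
    Issuer            = $cert.Issuer
    NotAfter          = $cert.NotAfter
    ChainValid        = $chainOk
    UPN               = $upn
    AccountFound      = ($null -ne $account)
    AccountEnabled    = $accountEnabled
    WouldAuthenticate = ($chainOk -and $accountEnabled)
}
```

Run it as `.\Check-ClientCert.ps1 -CertPath .\alice.cer` (both names are placeholders). The useful thing to observe is the timing asymmetry the first message in the thread points at: after you revoke a certificate, Gate 1 keeps passing until the host's cached CRL expires and the freshly published one is fetched, while after you disable the account Gate 2 fails as soon as the directory change has replicated to the DC the host is talking to.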