Scoop; oh, yeh - the catbox... From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God) Sent: Sunday, August 26, 2007 12:55 PM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: Regarding SCCA.... One would think ;) If you can get some inside scoop on that, it would be great.. t From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Sunday, August 26, 2007 12:47 PM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: Regarding SCCA.... One would think that by merely receiving an SSL "ClientCert required" SSL message, the RDP v6 client would respond properly. Makes me wonder if the SmartCard auth is limited to RDP-only? Lemme see if I can get clarification on that... From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God) Sent: Sunday, August 26, 2007 12:12 PM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: Regarding SCCA.... Ah- that was my fault, and solved with your help... With "Require Authentication" cleared at the listener *and* the rule set to "All Users," you would get no prompt for the cert at all, as is now clear (and right) to me. But I didn't get an error in that case-- it just went to the site. I got the error when I had a cert signed by HoG CA that was installed on ISA in a different forest/domain where the listener was set to "require auth" or the rule was set to "all authenticated." Note that if the listener was set to "require auth" *and* the rule was set to "all authenticated" that I would have to present the user cert TWICE. ;) Everything works perfectly now, and I understand the ramifications of different auth models in different scenarios-- what would make me pee myself would be to find out how to get v6 RDP client to present a cert to the ISA listener-- that way I could indeed protect initial connection access to the TSGateway via cert. t From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Sunday, August 26, 2007 12:07 PM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: Regarding SCCA.... "it will seem to work, but you'll get a "401 unauthorized" error." - I'd like to see the tracing (via BPA IDP) for that event. "if you avoid specifying "Require Authentication" at the listener level" - what about the case where you didn't get the "choose cert" popup and got 403/12202 for your efforts? I didn't get to rejoin that testing because of a forest fire internally (you saw the doc). From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God) Sent: Sunday, August 26, 2007 12:02 PM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Regarding SCCA.... So, here's some helpful titbids regarding the use of "SSL Client Certificate Authentication" in ISA: 1) You can only use "self-generated/domain" certificates for the purpose of "Client Authentication" that are generated by an Enterprise Root CA in a forest that the ISA server is a domain member of. ISA will accept the cert, and it will seem to work, but you'll get a "401 unauthorized" error. 2) Regarding the configuration of the listener itself, if you avoid specifying "Require Authentication" at the listener level, you can reuse the same listener for different rules where you require "authenticated users" or "all users" as required. In other words, let's say you are publishing a TSGateway where you require smart-card logon in the TSGateway configuration. In this case, you won't want the listener to require a certificate because the RDP client won't present one, and you've solved that problem with a smart-card. However, let's say you want access to a particular path to require a user to present a "client authentication certificate." You can create a rule with your SCCA listener for "all users" to /RPC for TSGateway access and it won't require a cert, but you can then create a rule under that one to something like /downloads where the rule is "authenticated users" with the SCCA listener (still not configure for "Require Authentication") where a user's "client authentication cert" will indeed be required. Pretty cool once you sort it all out. t ----------------------------- vinni, viddi, vinni denuo All mail to and from this domain is GFI-scanned. All mail to and from this domain is GFI-scanned. All mail to and from this domain is GFI-scanned.