[isapros] Re: Regarding SCCA....
- From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
- To: <isapros@xxxxxxxxxxxxx>
- Date: Sun, 26 Aug 2007 13:56:29 -0700
Scoop; oh, yeh - the catbox...
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Sunday, August 26, 2007 12:55 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Regarding SCCA....
One would think ;)
If you can get some inside scoop on that, it would be great..
t
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Sunday, August 26, 2007 12:47 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Regarding SCCA....
One would think that by merely receiving an SSL "ClientCert required"
SSL message, the RDP v6 client would respond properly.
Makes me wonder if the SmartCard auth is limited to RDP-only?
Lemme see if I can get clarification on that...
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Sunday, August 26, 2007 12:12 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Regarding SCCA....
Ah- that was my fault, and solved with your help...
With "Require Authentication" cleared at the listener *and* the rule set
to "All Users," you would get no prompt for the cert at all, as is now
clear (and right) to me. But I didn't get an error in that case-- it
just went to the site. I got the error when I had a cert signed by HoG
CA that was installed on ISA in a different forest/domain where the
listener was set to "require auth" or the rule was set to "all
authenticated." Note that if the listener was set to "require auth"
*and* the rule was set to "all authenticated" that I would have to
present the user cert TWICE. ;)
Everything works perfectly now, and I understand the ramifications of
different auth models in different scenarios-- what would make me pee
myself would be to find out how to get v6 RDP client to present a cert
to the ISA listener-- that way I could indeed protect initial connection
access to the TSGateway via cert.
t
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Sunday, August 26, 2007 12:07 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Regarding SCCA....
"it will seem to work, but you'll get a "401 unauthorized" error." - I'd
like to see the tracing (via BPA IDP) for that event.
"if you avoid specifying "Require Authentication" at the listener level"
- what about the case where you didn't get the "choose cert" popup and
got 403/12202 for your efforts? I didn't get to rejoin that testing
because of a forest fire internally (you saw the doc).
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Sunday, August 26, 2007 12:02 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Regarding SCCA....
So, here's some helpful titbids regarding the use of "SSL Client
Certificate Authentication" in ISA:
1) You can only use "self-generated/domain" certificates for the purpose
of "Client Authentication" that are generated by an Enterprise Root CA
in a forest that the ISA server is a domain member of. ISA will accept
the cert, and it will seem to work, but you'll get a "401 unauthorized"
error.
2) Regarding the configuration of the listener itself, if you avoid
specifying "Require Authentication" at the listener level, you can reuse
the same listener for different rules where you require "authenticated
users" or "all users" as required.
In other words, let's say you are publishing a TSGateway where you
require smart-card logon in the TSGateway configuration. In this case,
you won't want the listener to require a certificate because the RDP
client won't present one, and you've solved that problem with a
smart-card. However, let's say you want access to a particular path to
require a user to present a "client authentication certificate."
You can create a rule with your SCCA listener for "all users" to /RPC
for TSGateway access and it won't require a cert, but you can then
create a rule under that one to something like /downloads where the rule
is "authenticated users" with the SCCA listener (still not configure for
"Require Authentication") where a user's "client authentication cert"
will indeed be required.
Pretty cool once you sort it all out.
t
-----------------------------
vinni, viddi, vinni denuo
All mail to and from this domain is GFI-scanned.
All mail to and from this domain is GFI-scanned.
All mail to and from this domain is GFI-scanned.
Other related posts:
