And not just "a" user account, but "THE" user account from the domain where the Enterprise Root Cert lives... I found that out the hard way (as you know so well ;)

t

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Friday, February 01, 2008 2:12 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
> It depends on how the client cert (clientcertclientcertclientcert [for Tom <g>]) is constructed.
> By default, ISA doesn't really care how the cert is built as long as it can trust the CA. The problem comes in with using the certificate for user authentication. When ISA receives a certificate in response to "you better show some ID, boy!", ISA passes this to a Windows API called AcquireCredentialsHandle. This API expects to resolve the certificate to a user account and if it can't, cert auth will fail.
>
> Jim
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: Friday, February 01, 2008 9:02 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
> Really?? Kinda surprised at that and surely there is quite a lot ISA can add rather than dumbing it down to L3 with server publishing???
>
> The bit that is really annoying is that some of the SCCM guides recommend SSL bridging as opposed to SSL tunnelling, so it implies it should be possible and is best practice - trouble is, there are no docs that tell you how to get it working!!! Here are some examples:
>
> http://technet.microsoft.com/en-us/library/bb680995.aspx
>
> http://www.microsoft.com/technet/community/chats/trans/sms/07_0724_tn_sccm.mspx
>
> Prabhu Padhi [MSFT] (Expert):
> Q: Can I do SSL-Bridging at the edge firewall to route the IBCM clients to my intranet MP/DP (they are shared)?
> A: As long as your firewall supports SSL bridging, we will work fine.
>
> Cheers
>
> JJ
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele
> Sent: 01 February 2008 16:41
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
> Hi Jason,
>
> my reasoning, whenever client certs are involved, use server publishing. Nothing ISA can do to enhance the security.
>
> HTH,
> Stefaan
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: Friday 1 February 2008 16:49
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
> Hi All,
>
> Any more thoughts on this?
>
> From what I now understand, the SCCM client is using a client auth cert to authenticate to the IIS instance running on the SCCM management point (mutual cert auth).
>
> We are getting close to SCCM deployments where customers want IBCM, but the only ISA Server solution I can get working is to use SSL tunnelling (server publishing). I have tried various web publishing configurations and none of them seem to work - I have tried the following:
>
> * Simple web publishing, ISA listener with no authentication and "allow client to authenticate" defined in the delegation tab - assumed this would just use pass-through auth to the IIS website to allow for this to do the client auth.
>
> * Pre-auth web publishing, ISA listener using client cert auth and then KCD to delegate to IIS.
>
> Do we think that one of these should work, or is web publishing for SCCM IBCM fundamentally flawed?
>
> Anyone actually got it working??? I know SCCM is quite new, but are we just too ahead of the curve here?
>
> Cheers
>
> JJ
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: 19 October 2007 08:50
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
> Hi t,
>
> I was hoping to do the former and then use KCD, but from what I gather SCCM is using computer based certs - I believe this makes things harder. Not really come across this scenario before... I currently have it working in the lab using server publishing, but I cannot bear the thought of doing this for customers...
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: 18 October 2007 22:15
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
> While I've not used SCCM, I've done a good bit of work with different certificate-based authentication models. Are you considering using a web-listener configured for SSL Client Certificate Authentication, or just web-publishing to a back-end web server where it will do its own certificate-to-user mapping?
>
> t
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: Thursday, October 18, 2007 1:11 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
> Did this Q get hidden within Amy's posts or is it a big fat "don't know"? :)
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: 17 October 2007 00:49
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] SCCM and ISA - Worth a shot!
>
> Hi,
>
> Has anyone used ISA with System Centre Configuration Manager (SCCM) yet? Specifically when using Native mode (e.g. full-on PKI mode).
>
> The initial documentation is a little patchy and seems to contradict itself between using Web Publishing and Server Publishing when using Internet based clients that cannot back into the CM server. The SCCM documentation talks about lots of perimeter and internet-facing scenarios, but I want to try and use an ISA based model in a similar way to protecting Exchange or SharePoint. A quote from Jim comes to mind "..we don't need no stinking DMZs"
>
> Ideally I want to use Web Publishing, but all communications in SCCM utilise client certificate based authentication.
>
> Am I right in thinking I can use ISA Web publishing combined with KCD to secure access from CM clients to the CM server?
>
> Answers that tell me that I have to use Server Publishing will make me cry, so please be sensitive
>
> Thanks in advance...
>
> Cheers
>
> JJ
>
> ________________________________
>
> This email and any files transmitted with it are confidential and intended solely for the use of the individual to whom it is addressed. If you have received this email in error, or if you believe this email is unsolicited and wish to be removed from any future mailings, please contact our Support Desk immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx
>
> If this email contains a quotation then unless otherwise stated it is valid for 7 days and offered subject to Silversands Professional Services Terms and Conditions, a copy of which is available on request. Any pricing information, design information or information concerning specific Silversands' staff contained in this email is considered confidential or of commercial interest and exempt from the Freedom of Information Act 2000.
>
> Any view or opinions presented are solely those of the author and do not necessarily represent those of Silversands
>
> Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
> Company Registration Number : 2141393.
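Jim's point about AcquireCredentialsHandle needing to resolve the presented client certificate to an account is something you can check before the listener ever sees the certificate. The PowerShell below is an added example written for this page, not code from the thread, from ISA or from SCCM. It assumes the two standard Schannel mapping rules (a UPN in the certificate's Subject Alternative Name equal to an account's userPrincipalName, or an explicit `X509:<I>issuer<S>subject` entry in altSecurityIdentities), a domain-joined machine so the ADSI search lands in the current forest, and an English-locale Windows for the SAN text parsing. The function and helper names (Resolve-CertToAccount, Get-UpnFromSan, Get-ExplicitMappingKey, Escape-LdapValue) are invented here.

```powershell
# Added example: approximate the certificate-to-account resolution that ISA
# hands to AcquireCredentialsHandle. Assumptions (not from the thread):
# Schannel's two mapping rules, a domain-joined host, en-US SAN formatting.
param(
    [Parameter(Mandatory = $true)]
    [string]$CertPath    # client certificate file (.cer/.crt, DER or Base64)
)

Add-Type -AssemblyName System.DirectoryServices

function Escape-LdapValue {
    # RFC 4515 escaping, so certificate fields under the client's control
    # cannot change the shape of the LDAP filter built below.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-UpnFromSan {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $null }
    # Format() renders the extension as text; the "Principal Name=" label is
    # locale-specific (assumption: English Windows).
    $text = $san.Format($true)
    if ($text -match 'Principal Name=([^\r\n]+)') { return $Matches[1].Trim() }
    return $null
}

function Get-ExplicitMappingKey {
    # Explicit mappings are stored as X509:<I>issuer<S>subject with the DN
    # components in reverse order (DC=com,DC=contoso,CN=...). DNs containing
    # escaped commas are not handled by this simple split.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $reverseDn = {
        param([string]$Dn)
        $parts = $Dn -split ',\s*(?=[A-Za-z]+=)'
        [array]::Reverse($parts)
        $parts -join ','
    }
    'X509:<I>' + (& $reverseDn $Cert.Issuer) + '<S>' + (& $reverseDn $Cert.Subject)
}

function Resolve-CertToAccount {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    # Rule 1, implicit: UPN in the SAN equals an account's userPrincipalName.
    $upn = Get-UpnFromSan $cert
    if ($upn) {
        $searcher.Filter = "(userPrincipalName=$(Escape-LdapValue $upn))"
        $hit = $searcher.FindOne()
        if ($hit) {
            return [pscustomobject]@{
                Mapping = 'implicit (UPN in SAN)'
                Account = $hit.Properties['distinguishedname'][0]
            }
        }
    }

    # Rule 2, explicit: some account's altSecurityIdentities names this issuer+subject.
    $key = Get-ExplicitMappingKey $cert
    $searcher.Filter = "(altSecurityIdentities=$(Escape-LdapValue $key))"
    $hit = $searcher.FindOne()
    if ($hit) {
        return [pscustomobject]@{
            Mapping = 'explicit (altSecurityIdentities)'
            Account = $hit.Properties['distinguishedname'][0]
        }
    }

    # Neither rule matched: this is the certificate that fails cert auth at
    # the listener. Return what was looked for so the admin can add a mapping.
    [pscustomobject]@{ Mapping = 'none'; Account = $null; Upn = $upn; ExplicitKey = $key }
}

Resolve-CertToAccount -Path $CertPath | Format-List
```

Two caveats follow from the thread. A machine certificate of the kind Jason mentions normally carries a DNS name rather than a UPN in its SAN, so under the two rules checked here it reaches the `none` branch unless an administrator has added an explicit altSecurityIdentities entry for it. And the script only searches the forest it is joined to: Schannel additionally requires the issuing CA to be present in the forest's NTAuthCertificates store, which an Enterprise CA publishes to automatically in its own forest, which is why the account has to live in the same domain environment as the Enterprise Root CA rather than in just any trusted domain.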